Sun Identity Manager 8.1 Resources Reference

Resource Configuration Notes

This section provides instructions for configuring NetWare NDS resources for use with Identity Manager, including:

Gateway Location

Install the Sun Identity Manager Gateway on any NDS client that can connect to the domain to be managed. Multiple gateways should be installed if pass-through authentication is enabled.

Gateway Service Account

By default, the Gateway service runs as the local System account. This is configurable through the Services MMC Snap-in.

If you run the Gateway as an account other than Local System, then the Gateway service account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.

When running before and after action scripts, the gateway may also need the “Replace a process level token” right. This right is required if the gateway attempts to run the script subprocess as another user, such as the resource administrative user. In this case, the gateway process needs the right to replace the default token associated with that subprocess.

If this right is missing, the following error may be returned during subprocess creation:

"Error creating process: A required privilege is not held by the client"

The Replace a process level token right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers. To set this right on a system, open the Local Security Policies application within the Administrative Tools folder, then navigate to Local Policies > User Rights Assignment > Replace a process level token.
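The following PowerShell script is an added example, not part of the Sun Identity Manager documentation. It identifies the account the Gateway service runs as and reports whether that account holds the three user rights named above, using the underlying Windows privilege constants (SeTcbPrivilege, SeChangeNotifyPrivilege, SeAssignPrimaryTokenPrivilege). It assumes it is run with administrative rights on the Gateway host; the service name is a placeholder to be replaced with the name shown in the Services snap-in.

```powershell
# Added example (not from the Sun Identity Manager documentation).
# Audits the user rights the Gateway service account may need.
# Run as an administrator on the Gateway host.

$ServiceName = 'SunIdentityManagerGateway'   # placeholder: use the service name shown in the Services snap-in

# Privilege constants behind the display names used in the Local Security Policy UI
$Rights = @{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

# 1. Find the account the Gateway service is configured to run as
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = $svc.StartName
Write-Host "Gateway service runs as: $account"

if ($account -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
    Write-Host 'Local System already holds these rights; nothing to check.'
    return
}

# Services configured as ".\user" are local accounts; qualify them with the host name
$account = $account -replace '^\.\\', "$env:COMPUTERNAME\"
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 2. Export the effective user-rights assignments on this host
$cfg = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg

# 3. For each right, list holders (secedit writes SIDs prefixed with '*' or plain names)
foreach ($priv in $Rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Trim() -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $has   = ($holders -contains $sid) -or ($holders -contains $account)
    $state = if ($has) { 'OK' } else { 'MISSING' }
    Write-Host ('{0,-8} {1,-40} ({2})' -f $state, $Rights[$priv], $priv)
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A MISSING line for Replace a process level token is the condition that produces the "A required privilege is not held by the client" error above. The export reflects the assignments in effect on this host, including any pushed by Group Policy; if the account is a domain account, the SID translation needs a reachable domain controller.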

SecretStore Certificates

To support SecretStore, an SSL certificate must be exported from the NDS system to the Identity Manager application server.

One possible way to obtain this certificate is to use ConsoleOne to export the public key. To do this, start ConsoleOne and navigate to the SSL CertificateDNS object. On the Properties dialog of the SSL CertificateDNS object, select Public Key Certificate from the Certificates tab. Press the Export button to begin the process of exporting the certificate. You do not need to export the private key. Store the file in DER format.

Copy the DER file to the Identity Manager application server. Then add the certificate to the jdk\jre\lib\security\cacerts keystore using keytool or another certificate management tool. The keytool utility is shipped with the Java SDK. Refer to the Java documentation for more information about the keytool utility.
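The following PowerShell script is an added example, not part of the Sun Identity Manager documentation. It carries out the keytool step described above: it backs up cacerts, prints the DER certificate so its fingerprint can be compared against the value recorded from ConsoleOne, imports it as a trusted certificate entry, and lists the result. The JDK path, certificate path, alias, expected fingerprint and fingerprint algorithm are placeholders; the keystore password is the JDK default, which a site may have changed.

```powershell
# Added example (not from the Sun Identity Manager documentation).
# Imports the DER certificate exported from ConsoleOne into the JDK cacerts keystore.

$JavaHome  = 'C:\jdk'                        # placeholder: JDK used by the Identity Manager application server
$CertFile  = 'C:\temp\nds-ssl-cert.der'      # placeholder: DER file copied from the NDS system
$Alias     = 'nds-ssl-certificatedns'        # placeholder: alias for the new trusted entry
$FpAlgo    = 'SHA256'                        # placeholder: use 'SHA1' on older JDKs that print no SHA256 line
$Expected  = 'AA:BB:CC:...'                  # placeholder: fingerprint read from the NDS side, colon-separated hex
$StorePass = 'changeit'                      # JDK default cacerts password; adjust if your site changed it
$Cacerts   = Join-Path $JavaHome 'jre\lib\security\cacerts'   # path as given in the text (JDK 8 layout)
$Keytool   = Join-Path $JavaHome 'bin\keytool.exe'

# 1. Back up the keystore before modifying it; it is shared by every application using this JDK
Copy-Item $Cacerts "$Cacerts.bak" -Force

# 2. Print the certificate and compare its fingerprint with the value recorded out of band
$info = & $Keytool -printcert -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "keytool could not read $CertFile (exit $LASTEXITCODE)" }
$info | Write-Host
$actual = ($info | Where-Object { $_ -match "$FpAlgo`:" } | Select-Object -First 1) -replace ".*$FpAlgo`:\s*", ''
if ($actual.ToUpper() -ne $Expected.ToUpper()) {
    throw "Fingerprint mismatch: got '$actual', expected '$Expected'; not importing."
}

# 3. Import as a trusted certificate entry (the private key was never exported, so none is involved)
& $Keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CertFile `
           -keystore $Cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit $LASTEXITCODE)" }

# 4. Confirm the entry is present
& $Keytool -list -alias $Alias -keystore $Cacerts -storepass $StorePass
```

Because cacerts is the trust store for every Java application that uses this JDK, the fingerprint check before import is what prevents an attacker-substituted certificate from becoming trusted system-wide; the same commands work with a dedicated truststore file if the application server is configured to use one instead of cacerts.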