Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide

Adding Active Directory Certificates to the Connector’s Certificate Database

Use this procedure only if you enabled SSL for the Active Directory Connector after installing the Connector or if invalid credentials were provided during installation.

Procedure: To Add an Active Directory Certificate to the Connector's Certificate Database

  1. On the machine where the Active Directory Connector is installed, stop the Identity Synchronization for Windows service/daemon.

  2. Retrieve the Active Directory CA certificate using one of the following methods:

  3. Assuming the Active Directory Connector has connector ID CNN101 (see logs/central/error.log for a mapping from connector ID to the directory source it manages), go to its certificate database directory on the machine where it was installed, and import the certificate file:

    • If the certificate was retrieved using certutil, type:

      <ISW-server-root>\shared\bin\certutil.exe -A -d . -n ad-ca-cert -t C,, -i \cacert.bin
    • If the certificate was retrieved using LDAP, type:

      <ISW-server-root>\shared\bin\certutil.exe -A -d . -n ad-ca-cert -t C,, -a -i \ad-cert.txt

      ISW-server-root is the path in which the ISW-hostname directory is located.

    On the Solaris platform, the certificate can also be imported with dsadm:

    /opt/SUNWdsee/ds6/bin/dsadm add-cert -C <DS-server-root>/slapd-<hostname>/ ad-ca-cert cacert.bin

    where ad-ca-cert is the nickname assigned to the certificate on import and cacert.bin is the certificate file being imported.

  4. Restart the Identity Synchronization for Windows service/daemon.
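The two certutil invocations in step 3 differ only in the -a flag, which tells certutil that the input is base64 text rather than binary DER; importing a base64 file without -a (or vice versa) is the usual reason the import fails or the connector still cannot validate the Active Directory server certificate. The following script is an added example and is not part of the Sun guide: it inspects the certificate file to choose the right flag, imports it with the C,, trust flags from the procedure, and then verifies with certutil -L that the nickname really carries the C (trusted CA) flag. It assumes the CERTUTIL variable points at the real certutil binary (the placeholder default mirrors the guide's path and must be replaced) and that it is run from the connector's certificate database directory, so that -d . is correct; the nickname ad-ca-cert and the sample file names are taken from the guide.

```shell
#!/bin/sh
# Added example, not from the Sun guide. Run from the connector's
# certificate database directory. Set CERTUTIL to the real path of
# certutil (the default below is only the guide's placeholder).

CERTUTIL="${CERTUTIL:-<ISW-server-root>/shared/bin/certutil.exe}"
NICK="${NICK:-ad-ca-cert}"   # nickname used in the guide

# cert_format FILE: prints "pem" when the file is a base64 (PEM) certificate,
# as produced by the LDAP retrieval method (ad-cert.txt), and "der" otherwise,
# as produced by the certutil retrieval method (cacert.bin).
cert_format() {
    if head -n 1 "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        echo pem
    else
        echo der
    fi
}

# import_cmd FILE: prints the certutil command that would import FILE as a
# trusted CA (-t C,,), adding -a only when the input is base64 text.
import_cmd() {
    if [ "$(cert_format "$1")" = pem ]; then
        echo "$CERTUTIL -A -d . -n $NICK -t C,, -a -i $1"
    else
        echo "$CERTUTIL -A -d . -n $NICK -t C,, -i $1"
    fi
}

# do_import FILE: actually runs the import chosen by import_cmd.
do_import() {
    if [ "$(cert_format "$1")" = pem ]; then aflag=-a; else aflag=; fi
    "$CERTUTIL" -A -d . -n "$NICK" -t C,, $aflag -i "$1"
}

# trust_ok LISTING: succeeds when the output of "certutil -L -d ." contains a
# line for NICK whose first trust field (SSL) starts with C, i.e. the
# certificate is trusted to issue server certificates for SSL.
trust_ok() {
    printf '%s\n' "$1" | awk -v n="$NICK" \
        '$1 == n && $2 ~ /^C/ { found = 1 } END { exit found ? 0 : 1 }'
}

main() {
    file="$1"
    if [ "${ISW_EXECUTE:-0}" = 1 ]; then
        do_import "$file" || { echo "import of $file failed" >&2; exit 1; }
        listing=$("$CERTUTIL" -L -d .)
        trust_ok "$listing" || {
            echo "$NICK is in the database but lacks the C trust flag" >&2
            exit 1
        }
        echo "$NICK imported and trusted as a CA for SSL"
    else
        echo "dry run (set ISW_EXECUTE=1 to import): $(import_cmd "$file")"
    fi
}

# Usage: ISW_EXECUTE=1 CERTUTIL=/path/to/certutil sh ad-ca-import.sh cacert.bin
if [ $# -gt 0 ]; then main "$@"; fi
```

Without ISW_EXECUTE=1 the script only prints the command it would run, which is convenient for checking the flags before touching the connector's database; after a real import, the trust check fails if the certificate was added with the wrong trust attributes (for example ",," instead of "C,,"), which is the state in which the connector silently refuses the SSL connection to Active Directory.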


    Note –

    Because certutil.exe is installed only as part of Directory Server 6.0, you cannot add a CA certificate to a connector installed on a machine that has no Directory Server.

    At a minimum, you must install the Sun Java System Server Basic Libraries and Sun Java System Server Basic System Libraries from the Directory Server 6.0 package on the server where the Active Directory Connector is installed. (You do not have to install the Administration Server or Directory Server components.)

    In addition, be sure to select the JRE subcomponent from the Console (to ensure your ability to uninstall).