Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Setting Up SSL

Global Telco requires that all network traffic is encrypted, so SSL is used with trusted certificates for all LDAP connections. This setup includes connections between the following:


Note –

The idsync certinfo command displays the steps for configuring SSL for Identity Synchronization for Windows components, based on the current configuration. It does not have access to each component’s certificate database, so it cannot determine if the steps have already been followed.


The output of this command is shown for the primary installation below. The output for the failover installation is identical except that the roles of the US and European machines are reversed.

bash-2.05# /opt/SUNWisw/bin/idsync certinfo -q <omitted password> -w <omitted password>
Connector: CNN100
Installation Host: connectors-us
Installation Path: /opt
Certificate Database Location:   /var/opt/SUNWisw/etc/CNN100
**The Directory Server Connector's certificate database must contain the 
CA certificate used to sign Directory Server's SSL certificate. If this 
certificate has not already been added to the connector's certificate 
database, please export the CA certificate and import into Directory Server 
Connector certificate database for server ldaps://master1-us.gt.com:636.


**The Directory Server's certificate database must contain the CA certificate 
used to sign the Active Directory's SSL certificate. If this certificate has 
not already been added to the Directory Server's certificate database, please 
export the CA certificate from the Active Directory at ldaps://ad1-us.gt.com:636 
and import into Directory Server certificate database for server 
ldaps://master1-us.gt.com:636.


**The Directory Server's certificate database must contain the CA certificate 
used to sign the Active Directory's SSL certificate. If this certificate has 
not already been added to the Directory Server's certificate database, please 
export the CA certificate from the Active Directory at ldaps://ad2-us.gt.com:636 
and import into Directory Server certificate database for server 
ldaps://master1-us.gt.com:636.


**The Directory Server's certificate database must contain the CA certificate 
used to sign the Active Directory's SSL certificate. If this certificate has 
not already been added to the Directory Server's certificate database, please 
export the CA certificate from the Active Directory at ldaps://ad3-eu.gt.com:636 
and import into Directory Server certificate database for server 
ldaps://master1-us.gt.com:636.


**The Directory Server Connector's certificate database must contain the 
CA certificate used to sign the Directory Server's SSL certificate. 
If this certificate has not already been added to the connector's certificate 
database, please export the CA certificate and import into Directory Server 
Connector certificate database for server ldaps://master2-us.gt.com:636.


**The Directory Server's certificate database must contain the 
CA certificate used to sign the Active Directory's SSL certificate. 
If this certificate has not already been added to the Directory Server's 
certificate database, please export the CA certificate from the 
Active Directory at ldaps://ad1-us.gt.com:636 and import into 
Directory Server certificate database for server 
ldaps://master2-us.gt.com:636.


**The Directory Server's certificate database must contain the CA certificate 
used to sign the Active Directory's SSL certificate. If this certificate has 
not already been added to the  Directory Server's certificate database, please 
export the CA certificate from the Active Directory at 
ldaps://ad2-us.gt.com:636 and import into Directory Server certificate 
database for server ldaps://master2-us.gt.com:636.


**The Directory Server's certificate database must contain the CA certificate 
used to sign the Active Directory's SSL certificate. If this certificate has 
not already been added to the Directory Server's certificate database, please 
export the CA certificate from the Active Directory at 
ldaps://ad4-eu.gt.com:636 and import into Directory Server certificate 
database for server ldaps://master1-us.gt.com:636.


**The Directory Server's certificate database must contain the CA certificate 
used to sign the Active Directory's SSL certificate. If this certificate has not 
already been added to the Directory Server's certificate database, please 
export the CA certificate from the Active Directory at ldaps://ad3-eu.gt.com:636 
and import into Directory Server certificate database for server 
ldaps://master2-us.gt.com:636.


**The Directory Server's certificate database must contain the CA certificate 
used to sign the Active Directory's SSL certificate. If this certificate has not 
already been added to the Directory Server's certificate database, please export 
the CA certificate from the Active Directory at ldaps://ad4-eu.gt.com:636 and 
import into Directory Server certificate database for server 
ldaps://master2-us.gt.com:636.


Connector: CNN101
Installation Host: connectors-us
Installation Path: /opt
Certificate Database Location: /var/opt/SUNWisw/etc/CNN101


**The Active Directory Connector's certificate database must contain the CA 
certificate used to sign the Active Directory's SSL certificate. If this certificate 
has not already been added to the Active Directory Connector certificate database, 
please export the CA certificate from the Active Directory and import into 
Active Directory Connector's certificate database for server 
ldaps://ad1-us.gt.com:636.


**The Active Directory Connector's certificate database must contain 
the CA certificate used to sign the Active Directory's SSL certificate. If this 
certificate has not already been added to the Active Directory Connector 
certificate database, please export the CA certificate from the Active Directory 
and import into Active Directory Connector's certificate database for server 
ldaps://ad2-us.gt.com:636.


**The Active Directory Connector's certificate database must contain the 
CA certificate used to sign the Active Directory's SSL certificate. 
If this certificate has not already been added to the Active Directory Connector 
certificate database, please export the CA certificate from the Active Directory 
and import into Active Directory Connector's certificate database for server 
ldaps://ad3-eu.gt.com:636.


**The Active Directory Connector's certificate database must contain the 
CA certificate used to sign the Active Directory's SSL certificate. If this 
certificate has not already been added to the Active Directory Connector certificate 
database, please export the CA certificate from the Active Directory and import into 
Active Directory Connector's certificate database for server 
ldaps://ad4-eu.gt.com:636.


SUCCESS
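On a deployment of this size the certinfo output is long and repetitive, and it is easy to miss one import. The following Python, added here as an example and not part of the product or this guide, parses that output format into a per-certificate-database list of the servers whose CA certificate must be imported. It assumes the paragraph wording shown above, keys Directory Server databases by their ldaps:// URL because the output identifies them only that way, and uses a constructed, trimmed sample of the output.

```python
import re
from collections import defaultdict
# Constructed sample in the layout idsync certinfo prints (hostnames and paths taken
# from the page's own example output, trimmed to one connector of each type).
SAMPLE = """\
Connector: CNN100
Installation Host: connectors-us
Installation Path: /opt
Certificate Database Location:   /var/opt/SUNWisw/etc/CNN100
**The Directory Server Connector's certificate database must contain the CA certificate
used to sign Directory Server's SSL certificate. If this certificate has not already been
added to the connector's certificate database, please export the CA certificate and import
into Directory Server Connector certificate database for server ldaps://master1-us.gt.com:636.

**The Directory Server's certificate database must contain the CA certificate used to sign
the Active Directory's SSL certificate. If this certificate has not already been added to the
Directory Server's certificate database, please export the CA certificate from the Active
Directory at ldaps://ad1-us.gt.com:636 and import into Directory Server certificate database
for server ldaps://master1-us.gt.com:636.

Connector: CNN101
Installation Host: connectors-us
Installation Path: /opt
Certificate Database Location: /var/opt/SUNWisw/etc/CNN101
**The Active Directory Connector's certificate database must contain the CA certificate
used to sign the Active Directory's SSL certificate. If this certificate has not already been
added to the Active Directory Connector certificate database, please export the CA certificate
from the Active Directory and import into Active Directory Connector's certificate database
for server ldaps://ad1-us.gt.com:636.
SUCCESS
"""
URL_RE = re.compile(r"ldaps://[\w.-]+:\d+")

def parse_certinfo(text):
    """Map each certificate database (connector DB by path, Directory Server DB by its
    ldaps:// URL, which is all certinfo gives) to the servers whose CA it must trust."""
    needed, db_path = defaultdict(set), None
    for chunk in text.split("**"):          # each "**" opens one requirement paragraph
        para = " ".join(chunk.split())
        owner = re.match(r"The (.+?)'s certificate database", para)
        if owner:
            urls = URL_RE.findall(para)
            if owner.group(1).endswith("Connector"):   # connector trusts the "for server" host
                needed[db_path].add(urls[-1])
            else:                                      # DS trusts the AD the CA was exported from
                needed[urls[-1]].add(urls[0])
        m = re.search(r"Certificate Database Location:\s*(\S+)", chunk)
        if m:                                  # header of the next connector follows the paragraph
            db_path = m.group(1)
    return {db: sorted(hosts) for db, hosts in needed.items()}
```

Treat the result as certinfo's own view of the requirements: as Table 3–1 notes, it over-reports domain controllers for the Active Directory connectors and omits the Directory Server to Directory Server trust needed for on-demand password synchronization.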

Table 3–1 summarizes SSL communication between components in this installation, including trust requirements for the primary and failover installations.

Table 3–1 SSL Communication between Components

| Component | Must Trust Certificates From | Required By | Comments |
|---|---|---|---|
| Directory Server Connector on connector-us.gt.com | master1-us.gt.com | Primary | Only required if the Require trusted SSL certificates option is enabled in the console. |
| Directory Server Connector on connector-us.gt.com | master2-us.gt.com | Primary | Only required if the Require trusted SSL certificates option is enabled in the console. |
| Active Directory Connector on connector-us.gt.com | ad1-us.gt.com | Primary | Only required if the Require trusted SSL certificates option is enabled in the console. The output of idsync certinfo erroneously mentions that certificates for the other Active Directory domain controllers are required. |
| Directory Server Connector on connector-eu.gt.com | master3-eu.gt.com | Failover | Only required if the Require trusted SSL certificates option is enabled in the console. |
| Directory Server Connector on connector-eu.gt.com | master4-eu.gt.com | Failover | Only required if the Require trusted SSL certificates option is enabled in the console. |
| Active Directory Connector on connector-eu.gt.com | ad3-eu.gt.com | Primary | Only required if the Require trusted SSL certificates option is enabled in the console. The output of idsync certinfo erroneously mentions that certificates for the other Active Directory domain controllers are required. |
| master1-us.gt.com | ad1-us.gt.com, ad2-us.gt.com, ad3-us.gt.com, ad4-us.gt.com | Primary | Required for on-demand password synchronization. |
| master1-us.gt.com | master3-eu.gt.com, master4-eu.gt.com | Failover | Required for on-demand password synchronization. idsync certinfo does not mention this requirement. |
| master2-us.gt.com | ad1-us.gt.com, ad2-us.gt.com, ad3-us.gt.com, ad4-us.gt.com | Primary | Required for on-demand password synchronization. |
| master2-us.gt.com | master3-eu.gt.com, master4-eu.gt.com | Failover | Required for on-demand password synchronization. idsync certinfo does not mention this requirement. |
| master3-eu.gt.com | ad1-us.gt.com, ad2-us.gt.com, ad3-us.gt.com, ad4-us.gt.com | Failover | Required for on-demand password synchronization. |
| master3-eu.gt.com | master1-us.gt.com, master2-us.gt.com | Primary | Required for on-demand password synchronization. idsync certinfo does not mention this requirement. |
| master4-eu.gt.com | ad1-us.gt.com, ad2-us.gt.com, ad3-us.gt.com, ad4-us.gt.com | Failover | Required for on-demand password synchronization. |
| master4-eu.gt.com | master1-us.gt.com, master2-us.gt.com | Primary | Required for on-demand password synchronization. idsync certinfo does not mention this requirement. |
| replica1-us.gt.com, replica2-us.gt.com, replica3-eu.gt.com, replica4-eu.gt.com | master1-us.gt.com, master2-us.gt.com | Primary | Required for on-demand password synchronization. idsync certinfo does not mention this requirement. |
| replica1-us.gt.com, replica2-us.gt.com, replica3-eu.gt.com, replica4-eu.gt.com | master3-eu.gt.com, master4-eu.gt.com | Failover | Required for on-demand password synchronization. idsync certinfo does not mention this requirement. |

In this installation, Global Telco adds both CA certificates (the one that signed the Directory Server SSL certificates and the one that signed the Active Directory SSL certificates) to the certificate databases of the four connectors and eight directory servers.


Note –

See the Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide for detailed instructions on adding certificates to the certificate databases. The Directory Server and connectors must be restarted after the certificates have been added. Because the Directory Server must also be restarted after the Identity Synchronization for Windows Plugin is installed, it is recommended that you add the CA certificates to the Directory Servers' certificate databases before the Identity Synchronization for Windows Plugin is installed, so that a single restart covers both changes.