JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

Part I Installing Identity Synchronization for Windows

1.  Understanding the Product

2.  Preparing for Installation

3.  Installing Core

4.  Configuring Core Resources

5.  Installing Connectors

6.  Synchronizing Existing Users and User Groups

7.  Removing the Software

8.  Configuring Security

Security Overview

Specifying a Configuration Password

Using SSL

Requiring Trusted SSL Certificates

Generated 3DES Keys

SSL and 3DES Keys Protection Summary

Message Queue Access Controls

Directory Credentials

Persistent Storage Protection Summary

Hardening Your Security

Configuration Password

Creating Configuration Directory Credentials

To Create a New User Other Than admin

Message Queue Client Certificate Validation

To Validate the Message Queue Client Certificate

Message Queue Self-Signed SSL Certificate

Access to the Message Queue Broker

Configuration Directory Certificate Validation

Restricting Access to the Configuration Directory

Securing Replicated Configurations

Using idsync certinfo

Arguments

Usage

Enabling SSL in Directory Server

To Enable SSL in Directory Server

Retrieving the CA Certificate from the Directory Server Certificate Database

Retrieving the CA Certificate from the Directory Server (using dsadm command on Solaris platform)

Enabling SSL in the Active Directory Connector

Retrieving an Active Directory Certificate

Using Window's Certutil

Using LDAP

Adding Active Directory Certificates to the Connector's Certificate Database

To Add Active Directory Certificate to the Connector's Certificate Database

Adding Active Directory Certificates to Directory Server

To Add the Active Directory CA certificate to the Directory Server Certificate Database

Adding Directory Server Certificates to the Directory Server Connector

To Add the Directory Server Certificates to the Directory Server Connector

9.  Understanding Audit and Error Files

Part II Identity Synchronization for Windows Appendixes

A.  Using the Identity Synchronization for Windows Command Line Utilities

B.  Identity Synchronization for Windows LinkUsers XML Document Sample

C.  Running Identity Synchronization for Windows Services as Non-Root on Solaris

D.  Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows

E.  Identity Synchronization for Windows Installation Notes for Replicated Environments

Index

Enabling SSL in the Active Directory Connector

Identity Synchronization for Windows automatically retrieves Active Directory SSL certificates over SSL and imports them into the Connector’s certificate database using the same credentials you provided for the Connector.

However; if an error occurs (for example, invalid credentials or no SSL certificates were found), you can retrieve an Active Directory CA certificate and add it to the Connector certificate database. See the following sections for instructions:

Retrieving an Active Directory Certificate

If an error occurs, you can use certutil (a program that ships with Windows 2000/2003) or LDAP to retrieve an Active Directory certificate, as described in the following sections.

Note - The certutil command discussed in this section is not the same as the certutil command that ships with the Directory Server and discussed previously in this publication.

Using Window’s Certutil

To Retrieve an Active Directory Certificate Using the certutil program

  1. Run the following command from the Active Directory machine to export the certificate.
    C:\>certutil -ca.cert cacert.bin
  2. You can then import thecacert.bin file into a certificate database.

Using LDAP

To Retrieve an Active Directory Certificate using LDAP

  1. Execute the following search against Active Directory:
    ldapsearch -h CR-hostname -D administrator_DN -w administrator_password 
-b "cn=configuration,dc=put,dc=your,dc=domain,dc=here" "cacertificate=*"

    Where the administrator_DN might look like:

    cn=administrator,cn=users,dc=put,dc=your,dc=domain,dc=here

    In this example, the domain name is: put.your.domain.name.here.

    Several entries will match the search filter. You probably need the entry using cn=Certification Authorities, cn=Public Key Services in its DN.

  2. Open a text editor and cut the first value of the first CA certificate attribute (it should be a base64 encoded text block). Paste that value (text block) into the text editor (only the value). Edit the contents, so that none of the lines start with white space.
  3. Add-----BEGIN CERTIFICATE----- before the first line and -----END CERTIFICATE----- after the last line. See the following example:
    -----BEGIN CERTIFICATE-----
MIIDvjCCA2igAwIBAgIQDgoyk+Tu14NGoQnxhmNHLjANBgk
qhkiG9w0BAQUFADCBjjEeMBwGCSqGSIb3DQEJARYPYmVydG
9sZEBzdW4uY29tMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV
FgxDzANBgNVBAcTBkF1c3RpbjEZMBcGA1UEChMQU3VuIE1p
Y3Jvc3lzdGVtczEQMA4GA1UECxMHaVBsYW5ldDEUMBIGA1U
EAxMLUmVzdGF1cmFudHMwHhcNMDIwMTExMDA1NDA5WhcNMT
IwMTExMDA1OTQ2WjCBjjEeMBwGCSqGSIb3DQEJARYPYmVyd
G9sZEBzdW4uY29tMQswCQYDVQQGEwJVUELMAkGA1UECBMCV
FgxDzANBgNVBAcTBkF1c3RpbjEZMBcGA1UEChMQU3VuIE1p
Y3Jvc3lzdGVtczEQMA4GA1UECxMHaVBsYW5ldDEUMBIGA1U
EAxMLUmVzdGF1cmFudHMwXDANBgkqhkiG9w0BAQEFAANLAD
BIAkEAyekZa8gwwhw3rLK3eV/12St1DVUsg31LOu3CnB8cM
HQZXlgiUgtQ0hm2kpZ4nEhwCAHhFLD3iIhIP4BGWQFjcwID
AQABo4IBnjCCAZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwY
DVR0PBAQDAgFGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBB
YEFJ5Bgt6Oypq7T8Oykw4LH6ws2d/IMIIBMgYDVR0fBIIBK
TCCASUwgdOggdCggc2GgcpsZGFwOi8vL0NOPVJlc3RhdXJh
bnRzLENOPWRvd2l0Y2hlcixDTj1DRFAsQ049UHVibGljJTI
wS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZm
lndXJhdGlvbixEQz1yZXN0YXVyYW50cyxEQz1jZW50cmFsL
RPXN1bixEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9u
TGlzdD9iYXNlP29iamVjdGNsYXNzPWNSTERpc3RyaWJ1dGl
vblBvaW50ME2gS6BJhkdodHRwOi8vZG93aXRjaGVyLnJlc3
RhdXJhbnRzLmNlbnRyYWwuc3VuLmNvbS9DZXJ0RW5yb2xsL
1Jlc3RhdXJhbnRzLmNybDAQBgkrBgEEAYI3FQEEAwIBADAN
BgkqhkiG9w0BAQUFAANBAL5R9R+ONDdVHWu/5Sd9Tn9dpxN
8oegjS88ztv1HD6XSTDzGTuaaVebSZV3I+ghSInsgQbH0gW
4fGRwaI BvePI4=
-----END CERTIFICATE-----
  4. Save the certificate into a file (such as ad-cert.txt).
  5. You can then import that file (for example, ad-cert.txt) into a certificate database. Continue to the next section, Adding Active Directory Certificates to the Connector's Certificate Database

Adding Active Directory Certificates to the Connector’s Certificate Database

Use this procedure only if you enabled SSL for the Active Directory Connector after installing the Connector or if invalid credentials were provided during installation.

To Add Active Directory Certificate to the Connector's Certificate Database

  1. On the machine where the Active Directory Connector is installed, stop the Identity Synchronization for Windows service/daemon.
  2. Retrieve the Active Directory CA certificate using one of the following methods:
  3. Assuming the Active Directory Connector has connector ID CNN101 (see logs/central/ error.log for a mapping from connector ID to the directory source it manages), go to its certificate database directory on the machine where it was installed, and import the certificate file:

    • If the certificate was retrieved using certutil, type:

      <ISW-server-root>\shared\bin\certutil.exe -A -d . -n ad-ca-cert -t C,, -i \cacert.bin

    • If the certificate was retrieved using LDAP, type:

      <ISW-server-root>\shared\bin\certutil.exe -A -d . -n ad-ca-cert \
-t C,, -a -i \ad-cert.txt

      ISW-server-root is the path where ISW-hostname directory is present

    On Solaris, the certificate can be imported using the dsadm command in the following manner:

    /opt/SUNWdsee/ds6/bin/dsadm add-cert -C <DS-server-root>/slapd-<hostname>/ ad-ca-cert cacert.bin

    where ad-ca-cert is the name of the certificate assigned after the import and cacert.bin is the certificate about to be imported

  4. Restart the Identity Synchronization for Windows service/daemon.

    Note - Because the Directory Server certutil.exe is installed automatically when you install Directory Server, you will not be able to add a CA certificate to a connector installed on a machine with no Directory Server.

    At a minimum, you must install the Sun Java System Server Basic Libraries and Sun Java System Server Basic System Libraries from the Directory Server package on the server where the Active Directory Connector is installed. (You do not have to install the Administration Server or Directory Server components.)

    In addition, be sure to select the JRE subcomponent from the Console (to ensure your ability to uninstall).

Copyright © 2009, 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next