Sun ONE logo      Previous      Contents      Index      Next     

Sun ONE Identity Synchronization for Windows Installation and Configuration Guide

Chapter 10
Configuring Security

This chapter contains the following items:

Some of the information in this section is written with an assumption that you are familiar with the basic concepts of public-key cryptography and Secure Sockets Layer (SSL) protocol, and understand the concepts of intranet, extranet, and the Internet security and the role of digital certificates in an enterprise. If you are new to these concepts, please refer to the security-related appendixes of the manual, Managing Servers with iPlanet Console 5.0.

Security Overview

Passwords are sensitive information; therefore, Identity Synchronization for Windows takes security precautions to ensure that user and administrative password credentials used to access the directories being synchronized are not compromised. This section covers the following security methodologies:

This security approach aims to prevent the following events from taking place:

Configuration Password

To protect sensitive information while it is stored in the product’s configuration registry and while it is transferred over the network, Identity Synchronization for Windows uses a configuration password. This configuration password is chosen by the administrator during core installation and is provided whenever the console or installer is run.

Note

The System Manager must access the configuration password before passing it to the connector, therefore it stores it in its initialization file. File system access controls prevent access by non-privileged users to the System Manager’s initialization file. The installer does not enforce any password policy for this password, see Hardening Your Security to increase security when selecting a configuration password.

SSL

Identity Synchronization for Windows can be configured to use LDAP over SSL everywhere that components use LDAP, the one exception to this is the installer. The installer cannot communicate with the Directory Server where the product’s configuration registry is stored, and with the directories being synchronized over SSL. All access to the Sun ONE Message Queue is protected with SSL. SSL is mandatory between the Active Directory connector and Active Directory when synchronizing from the Sun ONE Directory Server to Active Directory.

Note

When the synchronization settings are configured from Sun to Windows SSL is mandatory between the Active Directory connector and Active Directory. During connector installation, in order to search for a CA Certificate to store in the local AD connector certificate database the installer prompts you for Active Directory Credentials, the installer transfers this password in the clear as there is no SSL support in the installer. See the Hardening Your Security to avoid this security risk.

Generated 3DES Keys

A 3DES key generated from the configuration password is used to secure all sensitive information in the product’s configuration registry. With the exception of log messages, all messages to the Message Queue are encrypted with per-topic 3DES keys. Messages sent between connectors and subcomponents are encrypted with per session 3DES keys. The Directory Server (subcomponent) plugin encrypts all user password changes with a 3DES key

SSL & 3DES Keys Protection Summary

The following table summarizes how Identity Synchronization for Windows protects sensitive information that is sent over the network.

Table 10-1  Network Security

Optional LDAP over SSL between?

  • The Directory Server connector and the Directory Server, The Active Directory connector and Active Directory,
  • The Directory Server plugin and Active Directory,
  • The command line interfaces and the product’s configuration registry,
  • The console and the product’s configuration registry,
  • The console and the Active Directory Global Catalog
  • The console and the Active Directory domains or the Directory Servers being synchronized
  • The Sun ONE Message Queue Broker and the product’s configuration registry
  • The connectors, system manager, central logger, command line interface, and console may authenticate over LDAPS the Sun ONE Message Queue

Encrypted with 3DES keys

  • All data between the DS connector and the Directory Server plugin
  • All data between the NT Connector and the NT Password Filter DLL, and the NT Change Detector
  • All sensitive information in the product’s configuration registry.
  • All messages sent between connectors and subcomponents are encrypted with per-session 3DES keys
  • All messages sent over the Message Queue

Figure 10-1 contains an overview of the security features discussed in this section.

Figure 10-1  Identity Synchronization for Windows Security Overview

Physical deployment of Identity Synchronization for Windows Components

Sun ONE Message Queue Access Controls

Identity Synchronization for Windows uses Sun ONE Message Queue’s access control to prevent unauthorized access to message subscription and publishing, allowing each connector to trust messages that it receives.

Unique username and passwords only known to Sun ONE Message Queue and to the connector are provided to access the Sun ONE Message Queue broker. Each message sent over the Sun ONE MQ is encrypted with a per topic 3DES key, which protects the message contents and prevents outsiders who do not know the topic key from sending meaningful messages. These measures prevent (a) an attacker from sending falsified password synchronization messages to connectors and (b) an attacker from impersonating a connector and receiving actual password updates.

Note

By default clients of the Message Queue, such as the connectors and system manager, accept any SSL certificate that the Sun ONE Message Queue broker returns. See Hardening your Security for more information to enhance Message Queue certificate validation and other Message Queue-related security issues.

Directory Credentials

Privileged credentials are required by the connectors to change passwords in Active Directory and the Directory Servers being synchronized. These privileged credentials are encrypted before they are stored in the product’s configuration registry.

Persistent Storage Protection Summary

The following tables summarize how Identity Synchronization for Windows protects sensitive information that is stored on disk.

Table 10-2  Persistent Storage Protection

Persistent Storage

Confidential Information

Protection

Product’s configuration registry stored in a Directory Server

Credentials for accessing the directories and per Sun ONE Message Queue topic 3DES keys are stored in the product’s configuration registry.

All sensitive information stored in the product’s configuration registry is encrypted with a 3DES key that is generated from the configuration password. See Hardening your Security for recommendations to further protect the product’s configuration registry.

Directory Server Retro Changelog

The Directory Server (subcomponent) plugin captures password changes and writes them to the Directory Server Retro Changelog.

The Directory Server (subcomponent) plugin encrypts all user password changes with a 3DES key per deployment.

Message Queue Broker Persistent Storage

The Message Queue Broker stores password synchronization messages sent between all connectors.

With the exception of log messages, all persisted messages are encrypted with per-topic 3DES keys.

Message Queue Broker Directory Credentials

The Message Queue Broker authenticates users against the product’s configuration registry. It connects to the configuration registry using the directory administrative user name and password provided during core installation.

The directory password is stored in a passfile, which is protected with file system access controls.

System Manager Boot File

The system manager’s boot file contains information for accessing the configuration. This includes the configuration password and the directory administrative user name and password provided during core installation.

This file is protected with file system access controls.

Connectors and Central Logger Boot Files

Each connector as well as the central logger have an initial configuration file with credentials for accessing the Sun ONE Message Queue.

These files are protected with file system access controls.

Directory Server (subcomponent) plugin Boot Configuration

The plugin’s configuration, stored under cn=config, includes credentials for connecting to the connector.

The cn=config subtree is protected with ACI’s and the dse.ldif file, which mirrors this tree, is protected with file system access controls.

NT Password Filter DLL and NT Change Detector Boot Configuration

The NT subcomponent’s configuration, which is stored in the Windows registry, includes credentials for connecting to the connector.

If access to the PDC’s registry is not secure, these registry keys can be protected with access controls.

Windows connector’s object cache

Windows connectors store hashed user passwords in the connector’s object cache.

The passwords are not stored in the clear but encrypted with MD5 hashes (See Hardening you Security)

Note

Active Directory and NT connectors object cache file permissions, which store unsalted MD5 hashes of user passwords, are set by default to 744. See Hardening your Security for more information to protect these stores from intruders.

Hardening your Security

This section depicts potential security weaknesses in the current release of the product and recommendations as to how to extend and harden security outside the product’s default configuration. It includes the following:

Configuration Password

The configuration password is used to protect sensitive configuration information but the installer does not enforce any password policy for this password; make sure that this password follows some strict guidelines choose a complex password that is not easily guessed and follow standard policy guidelines for strong passwords.

For example, it should be at least eight characters long, include upper case letters, lower case letters, and non-alphanumeric characters. It should not include your name, initials, or dates.

Active Directory Credentials during Installation

When the synchronization settings are configured from Sun to Windows SSL is mandatory between the Active Directory connector and Active Directory. During installation of the Active Directory Connector, in order to search for a CA Certificate, (this certificate is eventually stored in the local AD connector certificate database) the installer prompts you for Active Directory Credentials. Please note that while the installer provides “Administrator” as the default user in the installation panel, Administrator rights are not required to retrieve the certificate.

The installer cannot communicate with Active Directory over SSL. Therefore these Active Directory credentials, although not required to be administrative are transferred over the network in the clear.

Consequently, one of the following might be desirable,

Directory Server Administrative Credentials During Installation

The installer prompts you for administrative credentials for the Directory Server being synchronized when,

The installer cannot communicate with the Directory Sever over SSL; therefore, these credentials are transferred in the clear.

This is not an issue when installing the Directory Server (subcomponent) plugin as the installer must be run in the same machine where the Directory Server being synchronized is located; however, this is an issue when installing the Directory Server Connector as it does not need to be installed in the same machine as the Directory Server being synchronized. In the latter case one of the following might be desirable,

Directory Server User Credentials During Installation

When installing the Directory Server Connector the installer generates a Connector User password and is transferred to the Directory Server over the network in the clear.

Product’s Configuration Registry Credentials During Installation

Every time you run the installer it prompts you for the Directory Server location and credentials where the product’s configuration registry is stored. The installer cannot communicate with this Directory Server over SSL; therefore these credentials, which must be in the group Configuration Administrators (i.e.: admin), are not transferred over the network in the clear.

This is not an issue if core or any other component are installed on the same machine as the Directory Server used to store the products configuration registry.

Creating New product’s Configuration Registry Credentials

Credentials to access the Directory Server where the product’s configuration registry resides must be in the group Configuration Administrators. You might have a reason to create new credentials other than Admin, if so consider the following:

Message Queue Client Certificate Validation

By default clients of the Message Queue, such as the connectors and system manager, accept any SSL certificate that the Sun ONE Message Queue broker returns.

  1. To override this setting and force Message Queue clients to validate the Message Queue Broker’s certificate, edit:

    2. <installation-root>/isw-<hostname>/resources/WatchList.properties,

  2. Add the following to the JVM arguments of each process:

    3. -Djavax.net.ssl.trustStore=<keystore path> -DimqSSLIsHostTrusted=false

  3. Restart the Identity Synchronization daemon or service.

The javax.net.ssl.trustStore property should point to a JSEE keystore that trusts the broker certificate, for example, /etc/imq/keystore can be used on the machine where core was installed because this is the same keystore used by the broker.

Message Queue Self-signed SSL certificate

By default the Sun ONE Message Queue broker uses a self-signed SSL certificate.

To install a different certificate, use the keytool utility that ships with Java to modify the broker’s keystore (/etc/imq/keystore on Solaris and <installation-root>/isw-<host name>/imq/etc/keystore on Windows 2000). The alias of the certificate must be imq.

Access to the Message Queue Broker

By default the Sun ONE Message Queue uses dynamic ports for all services except for its port mapper. To access the broker trough a firewall or restrict the set of hosts that can connect to the broker, the broker should use fixed ports for all services.

This can be achieved by setting the imq.<service_name>.<protocol_type>.port broker configuration properties. Refer to the Sun ONE Message Queue Administrator’s Guide for details.

Product’s Configuration Registry Certificate Validation

The system manager accepts any certificate when connecting to the product’s configuration registry over SSL; the Message Queue Broker accepts any certificate when connecting to the product’s configuration registry over SSL. Currently, there is no way to make either the system manager or the Message Queue Broker validate the product’s configuration registry SSL certificates.

User Passwords in the Windows connector’s Object Cache

Active Directory and NT connectors store unsalted MD5 hashes of user passwords in the connector’s object cache. In order to ensure maximum protection we recommend that you override default permissions of persist/ADP[nnn]/oc:

Restricting Access to the Product’s Configuration Registry

When core is installed, the process of adding information to the Directory Server where the product’s configuration registry is stored does not include adding any access control information. To restrict access to only Configuration Administrators, the following ACI can be used:

(targetattr = "*") (target = "ldap:///ou=IdentitySynchronization,ou=Services,dc=example,dc=com") (version 3.0;acl "Test";deny (all)(groupdn != "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)

Documentation on managing access controls in the Sun ONE Directory Server can be found in the Directory Server 5.2 Administrator’s Guide Chapter 6 Managing Access Control.

Securing Replicated Configurations

Deployments connecting to Directory Servers using replication follow the same rules identified in Security Overview. This section gives an example replicated configuration and explains how to enable use of SSL in this configuration.

Note

For an overview of planning, deploying, and securing replicated configurations see Installation Notes for Replicated Environments.

Table 10-3 lists the configuration components requiring CA certificates and identifies which certificates are required where.

Table 10-3  

Component

Required CA certificates

Preferred Directory Server Replicated master

Active Directory system

Secondary Directory Server Replicated master

Active Directory system

Read-only Directory Server hub(s)

Preferred Directory Server replicated master

Secondary Directory Server Replicated master

Directory Server connector

Preferred Directory Server replicated master

Secondary Directory Server Replicated master

Active Directory connector

Active Directory system

MMR Configuration Components Requiring CA Certificates

Figure 10-2 shows Identity Synchronization for Windows installed in an MMR configuration. There are two replicated Directory Server masters with multiple Directory Server read-only hubs or consumers. Each Directory Server has its own plugin and there is only one Directory Server connector. There is one Active Directory system and one Active Directory connector.

Note

When the Directory Server source is configured for SSL, you must make sure that both the preferred and secondary Directory Server certificates are trusted by the replica Directory Server.This is true for every Directory Server plugin of type other that you install on a system with a Directory Server hub or read-only replica.

Directory Server Plugin has access to the same CA certificates as its associated Directory server.

Figure 10-2  

Replicated deployment of Identity Synchronization for Windows Components

Replicated Configuration

Using idsync certinfo

Use the idsync certinfo utility to determine what certificates are required based on the current Identity Synchronization for Windows SSL settings. Execute idsync certinfo to retrieve information about what certificates are required in each certificate database.

Note

You must be sure that when you are configuring the Directory Server source for SSL, both the preferred and secondary Directory Server source certificates are trusted by the replica Directory Server for all Directory subcomponents or plugins.

Arguments

idsync certinfo accepts the following arguments:

Argument

Description

-h

Configuration registry hostname

-p

Configuration registry LDAP port number

-D

Configuration registry bind DN

-w

Configuration registry bind password

-s

Configuration registry rootsuffix. A rootsuffix is a distinguished name such as dc=example,dc=com.

-q

Configuration password

Usage

The following example uses idsync certinfo to search for system components designated to run under SSL communications. The results of this example identifies two connectors (CNN101 and CNN100) and provides instructions as to where to import the appropriate CA certificate.

C:\Program Files\Sun\MPS\isw-hostname\bin> idsync certinfo -h hostname -p 388 -D "cn=Directory Manager" -w dirmanager -s dc=example,dc=com -q <password>

Connector: CNN101

Certificate Database Location: C:\Program Files\Sun\MPS\isw-hostname\etc\CNN101
Certificate Database Password: LTD8a4kfXtMe95CX
Connector Server Certificate Name:
Get ’Active Directory CA’ certificate from Active Directory and import into Active Directory Connector certificate db for server ldaps:://hostname.example.com:636

Connector: CNN100

Certificate Database Location: C:\Program Files\Sun\MPS\isw-hostname\etc\CNN100
Certificate Database Password: d1JESIKFRfriCFnq
Connector Server Certificate Name: server-cert100
Export ’Directory Server CA’ certificate from Directory Server certificate db and import into Directory Server Connector certificate db ldaps://hostname.example.com:636
Export ’Active Directory CA’ certificate from Active Directory Server hostname.example.sun.com:389 and import into Directory Server Server certificate db for server ldaps://hostname.example.com:638

SUCCESS

Note

Use the certutil version bundled with Directory Server 5.2. Later versions of certutil are incompatible with Identity Synchronization for Windows.

Enabling SSL in Directory Server

Follow these steps to enable SSL in a Directory Server.

Note

These abbreviated procedures are for your convenience. Refer to the Directory Server 5.2 Administrator’s Guide for more information.

Note

While certutil is provided with the Directory Server in most cases, it is not included in the version of the Directory Server installed from Solaris packages. Therefore, if someone has installed their server using Solaris packages rather than the zip installation, they will need to get download the Directory Server Resource Kit (DSRK), which does contain certutil and other utilities for interacting with NSS certificate databases.

Use the certutil version bundled with Directory Server 5.2. Later versions of certutil are incompatible with Identity Synchronization for Windows.

  1. Create a new key certificate database for the Directory Server by entering:

    2. C:\Program Files\Sun\MPS\shared\bin\certutil.exe -N -d . -P slapd-hostname

    In order to finish creating your database, you
    must enter a password which will be used to
    encrypt this key and any future keys.
    The password must be at least 8 characters long,
    and must contain at least one non-alphabetic character.
    Enter new password:
    Re-enter password:

    Note

    These examples are run in the alias directory immediately below the server root. Otherwise, the Directory Server will not be able to find the certificate database.

  2. Generate a self-signed certificate - this will be the server certificate used by the Directory Server. Make sure you choose the subject DN according to the hostname of the server where the Directory Server is running.

    3. Note

    By default, a self-signed certificate is valid for three months. If you want to increase or decrease this time period, use the -v <months-valid> option. For example, to increase the time period to 24 months, enter -v 21 or to decrease the time period to one month, enter -v -2.

    C:\Program Files\Sun\MPS\shared\bin\certutil.exe -d . -P slapd-hostname -S -n server-cert -s "cn=hostname.example.com,c=us" -x -t CTu,,

    A random seed must be generated that will be used in the
    creation of your key. One of the easiest ways to create a
    random seed is to use the timing of keystrokes on a keyboard.
    To begin, type keys on the keyboard until this progress meter
    is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
    Continue typing until the progress meter is full:
    |************************************************************|
    Finished. Press enter to continue:
    Enter Password or Pin for "NSS Certificate DB":
    Generating key. This may take a few moments...

  3. Display the certificates for checking purposes.

    4. C:\Program Files\Sun\MPS\shared\bin\certutil.exe -L -d . -P slapd-hostname

    Certificate Name               Trust Attributes

    server-cert               CTu,,

    p Valid peer
    P Trusted peer (implies p)
    c Valid CA
    T Trusted CA to issue client certs (implies c)
    C Trusted CA to certs(only server certs for ssl) (implies c)
    u User cert
    w Send warning

  4. Create a PIN file, so that certificate database password does not have to be entered each time the Directory Server is restarted.

    5. C:\Program Files\Sun\MPS\alias > echo Internal (Software) Token:secret12 > slapd-hostname-pin.txt

  5. Enable SSL in the Directory Server:
    1. Open the console.
    2. Select the Configuration tab.
    3. Select the Encryption tab (on the right pane).
    4. Check Enable SSL for this server.
    5. Check Use this cipher family: RSA.
    6. Click on save and on OK twice.
    7. Select the Network tab.
    8. Update the Secure Port field. If running on the same machine as Active Directory, the port must be changed from 636 to an unused port or the Directory Server will not start.
    9. Click on Save, then yes, then OK.
    10. Select the Tasks tab (on the top).
    11. Click on Restart Directory Server, then click on yes.

Retrieving the CA Certificate from the Directory Server Certificate Database

Ensure that you have enabled SSL in the Directory Server. To export the Directory Server certificate to a temporary file so that you can import it into the certificate database of the Directory Server connector, issue the following command:

C:\Program Files\Sun\Sun\MPS\shared\bin\certutil.exe -L -d . -P slapd-hostname -n server-cert -a > C:\s-cert.txt

These examples are run in the alias directory immediately below the server root. Otherwise, the Directory Server will not be able to find the certificate database.

Enabling SSL in the Active Directory Connector

Enabling SSL in the Active Directory takes several steps:

Retrieving the Active Directory CA Certificate

Note

The Active Directory CA certificate can be retrieved in two ways:

Retrieving the Active Directory CA Certificate using certutil

From the Active Directory machine run the following command to export the certificate. Note that certutil is a program that ships with Windows 2000.

C:\>certutil -ca.cert cacert.bin

The cacert.bin file can then be imported into a certificate database.

Retrieving the Active Directory CA Certificate over LDAP

  1. Execute the following search against Active Directory

    2. ldapsearch -h hostname -D administrator DN -w administrator password -b "cn=configuration,dc=put,dc=your,dc=domain,dc=here" "cacertificate=*"

  1. Open up a text editor and cut out the first value of the first CA certificate attribute (it should be a BASE-64 encoded text block). Paste those lines into the text editor (only the value). Edit the contents, so that none of the lines start with white space.
  2. Add -----BEGIN CERTIFICATE----- before the first line and -----END CERTIFICATE----- after the last line. So, in the end you should have something like this:

    3. -----BEGIN CERTIFICATE-----

    MIIDvjCCA2igAwIBAgIQDgoyk+Tu14NGoQnxhmNHLjANBgkqhkiG9w0BAQUFA DCBjjEeMBwGCSqGSIb3DQEJARYPYmVydG9sZEBzdW4uY29tMQswCQYDVQQGEwJVUzELMAkGA1UEC BMCVFgxDzANBgNVBAcTBkF1c3RpbjEZMBcGA1UEChMQU3VuIE1pY3Jvc3lzdGVtczEQMA4GA1UEC xMHaVBsYW5ldDEUMBIGA1UEAxMLUmVzdGF1cmFudHMwHhcNMDIwMTExMDA1NDA5WhcNMTIwMTExM DA1OTQ2WjCBjjEeMBwGCSqGSIb3DQEJARYPYmVydG9sZEBzdW4uY29tMQswCQYDVQQGEwJVUzELM AkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEZMBcGA1UEChMQU3VuIE1pY3Jvc3lzdGVtczEQM A4GA1UECxMHaVBsYW5ldDEUMBIGA1UEAxMLUmVzdGF1cmFudHMwXDANBgkqhkiG9w0BAQEFAANLA DBIAkEAyekZa8gwwhw3rLK3eV/12St1DVUsg31LOu3CnB8cMHQZXlgiUgtQ0hm2kpZ4nEhwCAHhF LD3iIhIP4BGWQFjcwIDAQABo4IBnjCCAZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDA gFGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJ5Bgt6Oypq7T8Oykw4LH6ws2d/IMIIBMgYDV R0fBIIBKTCCASUwgdOggdCggc2GgcpsZGFwOi8vL0NOPVJlc3RhdXJhbnRzLENOPWRvd2l0Y2hlc ixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlnd XJhdGlvbixEQz1yZXN0YXVyYW50cyxEQz1jZW50cmFsLERDPXN1bixEQz1jb20/Y2VydGlmaWNhd GVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdGNsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50ME2gS 6BJhkdodHRwOi8vZG93aXRjaGVyLnJlc3RhdXJhbnRzLmNlbnRyYWwuc3VuLmNvbS9DZXJ0RW5yb 2xsL1Jlc3RhdXJhbnRzLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBAL5R9 R+ONDdVHWu/5Sd9Tn9dpxN8oegjS88ztv1HD6XSTDzGTuaaVebSZV3I+ghSInsgQbH0gW4fGRwaI BvePI4=
    -----END CERTIFICATE-----

  3. Save this into a file, e.g. ad-cert.txt.

    4. The ad-cert.txt file can then be imported into a certificate database.

Adding the Active Directory Certificate to the Connector’s Certificate Database

These steps only need to be followed if SSL is enabled for the Active Directory connector after the connector was installed or if invalid credentials were provided during installation.

  1. On the machine where the Active Directory connector is installed, stop the Identity Synchronization for Windows service/daemon.
  2. Retrieve the Active Directory CA certificate and save it to a file called cacert.bin.

    3. Note

    This procedure assumes that the CA certificate was obtained using the Active Directory certutil tool (see Retrieving the Active Directory CA Certificate using certutil) and will not work if it was obtained over LDAP in ASCII form.

  3. Assuming the Active Directory connector has connector ID CNN101 (see logs/central/error.log for a mapping from connector ID to the directory source it manages), go to its certificate database directory on the machine where it was installed, and import the cacert.bin file:

    4. C:\\Program Files\Sun\Sun\MPS\isw-hostname\shared\bin\certutil.exe -A -d . -n ad-ca-cert -t C,, -i \cacert.bin

    Note

    If the certificate was obtained in ASCII form over LDAP, then you should add a “-a” argument to the certutil command line to indicate that it is in ASCII form rather than binary.

  4. Restart the Identity Synchronization for Windows service/daemon.

    5. Note

    Because the certutil.exe is installed automatically when you install Directory Server 5.2, you will not be able to add a CA certificate to a connector when the connector is installed on another host.

    At a minimum, you must install the Sun ONE Server Basic Libraries and Sun ONE Server Basic System Libraries from the Directory Server 5.2 package on the server where the Active Directory connector is installed. (You do not have to install the Administration Server or Directory Server components.)

    In addition, be sure to select the JRE subcomponent from the console (to ensure your ability to uninstall).

Adding the Active Directory Certificate to the Directory Server

Follow these steps to add the Active Directory CA certificate to the Directory Server certificate database.

Note

Make sure that you have enabled SSL in the Directory Server.

  1. Retrieve the Active Directory CA certificate and save it to a file called cacert.bin.
  2. Stop the Directory Server.
  3. On the machine where Directory Server is installed, import the Active Directory CA certificate:

    4. C:\Program Files\Sun\MPS\shared\bin\certutil.exe -A -d . -P slapd-hostname- -n ad-ca-cert -t C,, -i cacert.bin

    Note

    If the certificate was obtained in ASCII form over LDAP, then you should add a “-a” argument to the certutil command line to indicate that it is in ASCII form rather than binary.

  4. Start the Directory Server.

Adding the Directory Server Certificate to the Directory Server Connector

  1. On the machine where the Directory Server connector is installed, stop the Identity Synchronization for Windows service/daemon.
  2. Retrieve the Directory Server CA certificate.
  3. Assuming the Directory Server connector has connector ID CNN100 (see logs/example/error.log for a mapping from connector ID to the directory source it manages), go to its certificate database directory on the machine where it was installed, and import the cacert.bin file:

    4. C:\Program Files\Sun\MPS\shared\bin\certutil.exe -A -d . -n ds-cert -t C,, -i C:\s-cert.txt

    Note

    If the certificate was obtained in ASCII form over LDAP, then you should add a “-a” argument to the certutil command line to indicate that it is in ASCII form rather than binary.

  4. Restart the Identity Synchronization for Windows service/daemon.


Previous      Contents      Index      Next     

Copyright 2003 Sun Microsystems, Inc. All rights reserved.