Global Telco requires that all network traffic be encrypted, so SSL with trusted certificates is used for all LDAP connections. This setup includes connections between the following:
Directory Server Connector and the preferred and secondary directory server masters.
Active Directory Connector and the Active Directory domain controller.
Preferred and secondary directory server masters, and the Active Directory domain controllers for on-demand password synchronization.
All other masters and read-only replicas and the preferred and secondary directory server masters for on-demand password synchronization.
Companies typically use only a few Certificate Authorities (CA) to sign certificates, so the simplest approach to setting up SSL for Identity Synchronization for Windows is to add all CA certificates to every component’s certificate database. Global Telco uses two Certificate Authorities: one to sign their Directory Server certificates and one to sign their Active Directory certificates. Both these CA certificates are added to the certificate database of each connector and each directory server instance.
The idsync certinfo command displays the steps for configuring SSL for Identity Synchronization for Windows components, based on the current configuration. It does not have access to each component’s certificate database, so it cannot determine if the steps have already been followed.
The output of this command is shown for the primary installation below. The output for the failover installation is identical except that the roles of the US and European machines are reversed.
bash-2.05# /opt/SUNWisw/bin/idsync certinfo -q <omitted password> -w <omitted password>

Connector: CNN100
Installation Host: connectors-us
Installation Path: /opt
Certificate Database Location: /var/opt/SUNWisw/etc/CNN100

**The Directory Server Connector's certificate database must contain the CA certificate used to sign Directory Server's SSL certificate. If this certificate has not already been added to the connector's certificate database, please export the CA certificate and import into Directory Server Connector certificate database for server ldaps://master1-us.gt.com:636.

**The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad1-us.gt.com:636 and import into Directory Server certificate database for server ldaps://master1-us.gt.com:636.

**The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad2-us.gt.com:636 and import into Directory Server certificate database for server ldaps://master1-us.gt.com:636.

**The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad3-eu.gt.com:636 and import into Directory Server certificate database for server ldaps://master1-us.gt.com:636.

**The Directory Server Connector's certificate database must contain the CA certificate used to sign the Directory Server's SSL certificate. If this certificate has not already been added to the connector's certificate database, please export the CA certificate and import into Directory Server Connector certificate database for server ldaps://master2-us.gt.com:636.

**The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad1-us.gt.com:636 and import into Directory Server certificate database for server ldaps://master2-us.gt.com:636.

**The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad2-us.gt.com:636 and import into Directory Server certificate database for server ldaps://master2-us.gt.com:636.

**The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad4-eu.gt.com:636 and import into Directory Server certificate database for server ldaps://master1-us.gt.com:636.

**The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad3-eu.gt.com:636 and import into Directory Server certificate database for server ldaps://master2-us.gt.com:636.

**The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad4-eu.gt.com:636 and import into Directory Server certificate database for server ldaps://master2-us.gt.com:636.

Connector: CNN101
Installation Host: connectors-us
Installation Path: /opt
Certificate Database Location: /var/opt/SUNWisw/etc/CNN101

**The Active Directory Connector's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Active Directory Connector certificate database, please export the CA certificate from the Active Directory and import into Active Directory Connector's certificate database for server ldaps://ad1-us.gt.com:636.

**The Active Directory Connector's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Active Directory Connector certificate database, please export the CA certificate from the Active Directory and import into Active Directory Connector's certificate database for server ldaps://ad2-us.gt.com:636.

**The Active Directory Connector's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Active Directory Connector certificate database, please export the CA certificate from the Active Directory and import into Active Directory Connector's certificate database for server ldaps://ad3-eu.gt.com:636.

**The Active Directory Connector's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Active Directory Connector certificate database, please export the CA certificate from the Active Directory and import into Active Directory Connector's certificate database for server ldaps://ad4-eu.gt.com:636.

SUCCESS
Table 3–1 summarizes SSL communication between components in this installation, including trust requirements for the primary and failover installations.
Table 3–1 SSL Communication between Components
In this installation, Global Telco adds both CA certificates to the certificate databases of the four connectors and eight directory servers.
See the Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide for detailed instructions on adding certificates to the certificate databases. The Directory Server and connectors must be restarted after the certificates have been added. The Directory Server must also be restarted after the Identity Synchronization for Windows Plugin is installed; therefore, it is recommended that you add the CA certificates to the Directory Servers' certificate databases before the Identity Synchronization for Windows Plugin is installed, so that a single restart covers both changes.
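The following script is an added example and is not part of the Identity Synchronization for Windows documentation or product. It carries out the approach described above (both CA certificates into every connector and Directory Server certificate database) with the NSS certutil tool, and then checks that each LDAPS endpoint listed in the certinfo output presents a certificate chain that verifies against the CA it is supposed to be signed by. The connector database locations and the host names come from the certinfo output; the CA file paths, the Directory Server instance alias directories, the "slapd-" NSS file prefix and the certificate nicknames are assumptions constructed for this example, and the DSEE 6.3 Installation Guide remains the authority for real Directory Server instances.

```shell
#!/bin/sh
# Added example (not from the ISW documentation): import Global Telco's two CA
# certificates into every connector and Directory Server NSS certificate
# database, then verify each LDAPS endpoint against the expected CA.
#
# Usage: sh add-ca-certs.sh plan    (print the commands that would run)
#        sh add-ca-certs.sh apply   (run them; requires certutil and openssl)

DS_CA=${DS_CA:-/tmp/ds-ca.crt}   # assumed path: CA that signed the Directory Server certs
AD_CA=${AD_CA:-/tmp/ad-ca.crt}   # assumed path: CA that signed the Active Directory certs
DRY_RUN=${DRY_RUN:-0}

# Connector certificate databases, as printed by "idsync certinfo" above.
CONNECTOR_DBS="/var/opt/SUNWisw/etc/CNN100 /var/opt/SUNWisw/etc/CNN101"
# Directory Server NSS databases: constructed instance paths; the files are
# assumed to be named slapd-cert8.db / slapd-key3.db, hence the prefix.
DS_ALIAS_DIRS="/var/opt/SUNWdsee/master1/alias /var/opt/SUNWdsee/master2/alias"
DS_PREFIX="slapd-"

# LDAPS endpoints from the certinfo output, grouped by the CA that signed them.
DS_ENDPOINTS="master1-us.gt.com:636 master2-us.gt.com:636"
AD_ENDPOINTS="ad1-us.gt.com:636 ad2-us.gt.com:636 ad3-eu.gt.com:636 ad4-eu.gt.com:636"

# Print the command in plan mode, execute it in apply mode.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# import_ca DBDIR PREFIX NICKNAME CERTFILE
# Trust flags "CT,," mark the certificate as a trusted CA for SSL server and
# client authentication only; no e-mail or object-signing trust is granted.
import_ca() {
  if [ -n "$2" ]; then
    run certutil -A -d "$1" -P "$2" -n "$3" -t "CT,," -i "$4"
  else
    run certutil -A -d "$1" -n "$3" -t "CT,," -i "$4"
  fi
}

# Both CA certificates go into every database, as the deployment text describes.
import_all() {
  for db in $CONNECTOR_DBS; do
    import_ca "$db" "" "GT-DS-CA" "$DS_CA"
    import_ca "$db" "" "GT-AD-CA" "$AD_CA"
  done
  for dir in $DS_ALIAS_DIRS; do
    import_ca "$dir" "$DS_PREFIX" "GT-DS-CA" "$DS_CA"
    import_ca "$dir" "$DS_PREFIX" "GT-AD-CA" "$AD_CA"
  done
}

# check_endpoint HOST:PORT CAFILE
# Exits non-zero unless the server's chain verifies against CAFILE; a failure
# means the wrong CA was exported or the server is not presenting its CA-signed
# certificate, which is exactly what would make the connector's SSL bind fail.
check_endpoint() {
  run openssl s_client -connect "$1" -CAfile "$2" -verify_return_error </dev/null
}

check_all() {
  for ep in $DS_ENDPOINTS; do check_endpoint "$ep" "$DS_CA"; done
  for ep in $AD_ENDPOINTS; do check_endpoint "$ep" "$AD_CA"; done
}

case "${1:-}" in
  plan)  DRY_RUN=1; import_all; check_all ;;
  apply) import_all; check_all ;;
esac
```

Run it in plan mode first and compare the printed certutil commands against the certificate database locations in the certinfo output for your own installation; the failover installation needs the same run with the US and European hosts swapped. After apply, restart the connectors and Directory Server instances as the text requires, then rerun idsync certinfo, which will still print the same steps because it cannot inspect the databases; the openssl checks and certutil -L on each database are the confirmation.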