Use the idsync certinfo utility to determine what certificates are required based on the current Identity Synchronization for Windows SSL settings. Execute idsync certinfo to retrieve information about what certificates are required in each certificate database.
You must be sure that when you are configuring the Directory Server source for SSL, both the preferred and secondary Directory Server source certificates are trusted by the replica Directory Server for all Directory subcomponents or Plug-ins.
If Identity Synchronization for Windows tries to establish SSL connections (with the trust all certificates setting enabled), and the server’s hostname does not match the hostname provided in the certificate presented by the server during the SSL negotiation phase, the Identity Synchronization for Windows Connector will refuse to establish the connection.
The directory source hostname in the Identity Synchronization for Windows configuration must always match the hostname embedded in the certificate used by that directory source.
Arguments describes the arguments you can use with the idsync certinfo subcommand.
Table 10–4 certinfo Arguments
Argument |
Description |
---|---|
-h CR-hostname |
Specifies the configuration directory hostname. This argument defaults to the values specified during Core installation. |
-p CR-port-no |
Specifies the configuration directory LDAP port number. (Default is 389) |
-D bind-DN |
Specifies the configuration directory bind distinguished name (DN). This argument defaults to the values specified during Core installation. |
-w bind-password | - |
Specifies the configuration directory bind password. The - value reads the password from standard input (STDIN). |
-s rootsuffix |
Specifies the configuration directory rootsuffix. Where rootsuffix is a distinguished name such as dc=example,dc=com. This argument defaults to the values specified during Core installation. |
-q configuration_password |
Specifies the configuration password. The - value reads the password from standard input (STDIN). |
The following example uses idsync certinfo to search for system components designated to run under SSL communications. The results of this example identifies two connectors (CNN101 and CNN100) and provides instructions as to where to import the appropriate CA certificate.
:\Program Files\Sun\MPS\isw- hostname\bin idsync certinfo -h CR-hostname -p 389 -D "cn=Directory Manager" -w dirmanager -s dc=example,dc=com -q password Connector: CNN101 Certificate Database Location: C:\Program Files\Sun\MPS\isw- hostname\etc\CNN101 Get ’Active Directory CA’ certificate from Active Directory and import into Active Directory Connector certificate db for server ldaps::/ hostname.example.com:636 Connector: CNN100 Certificate Database Location: C:\Program Files\Sun\MPS\isw- hostname\etc\CNN100 Export ’Directory Server CA’ certificate from Directory Server certificate db and import into Directory Server Connector certificate db ldaps://hostname.example.com:636 Export ’Active Directory CA’ certificate from Active Directory Server hostname.example.sun.com:389 and import into Directory Server Server certificate db for server ldaps://hostname.example.com:638 SUCCESS |