JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

Part I Installing Identity Synchronization for Windows

1.  Understanding the Product

2.  Preparing for Installation

3.  Installing Core

4.  Configuring Core Resources

5.  Installing Connectors

6.  Synchronizing Existing Users and User Groups

7.  Removing the Software

8.  Configuring Security

Security Overview

Specifying a Configuration Password

Using SSL

Requiring Trusted SSL Certificates

Generated 3DES Keys

SSL and 3DES Keys Protection Summary

Message Queue Access Controls

Directory Credentials

Persistent Storage Protection Summary

Hardening Your Security

Configuration Password

Creating Configuration Directory Credentials

To Create a New User Other Than admin

Message Queue Client Certificate Validation

To Validate the Message Queue Client Certificate

Message Queue Self-Signed SSL Certificate

Access to the Message Queue Broker

Configuration Directory Certificate Validation

Restricting Access to the Configuration Directory

Securing Replicated Configurations

Using idsync certinfo

Arguments

Usage

Enabling SSL in Directory Server

To Enable SSL in Directory Server

Retrieving the CA Certificate from the Directory Server Certificate Database

Retrieving the CA Certificate from the Directory Server (using dsadm command on Solaris platform)

Enabling SSL in the Active Directory Connector

Retrieving an Active Directory Certificate

Using Window's Certutil

Using LDAP

Adding Active Directory Certificates to the Connector's Certificate Database

To Add Active Directory Certificate to the Connector's Certificate Database

Adding Active Directory Certificates to Directory Server

To Add the Active Directory CA certificate to the Directory Server Certificate Database

Adding Directory Server Certificates to the Directory Server Connector

To Add the Directory Server Certificates to the Directory Server Connector

9.  Understanding Audit and Error Files

Part II Identity Synchronization for Windows Appendixes

A.  Using the Identity Synchronization for Windows Command Line Utilities

B.  Identity Synchronization for Windows LinkUsers XML Document Sample

C.  Running Identity Synchronization for Windows Services as Non-Root on Solaris

D.  Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows

E.  Identity Synchronization for Windows Installation Notes for Replicated Environments

Index

Hardening Your Security

This section depicts potential security weaknesses in the current release of the product and recommendations as to how to extend and harden security outside the product’s default configuration. It includes the following:

Configuration Password

The configuration password is used to protect sensitive configuration information but the installation program does not enforce any password policy for this password; be sure that this password follows some strict guidelines choose a complex password that is not easily guessed and follow standard policy guidelines for strong passwords.

For example, it should be at least eight characters long, include upper case letters, lower case letters, and non-alphanumeric characters. It should not include your name, initials, or dates.

Creating Configuration Directory Credentials

To access the Directory Server where the product’s configuration directory resides, your credentials must be in the Configuration Administrators group. However, if you need to create credentials other than admin for any reason, consider the following:

The installation program requires you to provide credentials for a user stored in the Console administrative subtree. However, the Core installation program will not expand users other than admin into “uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot”. Therefore, you must specify the entire DN during Core installation.

To Create a New User Other Than admin

  1. Create a user in:
    ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
  2. Add the new credentials to the Configuration Administrators group.
  3. Set ACIs to allow only this user or all users in the Configuration Administrators group to access the Directory Server where the product’s configuration directory is stored.
  4. Specify entire DN during Core installation.

    For more information about managing access controls in the Directory Server, see Chapter 6, Directory Server Access Control, in Sun Directory Server Enterprise Edition 7.0 Administration Guide

Message Queue Client Certificate Validation

By default, clients of the Message Queue, such as the connectors and system manager, accept any SSL certificate that the Message Queue broker returns.

To Validate the Message Queue Client Certificate

  1. To override this setting and force Message Queue clients to validate the Message Queue broker’s certificate, edit:

    installation_root/resources/WatchList.properties

  2. Add the following to the JVM arguments of each process in Watchlist.properties :

    -Djavax.net.ssl.trustStore=keystore_path-DimqSSLIsHostTrusted=false

  3. Restart the Identity Synchronization for Windows daemon or service.

    The javax.net.ssl.trustStore property should point to a JSEE keystore that trusts the broker certificate, for example, /etc/imq/keystore can be used on the machine where Core was installed because this is the same keystore used by the broker.

Message Queue Self-Signed SSL Certificate

By default, the Message Queue broker uses a self-signed SSL certificate. To install a different certificate, use the keytool utility that ships with Java to modify the broker’s keystore (/var/imq/instances/isw-broker/etc/keystore on Solaris, /var/opt/sun/mq/instances/isw-broker/etc/keystore on Linux, and mq_installation_root /var/instances/isw-broker/etc/keystore on Windows 2000). The alias of the certificate must be imq.

Access to the Message Queue Broker

By default, the Message Queue uses dynamic ports for all services except for its port mapper. To access the broker trough a firewall or restrict the set of hosts that can connect to the broker, the broker should use fixed ports for all services.

This can be achieved by setting the imq.service_name protocol_type .port broker configuration properties. Refer to the Sun Java System Message Queue Administration Guide for more information.

Configuration Directory Certificate Validation

The system manager accepts any certificate when connecting to the product’s configuration directory over SSL; the Message Queue broker accepts any certificate when connecting to the product’s configuration directory over SSL. Currently, there is no way to make either the system manager or the Message Queue broker validate the product’s configuration directory SSL certificates.

Restricting Access to the Configuration Directory

When Core is installed, the process of adding information to the Directory Server where the product’s configuration directory is stored does not include adding any access control information. To restrict access to only configuration Administrators, the following ACI can be used:

(targetattr = "*")
(target = "ldap://ou=IdentitySynchronization,
ou=Services,dc=example,dc=com")
(version 3.0;acl "Test";deny (all)
(groupdn != "ldap://cn=Configuration Administrators,
ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)

For more information about managing access controls in the Directory Server, see Chapter 6, Directory Server Access Control, in Sun Directory Server Enterprise Edition 7.0 Administration Guide

Copyright © 2009, 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next