Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide

Using idsync certinfo

Use the idsync certinfo utility to determine which certificates are required, based on the current Identity Synchronization for Windows SSL settings, and which certificate database each of them must be imported into. Execute idsync certinfo to retrieve that information for every certificate database.


Note - When you configure the Directory Server source for SSL, you must make sure that both the preferred and the secondary Directory Server source certificates are trusted by the replica Directory Server for all Directory subcomponents and plug-ins.

Even when the trust all certificates setting is enabled, if the server's hostname does not match the hostname in the certificate the server presents during SSL negotiation, the Identity Synchronization for Windows Connector refuses to establish the connection.

The directory source hostname in the Identity Synchronization for Windows configuration must therefore always match the hostname embedded in the certificate used by that directory source.
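The following Python script is an added example, not part of the Oracle guide or of the idsync tooling. It reproduces the hostname check described in the note above so that a directory-source URL from the Identity Synchronization for Windows configuration can be compared with the names in a server certificate before a connector is started. The certificate dictionaries are constructed samples in the shape returned by Python's ssl.SSLSocket.getpeercert(); the function names and the matching rules (SAN dNSName entries first, commonName only as a fallback, wildcards confined to the leftmost label) are the example's own assumptions and go slightly beyond the note by covering wildcard certificates.

```python
from urllib.parse import urlsplit

# Constructed sample: a Directory Server certificate issued to the same FQDN
# that appears in the directory-source URL of the configuration.
DS_CERT = {
    "subject": ((("commonName", "hostname.example.com"),),),
    "subjectAltName": (("DNS", "hostname.example.com"),),
}

# Constructed sample: a certificate issued to a different name than the one in
# the configuration. This is the failure case the documentation note describes.
MISMATCHED_CERT = {
    "subject": ((("commonName", "ds1.example.com"),),),
    "subjectAltName": (("DNS", "ds1.example.com"), ("DNS", "ds1")),
}

# Constructed sample: wildcard certificate with no SAN, so only the CN counts.
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),)}


def _dns_names(cert):
    """Return the DNS names a certificate is valid for.

    Subject Alternative Name dNSName entries take precedence; the subject
    commonName is used only when the certificate carries no dNSName SAN.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def _label_matches(pattern, hostname):
    """Case-insensitive exact match, or a wildcard that is the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.example.com" matches one label only: never "example.com" itself and
    # never "a.b.example.com". Anything else containing "*" is rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_in_certificate(cert, hostname):
    """True if the hostname matches at least one name embedded in the certificate."""
    return any(_label_matches(name, hostname) for name in _dns_names(cert))


def source_host(ldap_url):
    """Host part of a directory-source URL such as ldaps://host.example.com:636."""
    parts = urlsplit(ldap_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("expected an ldap:// or ldaps:// URL, got %r" % ldap_url)
    return parts.hostname


def check_directory_source(ldap_url, cert):
    """Report whether a connector would accept this certificate for this source.

    Returns (ok, message). A mismatch is the condition from the note: the
    configured hostname must equal a name in the certificate regardless of
    whether all certificates are trusted.
    """
    host = source_host(ldap_url)
    names = ", ".join(_dns_names(cert)) or "<no DNS name>"
    if hostname_in_certificate(cert, host):
        return True, "%s matches certificate name(s): %s" % (host, names)
    return False, "%s is not among certificate name(s) %s; the connector will refuse the SSL connection" % (host, names)


if __name__ == "__main__":
    # An IP address in the configuration is not a DNS name, so it never matches
    # a certificate issued to an FQDN (iPAddress SANs are not considered here).
    for url, cert in [
        ("ldaps://hostname.example.com:636", DS_CERT),
        ("ldaps://hostname.example.com:636", MISMATCHED_CERT),
        ("ldaps://hostname.example.com:636", WILDCARD_CERT),
        ("ldaps://192.0.2.10:636", DS_CERT),
    ]:
        ok, message = check_directory_source(url, cert)
        print("OK  " if ok else "FAIL", message)
```

Run the script as-is to see one accepted and one refused case for each sample; in practice, pass the hostname from the directory-source URL in the configuration and the certificate obtained from the server's certificate database.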


Arguments

Table 8-4 describes the arguments you can use with the idsync certinfo subcommand.

Table 8-4 certinfo Arguments

Argument: -h CR-hostname
    Description: Specifies the configuration directory hostname. This argument defaults to the value specified during Core installation.

Argument: -p CR-port-no
    Description: Specifies the configuration directory LDAP port number. The default is 389.

Argument: -D bind-DN
    Description: Specifies the configuration directory bind distinguished name (DN). This argument defaults to the value specified during Core installation.

Argument: -w bind-password | -
    Description: Specifies the configuration directory bind password. The - value reads the password from standard input (STDIN).

Argument: -s rootsuffix
    Description: Specifies the configuration directory root suffix, where rootsuffix is a distinguished name such as dc=example,dc=com. This argument defaults to the value specified during Core installation.

Argument: -q configuration_password
    Description: Specifies the configuration password. The - value reads the password from standard input (STDIN).

Usage

The following example uses idsync certinfo to search for system components designated to run over SSL. The results of this example identify two connectors (CNN101 and CNN100) and state, for each, where the appropriate CA certificate must be imported.

C:\Program Files\Sun\MPS\isw-hostname\bin> idsync certinfo -h CR-hostname -p 389 -D "cn=Directory Manager" -w dirmanager -s dc=example,dc=com -q password
Connector: CNN101
Certificate Database Location: C:\Program Files\Sun\MPS\isw-hostname\etc\CNN101
Get 'Active Directory CA' certificate from Active Directory and import into Active Directory Connector certificate db for server ldaps://hostname.example.com:636
Connector: CNN100
Certificate Database Location: C:\Program Files\Sun\MPS\isw-hostname\etc\CNN100
Export 'Directory Server CA' certificate from Directory Server certificate db and import into Directory Server Connector certificate db ldaps://hostname.example.com:636
Export 'Active Directory CA' certificate from Active Directory Server hostname.example.sun.com:389 and import into Directory Server Server certificate db for server ldaps://hostname.example.com:638
SUCCESS