Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide


Enabling SSL in Directory Server

Follow these steps to enable SSL in a Directory Server using a self-signed certificate.


Note - These abbreviated procedures are for your convenience. Refer to the Sun Directory Server Enterprise Edition 7.0 Administration Guide for more information.


To Enable SSL in Directory Server

Refer to the following procedure to enable SSL in Directory Server:

  1. Create a DS instance

    /opt/SUNWdsee/ds6/bin/dsadm create -p non-ldap-port -P ldap-secure-port <DS-server-root>/slapd-<hostname>

  2. Start the instance

    /opt/SUNWdsee/ds6/bin/dsadm start <DS-server-root>/slapd-<hostname>

  3. Create a self-signed certificate

    /opt/SUNWdsee/ds6/bin/dsadm add-selfsign-cert -S "cn=<machine name with domain>,O=<preferred root suffix>" <DS-server-root>/slapd-<hostname> <certificate name>

    Where -S gives the subject DN of the self-signed certificate that is created and added to the certificate database, the second argument is the path of the Directory Server instance, and the last argument is the certificate alias.

  4. Set the server properties to this certificate

    /opt/SUNWdsee/ds6/bin/dsconf set-server-prop -p non-ldap-port ssl-rsa-cert-name:<certificate name>

  5. Restart the DS

    /opt/SUNWdsee/ds6/bin/dsadm restart /<DS-server-root>/slapd-<hostname>/

  6. Stop the DS before removing the default certificate (this ensures that the certificate generated above becomes the default certificate)

    /opt/SUNWdsee/ds6/bin/dsadm stop /<DS-server-root>/slapd-<hostname>/

  7. Remove the default certificate

    /opt/SUNWdsee/ds6/bin/dsadm remove-cert /<DS-server-root>/slapd-<hostname>/ defaultCert

    where the first argument is the slapd-path and the second argument is the alias of the certificate. If you want to keep a copy of the default certificate, export it before removing it with the following command:

    /opt/SUNWdsee/ds6/bin/dsadm export-cert -o /<any path>/slapd-cert.export /<DS-server-root>/slapd-<hostname>/ <original default cert alias>

    where -o is the output file (/<any path>/slapd-cert.export), the second argument is the slapd-path and the third argument is the certificate alias.

Retrieving the CA Certificate from the Directory Server Certificate Database

Ensure that you have enabled SSL in Directory Server. To export the Directory Server certificate to a temporary file so that you can import it into the certificate database of the Directory Server Connector, issue the following command:

<ISW-server-root>\shared\bin\certutil.exe -L -d . -P slapd-hostname- -n server-cert -a > C:\s-cert.txt

ISW-server-root is the path where the ISW-hostname directory is present.

Run this command from the alias directory immediately below the server root (the -d . argument). Otherwise, Directory Server will not find the certificate database.

Retrieving the CA Certificate from the Directory Server (using dsadm command on Solaris platform)

Ensure that you have enabled SSL in Directory Server. To retrieve the CA certificate issue the following command:

/opt/SUNWdsee/ds6/bin/dsadm export-cert -o /<any path>/slapd-cert.export /<DS-server-root>/slapd-<hostname>/ <original default cert alias>
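The files written by the export commands above (dsadm export-cert in step 7 and in this Solaris section, certutil -a on Windows) are PEM-encoded certificates. The following Python is an added example, not part of the Oracle guide: it checks such a file before you import it into the connector's certificate database, tolerating CRLF and wrapped base64 lines, detecting a truncated or corrupted export from the outer DER length header, and returning fingerprints you can compare against what certutil -L prints for the alias after import. The sample PEM is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: a minimal DER SEQUENCE (not a real X.509 certificate),
# wrapped in the PEM armour that dsadm export-cert and certutil -a produce.
SAMPLE_DER = bytes.fromhex("3006020105020107")  # SEQUENCE { INTEGER 5, INTEGER 7 }

def _wrap_pem(der):
    return ("-----BEGIN CERTIFICATE-----\r\n"
            + base64.b64encode(der).decode("ascii") + "\r\n"
            + "-----END CERTIFICATE-----\r\n")

SAMPLE_PEM = _wrap_pem(SAMPLE_DER)
SAMPLE_PEM_TRUNCATED = _wrap_pem(SAMPLE_DER[:-1])  # simulates a cut-off export

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block, or None if absent/invalid."""
    m = _PEM_RE.search(pem_text)
    if not m:
        return None
    body = re.sub(r"\s+", "", m.group(1))  # strip CRLF and line wrapping
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:
        return None

def der_outer_length(der):
    """Decode the outer SEQUENCE tag/length; return the total byte length it claims."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_export(pem_text):
    """Validate an exported certificate; return status plus fingerprints on success."""
    der = pem_to_der(pem_text)
    if der is None:
        return {"ok": False, "reason": "no valid PEM CERTIFICATE block"}
    if der_outer_length(der) != len(der):
        return {"ok": False, "reason": "DER length mismatch: truncated or corrupted export"}
    return {"ok": True,
            "sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}

def check_export_file(path):
    """Convenience wrapper for the file written by export-cert or certutil -a."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return check_export(fh.read())
```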