Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide |
Enabling SSL in the Active Directory Connector
Identity Synchronization for Windows automatically retrieves Active Directory SSL certificates over SSL and imports them into the Connector’s certificate database using the same credentials you provided for the Connector.
However, if an error occurs (for example, invalid credentials, or no SSL certificates were found), you can retrieve an Active Directory CA certificate manually and add it to the Connector certificate database, as described in the following sections.
If an error occurs, you can use certutil (a program that ships with Windows 2000/2003) or LDAP to retrieve an Active Directory certificate, as described in the following sections.
Note - The certutil command discussed in this section is not the same as the certutil command that ships with the Directory Server and discussed previously in this publication.
C:\>certutil -ca.cert cacert.bin
ldapsearch -h CR-hostname -D administrator_DN -w administrator_password -b "cn=configuration,dc=put,dc=your,dc=domain,dc=here" "cacertificate=*"
Where the administrator_DN might look like:
cn=administrator,cn=users,dc=put,dc=your,dc=domain,dc=here
In this example, the domain name is: put.your.domain.name.here.
Several entries will match the search filter. You probably need the entry with cn=Certification Authorities, cn=Public Key Services in its DN.
-----BEGIN CERTIFICATE-----
MIIDvjCCA2igAwIBAgIQDgoyk+Tu14NGoQnxhmNHLjANBgk
qhkiG9w0BAQUFADCBjjEeMBwGCSqGSIb3DQEJARYPYmVydC
9sZEBzdW4uY29tMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV
FgxDzANBgNVBAcTBkF1c3RpbjEZMBcGA1UEChMQU3VuIE1p
Y3Jvc3lzdGVtczEQMA4GA1UECxMHaVBsYW5ldDEUMBIGA1U
EAxMLUmVzdGF1cmFudHMwHhcNMDIwMTExMDA1NDA5WhcNMT
IwMTExMDA1OTQ2WjCBjjEeMBwGCSqGSIb3DQEJARYPYmVyd
G9sZEBzdW4uY29tMQswCQYDVQQGEwJVUELMAkGA1UECBMCV
FgxDzANBgNVBAcTBkF1c3RpbjEZMBcGA1UEChMQU3VuIE1p
Y3Jvc3lzdGVtczEQMA4GA1UECxMHaVBsYW5ldDEUMBIGA1U
EAxMLUmVzdGF1cmFudHMwXDANBgkqhkiG9w0BAQEFAANLAD
BIAkEAyekZa8gwwhw3rLK3eV/12St1DVUsg31LOu3CnB8cM
HQZXlgiUgtQ0hm2kpZ4nEhwCAHhFLD3iIhIP4BGWQFjcwID
AQABo4IBnjCCAZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwY
DVR0PBAQDAgFGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBB
YEFJ5Bgt6Oypq7T8Oykw4LH6ws2d/IMIIBMgYDVR0fBIIBK
TCCASUwgdOggdCggc2GgcpsZGFwOi8vL0NOPVJlc3RhdXJh
bnRzLENOPWRvd2l0Y2hlcixDTj1DRFAsQ049UHVibGljJTI
wS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZm
lndXJhdGlvbixEQz1yZXN0YXVyYW50cyxEQz1jZW50cmFsL
RPXN1bixEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9u
TGlzdD9iYXNlP29iamVjdGNsYXNzPWNSTERpc3RyaWJ1dGl
vblBvaW50ME2gS6BJhkdodHRwOi8vZG93aXRjaGVyLnJlc3
RhdXJhbnRzLmNlbnRyYWwuc3VuLmNvbS9DZXJ0RW5yb2xsL
1Jlc3RhdXJhbnRzLmNybDAQBgkrBgEEAYI3FQEEAwIBADAN
BgkqhkiG9w0BAQUFAANBAL5R9R+ONDdVHWu/5Sd9Tn9dpxN
8oegjS88ztv1HD6XSTDzGTuaaVebSZV3I+ghSInsgQbH0gW
4fGRwaIBvePI4=
-----END CERTIFICATE-----
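When the certificate is retrieved with ldapsearch, the cACertificate attribute usually comes back in LDIF form (a base64 value after a double colon, folded across continuation lines) rather than as a ready-made PEM file. The following Python script is an added example, not part of this guide or of Identity Synchronization for Windows: it unfolds the LDIF, keeps only the entries whose DN contains cn=Certification Authorities,cn=Public Key Services (the entry the text above tells you to look for), decodes the DER bytes, and writes them as PEM, which is the format the certutil -a -i import step expects. The sample LDIF and the short DER value inside it are constructed stand-ins, not a real certificate; the DN and attribute names follow the layout described above.

```python
"""Convert ldapsearch LDIF output for cACertificate into a PEM file for certutil -a -i.

Added example (assumes standard LDIF output, with binary values base64-encoded
after '::' and long lines folded with a leading space).
"""
import base64
import re
import tempfile
from typing import List, Tuple

# Constructed sample of what the ldapsearch in the text might print. The
# cACertificate value is a short stand-in, NOT a real certificate; a real query
# returns the CA's full DER-encoded certificate here.
SAMPLE_LDIF = """\
version: 1

dn: CN=Restaurants,CN=Certification Authorities,CN=Public Key Services,CN=Services,cn=configuration,dc=put,dc=your,dc=domain,dc=here
objectClass: certificationAuthority
cn: Restaurants
cACertificate:: MIIBAgIBADAN
 BgkqhkiG9w0BAQUFADA=

dn: CN=Enrollment Services,CN=Public Key Services,CN=Services,cn=configuration,dc=put,dc=your,dc=domain,dc=here
objectClass: container
cn: Enrollment Services
"""

# DN fragment the text says identifies the CA container (compared case-insensitively).
CA_DN_MARKER = "cn=certification authorities,cn=public key services"

Record = Tuple[str, List[Tuple[str, bytes]]]


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (a line starting with one space) to the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Record]:
    """Return (dn, [(attribute, raw_bytes), ...]) for each record; '::' values are base64-decoded."""
    records: List[Record] = []
    dn, attrs = None, []
    for line in unfold_ldif(text) + [""]:   # trailing "" flushes the last record
        if line == "":
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        name, sep, value = m.groups()
        raw = base64.b64decode(value) if sep == "::" else value.encode("utf-8")
        if name.lower() == "dn":
            dn = raw.decode("utf-8")
        else:
            attrs.append((name, raw))
    return records


def ca_certificates_from_ldif(text: str) -> List[Tuple[str, bytes]]:
    """Return (dn, der) for every cACertificate found under the CA container."""
    found = []
    for dn, attrs in parse_ldif(text):
        if CA_DN_MARKER not in re.sub(r",\s+", ",", dn).lower():
            continue   # other entries also match the filter; skip them as the text advises
        for name, value in attrs:
            if name.lower() == "cacertificate" and value:
                found.append((dn, value))
    return found


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def write_pem_for_certutil(text: str, path: str) -> int:
    """Write every CA certificate from the LDIF to `path` as PEM; return how many were written."""
    certs = ca_certificates_from_ldif(text)
    with open(path, "w", encoding="ascii") as fh:
        for _, der in certs:
            fh.write(der_to_pem(der))
    return len(certs)


if __name__ == "__main__":
    # Usage: write the constructed sample to a temporary ad-cert.txt and report the count.
    out = tempfile.NamedTemporaryFile(suffix="-ad-cert.txt", delete=False).name
    n = write_pem_for_certutil(SAMPLE_LDIF, out)
    print(f"wrote {n} CA certificate(s) to {out}")
```

In practice, pipe the ldapsearch output from the command above into a file and pass that file's contents to write_pem_for_certutil; the resulting file is the ad-cert.txt used in the LDAP-based import step. If the script writes zero certificates, the search did not return an entry under the CA container, which is the case to check before importing anything.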
Use this procedure only if you enabled SSL for the Active Directory Connector after installing the Connector or if invalid credentials were provided during installation.
If the certificate was retrieved using certutil, type:
<ISW-server-root>\shared\bin\certutil.exe -A -d . -n ad-ca-cert -t C,, -i \cacert.bin
If the certificate was retrieved using LDAP, type:
<ISW-server-root>\shared\bin\certutil.exe -A -d . -n ad-ca-cert -t C,, -a -i \ad-cert.txt
where ISW-server-root is the path that contains the ISW-hostname directory.
On Solaris, the certificate can be imported using the dsadm command in the following manner:
/opt/SUNWdsee/ds6/bin/dsadm add-cert -C <DS-server-root>/slapd-<hostname>/ ad-ca-cert cacert.bin
where ad-ca-cert is the name assigned to the certificate after the import and cacert.bin is the certificate file being imported.
Note - Because certutil.exe is installed only as part of Directory Server, you will not be able to add a CA certificate to a Connector installed on a machine where Directory Server is not installed.
At a minimum, you must install the Sun Java System Server Basic Libraries and Sun Java System Server Basic System Libraries from the Directory Server package on the server where the Active Directory Connector is installed. (You do not have to install the Administration Server or Directory Server components.)
In addition, be sure to select the JRE subcomponent from the Console (to ensure your ability to uninstall).