Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide |
Use the idsync certinfo utility to determine which certificates are required, based on the current Identity Synchronization for Windows SSL settings. Running idsync certinfo reports which certificates each certificate database needs.
Note - When you configure the Directory Server source for SSL, make sure that both the preferred and secondary Directory Server source certificates are trusted by the replica Directory Server for all Directory subcomponents or Plug-ins.
If Identity Synchronization for Windows tries to establish an SSL connection (even with the trust all certificates setting enabled) and the server's hostname does not match the hostname in the certificate the server presents during SSL negotiation, the Identity Synchronization for Windows Connector refuses to establish the connection.
The directory source hostname in the Identity Synchronization for Windows configuration must therefore always match the hostname embedded in the certificate used by that directory source.
Table 8-4 describes the arguments you can use with the idsync certinfo subcommand.
Table 8-4 certinfo Arguments
The following example uses idsync certinfo to search for system components designated to run under SSL communications. The results identify two connectors (CNN101 and CNN100) and state where to import the appropriate CA certificate for each.
C:\Program Files\Sun\MPS\isw-hostname\bin idsync certinfo -h CR-hostname -p 389 -D "cn=Directory Manager" -w dirmanager -s dc=example,dc=com -q password

Connector: CNN101
Certificate Database Location: C:\Program Files\Sun\MPS\isw-hostname\etc\CNN101
Get 'Active Directory CA' certificate from Active Directory and import into Active Directory Connector certificate db for server ldaps://hostname.example.com:636

Connector: CNN100
Certificate Database Location: C:\Program Files\Sun\MPS\isw-hostname\etc\CNN100
Export 'Directory Server CA' certificate from Directory Server certificate db and import into Directory Server Connector certificate db ldaps://hostname.example.com:636
Export 'Active Directory CA' certificate from Active Directory Server hostname.example.sun.com:389 and import into Directory Server Server certificate db for server ldaps://hostname.example.com:638

SUCCESS
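The following Python script is an added example, not part of the Oracle guide or the idsync tool. It parses certinfo output like the listing above into the ldaps:// servers each connector must trust, then applies the hostname rule stated earlier: the host named in the configuration must appear in that server's certificate (otherwise the connector refuses the SSL connection, trust-all or not). The certinfo text is a constructed copy of the page's example; the certificate names you pass in are assumed to have been read from each server's certificate by some other means, and the matcher is a simplified one (exact match or a single-label wildcard).

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the certinfo output from this page's example, one item per line.
CERTINFO_OUTPUT = r"""Connector: CNN101
Certificate Database Location: C:\Program Files\Sun\MPS\isw-hostname\etc\CNN101
Get 'Active Directory CA' certificate from Active Directory and import into Active Directory Connector certificate db for server ldaps://hostname.example.com:636
Connector: CNN100
Certificate Database Location: C:\Program Files\Sun\MPS\isw-hostname\etc\CNN100
Export 'Directory Server CA' certificate from Directory Server certificate db and import into Directory Server Connector certificate db ldaps://hostname.example.com:636
SUCCESS
"""


def parse_certinfo(text):
    """Group certinfo output per connector: its certificate DB path and every ldaps:// server it must trust."""
    connectors, current = [], None
    for line in text.splitlines():
        if line.startswith("Connector: "):
            current = {"name": line.split(": ", 1)[1], "certdb": None, "servers": []}
            connectors.append(current)
        elif line.startswith("Certificate Database Location: ") and current:
            current["certdb"] = line.split(": ", 1)[1]
        elif current:
            current["servers"] += re.findall(r"ldaps://\S+", line)
    return connectors


def hostname_matches(configured_host, cert_names):
    """Simplified client-side hostname check: exact match, or a single-label wildcard such as *.example.com."""
    host = configured_host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_sources(connectors, cert_names_by_server):
    """Return (connector, url, cert_names) for every server whose certificate does not name the configured host."""
    # cert_names_by_server maps each ldaps:// URL to the CN/SAN hostnames found in that server's certificate.
    problems = []
    for c in connectors:
        for url in c["servers"]:
            names = cert_names_by_server.get(url, [])
            if not hostname_matches(urlsplit(url).hostname, names):
                problems.append((c["name"], url, names))
    return problems
```

An empty result from check_sources means every directory source hostname in the configuration matches its certificate; each tuple returned names a connector whose SSL connection the page says will be refused.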