Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide
Enabling SSL in Directory Server
To Enable SSL in Directory Server
Follow these steps to enable SSL in a Directory Server using a self-signed certificate.
Note - These abbreviated procedures are for your convenience. Refer to the Sun Directory Server Enterprise Edition 7.0 Administration Guide for more information.
On Windows, use the certutil version bundled with Identity Synchronization for Windows 6.0 within the ISW-host-name\shared\bin folder.
On Solaris, certutil is installed in /usr/sfw/bin by default.
On Linux, certutil is installed in /opt/sun/private/bin by default.
Refer to the following procedure to enable SSL in Directory Server:

1. Create the Directory Server instance with both a non-SSL LDAP port and a secure LDAP port:

/opt/SUNWdsee/ds6/bin/dsadm create -p <non-ssl-ldap-port> -P <ldap-secure-port> <DS-server-root>/slapd-<hostname>

2. Start the instance:

/opt/SUNWdsee/ds6/bin/dsadm start <DS-server-root>/slapd-<hostname>

3. Create a self-signed certificate and add it to the instance's certificate database:

/opt/SUNWdsee/ds6/bin/dsadm add-selfsign-cert -S "cn=<machine name with domain>,O=<preferred root suffix>" <DS-server-root>/slapd-<hostname> <certificate name>

where -S supplies the subject DN of the individual certificate that is created and added to the database, the next argument is the path of the Directory Server instance, and the last argument is the certificate alias.

4. Configure the server to use the new certificate for SSL:

/opt/SUNWdsee/ds6/bin/dsconf set-server-prop -p <non-ssl-ldap-port> ssl-rsa-cert-name:<certificate name>

5. Restart the instance so that the new setting takes effect:

/opt/SUNWdsee/ds6/bin/dsadm restart <DS-server-root>/slapd-<hostname>

6. Stop the instance and remove the default certificate (alias defaultCert):

/opt/SUNWdsee/ds6/bin/dsadm stop <DS-server-root>/slapd-<hostname>
/opt/SUNWdsee/ds6/bin/dsadm remove-cert <DS-server-root>/slapd-<hostname> defaultCert

where the first argument is the slapd instance path and the second argument is the alias of the certificate. If you want to export the default certificate before removing it, use the following command:

/opt/SUNWdsee/ds6/bin/dsadm export-cert -o /<any path>/slapd-cert.export <DS-server-root>/slapd-<hostname> <original default cert alias>

where -o names the output file (/<any path>/slapd-cert.export), the second argument is the slapd instance path, and the third argument is the certificate alias.
Ensure that you have enabled SSL in Directory Server. To export the Directory Server certificate to a temporary file so that you can import it into the certificate database of the Directory Server Connector, issue the following command:

<ISW-server-root>\shared\bin\certutil.exe -L -d . -P slapd-hostname- -n server-cert -a > C:\s-cert.txt

ISW-server-root is the path in which the ISW-hostname directory is present.

Run this command from the alias directory immediately below the server root (which is why -d . is used); otherwise the certificate database will not be found.
Ensure that you have enabled SSL in Directory Server. To retrieve the CA certificate, issue the following command:

/opt/SUNWdsee/ds6/bin/dsadm export-cert -o /<any path>/slapd-cert.export <DS-server-root>/slapd-<hostname> <original default cert alias>
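After running the procedure above and exporting the certificate, a practitioner will want to confirm that the secure port really presents the new self-signed certificate before the connector is configured to trust it. The following Python script is an added example, not part of this guide or of Identity Synchronization for Windows; it assumes a PEM copy of the server certificate (as produced by the certutil -L ... -a command above) and a reachable ldap-secure-port, and it uses only the Python standard library.

```python
import hashlib
import socket
import ssl
from typing import Optional


def pem_sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a PEM certificate such as the
    file written by 'certutil -L ... -a' above. Line wrapping does not matter."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def subject_cn(subject) -> Optional[str]:
    """Pull commonName out of the 'subject' tuple that SSLSocket.getpeercert()
    returns (a tuple of RDNs, each a tuple of (attribute, value) pairs)."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def check_ldaps_trust(host: str, port: int, exported_pem_path: str) -> dict:
    """Handshake with the LDAPS port trusting ONLY the exported certificate.
    A successful handshake shows the server's chain validates against that
    self-signed certificate and that its CN matches 'host' (the
    cn=<machine name with domain> given to dsadm add-selfsign-cert); the
    fingerprint comparison then pins the exact certificate, ruling out a
    leftover defaultCert or any other certificate issued by the same key."""
    ctx = ssl.create_default_context(cafile=exported_pem_path)  # sole trust anchor
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()                  # parsed dict (subject, dates)
            der = tls.getpeercert(binary_form=True)   # raw DER of the leaf cert
    with open(exported_pem_path, encoding="ascii") as f:
        expected = pem_sha256_fingerprint(f.read())
    presented = pem_sha256_fingerprint(ssl.DER_cert_to_PEM_cert(der))
    return {
        "cn": subject_cn(cert.get("subject", ())),
        "not_after": cert.get("notAfter"),
        "fingerprint_matches_export": presented == expected,
    }


if __name__ == "__main__":
    import sys
    # Usage: python check_ldaps.py <hostname> <ldap-secure-port> <exported.pem>
    print(check_ldaps_trust(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

If the handshake raises ssl.SSLCertVerificationError, the server is not presenting a certificate that chains to the exported file, which is the same failure the connector would hit once it is configured to require trusted certificates.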