Describes how to make a secure LDAP bind from IDMGR to AD when AD is the user store and Siteminder is not in use.
Here are the steps:
Exporting the Microsoft Active Directory Certificate
To export the Microsoft Active Directory certificate:
- Click Start, Programs, Administrative Tools, and Certification Authority.
- Right-click the Certification Authority that you created, and then select Properties.
- On the General tab, click View Certificate.
- On the Details tab, click Copy To File.
- Use the wizard to create a certificate (.cer) file using base-64 encoding.
Importing the Microsoft Active Directory Certificate
To import the Microsoft Active Directory certificate into the certificate store of the Identity Manager server:
- Copy the certificate to the Identity Manager server.
- Change to the directory where you copied the certificate file, and then enter a command similar to the following:
keytool -import -alias alias -file cer_file -keystore my_cacerts -storepass password
In this command:
- alias is the alias for the certificate (for example, the server name)
- cer_file is the full path and name of the certificate (.cer) file
- my_cacerts is the full path and name of the certificate store (the default is cacerts)
The path of the certificate store depends on the application server as shown in the following table.
| Application Server | Certificate Store Location |
|---|---|
| JBoss Application Server | JAVA_HOME\jre\lib\security\cacerts |
| BEA WebLogic | BEA_HOME\java\jre\lib\security\cacerts |
| IBM WebSphere | WS_HOME\java\jre\lib\security\cacerts and WS_HOME\etc\DummyServerTrustFile.jks |
For IBM WebSphere, you must also copy the jnet.jar, jsse.jar, and jcert.jar files to the WS_HOME\java\jre\lib\ext directory.
- password is the keystore password (the default is changeit)
For example:
keytool -import -alias thorADCert -file c:\thor\ActiveDir.cer -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit
changeit is the default password for the cacerts file shipped with the Sun JVM; it may differ depending on the JVM that you are using.
- In the command prompt window, when you are prompted to specify whether or not you want to trust this certificate, enter YES.
- To confirm whether or not the certificate has been imported successfully, enter a command similar to the following:
keytool -list -alias alias -keystore my_cacerts -storepass password
In the example given in Step 2, to confirm that the certificate was imported successfully, use the following command and look for the certificate alias, thorADCert, that you provided when importing the certificate into the keystore:
keytool -list -alias thorADCert -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit
- Perform this step only if you registered the certificate file in a new certificate store.
Add the following line to the jre\lib\security\java.security file:
In this line, N is a number that is not in use in the file.
- Restart JBoss.
At this point you are ready to create the user directory in idmmanage (File, Wizard) and select the checkbox for a secure connection.
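As an added check for the procedure above (example code written for this article, not part of CA Identity Manager or the keytool utility), the script below confirms that the exported .cer really uses base-64 encoding, computes the certificate fingerprint in the colon-separated form that keytool -list -v prints so the imported entry can be compared against the certificate exported from the CA, and picks the unused N for the security.provider.N line in java.security. The certificate bytes and the java.security contents are constructed samples.

```python
import base64
import binascii
import hashlib
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def is_base64_cer(cer_text: str) -> bool:
    """True if the exported .cer uses base-64 encoding (PEM), as the export wizard step requires."""
    return cer_text.find(PEM_BEGIN) >= 0 and cer_text.find(PEM_END) > cer_text.find(PEM_BEGIN)


def pem_to_der(cer_text: str) -> bytes:
    """Decode a base-64 .cer file to its DER bytes; raise if it is binary DER or corrupt."""
    if not is_base64_cer(cer_text):
        raise ValueError("not a base-64 (.cer) file; re-export with base-64 encoding")
    body = cer_text[cer_text.find(PEM_BEGIN) + len(PEM_BEGIN):cer_text.find(PEM_END)]
    try:
        return base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base-64") from exc


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Digest in keytool's AA:BB:... form for comparison with 'keytool -list -v' output
    (pass algorithm="sha1" for older keytool versions that only print SHA1)."""
    hexdigest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def next_provider_index(java_security_text: str) -> int:
    """N for the new security.provider.N line: one past the highest number in use,
    because the JVM stops loading providers at the first missing number."""
    used = [int(n) for n in re.findall(r"^\s*security\.provider\.(\d+)\s*=", java_security_text, re.M)]
    return max(used, default=0) + 1


# Constructed sample inputs (not a real certificate, not a real java.security file).
SAMPLE_DER = b"constructed placeholder, not an X.509 certificate"
SAMPLE_CER = PEM_BEGIN + "\n" + base64.b64encode(SAMPLE_DER).decode() + "\n" + PEM_END + "\n"
SAMPLE_JAVA_SECURITY = """security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
"""

if __name__ == "__main__":
    print("base-64 .cer:", is_base64_cer(SAMPLE_CER))
    print("SHA-256 fingerprint:", fingerprint(pem_to_der(SAMPLE_CER)))
    print("next security.provider.N:", next_provider_index(SAMPLE_JAVA_SECURITY))
```

Run it against the real ActiveDir.cer and your server's java.security instead of the samples; the fingerprint it prints should match the one keytool -list -v shows for the alias you imported.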