How to create a secure connection to AD from IDM when AD is the corporate user store?

Document ID : KB000022576
Last Modified Date : 14/02/2018

Description:

Describes how to make a secure LDAP bind from IDMGR to AD when AD is the user store and Siteminder is not in use.

Solution:

Here are the steps:

Exporting the Microsoft Active Directory Certificate

To export the Microsoft Active Directory certificate:

  1. Click Start, Programs, Administrative Tools, and Certification Authority.

  2. Right-click the Certification Authority that you created, and then select Properties.

  3. On the General tab, click View Certificate.

  4. On the Details tab, click Copy To File.

  5. Use the wizard to create a certificate (.cer) file using base-64 encoding.

Importing the Microsoft Active Directory Certificate

To import the Microsoft Active Directory certificate into the certificate store of the Identity Manager server:

  1. Copy the certificate to the Identity Manager server.

  2. Change to the directory where you copied the certificate file, and then enter a command similar to the following:

    keytool -import -alias alias -file cer_file -keystore my_cacerts -storepass password

    In this command:

    • alias is the alias for the certificate (for example, the server name)

    • cer_file is the full path and name of the certificate (.cer) file

    • my_cacerts is the full path and name of the certificate store (the default is cacerts)

      The path of the certificate store depends on the application server as shown in the following table.

      Application Server         Certificate Store Location
      JBoss Application Server   JAVA_HOME\jre\lib\security\cacerts
      BEA WebLogic               BEA_HOME\java\jre\lib\security\cacerts
      IBM WebSphere              WS_HOME\java\jre\lib\security\cacerts
                                 WS_HOME\etc\DummyServerTrustFile.jks

      Note:

      For IBM WebSphere, you must also copy the jnet.jar, jsse.jar, and jcert.jar files to the WS_HOME\java\jre\lib\ext directory.

    • password is the keystore password (the default is changeit)

      For example:

      keytool -import -alias thorADCert -file c:\thor\ActiveDir.cer -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit

      Note:

      changeit is the default password for the cacerts file shipped with the Sun JVM. The default may differ depending on the JVM that you are using.

  3. In the command prompt window, when you are prompted to specify whether or not you want to trust this certificate, enter YES.

  4. To confirm whether or not the certificate has been imported successfully, enter a command similar to the following:

    keytool -list -alias alias -keystore my_cacerts -storepass password

    In the example given in Step 2, to confirm that the certificate has been successfully imported, use the following command and look for the certificate alias, thorADCert, that you provided when importing the certificate into the keystore:

    keytool -list -alias thorADCert -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit

  5. Perform this step only if you are registering the certificate file in a new certificate store.

    Add the following line in the jre\lib\security\java.security file:

    security.provider.N=com.sun.net.ssl.internal.ssl.Provider

    In this line, N is a number that is not in use in the file.

  6. Restart JBoss.

    At this point you are ready to create the user directory in the Management Console (idmmanage) using the File menu wizard, and select the check box for a secure connection.
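As an added check (example code, not part of the original article), the following Python script computes the fingerprint of the exported .cer file so it can be compared with the fingerprint that keytool -list prints in Step 4, and optionally opens a TLS session to the AD server on port 636 trusting only that certificate, which is the validation Identity Manager performs once the secure connection is enabled. The host name, port, and file path in the main block are assumptions.

```python
import hashlib
import socket
import ssl

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def cert_bytes_to_der(data):
    """Return DER bytes for the contents of an exported .cer file.
    The export wizard is told to use base-64 (PEM), but a DER export
    is accepted too so the checks below work on either form."""
    if PEM_MARKER in data:
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data


def load_cert_der(path):
    with open(path, "rb") as f:  # read the .cer file from disk
        return cert_bytes_to_der(f.read())


def fingerprint(der, algo="sha256"):
    """Colon-separated uppercase digest, the format keytool -list prints.
    Pass "sha1" or "sha256" to match the line your JDK's keytool shows."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_ldaps(host, der, port=636):
    """Open a TLS session to the AD server trusting ONLY the exported CA.
    Returns the validated server certificate's subject as a dict; raises
    ssl.SSLError when the chain does not validate against that CA, which
    is the failure Identity Manager hits if the wrong certificate (or only
    part of the chain) was imported before ticking the secure-connection box."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname
    ctx.load_verify_locations(cadata=der)          # bytes are read as DER
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(pair[0] for pair in tls.getpeercert()["subject"])


# Constructed sample (not a real certificate): exercises PEM/DER handling offline.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    # Assumed values: replace with your AD host and exported file path.
    der = load_cert_der(r"c:\thor\ActiveDir.cer")
    print("SHA-256:", fingerprint(der))
    print("Validated subject:", check_ldaps("thor.example.com", der))
```

A fingerprint that matches keytool -list proves the right file went into the keystore; a successful check_ldaps proves the AD server's certificate actually chains to it.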