The communication between the IDM Azure AD Driver and the Exchange Service is secured via SSL. We need to create a server certificate and import it into the root certificate store of the Windows server where the Exchange Service is deployed.

Introduction to IDM Exchange Service

IDM Exchange Service is a multi-tenant, REST-based Windows service that supports Microsoft Exchange Online. With the help of this service, the Azure AD Driver can provision or deprovision user mailboxes and mail users, and create or remove distribution lists and security groups on Office 365 Exchange Online. The service can be configured independently of the driver on a separate Windows server, and a single instance of the service can serve several Azure AD Driver instances. The service converts the driver's REST calls into Exchange Online cmdlets that manage Exchange Online. It runs on a user-configured port. Although the service can be installed independently of the driver, it requires an instance of the Azure AD Driver to work properly: on startup, the driver initializes the service by sending the Office 365 Exchange domain, user name, and password. Driver initialization succeeds only when the system clocks of the servers running the engine and the service are synchronized. The service cannot be used with any other REST client tool.

Note: The following procedure assumes eDirectory as the Certificate Authority (CA).

Following the steps below will establish a secure connection between the Exchange Service and the IDM Azure AD Driver.

This procedure assumes you have already installed the Identity Manager Exchange Service. For detailed installation steps, refer to https://www.netiq.com/documentation/identity-manager-46-drivers/msazure_ad/data/b1hxmlh2.html

Step 1:

In the first step we create a server certificate, since the eDirectory server is acting as the CA.

  • Open iManager and log in to the connected eDirectory server with administrator rights.
  • Click Roles and Tasks > NetIQ Certificate Server > Create Server Certificate.


  • Select the server and provide a nickname for the certificate.
  • The nickname must be the same as the Certificate Alias you specified while installing the Identity Manager Exchange Service.


  • Click Next, then click Finish to complete the certificate creation.

Step 2:

Now export the server certificate from the connected eDirectory server and save it to a file in PFX format.

  • Open iManager and log in to the connected eDirectory server with administrator rights.
  • Click Roles and Tasks > NetIQ Certificate Access > Server Certificates, select the server certificate you created, and click Export.


  • Select the certificate by nickname and select Export Private Key.
  • Enter the password and click Next.
  • To save the certificate to a file, click Save the exported certificate and rename the file Exchangeazure.pfx (the rename is only for clarity and is not a mandatory step).

Step 3:

  • Next, import the saved certificate into the trusted store of the Windows server on which the Identity Manager Exchange Service will run.
  • Copy the Exchangeazure.pfx file to the Windows server.


  • Click Start > Run > mmc.
  • Click File > Add/Remove Snap-in.


  • Select Certificates, click Add, and choose Computer account for the snap-in.
  • Click Finish.
  • Navigate to Certificates (Local Computer) > Trusted Root Certification Authorities.
  • Right-click and select All Tasks > Import.


  • On the Welcome to the Certificate Import Wizard page, click Next.
  • Click Browse and select the eDirectory server certificate (Exchangeazure.pfx) you copied to the Windows server earlier.
  • Specify the password and click Next.


  • Click Finish to import the certificate into the trust store.

Now start the Identity Manager Exchange Service from Services.msc, where all Windows services are listed.

As a verification step, check that the Exchange Service is running by opening the following Exchange Service URL in your browser:

https://<Exchange_Service>:Port/ExchServer

Replace <Exchange_Service> with the IP address of your Windows server and Port with the port number you specified while installing the Exchange Service.

After opening the URL in the browser, the page should look like this:


This step confirms that the Exchange Service is installed and running successfully.
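As an added example (not part of the original post), the Step 3 import and the verification above can also be done from PowerShell instead of the MMC wizard and a browser: the PFX is imported into the Local Computer Trusted Root store, and a TLS handshake to the service confirms that it presents the certificate you just imported. The PFX path, service host and port are assumed values.

```powershell
# Added example, not from the original post. Assumed values: PFX path, service host, port.
$PfxPath     = 'C:\certs\Exchangeazure.pfx'
$ServiceHost = '192.0.2.10'   # IP address of the Windows server running the Exchange Service
$ServicePort = 9443           # port chosen when the Exchange Service was installed
$PfxPassword = Read-Host -Prompt 'Password used when exporting the PFX' -AsSecureString

# Step 3 equivalent: import the PFX into Trusted Root Certification Authorities (Local Computer).
# If the PFX also carries the CA certificate, keep the entry that owns the private key (the server cert).
$imported = @(Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\Root' -Password $PfxPassword) |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1
Write-Host "Imported '$($imported.Subject)' with thumbprint $($imported.Thumbprint)"

# Check that the certificate is really in the store (what the MMC view would show).
if (-not (Test-Path "Cert:\LocalMachine\Root\$($imported.Thumbprint)")) {
    throw 'Certificate is missing from the Trusted Root store after import'
}

# Verification: perform a TLS handshake with the service and compare the presented
# certificate's thumbprint with the imported one. Chain validation is skipped in the
# callback on purpose, because the thumbprint comparison below is the actual check.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($ServiceHost, $ServicePort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($ServiceHost)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($presented.Thumbprint -ne $imported.Thumbprint) {
        throw "Service presented thumbprint $($presented.Thumbprint), expected $($imported.Thumbprint)"
    }
    Write-Host "https://${ServiceHost}:${ServicePort}/ExchServer presents the expected certificate"
}
finally {
    $tcp.Close()
}
```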

Step 4:

Now obtain the public certificate and import it into the keystore of the IDM server where the Azure AD Driver is running.

  • Again, click Start > Run > mmc.
  • Click File > Add/Remove Snap-in.
  • Select Certificates, click Add, and choose Computer account for the snap-in.
  • Click Finish.
  • Navigate to Certificates (Local Computer) > Trusted Root Certification Authorities.
  • Select the certificate that was imported earlier (from Exchangeazure.pfx), right-click it, and select All Tasks > Export.


  • Click Next twice, provide a name and location for the certificate, and click Finish. The certificate is saved in the given location.


  • Once the certificate is saved with the .cer extension (for example, ExchangeazurePublic.cer), move it to the eDirectory server where the IDM Azure AD Driver is running.
  • Add the exported public certificate to the driver keystore using the following Java keytool command:

    keytool -import -file <path to the Exchange cert file>\<ExchangeazurePublic.cer> -keystore <mykeystore> -alias <aliasname>

The <aliasname> should be the same as the nickname provided in Step 1, which here is “Exchangeazure”.

<mykeystore> is any name we choose for the Java keystore file.

This completes the steps needed to secure the connection between the Exchange Service and the IDM Azure AD Driver.
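The Step 4 export and the keytool import, as an added example that is not from the original post: the imported certificate is selected by thumbprint in the Local Computer root store, only its public part is written as a DER .cer file, and keytool adds it to the driver keystore under the alias from Step 1, then lists the entry back so its fingerprint can be compared with the exported file. It assumes the IDM server is Windows with keytool on the PATH (on a Linux IDM server, run the same two keytool commands from a shell); the thumbprint, paths and alias are placeholders.

```powershell
# Added example, not from the original post. Replace the placeholders with your values.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'            # thumbprint shown in MMC for the imported certificate
$CerPath    = 'C:\certs\ExchangeazurePublic.cer'  # public certificate file to create
$Keystore   = 'C:\certs\mykeystore'               # driver keystore file (<mykeystore> on the page)
$Alias      = 'Exchangeazure'                     # must equal the nickname from Step 1
$StorePass  = Read-Host -Prompt 'Keystore password' -AsSecureString

# Step 4 equivalent: export only the public certificate (no private key) in DER form.
$cert = Get-Item "Cert:\LocalMachine\Root\$Thumbprint"
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# Fingerprints in keytool's colon-separated form, for comparison with keytool's output.
function Get-Fingerprint([byte[]]$Data, [string]$Algorithm) {
    $hash = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm).ComputeHash($Data)
    return ($hash | ForEach-Object { $_.ToString('X2') }) -join ':'
}
$fpSha256 = Get-Fingerprint $cert.RawData 'SHA256'
$fpSha1   = Get-Fingerprint $cert.RawData 'SHA1'

# Import into the Java keystore (the same command as on the page, run non-interactively).
$plainPass = (New-Object System.Net.NetworkCredential('', $StorePass)).Password
& keytool -import -noprompt -file $CerPath -keystore $Keystore -alias $Alias -storepass $plainPass
if ($LASTEXITCODE -ne 0) { throw "keytool -import failed with exit code $LASTEXITCODE" }

# Read the entry back and check that its fingerprint matches the exported certificate
# (newer keytool versions print SHA-256, older ones print SHA1).
$listing = (& keytool -list -keystore $Keystore -alias $Alias -storepass $plainPass 2>&1) | Out-String
if ($listing -notmatch [regex]::Escape($fpSha256) -and $listing -notmatch [regex]::Escape($fpSha1)) {
    throw "Alias '$Alias' is in the keystore but its fingerprint does not match $CerPath"
}
Write-Host "Alias '$Alias' added to $Keystore with SHA-256 fingerprint $fpSha256"
```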

Thanks for reading :)



By: vkarthik, Jun 16, 2017