The communication between IDM Azure AD Driver and Exchange Service is secured via SSL. We need to create and import a Server Certificate into the root certificate store of the Windows Server where Exchange Service is deployed.
IDM Exchange Service is a multi-tenant, REST-based Windows service that supports Microsoft Exchange Online. With the help of this service, the Azure AD Driver can provision or deprovision user mailboxes and mail users, and create or remove distribution lists and security groups on Office 365 Exchange Online. The service can be configured independently of the driver on a separate Windows server, and a single instance of the service can serve several Azure AD Driver instances. The service translates the driver's REST calls into Exchange Online cmdlets that manage Exchange Online, and it listens on a user-configured port. Although the service can be installed independently of the driver, it requires an instance of the Azure AD Driver to work properly: on startup, the driver initializes the service by sending it the Office 365 Exchange domain, user name, and password. This initialization only succeeds when the system time on the servers running the engine and the service is synchronized. The service cannot be used with any other REST client tool.
Note: The following procedure assumes eDirectory as the Certificate Authority (CA).
Following the steps below will establish a secure connection between Exchange Service and the IDM Azure AD Driver.
This procedure assumes you have already installed the Identity Manager Exchange Service. For detailed installation steps, refer to https://www.netiq.com/documentation/identity-manager-46-drivers/msazure_ad/data/b1hxmlh2.html
In the first step we create a server certificate, since we are using the eDirectory server as the CA.
The nickname should be the same one you specified while installing Identity Manager Exchange Service.
Now let's import the server certificate from the connected eDirectory server and save it to a file in the PFX format.
Select the certificate by nickname and select Export Private Key as shown below:
To save the certificate to a file, click and rename it to Exchangeazure.pfx (the rename is only for clarity and is not a mandatory step).
Now start the Identity Manager Exchange Service from Services.msc, where all Windows services are listed.
As a verification step, to check that the Exchange Service is running, open the following Exchange Service URL in your browser:
Replace <Exchange_Service> with the IP address of your Windows server and :Port with the port number you specified while installing Exchange Service.
After pasting the URL into the browser, the result should look like the screenshot below:
This step confirms that Exchange Service is installed and running successfully.
Now we obtain the public certificate and import it into the keystore of the IDM server where the Azure AD Driver is running:
keytool -import -file <path to the Exchange cert file>\<ExchangeazurePublic.cer> -keystore <mykeystore> -alias <aliasname>
The <aliasname> should be the same as the nickname provided earlier in Step 1, which here is “Exchangeazure”.
<mykeystore> is the name of the Java keystore file; any name can be used.
This completes the steps required to secure the connection between Exchange Service and the IDM Azure AD Driver.
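The Windows-side part of the procedure above (import the exported .pfx into the root store, export the public .cer for the keytool step, start the service and verify it) as a single PowerShell script. This is an added example, not code from the article or from NetIQ: the service name, the service URL and the file paths are placeholders, and the thumbprint comparison at the end is an extra sanity check that the article does not describe.

```powershell
# Added example (not from the article). Placeholders: service name, service URL, file paths.
# "Exchangeazure" is the certificate nickname used in the article.
$PfxPath     = 'C:\certs\Exchangeazure.pfx'          # exported from eDirectory (iManager) with the private key
$CerPath     = 'C:\certs\ExchangeazurePublic.cer'    # public certificate to copy to the IDM server for keytool
$ServiceName = '<IDM_Exchange_Service_name>'         # placeholder: check Services.msc for the exact name
$ServiceUrl  = 'https://<Exchange_Service>:<Port>/'  # placeholder: the URL from the verification step

# 1. Import the server certificate (with private key) into the machine's trusted root store,
#    which is where the article says the Exchange Service expects it.
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\Root' -Password $pfxPassword
"Imported: $($cert.Subject)  thumbprint=$($cert.Thumbprint)  expires=$($cert.NotAfter)"

# 2. Export only the public part (DER-encoded .cer) for the keytool -import on the IDM server.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# 3. Start the service and confirm it is running before testing the URL.
Start-Service -Name $ServiceName
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') { throw "$ServiceName is not running (status: $($svc.Status))" }

# 4. Sanity check: the certificate the service presents must be the one just imported, so the
#    public certificate copied into the IDM keystore is the right one. Chain validation is
#    skipped here only to read the presented certificate; the thumbprint comparison is the check.
$uri    = [Uri]$ServiceUrl
$client = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($uri.Host)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()
if ($served.Thumbprint -ne $cert.Thumbprint) {
    throw "Service presents thumbprint $($served.Thumbprint), expected $($cert.Thumbprint)"
}
"Exchange Service at $ServiceUrl presents the imported certificate; copy $CerPath to the IDM server."
```

Run it in an elevated PowerShell session on the Windows server hosting the Exchange Service; the Import-PfxCertificate and Export-Certificate cmdlets come with the built-in PKI module on Windows Server 2012 and later.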
Note: To download Azure powershell module: https://bposast.vo.msecnd.net/MSOPMW/Current/amd64/AdministrationConfig-en.msi
Thanks for reading 🙂
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.