This article will try to detail the process of setting up a working SSL-encrypted connection with the LDAP-driver to Sun DSEE 6.3 running on Windows. I assume the reader has experience with IDM/eDirectory/iManager. If you are interested in what the commands in this document really do, I recommend downloading the DSEE documentation set.
The reason I wrote this is that I needed to get a test environment working for the LDAP-driver together with Sun DSEE, and I had some trouble setting up the SSL part because the LDAP-driver documentation details the steps for the Netscape Directory Server, which is what DSEE was called a couple of versions ago. According to Father Ramon in the IDM forum:
“Sun DSEE is rename/derived from Sun Java System Directory, which was rename/derived from Sun One Directory Server, which was renamed rename/derived from iPlanet Directory Server (a collaboration between Sun and Netscape), which was rename/derived from Netscape Directory Server.”
In this example I have two VMware machines: one is running SLES 10 SP1 with eDirectory 8.8.2 and IDM 3.5.1 and has IP address 192.168.0.100; the other is running Windows Server 2003 with Active Directory and Sun DSEE 6.3 and has IP address 192.168.0.101.
Now we’ll get to the process of setting up the driver. First I had to install the IDM Remote Loader on the Windows machine; I won’t detail the install since it’s already well documented and mostly consists of clicking Next… After installing the Remote Loader you might want to patch the LDAP-driver with the latest patch from Novell.
In the Remote Loader Console I clicked on Add and created a Remote Loader instance with the following configuration:
Description: SunDSEE
Driver: com.novell.nds.dirxml.driver.ldap.LDAPDriverShim
Config File: C:\Novell\RemoteLoader\SunDSEE-Config.txt
IP Address: 192.168.0.101
Connection Port – Metadirectory Server: 8090
Command Port – Local host communication only: 8000
Remote Loader Password: Remote
Driver Object Password: Driver
Use an SSL Connection: No
Trace Level: 3
Trace File: C:\Novell\RemoteLoader\SunDSEE-Trace.log
Maximum Disk Space Allowed for all Trace Logs (Mb): 100
Establish a Remote Loader service for this driver instance: Yes
How to install Sun DSEE 6.3 on Windows Server 2003
This part will tell you step by step how to install DSEE on Windows.
Surf to the Sun DSEE download page:
Download Directory Server Enterprise Edition 6.x, version 6.3, Native Package (PKG) for Windows Server 2003.
You will be presented with an option to download the Patch Only Install and the Base Full Install DSEE 6.0. Download both, because you must first install DSEE 6.0 and then patch it to 6.3.
After downloading and extracting the files run setup.bat from the java_es-5_identsuite-windows-x86 folder.
I selected that I wanted the wizard to configure the Java Enterprise System automatically during installation.
I then had to select the components to install, I chose only the Directory Server Enterprise Edition 6.0:
After the components selection you must enter a password for the Java ES administrator, the password must be at least 8 characters long:
At the end of the installation I de-selected “Click here to start the servers of configured products.” as I didn’t want to start any services because I had to patch DSEE to v6.3.
Patching DSEE to v6.3
During this process I had three command line windows open as it made the process easier.
Open a CMD prompt and go to
dsadm.exe stop "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"
After that open the task manager and kill the
process. (If it’s running)
Open another CMD prompt and go to
Now you’ll need to download some patches and install them.
Surf to the Sun support site:
Download the Sun patch 126910-02 and install it, this is needed to be able to install the other patches.
Download the Sun patch 126183-07 and install it, this will patch “cacao”.
According to the documentation cacao is the “common agent container”.
CD back to
Download the patch 125311-07 if you didn’t do it in the beginning and install it, this will patch DSEE to v6.3.
Open up another CMD prompt and CD to
In your first CMD window (C:\Program Files\Sun\JavaES5\DSEE\ds6\bin) type:
dsadm.exe start "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"
If you get an error that the directory does not exist you can change back to the
directory and run:
or you can wait and do it later through the web browser.
Back in your
This will start the common container agent.
When the installation has completed open a web browser and surf to:
https://IP of your DSEE server:6789
This will get you to the Java Web Console which you use to access the management tool for the DSEE, the Directory Service Control Center (DSCC), think iManager and you’ll get the picture.
You will need to login with a user that has administrative rights to the server OS, in my case Administrator.
Next, click on the DSCC link at the bottom.
If you did not run the “dsccsetup.exe initialize” command then you will be asked to initialize DSCC, enter a password.
A pop-up window will open and the DSCC will initialize its configuration. When it’s done click Close and Continue. Now you are in the Control Center, which you use to administer DSEE using a GUI. There is also a command line tool called “dsadm”.
We are going to click on the Directory Servers tab and then on New Server…
A new window will open where we are going to enter the details of our new DSEE instance.
If you are running another LDAP server on the same machine that uses the default 389/636 port combination, you have to enter another port number, in my case 1389 and 1636. The Instance Path is where the database files will be located; it must not exist.
If the server is an AD domain controller you need to enter the Runtime User ID in the following format:
These are the settings I used:
Host: Know Host: <MY SERVERNAME>
LDAP Port: 1389
LDAP Secure Port: 1636
Instance Path: c:\sundsee
Directory Manager DN: cn=Directory Manager
Runtime User ID: <mydomain>\administrator
DSCC Agent Port: Default (11162)
If you get an error when you click Next, such as that the DSCC agent could not be contacted, do the following:
Open a cmd.exe process on your server where DSEE will be running, and go to:
If you get the following message: default instance is DISABLED at system startup.
default instance is not running.
Go back to DSCC and try to click Next again.
You will be asked to accept a default certificate, do it and click Next:
When the installation is complete click on the Suffixes tab in DSCC and then on New Suffix…
This is like creating a new tree in eDirectory (I think…)
In step 2 select “Do Not Replicate Suffix”
In step 2.1 select your server.
In step 3 select Use Default Settings
In step 4 select Use Default Database Location
In step 5 select Initialize by Importing Sample Data (160 entries)
Now that I had created the instance and the suffix, I wanted to test connectivity by authenticating with an LDAP browser. I used Apache Directory Studio to connect to my server on the SSL port 1636 with “cn=Directory Manager” as the username (you could say that’s the admin user). I also had to specify the base DN, which in my case was the DN of the suffix, o=Atlas.
The next step is to configure the DSEE services to start automatically when Windows starts.
First create an empty text file named
and place it under C:\
Edit it and enter the password of the administrator user, in my case of the domain administrator, IDM360\Administrator. Just the password, nothing else.
Now from the
directory run this command:
cacaoadm.bat enable -i default -f c:\password.txt
This will create a new service. In my case it was named Common Agent Container 2 (864cfa27:default), but I was not able to start it.
I had to go to the Domain Controller Security Policy under Administrative Tools in the Control Panel, select Local Policies > User Rights Assignment > Log on as a service, and add my user to that list. Then I ran the gpupdate command and I was able to start my new service!
Now, to enable the DSEE instance and the DSCC instance to start as a service CD to the
Type the following commands, change c:\sundsee to the path of your installed instance:
dsadm stop c:\sundsee
dsadm enable-service c:\sundsee
dsadm.exe stop "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"
dsadm.exe enable-service "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"
Now I had two more services:
Directory Server 6.3 (C:/Program Files/Sun/JavaES5/DSEE/var/dscc6/dcc/ads)
Directory Server 6.3 (c:/sundsee)
Enabling the retro changelog which is needed by the LDAP driver:
Type the following command when you are located in the
dsconf set-server-prop -h 192.168.0.101 -P 1636 retro-cl-enabled:on
Restart the directory server using DSCC or the command line.
Next I need to configure the DSEE to accept SSL-connections from the IDM LDAP-driver.
Logon to the DSCC, select Directory Servers, click on the server, in my case IDM36:1389
Click on the Security tab. If you get an error about authentication like I did, click on it to update the credentials and type in the username in the format DOMAIN\USERNAME, in my case IDM360\Administrator.
Click on the Certificates tab.
We will now generate a new certificate request.
Click on Request CA-Signed, a new window will open.
I just entered the CN as LdapDriverCert and clicked OK.
You’ll get a new window with the certificate request:
Select the entire text from -----BEGIN to after the REQUEST and save it to a file such as LdapDriverCertCSR.txt.
Step 2 is to use iManager to issue the certificate using the eDirectory CA.
Logon to iManager, click on Novell Certificate Server > Issue Certificate
In the filename field browse to the LdapDriverCertCSR.txt file.
Select SSL or TLS as key type.
I also selected Extended key type: Any
I selected the certificate type as Certificate Authority and Path length as Unspecified.
Select a validity period and click Next.
Select: Save to: File in Base64 format
Save the file LdapDriverCertCSR.b64 to your computer.
Next go back to DSCC and click on Add next to the Request CA-Signed button.
Enter a certificate name and open the b64 file in a text editor, copy and paste the entire content into the new DSCC window where it says certificate.
Now go back to iManager, switch to the View Objects view, Browse > Security, click on your CA and click Modify Object, click on Certificates, check Self Signed Certificate, click Export, don’t export the private key (uncheck it). Select BASE64 format. Click Next.
Save it as TrustedRoot.b64
Now, back again to DSCC, click on the CA Certificates tab, click Add.
A new window will open.
Enter a name that will identify your tree’s CA certificate. Open your TrustedRoot.b64 and copy and paste the content into the Certificate field.
When you are done it will look something like this:
It will tell you that you need to restart the DSEE service. Do it.
Now click on the Security tab in DSCC and on the General page change the SSL Settings. There is an option called Certificate:, change it from Default Certificate to LdapDriverCert (the name you gave your eDirectory signed certificate.) Click Save, you will get a message telling you to restart the service, do it again.
Now I have to proceed with the step that is labeled “7.6.2 Importing into the Client’s Certificate Store” in the LDAP Driver documentation.
It details the steps needed to import the eDirectory trusted root certificate into a keystore that the driver uses.
For this I’m using a Java based GUI tool named KeyTool IUI that can be downloaded from here:
You need to have JRE 1.6+ installed to start it, after extracting the ZIP-file I had to edit the
file and remove the REM before
set HOME_JAVA=C:\Program Files\Java\jdk1.6.0\jre\bin\java
and changed the path to the JRE directory installed on my machine:
(You’ll have to make sure you enter the path on YOUR machine)
After starting the program click on Create > Keystore
Click on the disk icon and browse to the directory where you want to store the keystore. I chose to store it under
Then click on the Keystore password icon and enter a password for the keystore. I chose changeit
Now we have to import the trusted root certificate. I had to rename my .B64 file containing the trusted root to .PEM
In KeyTool IUI go to
Import > Keystore's entry > Trusted Certificate > Regular certificate
Under Source browse for the .PEM file, under Target browse for the Keystore file and enter the password for the keystore.
You’ll be asked to enter an alias for the certificate and then you’ll have to confirm that you trust it.
When you’re done it should look something like this:
Configuring the LDAP driver in Designer
I assume you know how to use Designer to configure a driver, this is the configuration I used:
The configuration is pretty straightforward. I entered the following data:
Driver name: LDAP
Placement Type: Mirror
eDirectory Container: Sun
LDAP Container: O=atlas
LDAP Server: 192.168.0.101 : 1636
LDAP Authentication DN: cn=Directory Manager
Use SSL: Yes
Configure Data Flow: Bi-Directional
Driver is Local/Remote: Remote
Remote Host Name and Port: 192.168.0.101 : 8900
Driver Password: Driver
Remote Password: Remote
Keystore Path: C:\Novell\RemoteLoader\ldapdriver.jks
Use SSL Mutual Authentication: No
Polling Interval in Seconds: 20
Publication Method: Changelog
Entries to Process on Startup: Previously unprocessed
Changelog Max Batch Size: 1000
After deploying the driver and setting the security equivalence my driver started nicely. If you have any problems raise the trace level on the Remote Loader to see what’s happening when it tries to connect.
Now we have the driver running and syncing, BUT what if I don’t want to use the eDirectory-generated certificate for my Sun DSEE server? What if I want to use DSEE’s own certificate?
Well, I’ll explain how to accomplish that too.
Using DSEE certificates in the driver instead of the eDirectory certificates
Download OpenSSL Light from here and install it:
You may also need to install the Visual C++ 2008 runtime from here:
We are going to use openssl.exe to extract the public key from the DSEE certificate since I don’t know how to export just the public key (tips are welcome).
Now we are going to export the Sun DSEE default certificate, yes more import/export…
In DSCC, Security, Certificates, check Default Certificate (or the one you want to use), More Certificate Actions, Export
My Export Path was: C:\suncert
You’ll be asked to set a PKCS#12 password.
Now you have a PKCS12 file that contains both the private and the public key.
In DSCC, Security > General > Certificate: change back from LdapDriverCert (or whatever you named your eDirectory generated certificate) to Default Certificate or another cert. you want to use. Save and restart the DSEE service.
After that we run the command:
openssl pkcs12 -in c:\suncert -out sunpublickey.pem -clcerts -nokeys
This command extracts the certificate, which carries the public key, from the exported PKCS#12 file and leaves the private key out (-nokeys).
Now open that .PEM file in a text editor and remove everything from the beginning so you just have something that begins with -----BEGIN CERTIFICATE----- and so on. Save the file. Now use KeyTool IUI to import the .PEM file into our keystore file (Import > Keystore's entry > Trusted Certificate > Regular certificate).
When you’re done restart the driver to test if it works as it should.
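The extraction, clean-up and keystore import described in this section can also be done from the CMD prompt, followed by a check of which certificate the server on port 1636 actually presents. This is an added example, not part of the original article; it assumes openssl.exe and Java's keytool.exe are on the PATH, and the alias sundsee and the file name sunpublickey-clean.pem are made up for illustration.

```batch
@echo off
REM Added example, not from the original article. Assumes openssl.exe and
REM keytool.exe are on the PATH. The alias "sundsee" and the file name
REM sunpublickey-clean.pem are hypothetical; the paths are the article's.
setlocal
set P12=c:\suncert
set KEYSTORE=C:\Novell\RemoteLoader\ldapdriver.jks
set SERVER=192.168.0.101:1636

REM 1. Export the certificate only. -nokeys keeps the private key out of the
REM    output; openssl prompts for the PKCS#12 password chosen in DSCC.
openssl pkcs12 -in "%P12%" -out sunpublickey.pem -clcerts -nokeys
if errorlevel 1 goto fail

REM 2. Stop if private key material ended up in the file anyway.
REM    findstr returns 0 when the string is found.
findstr /C:"PRIVATE KEY" sunpublickey.pem >nul
if not errorlevel 1 goto haskey

REM 3. Re-encode through x509. This drops the "Bag Attributes" text that
REM    precedes -----BEGIN CERTIFICATE-----, so no hand editing is needed.
openssl x509 -in sunpublickey.pem -out sunpublickey-clean.pem
if errorlevel 1 goto fail

REM 4. Print subject, validity and fingerprint of what is about to be trusted.
openssl x509 -in sunpublickey-clean.pem -noout -subject -dates -fingerprint -sha256

REM 5. Import as a trusted certificate. keytool prompts for the keystore
REM    password, so it does not end up in the command history or a script.
keytool -importcert -alias sundsee -file sunpublickey-clean.pem -keystore "%KEYSTORE%"
if errorlevel 1 goto fail

REM 6. Fingerprint of the certificate the listener on port 1636 presents now.
REM    It should equal the value printed in step 4 once Default Certificate
REM    is selected in DSCC and the DSEE service has been restarted.
openssl s_client -connect %SERVER% <nul 2>nul | openssl x509 -noout -fingerprint -sha256
exit /b 0

:haskey
echo sunpublickey.pem contains a private key, delete it and re-export with -nokeys
:fail
echo A step failed, nothing further was done.
exit /b 1
```

The keytool -importcert line in step 5 works the same way for the TrustedRoot.b64 file from the earlier eDirectory-certificate section, with a different alias.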
So there you have it, how to set up your own test environment instance of Sun DSEE and configure the IDM LDAP-driver for SSL communications in two ways, with the eDirectory generated certificate or with the DSEE generated certificate.
Remember, if you are running the Remote Loader as I am, there are two connections that you may need to secure. One is the connection from IDM to the Remote Loader; you can activate SSL on that too and it’s really easy. The other is the connection between the driver shim and the LDAP server, which is what this document is about.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.