20.1 Creating a Secure Connection to the Identity Manager Engine

You must ensure that data is transferred securely between the Remote Loader and the Identity Manager engine. NetIQ recommends using the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocols for this communication. To support TLS/SSL connections, you need an appropriate self-signed certificate in a keystore file or in a KMO (Key Material Object). This section explains how to create, export, and store that certificate.

NOTE: Use the same version of SSL on the servers hosting the Identity Manager engine and the Remote Loader. If the versions of SSL on the server and the Remote Loader do not match, the server returns an SSL3_GET_RECORD:wrong version number error message. This message is only a warning, and communication between the server and the Remote Loader is not interrupted. However, the error might cause confusion.

20.1.1 Understanding the Communication Process

The Remote Loader opens a client socket and listens for connections from the remote interface shim. The remote interface shim and the Remote Loader perform an SSL handshake to establish a secure channel. Then the remote interface shim authenticates to the Remote Loader. If the authentication of the remote interface shim succeeds, the Remote Loader authenticates to the remote interface shim. Only when both sides are satisfied that they are communicating with an authorized entity does synchronization traffic occur.

The process for establishing SSL connections between a driver and the Identity Manager engine depends on the type of driver:

NOTE: The Remote Loader allows for custom connection methods between the Remote Loader and the remote interface shim that is hosted on the Identity Manager server. To configure a custom connection module, see the documentation that comes with the module for information regarding what is expected and allowed in the connection string.

20.1.2 Managing Self-Signed Server Certificates

You can create and export a self-signed server certificate to ensure secure communication between the Remote Loader and the Identity Manager engine. For additional security, you can configure stronger ciphers for SSL communication as specified by Suite B. This communication requires the use of ECDSA (Elliptic Curve Digital Signature Algorithm) certificates for encrypting the data. When Suite B is enabled, the Remote Loader uses TLS 1.2 as the communication protocol. For more information about Suite B, see Suite B Cryptography.

You can export a newly created certificate or use an existing certificate.

NOTE: When a server joins a tree, eDirectory creates the following default certificates:

  • SSL CertificateIP

  • SSL CertificateDNS

  • Suite B compliant certificates

  1. Log in to NetIQ iManager.

  2. To create a new certificate, complete the following steps:

    1. Click NetIQ Certificate Server > Create Server Certificate.

    2. Select the server to own the certificate.

    3. Specify a nickname for the certificate. For example, remotecert.

      NOTE: NetIQ recommends that you avoid using spaces in the certificate nickname. For example, use remotecert instead of remote cert.

      Also, make a note of the certificate nickname. This nickname is used for the KMO name in the driver’s remote connection parameters.

    4. Select the certificate creation method, then click Next.

      You have the following options:

      • Standard: This option creates a server certificate object using the largest possible key size and signs the public key certificate with your Organizational CA.

      • Custom: This option creates a server certificate object using the settings you specify. It allows you to set a number of customized settings for the Server Certificate object. Select this option to create ECDSA certificates for Suite B communication.

      • Import: This option creates a server certificate object using the keys and certificates from a PKCS12 (PFX) file. You can use this option in conjunction with the Export feature to back up and restore a Server Certificate, or to move a Server Certificate object from one server to another.

    5. Specify the certificate parameters.

    6. Accept the rest of the certificate defaults.

    7. Review the summary, click Finish, then click Close.

  3. To export a certificate, complete the following steps:

    1. In iManager, navigate to Roles and Tasks > NetIQ Certificate Access > Server Certificates.

    2. Browse to and select the certificate you created or a server-created certificate (for example, SSL CertificateDNS).

    3. Click Export.

    4. Select the CA Certificate as OU=organization CA.O=TREEANAME from the drop-down menu.

    5. Select the Export Format as BASE64 from the drop-down menu.

      NOTE: When the Remote Loader is running on a Windows 2012 R2 64-bit server, the certificate must be in Base64 format. If you use the DER format, the Remote Loader fails to connect to the Identity Manager engine.

    6. Click Next.

    7. Click Save, then click Close.

20.1.3 Creating a Keystore File when Using SSL Connections

To use SSL connections between a Java driver and the Identity Manager engine, you must create a keystore. A keystore is a Java file that contains encryption keys and, optionally, certificates. If you want to use SSL between the Remote Loader and the Identity Manager engine and you are using a Java shim, you need to create a keystore file. The following sections explain how to create a keystore file:

Creating a Keystore on Any Platform

To create a keystore on any platform, you can enter the following at the command line:

keytool -import -alias trustedroot -file self-signed_certificate_name -keystore filename -storepass keystorepass

The filename can be any name. For example, rdev_keystore.

Creating a Keystore on Linux

In Linux environments, use the create_keystore file, which is a shell script that calls the Keytool utility. The file is installed with rdxml, located by default in the install_directory/dirxml/bin directory. The create_keystore file is also included in the dirxml_jremote.tar.gz file, found in the \dirxml\java_remoteloader directory.

NOTE: On UNIX computers, when the self-signed certificate is used to create the keystore, the certificate can be exported in Base64 or binary DER format.

Enter the following at the command line:

create_keystore self-signed_certificate_name keystorename

For example, type one of the following:

create_keystore tree-root.b64 mystore
create_keystore tree-root.der mystore

The create_keystore script specifies a hard-coded password of “dirxml” for the keystore password. This is not a security risk because only a public certificate and public key are stored in the keystore.
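The following script is an added example, not NetIQ's create_keystore script or any other NetIQ code. It shows the keytool import from Creating a Keystore on Any Platform wrapped in a small shell function that first checks whether the exported certificate is Base64 or binary DER (the distinction the Windows and UNIX notes above turn on), refuses files that are neither, and lists the imported entry afterwards. It assumes keytool from a JRE is on PATH; the alias trustedroot and the password argument are placeholders you can change.

```shell
#!/bin/sh
# Added example (not NetIQ's create_keystore script): classify an exported
# certificate file and import it into a Java keystore with the same keytool
# arguments the documentation uses. Assumes keytool is on PATH.

# Print "base64", "der" or "unknown" for the certificate file given as $1.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo base64
    elif [ "$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # A DER-encoded X.509 certificate always starts with the ASN.1
        # SEQUENCE tag, byte 0x30; a readable file or empty file will not.
        echo der
    else
        echo unknown
    fi
}

# Import certificate $1 into keystore $2 protected by password $3.
# Returns 1 without touching the keystore if $1 is not a certificate file.
# -noprompt answers the interactive "Trust this certificate?" question,
# which is what you want inside a script; review the file before calling.
import_trusted_cert() {
    cert=$1; keystore=$2; storepass=$3
    case "$(cert_format "$cert")" in
        base64|der) ;;
        *) echo "$cert: not a Base64 or DER certificate" >&2; return 1 ;;
    esac
    keytool -import -noprompt -alias trustedroot -file "$cert" \
        -keystore "$keystore" -storepass "$storepass" || return 1
    # Confirm the entry is present as a trusted certificate before relying on it.
    keytool -list -keystore "$keystore" -storepass "$storepass" -alias trustedroot
}

# Usage (mirrors the create_keystore examples above, with an explicit password):
#   sh import_cert.sh tree-root.b64 mystore dirxml
if [ "$#" -eq 3 ]; then
    import_trusted_cert "$1" "$2" "$3"
fi
```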

Creating a Keystore on Windows

On Windows computers, run the Keytool utility, located by default in the c:\novell\remoteloader\jre\bin directory.