You can configure mutual authentication to ensure secure communication between the Remote Loader and the Identity Manager engine. Mutual authentication uses certificates for handshake instead of passwords. The Remote Loader and the Identity Manager engine authenticate each other by exchanging and validating the public key certificate or digital certificate issued by the trusted Certificate Authorities (CAs) or self-signed certificates. If mutual authentication succeeds, the Remote Loader authenticates to the engine. Synchronization traffic occurs after both the Remote Loader and the Identity Manager engine establish trust that they are communicating with an authorized entity.
Perform the following tasks to configure mutual authentication:
For mutual authentication to work properly, you need a server certificate for the engine and a client certificate for the Remote Loader. You can export the certificates from eDirectory or import them from a third-party vendor. In most cases, you will export a server certificate from eDirectory with no further investment. In some cases, you might want to export a third-party client certificate for the Remote Loader.
A certificate object in the Identity Vault is called Key Material Object (KMO). This object securely contains both the certificate data including the public key and the private key associated with the certificate used for SSL connections. For mutual authentication, you need two KMOs, each for the engine and the Remote Loader.
You can export an existing KMO or create a new KMO and then export it. The process of creating a client KMO and a server KMO is different.
To create a server KMO:
Log in to NetIQ iManager.
In the left side pane, click NetIQ Certificate Server, then select the server certificate.
Select the server to own the certificate that you created.
Specify a nickname for the certificate. For example, serverkmo.
Select Standard in the certificate creation method, then click Next.
Review the summary, click Finish, then click Close.
To create a client KMO:
Log in to NetIQ iManager.
In the left side pane, click NetIQ Certificate Server, then select the server certificate.
Select the server to own the certificate that you created.
Specify a nickname for the certificate. For example, clientkmo
Select Custom in the certificate creation method, then click Next.
Leave the default Organizational Certificate Authority unchanged, then click Next.
Unselect Enable Extended key usage, then click Next.
Accept the rest of the certificate defaults.
Review the summary, click Finish, then click Close.
Export the KMOs from eDirectory that the engine and the Remote Loader will use for authenticating with each other.
To export the KMO for the Identity Manager engine, run the DirXML Command Line (dxcmd) utility:
dxcmd -user <admin DN> -password <password of admin> -exportcerts <kmoname> <server|client> <java|native|dotnet> <output dir>
where
user specifies the name of a user with administrative rights to the driver.
password specifies the password of the user with administrative rights to the driver.
exportcerts exports the certificates and private/public keys from eDirectory. You must specify whether you are exporting a server or a client certificate, the type of driver that will use the certificate, and a destination folder where the command will store this information.
For example, dxcmd -user admin.sa.system -password novell -exportcerts serverkmo server java '/home/certs'
This command generates the serverkmo_server.ks file in the /home/certs/ directory. The default password for the keystore is dirxml.
When running the dxcmd command for exporting the KMO for the Remote Loader, the following considerations apply:
The dxcmd utility runs in LDAP mode. When you use it for the first time, it prompts for specifying the choice of trusting the certificate from eDirectory. Depending on your environment, you can choose to trust the certificate only for the current session, for the current and future sessions, trust all certificates, or select not to trust the certificate.
If the Remote Loader is running on the Identity Manager server, run the command in either LDAP or dot format. If the Remote Loader is installed on a separate server, run the command only in LDAP format.
Specify the -host parameter in the command to resolve the server IP address or hostname to be able to authenticate with the Identity Manager server.
Run the command using the following syntax:
dxcmd -dnform ldap -host <IP address of the host> -user <admin DN> -password <password of admin> -exportcerts <kmoname> <client> <java|native|dotnet> <output dir>
Table 20-1 Examples for different types of drivers
|
Type of Driver |
Command |
Output |
|---|---|---|
|
Java Driver |
dxcmd -dnform ldap -host 194.99.90.218 -user cn=admin,ou=sa,o=system -password novell -exportcerts clientkmo client java '/home/certs' |
clientkmo_client.ks file in the /home/certs/ directory The default password for the keystore is dirxml. |
|
Native Driver |
dxcmd -dnform ldap -host 194.99.90.218 -user cn=admin,ou=sa,o=system -password novell -exportcerts clientkmo client native 'C:\certs' |
clientkmo_clientcert.pem, clientkmo_clientkey.pem, and trustedcert.b64 files in the C:\certs directory |
|
.NET Driver |
dxcmd -dnform ldap -host 194.99.90.218 -user cn=admin,ou=sa,o=system -password novell -exportcerts clientkmo client dotnet 'C:\certs' |
clientkmo_clientcert.pfx and trustedcert.b64 files in the C:\certs directory |
To use third party certificates with the Remote Loader, you need to export a certificate in the .pfx file and a trusted root file in Base 64 format and then convert the .pfx certificate to the format that the driver uses. For example, a native driver requires the private key and the certificate key in .pem format while a Java driver requires the keystore in .jks format. The .NET driver uses the file in .pfx format. So you need not convert the file for a .NET driver.
Complete the following steps:
Retrieve the private key in .pem format from the .pfx file.
Enter a command, such as openssl pkcs12 -in servercert.pfx -nocerts -out serverkey.pem –nodes
Retrieve the certificate key in .pem format from the .pfx file.
Enter a command, such as openssl pkcs12 -in servercert.pfx -nokeys -out servercert.pem
Create a Java keystore from the .pfx file. Enter a command, such as keytool -importkeystore -srckeystore servercert.pfx -srcstoretype pkcs12 -destkeystore servercert.jks -deststoretype JKS.
As a final step, specify the information in the Remote Loader configuration file depending on the type of the driver. For more information, see Enabling a Driver for Mutual Authentication.
You enable a driver communication for mutual authentication by performing the following tasks:
You can configure the driver by using KMO or keystore in Designer or iManager.
In Designer, you can configure the driver during the initial driver creation process or configure it after creating the driver.
To configure a driver in Designer:
Open your project in Designer.
In the palette of the Modeler view, select the driver that you want to create.
Drag the icon for the driver onto the Modeler view.
Follow the steps in the installation wizard.
In the Remote Loader window, select yes.
Host name: Specify the hostname or IP address of the server where the driver’s Remote Loader service is running. For example, enter hostname=192.168.0.1. If you do not specify a value for this parameter, the value defaults to localhost.
Port: Specify the port number where the Remote Loader is installed and is running for this driver. The default port number is 8090.
KMO: Specify the Key Name of the KMO that contains the keys and certificate that the Remote Loader uses for an SSL connection. For example, enter kmo=serverkmo. If you are configuring mutual authentication using KMO, you must specify a value for this parameter. You also need to specify a value for the Root File parameter in the Other parameters section. Root File should contain the trusted root certificate of Remote Loader in b64 format.
Other parameters: Specify the settings for the Remote Loader that you want to use. You include information about mutual authentication communication in this parameter. Any parameters specified must use a key-value pair format, as follows:paraName1=paraValue1 paraName2=paraValue2
For example, use the following syntax for keystore:
UseMutualAuth=true keystore='/home/certs/serverkmo_server.ks' storepass='dirxml' keypass='dirxml' key='serverkmo'
For example, use the following syntax for kmo:
useMutualAuth=true rootFile='/home/cacert.b64'
IMPORTANT:Ensure that the rootFile generated is in b64 format.
Set Password: Enables you to set or change an application password.
Delete Password: Deletes the password to the application.
Click Next.
Follow the rest of the instructions in the wizard until you finish installing the driver.
Review the summary of tasks that will be completed to create the driver, then click Finish.
Alternatively, you can configure the driver after creating it by performing the following steps:
In the Outline view of Designer, right-click the driver.
Select Properties.
In the navigation pane, select Driver Configuration.
Select Authentication.
Under Remote Loader authentication section, specify the information required to configure mutual authentication between the Remote Loader and the Identity Manager engine.
Use the following syntax for kmo:
hostname=xxx.xxx.xxx.xxx port=xxxx useMutualAuth=true kmo=certificatename rootFile=<absolute path to the file>
For example:
hostname=192.168.0.1 port=8090 useMutualAuth=true kmo=serverkmo rootFile='/home/cacert.b64'
Use the following syntax for keystore:
hostname=xxx.xxx.xxx.xxx port=xxxx useMutualAuth=true keystore=<absolute path to the keystore file> storepass=<keystore password> key=<alias name> keypass= <password for the key>
For example:
hostname=192.99.90.17 port=8097 useMutualAuth=true keystore='/home/certs/serverkmo_server.ks' storepass='dirxml' key='serverkmo' keypass='dirxml'
To modify the configuration in iManager:
Launch iManager.
From Overview, select the Identity Manager Driver object.
In the properties of the Driver object, complete the following steps:
For Driver Module, select Connect to Remote Loader.
For Driver Object Password, specify the password that the Remote Loader uses to authenticate with the engine.
This password must match the password for the driver object defined in the Remote Loader.
For Remote Loader Connection Parameters, specify the information required to connect to the Remote Loader.
Use the following syntax for kmo:
hostname=xxx.xxx.xxx.xxx port=xxxx useMutualAuth=true kmo=certificatename rootFile=<absolute path to the file>
For example:
hostname=192.168.0.1 port=8090 useMutualAuth=true kmo=serverkmo rootFile='/home/cacert.b64'
Use the following syntax for keystore:
hostname=xxx.xxx.xxx.xxx port=xxxx useMutualAuth=true keystore=<absolute path to the keystore file> storepass=<keystore password> key=<alias name> keypass= <password for the key>
For example:
hostname=192.99.90.17 port=8097 useMutualAuth=true keystore='/home/certs/serverkmo_server.ks' storepass='dirxml' key='serverkmo' keypass='dirxml'
(Optional) For Remote Loader Password, specify the password required for the Identity Manager engine (or Remote Loader shim) to authenticate to the Remote Loader.
Click Apply, then click OK.
You must configure the driver instance in the Remote Loader configuration file. Ensure that you specify the absolute path to the directory that stores the key file, certificate file, and the root file in the Remote Loader configuration file for a driver.
Modify the Remote Loader configuration file for a driver to include the content for enabling mutual authentication. The file is located in the /opt/novell/dirxml/doc directory.
To modify the configuration:
Log in to the server where you installed the driver and Remote Loader.
Stop the Remote Loader.
For example, enter the following command:
rdxml -config /home/drivershim.conf -uIn a text editor, open the Remote Loader configuration file for the driver.
Add the content required for enabling mutual authentication to the file.
For example, for a Java driver, add this entry:
-connection "port=8090 useMutualAuth=true keystore='/home/certs/clientkmo_client.ks' storepass='dirxml' key='clientkmo' keypass='dirxml'"
For example, for a Native driver, add this entry:
-connection "useMutualAuth=true port=8090 rootfile='/home/certs/trustedcert.b64' certfile='/home/certs/clientkmo_clientcert.pem' keyfile='/home/certs/clientkmo_clientkey.pem' keypass='dirxml' certform=PEM keyform=PEM"
Save and close the file.
Restart the driver.
In the Remote Loader Console, select the driver instance from Description column.
Click Stop.
Enter the password for the Remote Loader, then click OK.
Click Edit.
To modify the configuration information for enabling mutual authentication, complete the following steps:
Select Mutual Authentication.
For a native driver, specify the path to the key file that stores the certificate for authentication. The key file must be in Base 64 format.
Specifies the path to the file that stores the key for authentication. The key file must be in Base 64 format. For example, clientkmo_clientkey.pem file in the C:\certs\ directory created by dxcmd in Exporting a Certificate from eDirectory.
Specifies the password for the private key used for authentication.
Specifies the file where the certificates are stored. The certificate file must be in Base 64 format. For example, clientkmo_clientcert.pem in the C:\certs\ directory created by dxcmd in Exporting a Certificate from eDirectory.
Specifies the name of the file that contains the trusted root certificate of the issuer of the certificate that the remote interface shim uses. The trusted root file must be in Base 64 format. For example, trustedcert.b64 files in the C:\certs\ directory created by dxcmd in Exporting a Certificate from eDirectory.
For a Java driver, specify the path of the keystore file that contains the certificate. The keystore file must contain at least one public/private key pair.
Specifies the path to the Java keystore file you want to use for authentication. The keystore file contains encryption keys and certificates. The keystore file must contain at least one public/private key pair. For example, clientkmo_client.ks in the C:\certs\ directory created by dxcmd in Exporting a Certificate from eDirectory.
Specifies the name of the public/private key pair in the keystore file that you want to use for symmetric key generation. For example, clientkmo.
Specifies the password used to load the keystore file.
Specifies the password for the private key stored in the keystore. Identity Manager uses this key for encrypting the SSL communication.
For a .NET driver, specify the path to the key file that stores the certificate for authentication.
Specifies the path to the file that stores the key for authentication. For example, clientkmo_clientcert.pfx in the in the C:\certs\ directory created by dxcmd in Exporting a Certificate from eDirectory.
Specifies the password for the private key used for authentication.
Specifies the name of the file that contains the trusted root certificate of the issuer of the certificate that the remote interface shim uses. The trusted root file must be in Base 64 format. For example, trustedcert.b64 file in the C:\certs\ directory created by dxcmd in Exporting a Certificate from eDirectory.
Click OK.
Click OK.