6.2 Configuring Mutual Authentication

Use the following procedure to configure mutual authentication between the Bidirectional eDirectory driver and the Identity Vault:

  1. Complete Step 1 through Step 9 in Importing the Certificate into the Client’s Certificate Store.

  2. Create a user certificate that the driver can use:

    1. In iManager, log in to the connected eDirectory server with administrator rights.

    2. In the left pane of the Roles and Tasks tab, select NetIQ Certificate Server > Create User Certificate > Browse > Driver Authenticate User option, then click Next.

    3. Specify the Nickname, then select Custom, and then click Next.

    4. Click Finish.

  3. Export the user certificate as a cert.pfx file:

    1. In iManager, log in to the connected eDirectory server as the driver’s authenticated user.

    2. In the left pane of the Roles and Tasks tab, select NetIQ Certificate Access > User Certificates > Nickname, then click Export.

      The Nickname must be the same as the one specified in Step 2.

      We recommend using the keytool from Java 1.8 or later.

    3. Specify the private key password for the certificate, then click Next.

    4. Save the cert.pfx file to a local file system.

  4. Copy the cert.pfx file to any directory on the same file system that has the Identity Vault files.

  5. Add the private key to the keystore by using the following command at the command line:

    keytool -importkeystore -srckeystore cert.pfx -srcstoretype PKCS12 -destkeystore mykeystore -alias AliasName

    The AliasName must be the same as the Nickname that you specified for the user certificate. Ensure that you use the same keystore file that you used for the SSL configuration in Step 2.

  6. Adjust the driver’s configuration as needed.

  7. Change the LDAP options of the connected eDirectory server to enable mutual authentication with the Identity Vault:

    1. In iManager, log in to the connected eDirectory server with administrator rights.

    2. In the left pane of the Roles and Tasks tab, select LDAP > LDAP Options > View LDAP Server, then select the connected eDirectory server from the list of servers with which you want to enable mutual authentication.

    3. In the Connections tab, specify the connection information, then click OK.

    4. Change the Set Client Certificate option to Requested, then click OK. Leave other settings as the defaults.

      To communicate only with mutual authentication, set this option to Required.

    5. Click Apply, then click OK.

  8. Start the driver.
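The following script is an added example and is not part of the NetIQ documentation or the driver. It wraps Step 5 (the keytool import) in a function and adds the check a practitioner would want before starting the driver: that the keystore entry under the alias is a PrivateKeyEntry (private key plus certificate), not a trustedCertEntry (certificate only), because only the former lets the driver present a client certificate during the TLS handshake. The file names cert.pfx, mykeystore and AliasName are the placeholders from the procedure; the keystore listing in the usage note is constructed sample output, and keytool is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the NetIQ Identity Manager documentation.
# Assumptions: keytool from a JDK 8+ is on PATH; the three names below are the
# placeholders used in the procedure and can be overridden from the environment.
PFX="${PFX:-cert.pfx}"            # exported in Step 3
KEYSTORE="${KEYSTORE:-mykeystore}" # same keystore used for the SSL configuration
ALIAS="${ALIAS:-AliasName}"        # must equal the certificate Nickname from Step 2

# Step 5: move the private key and certificate chain from the PKCS12 file into
# the driver's keystore. keytool prompts for both store passwords.
import_client_cert() {
    keytool -importkeystore \
        -srckeystore "$PFX" -srcstoretype PKCS12 \
        -destkeystore "$KEYSTORE" \
        -alias "$ALIAS"
}

# Read `keytool -list -v` output on stdin and print the entry type recorded for
# the given alias. keytool stores aliases in lower case, so compare
# case-insensitively. Exit status 1 if the alias is not in the listing.
entry_type_of() {
    awk -v want="$1" '
        /^Alias name:/ { cur = $3 }
        /^Entry type:/ && tolower(cur) == tolower(want) { print $3; found = 1 }
        END { exit !found }'
}

# Succeed only if the alias holds a private key and certificate. A
# trustedCertEntry here means the export carried the certificate without its
# key, and the driver would have nothing to present for client authentication.
is_private_key_entry() {
    [ "$(entry_type_of "$1")" = "PrivateKeyEntry" ]
}

# Run the check against the real keystore (prompts for the store password).
verify_import() {
    if keytool -list -v -keystore "$KEYSTORE" -alias "$ALIAS" | is_private_key_entry "$ALIAS"; then
        echo "ok: '$ALIAS' in '$KEYSTORE' is a PrivateKeyEntry"
    else
        echo "error: '$ALIAS' in '$KEYSTORE' is missing or has no private key" >&2
        return 1
    fi
}

# Only perform the import when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    import_client_cert && verify_import
fi
```

Run it as `sh mutual_auth_keystore.sh run` after Step 4 and before Step 6; if `verify_import` reports a missing private key, repeat Step 3 and make sure the export includes the private key (the step that asks for the private key password) rather than the certificate alone.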