The driver communicates over SSL with Azure AD and with the Identity Manager Exchange Service.
IMPORTANT: The connection accepts trusted certificates only from a Java keystore. Make sure that the keystore you create for these certificates is a Java keystore (.jks).
The following sections provide instructions for creating a secure connection:
To set up SSL between the driver and Azure AD graph REST endpoints, perform the following steps:
Open the following URL from your browser:
https://graph.windows.net/
Obtain the public certificate and import it into the keystore.
For example, if you are using Mozilla Firefox, perform the following steps:
In the address bar, click the site identity button next to graph.windows.net, and then click the arrow next to the connection status.
Select Certificate (Valid). The certificate is displayed.
Click Certification Path. The Certification Path displays the hierarchical structure of all the certificates in the chain.
Select the root certificate (the top most parent certificate), and click View Certificate. The root certificate is displayed.
To save the certificate to your system, click Details > Copy to File > Next > Next.
Enter a filename for the certificate and save it to a location as required.
Add the exported certificate to the driver keystore using the following Java keytool command:
You might have to create a new keystore (.jks file) if one doesn’t exist already; keytool creates the file on the first import. This keystore file will contain the public certificate of the Azure graph endpoint and the Exchange Service certificate.
keytool -import -file <path to the graph cert file>\<certname.crt> -keystore <mykeystore> -alias <aliasname>
For example: keytool -import -file azuread.crt -keystore azuread.jks -alias azuread
NOTE:
Place the new keystore on the Identity Manager server. If the driver runs under a Remote Loader, place the keystore file on the system where the Azure AD driver is running.
Repeat the steps above for every certificate that must be imported into the keystore.
To set up SSL between the driver and Identity Manager Exchange Service, you need to create and import a server certificate into the root certificate store of the Windows server where the service is deployed. The following procedure assumes eDirectory as the Certificate Authority (CA).
Create a server certificate.
In iManager, log in to the connected eDirectory server with administrator rights.
Click Roles and Tasks > NetIQ Certificate Server > Create Server Certificate.
Select the server and provide a nickname for the certificate.
The nickname must be the same as the Certificate Alias that you specified (for example, azuread, as shown in the previous section) while installing Identity Manager Exchange Service.
Click Next, then click Finish to complete the certificate creation.
Export the server certificate from the connected eDirectory server and save it to a file in the pfx format.
In iManager, log in to the connected eDirectory server with administrator rights.
Click Roles and Tasks > NetIQ Certificate Access > Server Certificates, then select any server certificate.
Click Export.
Select the certificate by nickname and select Export Private Key.
Enter a password to protect the exported private key, and click Next.
To save the certificate to a file, click Save the exported certificate.
Import the certificate to the trusted store of the Windows server on which you will run Identity Manager Exchange Service.
Copy the .pfx file to the Windows server.
Click Start > Run> mmc.
Click File > Add/Remove Snap-in.
Select Certificates, click Add, and choose Computer account to add the snap-in.
Click Finish.
Navigate to Certificates > Trusted Root Certification Authorities.
Right-click and then select All Tasks > Import.
On the Welcome to the Certificate Import Wizard page, click Next.
Click Browse and select the .pfx file that you exported from eDirectory in Step 2.
Specify the password that you set when exporting the file, and click Next.
Click Finish to import the certificate into the trust store.
Start Identity Manager Exchange Service. For more information, see Verifying and Starting the Identity Manager Exchange Service.
Open the following Exchange service URL from your browser:
https://<Exchange_Service>:Port/ExchServer
Obtain the public certificate and import it into the same keystore that you created and placed on the IDM server in Step 2.g (for example, the azuread.jks keystore shown in the example for Step 2.g).
For example, perform the following steps to obtain a public certificate on Google Chrome:
Click the site information icon in the address bar and then click Details.
In the Security tab, click View Certificate.
In the Details tab, click Copy to File.
In the Certificate Import Wizard, click Next.
Select DER encoded binary X.509 (.CER) and click Next.
Click Browse and navigate to the directory where you want to save the certificate.
Specify a name for the certificate and click Next.
Click Finish to complete the export.
Add the exported certificate to the driver keystore by using the following Java keytool command:
keytool -import -file <path to the exchange cert file>\<certname.cer> -keystore <mykeystore> -alias <aliasname>
NOTE: Ensure that the keystore alias names are different for Azure AD Graph and the Exchange Service. keytool refuses to import a certificate under an alias that already exists in the keystore.
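The two keystore procedures above (importing the Azure AD Graph issuer certificate, and importing the Exchange Service certificate under a second alias) can be done from the command line on the host where the driver runs, instead of exporting certificates through a browser. The script below is an added example and is not part of the NetIQ documentation or the driver. It assumes OpenJDK keytool and OpenSSL are on PATH; the keystore name azuread.jks, the aliases azuread and exchange, the Exchange Service host and port, and the store password are placeholders. For the Graph endpoint it imports the highest certificate the server sends (as the Firefox steps do); for the Exchange Service it imports the service's own certificate (as the Chrome steps do). Servers usually do not send the self-signed root, so the highest certificate received may be an intermediate; compare its fingerprint with what the browser or iManager shows before trusting it.

```shell
#!/usr/bin/env bash
# Added example, not part of the NetIQ documentation or the driver.
# Assumes keytool (OpenJDK) and openssl on PATH. Host names, port, keystore
# name, password and aliases are placeholders.
set -euo pipefail

# Fetch the certificate chain a TLS endpoint presents, as PEM, into file $3.
fetch_chain() {
  local host="$1" port="$2" out="$3"
  openssl s_client -connect "${host}:${port}" -servername "$host" -showcerts \
    </dev/null 2>/dev/null >"$out"
}

# Split a PEM bundle into cert01.pem, cert02.pem, ... under directory $2 and
# print how many certificates were found (0 if the bundle held none).
split_pem_chain() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END                           { print n + 0 }
  ' "$bundle"
}

# Path of the last (highest) certificate in a split chain directory. This is
# the root only if the server actually sent it; often it is an intermediate.
top_of_chain() {
  ls "$1"/cert*.pem | sort | tail -n 1
}

# SHA-256 fingerprint of a PEM certificate, to compare with the browser or
# iManager display before importing anything.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fail if any alias in the argument list is repeated: the Graph and Exchange
# Service entries must live under different aliases.
check_aliases_distinct() {
  local dup
  dup=$(printf '%s\n' "$@" | sort | uniq -d)
  [ -z "$dup" ] || { echo "duplicate alias: $dup" >&2; return 1; }
}

# Import a certificate as a trusted entry. -storetype JKS is given explicitly
# because JDK 9 and later create PKCS12 stores by default.
import_trusted() {
  local ks="$1" storepass="$2" alias="$3" cert="$4"
  if [ -f "$ks" ] && keytool -list -keystore "$ks" -storepass "$storepass" \
       -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already exists in $ks" >&2
    return 1
  fi
  keytool -importcert -noprompt -storetype JKS -keystore "$ks" \
    -storepass "$storepass" -alias "$alias" -file "$cert"
}

# Build one keystore holding both endpoints. Usage: script.sh <storepass>
main() {
  local ks="azuread.jks" storepass="$1" work
  work=$(mktemp -d)
  check_aliases_distinct azuread exchange

  fetch_chain graph.windows.net 443 "$work/graph.pem"
  split_pem_chain "$work/graph.pem" "$work/graph" >/dev/null
  echo "Graph top-of-chain SHA-256: $(fingerprint "$(top_of_chain "$work/graph")")"
  import_trusted "$ks" "$storepass" azuread "$(top_of_chain "$work/graph")"

  # EXCHANGE_HOST / EXCHANGE_PORT are placeholders for your Exchange Service.
  fetch_chain "${EXCHANGE_HOST:-exchange.example.com}" "${EXCHANGE_PORT:-8443}" "$work/exch.pem"
  split_pem_chain "$work/exch.pem" "$work/exch" >/dev/null
  echo "Exchange Service cert SHA-256: $(fingerprint "$work/exch/cert01.pem")"
  import_trusted "$ks" "$storepass" exchange "$work/exch/cert01.pem"

  keytool -list -keystore "$ks" -storepass "$storepass"
}

# Constructed sample of `openssl s_client -showcerts` output with dummy
# certificate bodies (not real certificates), for exercising the split offline.
sample_bundle() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = exchange.example.com
   i:O = EXAMPLE, CN = Organizational CA
-----BEGIN CERTIFICATE-----
MIIBdummyLEAF
-----END CERTIFICATE-----
 1 s:O = EXAMPLE, CN = Organizational CA
-----BEGIN CERTIFICATE-----
MIIBdummyCA
-----END CERTIFICATE-----
---
EOF
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with the keystore password as the only argument on the Identity Manager server (or on the Remote Loader host, if the driver runs there), and check the two printed fingerprints against the values shown in the browser or in iManager before relying on the resulting azuread.jks.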