1.5 Securing Driver Communication through HTTPS

If the remote Web service that you are accessing allows HTTPS connections, you can configure the driver to take advantage of this increased security.

IMPORTANT: Only certificates from a Java keystore are accepted. Make sure that the keystore for the certificates is a Java keystore.

1.5.1 Configuring the Publisher Channel

The Publisher channel publishes the information from the connected application to the Identity Vault. To establish a secured connection for the Publisher Channel, you need a keystore or a KMO containing a certificate issued by the certificate authority that signed the server’s certificate.

  1. Create a server certificate in iManager:

    1. In the Roles and Tasks view, click NetIQ Certificate Server > Create Server Certificate.

    2. Browse to and select the server object where the driver is installed.

    3. Specify a certificate nickname.

    4. Select Standard as the creation method, then click Next.

    5. Click Finish, then click Close.

  2. Export a self-signed certificate from the certificate authority in eDirectory:

    1. In the Roles and Tasks view, click Directory Administration > Modify Object.

    2. Select your tree’s certificate authority object, then click OK.

      It is usually found in the Security container and is named something like TREENAME CA.Security.

    3. Click Certificate > Self Signed Certificate.

    4. Click Export.

    5. When asked if you want to export the private key with the certificate, click No, then click Next.

    6. Based on the client to be accessing the Web service, select either File in binary DER format or File in Base64 format for the certificate, then click Next.

      If the client uses a Java-based keystore or trust store, then you can choose either format.

    7. Click Save the exported certificate to a file.

    8. Click Save, then browse to a known location on your computer.

    9. Click Save, then click Close.

  3. Import the self-signed certificate into the client’s trust store:

    The steps to import the certificate vary depending on the client that connects to the Publisher channel’s HTTPS listener. If the client uses a typical Java keystore, you can perform the following steps to create the keystore:

    1. Use the keytool executable that is included with any Java JDK.

      For more information on keytool, see Keytool - Key and Certificate Management Tool.

    2. Enter the following command at a command prompt:

      keytool -import -file name_of_cert_file -trustcacerts -noprompt -keystore filename -storepass password

      For example:

      keytool -import -file tree_ca_root.b64 -trustcacerts -noprompt -keystore dirxml.keystore -storepass novell

  4. Configure the Publisher channel to use the server certificate you created in Step 1:

    1. In iManager, in the Roles and Tasks view, click Identity Manager > Identity Manager Overview.

    2. Locate the driver set containing the driver, then click the driver’s icon to display the Identity Manager Driver Overview page.

    3. In the Identity Manager Driver Overview page, click the driver’s icon again, then scroll to Publisher Settings.

    4. In the KMO name setting, specify the certificate nickname you used in Step 1.

  5. Click Apply, then click OK.

1.5.2 Configuring the Subscriber Channel

The Subscriber channel sends information from the Identity Vault to the connected application. To establish a secured connection for the Subscriber channel, you need a trust store containing a certificate issued by the certificate authority that signed the server’s certificate. See Configuring the Publisher Channel for an example.

  1. Make sure that you have a server certificate signed by a trusted certificate authority.

  2. Import the certificate into your trust store or create a new trust store by entering the following command at the command prompt:

    keytool -import -file name_of_cert_file -trustcacerts -noprompt -keystore filename -storepass password

    For example:

    keytool -import -file tree_ca_root.b64 -trustcacerts -noprompt -keystore dirxml.keystore -storepass novell

    For more information on keytool, see Keytool - Key and Certificate Management Tool.

  3. Configure the Subscriber channel to use the trust store you created in Step 2:

    1. In iManager, in the Roles and Tasks view, click Identity Manager > Identity Manager Overview.

    2. Locate the driver set containing the driver, then click the driver’s icon to display the Identity Manager Driver Overview page.

    3. On the Identity Manager Driver Overview page, click the driver’s icon again, then scroll to Subscriber Settings.

    4. In the Keystore File setting, specify the path to the trust store you created in Step 2.

  4. Click Apply, then click OK.
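The IMPORTANT note at the top and the keytool steps in both channels require a Java keystore (JKS). The following Python checker is an added example, not part of the NetIQ documentation: without needing a JDK, it rejects a file that is not JKS (keytool in JDK 9 and later writes PKCS12 by default unless -storetype JKS is given), verifies the JKS integrity digest with the store password, and lists the trusted-certificate aliases so you can confirm the CA certificate actually landed in the trust store. The build_jks helper only constructs the sample store; the alias and the dummy certificate bytes are assumptions.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
TRUSTED_CERT_TAG = 2            # tag 1 = private-key entry, tag 2 = trusted-cert entry
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JDK mixes into the integrity digest


def _java_utf(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _digest(body: bytes, storepass: str) -> bytes:
    # JKS integrity: SHA-1(storepass as UTF-16BE || "Mighty Aphrodite" || store body)
    return hashlib.sha1(storepass.encode("utf-16-be") + JKS_SALT + body).digest()


def build_jks(entries, storepass: str) -> bytes:
    """Write a JKS (version 2) holding only trusted-cert entries; used here only to
    construct a sample store. entries: list of (alias, der_cert_bytes)."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries:
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _java_utf(alias)
        body += struct.pack(">Q", 0)  # creation time in ms, zero for the sample
        body += _java_utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(body, storepass)


def read_jks_trusted_aliases(blob: bytes, storepass: str) -> list:
    """Return the trusted-cert aliases in a JKS; raise ValueError if the file is not
    a JKS (e.g. a PKCS12 store) or the store password fails the integrity check."""
    if len(blob) < 32 or struct.unpack(">I", blob[:4])[0] != JKS_MAGIC:
        if blob[:1] == b"\x30":  # ASN.1 SEQUENCE: PKCS12 written by a newer keytool
            raise ValueError("not a JKS: looks like PKCS12 (rerun keytool with -storetype JKS)")
        raise ValueError("not a JKS keystore")
    body, digest = blob[:-20], blob[-20:]
    if _digest(body, storepass) != digest:
        raise ValueError("integrity check failed: wrong -storepass or corrupt file")
    version, count = struct.unpack(">II", body[4:12])
    if version != 2:
        raise ValueError(f"unsupported JKS version {version}")
    pos, aliases = 12, []
    for _ in range(count):
        tag, alen = struct.unpack(">IH", body[pos:pos + 6]); pos += 6
        alias = body[pos:pos + alen].decode("utf-8"); pos += alen + 8  # alias, timestamp
        if tag != TRUSTED_CERT_TAG:
            raise ValueError(f"entry {alias!r} is a private key, not a trusted cert")
        tlen = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2 + tlen  # cert type
        clen = struct.unpack(">I", body[pos:pos + 4])[0]; pos += 4 + clen  # DER cert
        aliases.append(alias)
    return aliases
```

Against the store created above, `read_jks_trusted_aliases(open("dirxml.keystore", "rb").read(), "novell")` should list the CA alias; note that keytool stores aliases in lower case.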