6.1 Understanding Security in the Identity Applications Environment

It is typical for X.509 certificates to be used in a variety of places in the identity applications environment, as shown in the following diagram.

All communication between the identity applications and the Identity Vault is secured with Transport Layer Security (TLS) by default. The installer automatically imports the Identity Vault (eDirectory) certificate into the Tomcat application server keystore. Unless you specify otherwise, the installer also places a copy of the eDirectory certificate in the JRE's default cacerts store. For more information, see the NetIQ Identity Manager Setup Guide for Linux or the NetIQ Identity Manager Setup Guide for Windows.
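Whether the installer actually placed the eDirectory certificate in the JRE cacerts store can be checked without keytool. The following is an added example, not NetIQ's code: a standard-library Python reader for the JKS keystore format that lists the trusted-certificate aliases and verifies the store's integrity digest. It assumes the legacy JKS format (Java 8's default; newer JDKs may ship cacerts as PKCS12, where keytool -list is the tool to use) and the default cacerts password changeit; the alias edir-tree-ca and the DER bytes are constructed placeholders.

```python
import hashlib
import struct
# Added example (not NetIQ code). Assumes the legacy JKS format as shipped with
# Java 8 (newer JDKs may use PKCS12 for cacerts) and the default password "changeit".
MAGIC, VERSION, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 2, 1, 2

def _utf(buf, pos):  # Java writeUTF: 2-byte big-endian length, then (modified) UTF-8 bytes
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def _cert(buf, pos):  # certificate type string ("X.509"), 4-byte length, DER bytes
    _, pos = _utf(buf, pos)
    n = struct.unpack_from(">I", buf, pos)[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _digest(body, password):  # JKS integrity: SHA-1(pw as UTF-16BE || "Mighty Aphrodite" || body)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def read_trusted_certs(data, password="changeit"):
    """Return {alias: DER bytes} for TrustedCertEntry items; raise on bad magic or digest."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a JKS version 2 keystore")
    pos, certs = 12, {}
    for _ in range(count):
        tag = struct.unpack_from(">I", data, pos)[0]
        alias, pos = _utf(data, pos + 4)
        pos += 8  # creation timestamp (milliseconds)
        if tag == TRUSTED_CERT:
            certs[alias], pos = _cert(data, pos)
        elif tag == PRIVATE_KEY:  # skip the encrypted key blob and its certificate chain
            pos += 4 + struct.unpack_from(">I", data, pos)[0]
            chain, pos = struct.unpack_from(">I", data, pos)[0], pos + 4
            for _ in range(chain):
                _, pos = _cert(data, pos)
        else:
            raise ValueError(f"unknown entry tag {tag}")
    if data[pos:pos + 20] != _digest(data[:pos], password):
        raise ValueError("digest mismatch: wrong password or modified keystore")
    return certs

def write_trusted_store(certs, password="changeit"):  # trusted-certs-only JKS store
    body = struct.pack(">III", MAGIC, VERSION, len(certs))
    for alias, der in certs.items():
        body += struct.pack(">I", TRUSTED_CERT) + struct.pack(">H", len(alias)) + alias.encode()
        body += struct.pack(">Q", 0) + b"\x00\x05X.509" + struct.pack(">I", len(der)) + der
    return body + _digest(body, password)

# Constructed sample: a placeholder DER blob stands in for the eDirectory CA certificate
SAMPLE_STORE = write_trusted_store({"edir-tree-ca": b"\x30\x03\x02\x01\x01"})
```

Against a real store, pass the bytes of $JAVA_HOME/lib/security/cacerts (jre/lib/security/cacerts for a Java 8 JDK) to read_trusted_certs and confirm that the eDirectory CA alias is among the returned keys.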

For communications to be secure, the server certificate must be present in several places, as shown in the diagram. The setup steps differ depending on whether you use a self-signed certificate in the places marked with an Application Server cert box in the diagram, or a certificate issued by a trusted certificate authority (CA) such as Verisign.