41.5 Enabling SSL Between Sentinel and Identity Manager Components

You can create and export a self-signed server certificate to ensure secure communication between Sentinel and Identity Manager components. Use a signed certificate issued by a valid Certificate Authority.

41.5.1 Enabling SSL between Sentinel and Identity Manager Engine/Remote Loader

  1. To create a new certificate, complete the following steps:

    1. Log in to iManager.

    2. Click NetIQ Certificate Server > Create Server Certificate.

    3. Select the appropriate server.

    4. Specify a nickname for the server.

    5. Accept the rest of the certificate defaults.

  2. To export the server certificate to .pfx format, complete the following steps:

    1. In iManager, select Directory Administration > Modify Object.

    2. Browse to and select the Key Material Object (KMO) object.

    3. Click Certificates > Export.

    4. Specify a password.

    5. Save the server certificate as a PKCS#12. For example, certificate.pfx.

  3. Extract the private key from the exported certificate to dxipkey.pem file using the following command.

    openssl pkcs12 -in certificate.pfx -nocerts -out dxipkey.pem –nodes

  4. Extract the certificate to dxicert.pem file.

    openssl pkcs12 -in certificate.pfx -nokeys -out dxicert.pem

  5. To export the CA certificate of the eDirectory server created in Step 1 to Base64 format, complete the following steps:

    1. In iManager, navigate to Roles and Tasks > NetIQ Certificate Access > User Certificates.

    2. Browse and select the created certificate.

    3. Click Export.

    4. Select the CA Certificate as OU=organizationCA.O=TREENAME from the drop-down menu.

    5. Select the Export Format as BASE64 from the drop-down menu.

    6. Click Next and save the certificate. For example, cacert.b64.

  6. Import the CA certificate to a keystore using the following command:

    keytool -import -alias <alias name> -file <b64 file> -keystore <keystore file> –noprompt

    For example,

    keytool -import -alias trustedroot -file cacert.b64 -keystore idmKeystore.ks –noprompt

  7. To import the certificate into the trust store of Audit Connector, complete the following steps:

    1. Log in to the Sentinel Main interface as an administrator.

    2. In the main ESM display, locate the Audit Server.

    3. Right-click the Audit Server, then click Edit.

    4. In the Security tab, select Strict.

      NOTE:By default, it is configured to use Open (insecure) mode to allow initial connectivity. However, when you are using it in a production environment, ensure that you set the mode to Strict.

    5. Click Import and navigate to the certificate you created in Step 6. For example, idmkeystore.ks.

    6. Click Open and then click Save.

    7. Restart Audit Server.

  8. Restart Identity Manager services.

41.5.2 Enabling SSL between Sentinel and Identity Applications

  1. To create a new certificate, complete the following steps:

    1. Log in to iManager.

    2. Click NetIQ Certificate Server > Create User Certificate.

    3. Select the appropriate user.

    4. Specify a nickname for the user.

    5. In Creation Method, select Custom.

    6. Accept the rest of the certificate defaults.

    7. Click Next.

    8. In Custom Extensions, Select New DER Encoded Extensions.

    9. Browse to \products\RBPM\ext.der custom extension.

    10. (Optional) Specify the e-mail address.

    11. Review the certificate parameters and click Finish.

  2. To export the user certificate, complete the following steps:

    1. Click NetIQ Certificate Access > User Certificates.

    2. Select the user certificate that is imported in Step 1.

    3. Select the valid user certificate and click Export.

    4. Specify a password.

    5. Save the user certificate as a PKCS12. For example, certificate.pfx.

  3. Extract the private key from the exported certificate to key.pem file using the following command.

    openssl pkcs12 -in certificate.pfx -nocerts -out key.pem –nodes

  4. Extract the certificate to cert.pem file.

    openssl pkcs12 -in certificate.pfx -nokeys -out cert.pem

  5. Stop Tomcat.

  6. Add the private key and certificate to the configupdate utility.

    1. Open the configupdate utility.

    2. Click Show Advanced Options.

    3. In the NetIQ Sentinel Digital Signature Certificate field, copy the cert.pem.

    4. In the NetIQ Sentinel Digital Signature Private Key field, navigate to the location where you have extracted the private key (key.pem) and import the key.

    5. Save the changes to the configupdate utility.

  7. Restart Tomcat.

  8. To export the CA certificate of the eDirectory server created in Step 1 to Base64 format, complete the following steps:

    1. In iManager, navigate to Roles and Tasks > NetIQ Certificate Access > User Certificates.

    2. Select the created certificate.

    3. Click Export and clear the Export private key check box.

    4. Select the Export Format as BASE64 from the drop-down menu.

    5. Click Next and save the certificate. For example, cacert.b64.

  9. Import the CA certificate to a keystore using the following command:

    keytool -import -alias <alias name> -file cacert.b64 -keystore <keystore file> –noprompt

    For example,

    keytool -import -alias trustedroot -file cacert.b64 -keystore idmKeystore.ks –noprompt

  10. To import the certificate into the trust store of Audit Connector, complete the following steps:

    1. Log in to the Sentinel Main interface as an administrator.

    2. In the main ESM display, locate the Audit Server.

    3. Right-click the Audit Server, then click Edit.

    4. In the Security tab, select Strict.

      NOTE:By default, it is configured to use Open (insecure) mode to allow initial connectivity. However, when you are using it in a production environment, ensure that you set the mode to Strict.

    5. Click Import and navigate to the certificate you created in Step 9. For example, idmKeystore.ks.

    6. Click Open and then click Save.

    7. Restart Audit Server.

  11. Restart Identity Applications.