5.1 Configuring Secure Data Transfers

All eDirectory driver communication is secured through SSL. To configure your eDirectory drivers to handle secure data transfers, run the NDS-to-NDS Driver Certificate Wizard in iManager.

You can also configure your eDirectory drivers through Designer. For information about configuring eDirectory drivers through Designer, see the Designer 4.0.1 for Identity Manager 4.0.1 Administration Guide.

5.1.1 Understanding Secure Connections via the eDirectory Driver

The following items can help you understand how secure connections are established when using the eDirectory driver:

  • The driver uses SSL sockets to provide authentication and a secure connection. SSL uses digital certificates to allow the parties to an SSL connection to authenticate one another. Identity Manager in turn uses NetIQ Certificate Server certificates for secure management of sensitive data.

  • To use the driver, you must have the NetIQ Certificate Server running in each tree. We recommend that you use the certificate authority from one of the trees containing the driver to issue the certificates used for SSL. If your tree does not have a certificate authority, you need to create one. You can use an external certificate authority. For information about NetIQ Certificate Server, see the NetIQ Certificate Server 3.3 Documentation Web site.

  • The NetIQ implementation of SSL that the driver uses is based on NetIQ Secure Authentication Services (SAS) and NTLS for eDirectory. These must be installed and configured on the server where the driver runs. eDirectory usually does this automatically.

  • To configure driver security, it is necessary to create and reference certificates in the eDirectory trees that will be connected using the driver. The two SSL types for securing the connection are Key Material Objects (KMOs) and Keystore.

  • Certificate objects in eDirectory are called Key Material Objects (KMOs) because they securely contain both the certificate data (including the public key) and the private key associated with the certificate.

    A minimum of two KMOs (one KMO per tree) must be created for use with the eDirectory drivers. This section explains using a single KMO per tree.

    The NDS-to-NDS Driver Certificate Wizard sets up the KMOs.

5.1.2 Establishing Secure Connections Using KMO

To configure your Identity Vault system to handle secure Identity Manager data transfers:

  1. Find out the tree name or IP address of the destination server.

  2. Launch iManager and authenticate to your first tree.

  3. Click to display the Identity Manager Administration page.

  4. In the Administration list, click NDS-to-NDS Driver Certificates to launch the wizard.

  5. At the Welcome page, enter the requested information for the first tree.

    Default values are provided by using objects in the tree that you authenticated to when you launched iManager. You must enter or confirm the following information:

    Driver DN: Specify the distinguished name of the eDirectory driver (for example, eDirectoryDriver.DriverSet1.Services.Novell).

    Tree: Verify the name of the current tree; if it is not correct, enter the correct name.

    Username: Specify the username for an account with Admin privileges in the current tree (for example, Admin).

    Password: Specify the password for the user.

    Context: Specify the user’s context (for example Services.Novell).

  6. Click Next.

    The wizard uses the information you entered to authenticate to the first tree, verify the driver DN, and verify that the driver is associated with a server.

  7. Specify the requested information for the second tree:

    Driver DN: Specify the distinguished name of the eDirectory driver (for example, eDirectoryDriver.DriverSet2.Novell).

    Tree: Specify the name of the second tree.

    Alternatively, specify the IP address of the server in the second tree that runs the eDirectory driver. This server must hold partition replicas of the Username object (the account you specify for this tree), the driver set, and the server object.

    Username: Specify the username for an account with Admin privileges in the second tree (for example, Admin).

    Password: Specify the password for the user.

    Context: Specify the user’s context (for example Users.Novell).

  8. Click Next.

    The wizard uses the information you entered to authenticate to the second tree, verify the driver DN, and verify that the driver is associated with a server.

  9. Review the information on the Summary Page, then click Finish.

    If KMOs already existed for these trees, the wizard deletes them and then does the following:

    • Exports the trusted root of the CA in the first tree.

    • Creates KMO objects.

    • Issues a certificate signing request.

    • Places certificate key pair names in the drivers’ Authentication IDs (see Section A.1.3, Authentication).

5.1.3 Establishing Secure Connections Using Keystore

You need to import the trusted root certificate into a certificate store (also called a keystore) that the driver can use.

  1. Create a server certificate in iManager.

    1. In the Roles and Tasks view, click NetIQ Certificate Server > Create Server Certificate.

    2. Browse to and select the server object where the eDirectory driver is installed.

    3. Specify a certificate nickname.

    4. Select Standard as the creation method, then click Next.

    5. Click Finish, then click Close.

  2. Export the certificate.

    1. In the Roles and Tasks view, click NetIQ Certificate Access > Server Certificates.

    2. Select the certificate that you created in Step 1 and click Export.

    3. Select the KMO object from the Certificates drop-down list.

    4. Check Export private key.

    5. Provide a password and click Next.

    6. Save the certificate to a file.

  3. Add the exported certificate to a keystore by using the following command at the command line:

    keytool -importkeystore -srckeystore <file saved in Step 2> -srcstoretype PKCS12 -destkeystore new.keystore -srcalias <KMO nickname provided in Step 1> -destalias <KMO nickname provided in Step 1>

    keytool prompts for the destination keystore password (new.keystore is created if it does not exist) and for the export password you provided in Step 2. Note that -importkeystore selects entries with -srcalias and -destalias; it does not take -alias.

  4. Import the trusted root certificate from the connected eDirectory server and save it to a file in der format.

    1. In iManager, log in to the connected eDirectory server with administrator rights.

    2. In the left pane of the Roles and Tasks tab, select NetIQ Certificate Access > Server Certificates, then select any server certificate.

    3. Click Export.

    4. Select OU=Organizational CA certificate from the drop-down menu for the Certificate option.

    5. Select der as the Export format, then click Next.

    6. Save the file to a local file system.

  5. Add the .der file to the keystore created in Step 3 by using the following command at the command line:

    keytool -import -alias <alias for the connected tree's CA> -file PATH_OF_DERFile\PublicKeyCert.der -keystore KEYSTOREPATH\new.keystore -storepass keystorepass 

    If you omit -alias, keytool stores the trusted certificate under the default alias mykey.

    NetIQ recommends that you use Java 1.6 keytool. The command might not work with versions earlier than Java 1.6.

  6. keytool prints the certificate's owner, issuer and fingerprints and asks whether to trust it. Compare the fingerprint with the one shown for the Organizational CA in the connected tree before you type yes and press Enter; importing an unverified root into this keystore lets its holder impersonate the connected tree's driver.

  7. Copy the new.keystore file to any directory on the same file system that has the Identity Vault files.

  8. In iManager, select Identity Manager > Identity Manager Overview.

  9. Search for drivers.

  10. Click the eDirectory driver object, then click it again in the Identity Manager Driver Overview page.

  11. In the Driver Settings, set SSL Type to Keystore.

  12. In the Keystore Path parameter, enter the complete path to the keystore file.

  13. Enable the driver’s SSL parameter and adjust the other SSL parameters as needed.

    For information, see Section A.1.5, Driver Parameters.
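Steps 3 through 6 of the keystore procedure above, as an added shell example that is not part of the NetIQ documentation or of the driver's own tooling. It assumes a JKS destination keystore (the default for the Java 1.6 keytool the page recommends), a keytool on PATH, and the aliases, passwords and file names shown; the PKCS12 and DER files it generates with keytool -genkeypair are constructed stand-ins for the iManager exports of Steps 2 and 4. It adds one check the procedure leaves to the operator: the connected tree's trusted root is imported only if its fingerprint matches a value obtained out of band, rather than by answering the trust prompt blindly.

```shell
#!/bin/sh
# Added example (not NetIQ code): builds the eDirectory driver keystore described
# in Steps 3, 5 and 6 and checks its contents. Aliases, passwords and file names
# are assumptions for illustration.
set -eu

# SHA1 fingerprint of a DER-encoded certificate, in keytool's AA:BB:... form.
der_fingerprint() {
  keytool -printcert -file "$1" | awk '/SHA1:/ { print $2; exit }'
}

# build_driver_keystore P12 KMO_ALIAS P12_PASS CA_DER CA_ALIAS EXPECTED_FP KEYSTORE KS_PASS
#
# EXPECTED_FP is the Organizational CA fingerprint obtained out of band from the
# connected tree's administrator; the DER file is trusted only if it matches.
build_driver_keystore() {
  p12=$1 kmo=$2 p12pass=$3 der=$4 caalias=$5 expected=$6 ks=$7 kspass=$8

  # Step 3: copy the server certificate and private key from the PKCS12 export
  # into a JKS keystore. -importkeystore selects entries with -srcalias/-destalias.
  rm -f "$ks"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
    -srcalias "$kmo" -destalias "$kmo" \
    -destkeystore "$ks" -deststoretype JKS \
    -deststorepass "$kspass" -destkeypass "$kspass"

  # Steps 5-6: add the connected tree's trusted root, but only the expected one.
  actual=$(der_fingerprint "$der")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to trust $der: fingerprint $actual, expected $expected" >&2
    return 1
  fi
  # -importcert is the current name of the -import command used on the page.
  keytool -importcert -noprompt -alias "$caalias" -file "$der" \
    -keystore "$ks" -storepass "$kspass"
}

# Number of keystore entries of one type: PrivateKeyEntry or trustedCertEntry.
count_entries() {
  keytool -list -keystore "$1" -storepass "$2" | grep -c "$3" || true
}

# Constructed stand-ins for the iManager exports, so the script runs offline:
# a self-signed "server certificate" in PKCS12 (Step 2) and a self-signed
# "Organizational CA" exported as DER (Step 4).
make_sample_inputs() {
  keytool -genkeypair -keystore "$1/kmo.p12" -storetype PKCS12 \
    -storepass changeit -keypass changeit -alias eDirectoryDriverKMO \
    -dname "CN=idm-server.example.com" -keyalg RSA -keysize 2048 -validity 30
  keytool -genkeypair -keystore "$1/orgca.p12" -storetype PKCS12 \
    -storepass changeit -keypass changeit -alias orgca \
    -dname "CN=Organizational CA,O=CONNECTED-TREE" -keyalg RSA -keysize 2048 -validity 30
  keytool -exportcert -keystore "$1/orgca.p12" -storetype PKCS12 \
    -storepass changeit -alias orgca -file "$1/OrgCA.der"
}

# Stand-alone demonstration: sh build_driver_keystore.sh demo
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  make_sample_inputs "$work"
  # In practice the expected fingerprint comes from the connected tree's
  # administrator, not from the file being checked.
  build_driver_keystore "$work/kmo.p12" eDirectoryDriverKMO changeit \
    "$work/OrgCA.der" connectedTreeCA "$(der_fingerprint "$work/OrgCA.der")" \
    "$work/new.keystore" keystorepass
  keytool -list -keystore "$work/new.keystore" -storepass keystorepass
fi
```

The resulting keystore holds exactly one PrivateKeyEntry (the KMO, under its nickname) and one trustedCertEntry (the connected tree's Organizational CA); anything else in it widens what the driver will accept as a peer. The fingerprint comparison is the step that matters for security: the DER file arrives as an ordinary download from iManager, and the only thing binding it to the connected tree is a value you confirmed through a second channel.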