How to configure DirXML 1.1a with Remote Loader to use SSL

  • 3487914
  • 23-Jan-2007
  • 16-Mar-2012

Environment

Novell Active Directory Driver
DirXML 1.1 Remote Loader
DirXML 1.1a Remote Loader

Situation

How to configure DirXML 1.1a with Remote Loader to use SSL

Resolution

Before you begin, be sure to stop the remote loader service and stop the AD-Driver.

The following steps are to be done within ConsoleOne.

A. Create a new Key Material Server Certificate.

1. Select the container in the eDirectory tree where you want to create the certificate.
2. Right click the container and select New | Object... | NDSPKI:Key Material
3. Click OK
4. Select a server to host the certificate.
5. Enter a certificate name. NOTE: If you use spaces in the name of the certificate you will need to put the certificate name in quotes in Step C3.
6. Use the Standard creation method (default).
7. Click Next and you will see a summary screen outlining what you have specified. If all is correct, click Finish to create the object.

B. Export the trusted root certificate as a Base64 file.

1. You can export this from either the Organizational CA or the NDSPKI:Key Material object created in Step A.

Organizational CA

a. Right click on the Organizational CA under the Security container.
b. Select Properties ...
c. Select Certificates | Self Signed Certificate tab.

NDSPKI:Key Material object

a. Right click on the NDSPKI:Key Material object created in Step A
b. Select Properties ...
c. Select Certificates | Trusted Root Certificate tab.

2. Click Export
3. Leave No selected (default) and click Next.
4. Choose 'File in Base64 format', note where the file will be saved, and click Next.
5. Click Finish to export file.

C. Configure the ADDriver to use the NDSPKI:Key Material object created in Step A.

1. Right click on the ADDriver object and select Properties ...
2. Select the DirXML | Driver Configuration | Authentication tab.
3. Append the name of the NDSPKI:Key Material object to the 'Remote Loader Connection Parameters' field (see the kmo= parameter in the example below).

hostname=xxx.xxx.xxx.xxx port=xxxx kmo=<KMO Object name>

Where the 'KMO Object name' is the name of the NDSPKI:Key Material object created in Step A.

NOTE: If you use spaces in the name of the certificate you will need to put the certificate name in quotes (e.g. kmo="SSL MY DIRXML SERVER"). If there are no spaces in the name you DO NOT need the quotations.

NOTE: Use only one space after the IP address or DNS name and only one space after the port number. These should be the only two spaces in the entire field, excluding any inside quotation marks as mentioned above.

4. Click OK to close the Properties window.
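
A check for the value entered in step C3, given here as an added Python example that is not part of the original article or of any Novell tool. It applies the quoting and spacing rules from the two notes above; the function name, IP address, port and certificate names are constructed for illustration.

```python
import re

EXPECTED_KEYS = ["hostname", "port", "kmo"]  # order used in the article's example


def check_connection_params(value):
    """Return a list of problems in a 'Remote Loader Connection Parameters' value."""
    if value.count('"') % 2:
        return ["unbalanced double quote"]
    # Mask quoted text so spaces inside kmo="..." are not counted as separators.
    masked = re.sub(r'"[^"]*"', lambda m: "Q" * len(m.group()), value)
    problems = []
    if masked != masked.strip() or re.search(r"\s\s|[^\S ]", masked):
        problems.append("extra whitespace: use exactly one space between parameters")
    tokens = masked.split()
    if any("=" not in t for t in tokens):
        problems.append("unquoted space in a value: put the certificate name in quotes")
    keys = [t.split("=", 1)[0] for t in tokens if "=" in t]
    if "kmo" not in keys:
        problems.append("kmo= missing: no NDSPKI:Key Material object is named")
    elif keys != EXPECTED_KEYS:
        problems.append("expected exactly hostname=, port=, kmo= in that order")
    for tok in tokens:
        key, sep, val = tok.partition("=")
        if sep and key in EXPECTED_KEYS and not val:
            problems.append(key + "= has no value")
        if key == "port" and val and not (val.isdigit() and 0 < int(val) < 65536):
            problems.append("port is not a number between 1 and 65535")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real configuration.
    samples = [
        'hostname=192.0.2.10 port=8090 kmo=RemoteCert',
        'hostname=192.0.2.10 port=8090 kmo="SSL MY DIRXML SERVER"',
        'hostname=192.0.2.10 port=8090 kmo=SSL MY DIRXML SERVER',
        'hostname=192.0.2.10  port=8090 kmo=RemoteCert',
        'hostname=192.0.2.10 port=8090',
    ]
    for s in samples:
        print(repr(s), "->", check_connection_params(s) or "OK")
```

An empty list means the value follows the layout shown in step C3; it does not confirm that the named object exists in eDirectory.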

D. Configure Remote Loader to use SSL.

1. Double-click on the 'Dirxml RemoteLoader Configuration Wizard' icon on the desktop of the Windows server that is running Remote Loader.
2. Click Next
3. Enter a 'Command port number:' or accept the default. Note: If this is a previously installed instance of Remote Loader, change the port number to match the initial port value.
4. Click Next.
5. If this is a new Remote Loader configuration select the appropriate driver, otherwise leave current value.
6. Click Next.
7. Do not modify the 'Port number' and 'Address' values.
8. Click 'Use SSL' and browse to the 'Trusted root file:' created in Step B.
9. Click Next.
10. If desired, enter 'Trace level:' and 'Trace file:' and click Next.
11. Click Next.
12. Enter passwords and click Next.
13. Click Finish to complete the Wizard.

E. Restart the remote loader service, and then restart the AD-DRIVER.

Before starting the driver make sure that the Remote Loader trace says, "Waiting for DirXML to connect on 'TCP server socket, port XXXX, address localhost, using SSL'..."

Additional Information

NOTE: The 'Use SSL' parameter that is found under the driver parameters tab does not need to be set for SSL to work between Remote Loader and the engine. This parameter is used to set up SSL between the driver shim and AD.

Formerly known as TID# 10083691