Communication between the Engine side (Remote Interface Shim) and the Remote Loader

  • 7000875
  • 08-Jul-2008
  • 26-Apr-2012

Environment

Novell Identity Manager 3.5.1
Novell Identity Manager - Remote Loader

Situation

How does communication between the IDM engine (Remote Interface Shim) and the Remote Loader happen?

Resolution

1.  The Remote Loader listens on the configured TCP/IP port for a single client connection.

2.  The Remote Interface shim (which is part of the IDM engine) establishes a client TCP connection to the Remote Loader.

3.  If TLS/SSL is configured, the TLS/SSL handshake is initiated by the Remote Loader, with the Remote Loader acting as the TLS client and the Remote Interface shim acting as the TLS server. This is the reverse of the roles in the underlying TCP/IP connection. The handshake "sense" is reversed so that the only key material that needs to be stored on the Remote Loader machine is the public key certificate of the Engine side. If the Remote Loader acted as the TLS/SSL server instead, it would need a private key as well as a public key certificate on that machine.

4.  The Remote Loader handshake is performed with the following steps:

  a.  The Remote Interface shim sends the following XML document to the Remote Loader:
      <handshake version="1.0">
      <password>password characters</password>
      </handshake>

  b.  The Remote Loader computes the SHA-1 hash of the received password and compares it to the stored SHA-1 hash of the Remote Loader password. If the hash bytes do not match, the Remote Loader sends an error status document and closes the TCP/IP connection.

  c.  The Remote Loader uses the received plain text password to construct the decryption key for the encrypted, stored Driver Object password. The Remote Loader obtains the plain text Driver Object password and sends the following XML document to the Remote Interface shim:
      <handshake version="1.0">
      <password>password characters</password>
      </handshake>

  d.  The Remote Interface shim sends an XDS <check-password> command containing the received password to the Engine. The Engine calls eDirectory to check the password against the DirXML-Driver object's password. If the password does not match, the Remote Interface shim sends an error status document and closes the TCP/IP connection.

5.  Once the connection is established and both sides are authenticated to each other via the Remote Loader handshake, XML documents that transmit events (in the case of the Publisher channel) and commands (in the case of the Subscriber channel) are sent in both directions.
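The mutual handshake in steps 4a to 4d, modelled end to end as an added Python example (this is not Novell code). The XML documents, the SHA-1 hash comparison on the Remote Loader side and the Driver Object password check on the Engine side follow the steps above; the key derivation and the cipher protecting the stored Driver Object password are stand-ins, because the TID does not describe how that key is constructed.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

def handshake_doc(password: str) -> bytes:
    """Build the <handshake version="1.0"><password>...</password></handshake> document."""
    root = ET.Element("handshake", version="1.0")
    ET.SubElement(root, "password").text = password
    return ET.tostring(root)

def password_from_doc(doc: bytes) -> str:
    """Parse a handshake document and return the password it carries."""
    root = ET.fromstring(doc)
    if root.tag != "handshake" or root.get("version") != "1.0":
        raise ValueError("unexpected handshake document")
    return root.findtext("password", default="")

def derive_key(password: str, salt: bytes) -> bytes:
    # Stand-in KDF (assumption): the TID only says a decryption key is "constructed" from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def xor_keystream(key: bytes, data: bytes) -> bytes:
    # Toy symmetric cipher (SHAKE-256 keystream), only to model the "encrypted, stored" Driver Object password.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class RemoteLoader:
    """Holds only the SHA-1 of its own password plus the encrypted Driver Object password (step 4b/4c)."""
    def __init__(self, rl_password: str, driver_password: str):
        self.salt = os.urandom(16)
        self.stored_hash = hashlib.sha1(rl_password.encode()).digest()
        self.encrypted_driver_pw = xor_keystream(derive_key(rl_password, self.salt), driver_password.encode())

    def handle(self, doc: bytes):
        received = password_from_doc(doc)
        # Constant-time compare of the hash bytes; mismatch means error status and connection close.
        if not hmac.compare_digest(hashlib.sha1(received.encode()).digest(), self.stored_hash):
            return None
        driver_pw = xor_keystream(derive_key(received, self.salt), self.encrypted_driver_pw).decode()
        return handshake_doc(driver_pw)

class Engine:
    """Stands in for eDirectory answering the XDS <check-password> command (step 4d)."""
    def __init__(self, driver_object_password: str):
        self.driver_object_password = driver_object_password

    def check_password(self, candidate: str) -> bool:
        return hmac.compare_digest(candidate.encode(), self.driver_object_password.encode())

def run_handshake(engine: Engine, loader: RemoteLoader, rl_password_on_engine: str) -> str:
    """Drive both directions of the handshake; returns which side rejected, or 'authenticated'."""
    reply = loader.handle(handshake_doc(rl_password_on_engine))
    if reply is None:
        return "loader-rejected"
    if not engine.check_password(password_from_doc(reply)):
        return "engine-rejected"
    return "authenticated"
```

A loader rejection means the Engine side presented the wrong Remote Loader password; an engine rejection means the Driver Object password stored on the Remote Loader machine no longer matches the DirXML-Driver object in eDirectory.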