How to create a secure (SSL) AD Remote Loader Connection

  • 7005413
  • 26-Apr-2012
  • 11-Apr-2019

Environment

Novell Identity Manager - Remote Loader

Situation

How do you secure the communications between the Identity Manager (IDM) engine and a remote loader for Active Directory (AD) running on a Window Server?

Resolution

Prerequisite:  Verify the Tree CA is valid
1.  With iManager, login to the Identity Vault where your AD driver is running.
2.  Edit the Properties of the Certificate Authority under your security container. (Novell Certificate Server Role, Configure Certificate Authority task) 
3.  Check the expiration dates of your OU=xxx certificate and Self Signed certificates by clicking on them.  If they are expired or about to expire will want to recreate your Certificate Authority by deleting it and recreating it. (by Default the CA is valid for 10 years)  Note: Deleting the CA and recreating it may affect other services using the tree CA Certificates.


Steps to Create Remote Loader Certificate in eDirectory
4.  With iManager, login to the Identity Vault where your AD driver is running.
5.  In iManager, select the Novell Certificate Access role, Server Certificates task.  Make sure your IDM server running the AD driver is highlighted and selected above, showing the certificates associated with that server.   If not, browse to the correct server.
6.  Next we are going to create a new server certificate, valid to the length of the Tree CA certificate.  (so you don't have to redo this every 2 years).  Click the new link above the existing certificates.  Then make sure the correct server is specified, and give it a NickName (name) like RemoteLoaderCert, and select the Custom creation method, then click NEXT.


7.  Leave the default option of Organizational certificate authority checked and click NEXT.

 
 
8.  Leave all the key size and usage options on the default settings and click NEXT.


 
9.  On the Specify certificate parameters, change the Validity period to Maximum.  This will set the expiration date to the expiration date of the Tree Certificate Authority.   Then click NEXT.



10.  Leave Your organizations certificate selected (default) as the trusted root certificate and click NEXT.



11.  You should be at the summary screen, like the one below.
 
 
Just to review, the only thing that was changed was selecting Custom Certificate, and setting the Expiration Date to Maximum.   All of the rest of the options were default options.
 
Click FINISH to complete the server certificate creation process.    You should receive a Success message like the one below.


Assign the Certificate to the Driver
12.   Assign the Certificate just created to the AD driver.   Edit the properties of the AD driver.  (Select the Identity Manager role, Identity Manager Overview, search for your driver set, click on it and left click the red or geeen status light on the driver and select edit properties.)   Once you are in the properties of the driver, select Driver Configuration, and scroll down the the Authentication section.  Under the Remote Loader connection parameters, append kmo='RemoteLoaderCert' to the hostname and port settings.  (or the correct name of your certificate just created in step 7).  NOTE:  The kmo parameter is the shortname (without the server name appended to the back) and MUST be included in single quotes as shown or it will NOT connect.
 
 
Click OK to save the changes, and when prompted to restart your driver, click OK.

Export the Certificate and copy to Remote Loader Server:
13.  In iManager, under the NetIQ Certificate Access role, Server Certificates task, check the certificate you just created (RemoteLoaderCert) and click EXPORT


14.   Select the Tree Certificate Authority (NOT the RemoteLoaderCert), uncheck export private key if it is checked, and set the export format to BASE64 and click NEXT.


15.  Click Save the exported certificate, to save the certificate file.



16.  Rename the cert.b64 file to match your certificate name (RemoteLoaderCert.b64), and copy it over to the remote loader server.   Place it in the c:\Novell\RemoteLoader\64bit directory or similar.

Configure the Remote Loader to use the Certificate:
17.  On the Windows AD server running the remote loader.  Open the IDM Remote Loader Console (c:\Novell\RemoteLoader\64bit\rlconsole.exe)
18. Stop the remote loader instance you want to secure, and edit the properties of the remote loader instance.
19.  Select (check) the Use an SSL Connection, under the Secure Socket Layer (SSL) section near the bottom and browse to your RemoteLoaderCert.b64 file (or similar name) and select it.
 
 
Then click OK to save the changes and start the remote loader instance.
 
12.  Test your secure AD remote loader channel and see it is working by making a change in eDirectory (your Identity Vault) and see if syncs across or viewing the IDM Dashboard.   You can turn on tracing on the remote loader side (In the RemoteLoader Console, highlight the Remote Loader Instance, and click Trace On) and look for green messages (not red) as well to give an indication it is syncing.
 
Happy Secure Syncing!!!

Additional Information

Make sure you are running the most current remote loader (addriver.dll) on your Windows AD server.  There are known issues connecting to a remote loader on a Windows 2008 AD server, when running older remote loader versions.
 
You will need the Novell Certificate Server and Identity Manager Plugins installed in iManager to see the Roles and tasks described above.

Related Technical Information Documents: