5.1 Configuring Secure Data Transfers

All eDirectory driver communication is secured through SSL. To configure your eDirectory drivers to handle secure data transfers, run the NDS-to-NDS Driver Certificate Wizard in iManager.

5.1.1 Understanding Secure Connections via the eDirectory Driver

The following items can help you understand how secure connections are established when using the eDirectory driver:

  • The driver uses SSL sockets to provide authentication and a secure connection. SSL uses digital certificates so that both parties to the connection can authenticate one another: each driver presents its own certificate and validates the certificate of the other side before any data is exchanged. Identity Manager in turn uses Novell Certificate Server certificates for secure management of sensitive data.

  • To use the driver, you must have the Novell® Certificate Server™ running in each tree. We recommend that you use the Certificate Authority from one of the trees containing the driver to issue the certificates used for SSL. If your tree does not have a Certificate Authority, you need to create one. You can use an external Certificate Authority. For information about Novell Certificate Server, see the Novell Certificate Server 3.3 Documentation Web site.

  • The Novell implementation of SSL that the driver uses is based on Novell Secure Authentication Services (SAS) and NTLS for eDirectory. These must be installed and configured on the server where the driver runs. eDirectory usually does this automatically.

  • To configure driver security, it is necessary to create and reference certificates in the eDirectory trees that will be connected using the driver. Certificate objects in eDirectory are called Key Material Objects (KMOs) because they securely contain both the certificate data (including the public key) and the private key associated with the certificate.

    A minimum of two KMOs (one KMO per tree) must be created for use with the eDirectory drivers. This section explains using a single KMO per tree.

    The NDS-to-NDS Driver Certificate Wizard sets up the KMOs.

5.1.2 Setting Up a KMO

To configure your Identity Vault system to handle secure Identity Manager data transfers:

  1. Find out the tree name or IP address of the destination server.

  2. Launch iManager and authenticate to your first tree.

  3. Open the Identity Manager Administration page.

  4. In the Administration list, click NDS-to-NDS Driver Certificates to launch the wizard.

  5. At the Welcome page, enter the requested information for the first tree.

    Default values are provided by using objects in the tree that you authenticated to when you launched iManager. You must enter or confirm the following information:

    • Driver DN: Specify the distinguished name of the eDirectory driver (for example, eDirectoryDriver.DriverSet1.Services.Novell).

    • Tree: Verify the name of the current tree; if it is not correct, enter the correct name.

    • Username: Specify the username for an account with Admin privileges in the current tree (for example, Admin).

    • Password: Specify the password for the user.

    • Context: Specify the user’s context (for example Services.Novell).

  6. Click Next.

    The wizard uses the information you entered to authenticate to the first tree, verify the driver DN, and verify that the driver is associated with a server.

  7. Specify the requested information for the second tree.

    • Driver DN: Specify the distinguished name of the eDirectory driver (for example, eDirectoryDriver.DriverSet2.Novell).

    • Tree: Specify the name of the second tree.

    • Username: Specify the username for an account with Admin privileges in the second tree (for example, Admin).

    • Password: Specify the password for the user.

    • Context: Specify the user’s context (for example Users.Novell).

  8. Click Next.

    The wizard uses the information you entered to authenticate to the second tree, verify the driver DN, and verify that the driver is associated with a server.

  9. Review the information on the Summary Page, then click Finish.

    If KMOs already existed for these trees, the wizard deletes them first (so re-running the wizard on a working driver pair replaces the certificates on both sides) and then does the following:

    • Exports the trusted root of the CA in the first tree.

    • Creates KMO objects.

    • Issues a certificate signing request.

    • Places certificate key pair names in the drivers’ Authentication IDs (see Section A.1.3, Authentication).
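The trust relationship the wizard builds, and which Section 5.1.1 describes, is simple to reproduce outside eDirectory: the Certificate Authority of the first tree signs one certificate per tree, and the exported trusted root of that CA is what lets each driver validate the certificate the other driver presents. The script below is an added example written for this page, not part of the original documentation or of Identity Manager. It uses plain openssl to build a throw-away demo PKI in a temporary directory (the tree and driver names in it are invented, and nothing contacts an eDirectory server), and then runs the same chain check you would run against the certificate exported from a real KMO.

```shell
#!/bin/sh
# Added example: models what the NDS-to-NDS Driver Certificate Wizard sets up,
# using openssl on local files. All names (Tree1, tree2, eDirectoryDriver.*) are
# placeholders chosen for this illustration.
set -eu

# Build a demo PKI in directory $1: one CA (the Certificate Authority of the
# first tree) and one signed key pair per tree (one KMO per tree).
setup_driver_pki() {
    dir="$1"
    mkdir -p "$dir"

    # Extension profiles: the root may sign certificates; each driver certificate
    # must be usable as both TLS server and TLS client, because either driver may
    # open the connection to the other.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > "$dir/driver.ext"

    # 1. Self-signed CA for the first tree. Its certificate is the "trusted root"
    #    the wizard exports so the second tree can validate what this CA issued.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Tree1/CN=Tree1 CA" \
        -keyout "$dir/tree1-ca.key" -out "$dir/tree1-ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/tree1-ca.csr" -signkey "$dir/tree1-ca.key" \
        -days 3650 -extfile "$dir/ca.ext" -out "$dir/tree1-trustedroot.pem" 2>/dev/null

    # 2. One key pair and certificate signing request per tree, each signed by
    #    the first tree's CA (the wizard creates the KMOs and issues the CSRs).
    for tree in tree1 tree2; do
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/O=$tree/CN=eDirectoryDriver.$tree" \
            -keyout "$dir/$tree-kmo.key" -out "$dir/$tree-kmo.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$tree-kmo.csr" \
            -CA "$dir/tree1-trustedroot.pem" -CAkey "$dir/tree1-ca.key" \
            -CAcreateserial -days 365 -extfile "$dir/driver.ext" \
            -out "$dir/$tree-kmo.pem" 2>/dev/null
    done
}

# Check that certificate $2 chains to trusted root $1 and is valid for TLS role
# $3 (sslserver or sslclient). Returns 0 on success, 1 on failure.
verify_kmo_cert() {
    root="$1"; cert="$2"; purpose="$3"
    if openssl verify -CAfile "$root" -purpose "$purpose" "$cert" >/dev/null 2>&1; then
        echo "OK: $cert validates against $root as $purpose"
        return 0
    fi
    echo "FAIL: $cert does not validate against $root as $purpose"
    return 1
}

# Demonstration: build the PKI, then check the second tree's certificate in
# both roles against the first tree's trusted root.
demo_dir=$(mktemp -d)
setup_driver_pki "$demo_dir"
verify_kmo_cert "$demo_dir/tree1-trustedroot.pem" "$demo_dir/tree2-kmo.pem" sslserver
verify_kmo_cert "$demo_dir/tree1-trustedroot.pem" "$demo_dir/tree2-kmo.pem" sslclient
```

On a real deployment, export the certificate from each tree's KMO and the trusted root of the first tree's CA (both can be exported from iManager), and run the same `verify_kmo_cert` check on those files; a certificate issued by any other CA, or a KMO left over from an earlier wizard run, fails the check. To see what a running driver actually presents, `openssl s_client -connect <driver-host>:<port> -CAfile tree1-trustedroot.pem` shows the certificate chain and the verification result; the port is whatever the driver is configured to listen on (8196 is the usual default for this driver, but confirm it in the driver configuration rather than assuming it).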