4.4 Enabling SSL

To enable SSL there are two different components that must be configured to completely secure the communication channel.

4.4.1 Enabling an SSL Connection from the Role Mapping Administrator to the Identity Vault

You can configure the Role Mapping Administrator to have an SSL connection to the Identity Vault. The following explains how to configure the Role Mapping Administrator to use SSL.

  1. Select Use SSL during the configuration of the Role Mapping Administrator.

  2. Specify the LDAP port for SSL on the Identity Vault during the configuration of the Role Mapping Administrator.

  3. If you have a self-signed certificate, proceed to Step 5. Otherwise, continue with Step 4 to create a self-signed certificate in iManager.

  4. Export a self-signed certificate from the certificate authority in the Identity Vault:

    1. From iManager, in the Roles and Tasks view, click Directory Administration > Modify Object.

    2. Select the certificate authority object for the Identity Vault, then click OK.

      It is usually found in the Security container and is named something like TREENAME CA.Security.

    3. Click Certificate > Self Signed Certificate.

    4. Click Export.

    5. When you are asked if you want to export the private key with the certificate, click No, then click Next.

    6. Select either File in binary DER format or File in Base64 format for the certificate, then click Next.

      The Role Mapping Administrator uses a Java-based keystore or trust store, so you can choose either format.

    7. Click Save the exported certificate.

    8. Browse to a location on your computer where you want to save the file, then click Save.

      or

      Click Save to save the file to the default location.

      Different browsers act differently.

    9. Click Close.

  5. Import the self-signed certificate into the Role Mapping Administrator’s trust store.

    1. Use the keytool executable that is included with any Java JDK*.

      For more information on keytool, see Keytool - Key and Certificate Management Tool.

    2. Import the certificate into the Role Mapping Administrator’s trust store or by entering the following command at a command prompt:

      keytool -import -file name_of_cert_file -trustcacerts -noprompt 
      -keystore filename -storepass password        
      

      For example:

      keytool -import -file tree_ca_root.b64 -trustcacerts -noprompt -keystore cacerts -storepass changeit
      

      The trusted certificate must be imported into the trust store of the JRE* that launches the Role Mapping Administrator.

4.4.2 Enabling SSL for a Browser to Access the Role Mapping Administrator

To finish enabling SSL, you need to configuring Tomcat for an SSL connection. For more information, see the Apache* Tomcat Documentation Web site.

  1. Create a certificate with the following command.

    JDK_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

    The default file name is $HOME/.keystore, which is the default keystore for Tomcat.

  2. Edit the server.xml file to enable Tomcat for TLS communication. The file is located in /installation_directory/tomcat/conf/serrver.xml.

  3. Locate the following section of the server.xml and unremark the section to enable SSL for Tomcat.

    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/path_to_keystore" keystorePass="password" />
    

    Add the correct path to the keystore file and the correct password for your environment.

  4. Restart Tomcat.