6.6 Securing Custom Certificates

If you generate a custom certificate and private key for the Identity Manager Instrumentation, you must protect them, because the instrumentation looks for the files at a fixed, hardcoded location and name and cannot be pointed anywhere else. Only the Identity Manager Instrumentation, which loads locally on the server, should be able to read the certificate and private key files.

The following sections review the steps to protect custom certificates on each Identity Audit server platform.

6.6.1 Windows

On Windows, the custom certificate and private key files are protected by NTFS file system permissions (trustees). The instrumentation's certificate and key files to protect are \windows_directory\dxicert.pem and \windows_directory\dxipkey.pem.

To limit access to the private key files:

  1. Grant the auditor user Full Control on the key files.

  2. Grant the SYSTEM account Read access only to the key files.

  3. Disable permission inheritance on the key files so that permissions from the parent Windows directory are not propagated to them; the only entries on the files should be the two explicit ones above.

NOTE: The owner of a file can always change its permissions, and any member of the Administrators group can take ownership of a file. File permissions therefore do not protect the key from server administrators; keep the number of users with Administrator rights on the server to a minimum.

6.6.2 Linux and Solaris

On Linux and Solaris, the private key is stored in /etc/dxipkey.pem.

To limit access to the private key file:

  1. Make root the owner of the file.

    You can also grant read access to the auditor user and the root group. Do not grant read access to any other user on the system (the "other" permission bits must be clear).

  2. Assign mode 0400 to the file, and verify that the owner of the file is root.

    If you have granted read access to the auditor user and the root group, set the file's group accordingly and assign mode 0440 instead.
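The following script is an added example, not part of the Identity Audit documentation: it turns the two Linux steps above into a repeatable check-and-fix that you can run after installation or from a compliance job. It assumes GNU coreutils `stat` (Linux; on Solaris substitute its `stat`/`ls -l` equivalent), the documented key path /etc/dxipkey.pem, and that chown to root is only attempted when the script itself runs as root.

```shell
#!/bin/sh
# Added example for securing the Identity Manager Instrumentation private key
# on Linux. Not taken from the Identity Audit documentation.
# Assumptions: GNU `stat -c` (Linux); default key path /etc/dxipkey.pem.

# key_mode_ok FILE [GROUP_READ]
# Returns 0 when the permission bits are exactly 0400, or exactly 0440 when
# GROUP_READ is "yes". Anything extra (group write, any "other" bits, setuid/
# setgid, execute) makes the check fail, so a key readable by all users
# (e.g. 0644) is always rejected.
key_mode_ok() {
    file=$1
    group_read=${2:-no}
    mode=$(stat -c '%a' "$file" 2>/dev/null) || return 1   # e.g. 400, 644, 2440
    if [ "$group_read" = yes ]; then
        [ "$mode" = 440 ]
    else
        [ "$mode" = 400 ]
    fi
}

# key_owner_ok FILE [OWNER]
# Returns 0 when FILE is owned by OWNER (root unless told otherwise).
key_owner_ok() {
    file=$1
    want=${2:-root}
    have=$(stat -c '%U' "$file" 2>/dev/null) || return 1
    [ "$have" = "$want" ]
}

# key_harden FILE [GROUP]
# Applies the documented settings: owner root (only possible when running as
# root) and mode 0400, or group GROUP with mode 0440 when a group is given
# (for example the root group, with the auditor user as a member).
key_harden() {
    file=$1
    group=$2
    [ -f "$file" ] || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$file" || return 1
    fi
    if [ -n "$group" ]; then
        chgrp "$group" "$file" || return 1
        chmod 0440 "$file"
    else
        chmod 0400 "$file"
    fi
}

# key_audit FILE [GROUP_READ]
# Combined check: correct owner and correct mode. Returns 0 only if both hold.
key_audit() {
    key_owner_ok "$1" root && key_mode_ok "$1" "${2:-no}"
}

# Usage (as root):
#   . ./dxikey.sh
#   key_harden /etc/dxipkey.pem && key_audit /etc/dxipkey.pem && echo "key protected"
#   key_harden /etc/dxipkey.pem root && key_audit /etc/dxipkey.pem yes
```

Run key_audit from a periodic job as well as right after installation: because the key path is hardcoded, anything that recreates or restores /etc (package upgrades, backup restores, configuration management) can silently reset the mode to something world-readable.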