SSL

Depending on your configuration, SSL can be used in two places: between the Active Directory driver and your domain controller, and between the Remote Loader running the Active Directory driver and Identity Manager. The following table outlines where SSL connections can be used for each of the installation scenarios discussed in Planning Your Installation:

Scenario                                                      SSL Connections Available

Single Server                                                 No SSL connections are necessary.

Dual Servers - Identity Manager and Driver on Same Machine    An SSL connection can be established between the
                                                              Active Directory driver and the domain controller.

Dual Servers - Identity Manager and Driver on Separate        An SSL connection can be established between
Machines                                                      Identity Manager and the Remote Loader running the
                                                              Active Directory driver.

Triple Servers                                                An SSL connection can be established between the
                                                              Active Directory driver and the domain controller.

                                                              An SSL connection can also be established between
                                                              Identity Manager and the Remote Loader running the
                                                              Active Directory driver.


SSL Connection Between the Active Directory Driver and the Domain Controller

In order to make SSL connections to an Active Directory domain controller, the domain controller must be set up to use SSL. This involves setting up a certificate authority, then creating, exporting, and importing the necessary certificates.

Most organizations already have a certificate authority. In this case, you need to export a valid certificate, then import it to the certificate store on your domain controller. The server hosting the driver shim must trust the root certificate authority to which the issuing certificate authority of this certificate chains.

If you do not have a certificate authority in your organization, one must be established. The tools necessary to do this are provided by Novell, Microsoft, and several other third parties. Establishing a certificate authority is beyond the scope of this guide. More information can be found at:

Once you have a certificate authority, for LDAP SSL to operate successfully, the LDAP server must have the appropriate server authentication certificate installed and the server hosting the driver shim must trust the authority that issued those certificates. Both the server and the client must support 128-bit encryption.

The following steps outline this procedure:

  1. Generate a certificate which meets the Active Directory LDAP service requirements listed below. This certificate permits the LDAP service on the domain controller to listen for, and automatically accept, SSL connections for both LDAP and global catalog traffic.

    NOTE: This information appears in Microsoft Knowledge Base Article 321051, How to Enable LDAP over SSL with a Third-Party Certificate Authority. Consult this document for the latest requirements and additional information.

    • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
    • A private key matching the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
    • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
    • The Active Directory fully qualified domain name (for example, DC01.DOMAIN.COM) of the domain controller must appear in one of the following places:
      • The Common Name (CN) in the Subject field.
      • DNS entry in the Subject Alternative Name extension.
    • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
  2. Export this certificate in one of the following standard certificate file formats supported by Windows 2000:

    • Personal Information Exchange (PFX, also called PKCS #12)
    • Cryptographic Message Syntax Standard (PKCS #7)
    • Distinguished Encoding Rules (DER) Encoded Binary X.509
    • Base64 Encoded X.509
  3. Install this certificate on the domain controller. The following links contain instructions for each supported platform:

    Follow the instructions listed under Import the Certificate Into the Local Computer Store.

  4. Ensure that a trust relationship is established between the server hosting the driver shim and the root certificate authority that issued the certificate. The server hosting the driver shim must trust the root certificate authority to which the issuing certificate authority chains.

    For more information about establishing trust for certificates, see the "Policies to establish trust of root certification authorities" topic in Windows 2000 Server Help.

  5. In iManager, edit the driver properties and change the Use SSL (yes/no) option to yes.

  6. Restart the driver. When the driver restarts, an SSL connection is negotiated between the domain controller and the server running the Active Directory driver shim.
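The following script is an added example and is not part of the Novell guide or the driver. It checks a Base64 Encoded X.509 (PEM) export of the LDAPS certificate (step 2) against the step 1 requirements that can be verified from the file itself (Server Authentication in the Enhanced Key Usage, the domain controller's FQDN in the Subject CN or in a SAN DNS entry, a matching private key), and checks the step 4 trust relationship by validating the certificate against the root CA certificate the driver-shim host trusts. It assumes the openssl command-line tool (1.1.1 or later) is installed; the domain controller name dc01.example.com and the self-signed sample certificate are constructed fixtures standing in for a real export.

```shell
#!/bin/sh
# Added example, not from the Novell guide: checks a Base64 Encoded X.509
# (PEM) export of the LDAPS certificate against the step-1 requirements,
# confirms the exported private key belongs to it, and confirms that the
# root CA certificate the driver-shim host trusts validates it (step 4).
# Assumes the openssl command-line tool (1.1.1 or later) is on PATH.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Does the Enhanced Key Usage extension include Server Authentication
# (OID 1.3.6.1.5.5.7.3.1)?  openssl prints that OID by its friendly name.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# Is the DC's fully qualified domain name the Common Name in the Subject?
# DNS names are case-insensitive, so compare in lower case.
cn_matches() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] && [ "$(lower "$cn")" = "$(lower "$2")" ]
}

# Is the FQDN a DNS entry in the Subject Alternative Name extension?
# Entries are comma-separated, so split them and match whole entries only,
# which rejects prefix matches such as DNS:dc01.example.com.other.
san_dns_matches() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fixq "DNS:$2"
}

# Step-1 name and EKU requirements together: $1 = cert file, $2 = DC FQDN.
meets_ldaps_requirements() {
    has_server_auth_eku "$1" \
        && { cn_matches "$1" "$2" || san_dns_matches "$1" "$2"; }
}

# Does the private key ($2) belong to the certificate ($1)?  Comparing the
# public keys works for RSA and EC keys alike.
key_matches_cert() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Would a host that trusts the root CA certificate $2 accept certificate $1?
# This is the step-4 trust relationship, checked from the driver-shim side.
trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed fixture, not a real domain controller export: a self-signed
# certificate and key for the hypothetical DC dc01.example.com.  $1 = output
# directory, $2 = FQDN, $3 = EKU name (defaults to serverAuth).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -addext "extendedKeyUsage=${3:-serverAuth}" >/dev/null 2>&1
}

# Runs every check against the sample certificate and reports the outcome.
demo() {
    dir=$(mktemp -d) || return 1
    fqdn=dc01.example.com
    make_sample_cert "$dir" "$fqdn" || return 1
    for check in "has_server_auth_eku $dir/cert.pem" \
                 "cn_matches $dir/cert.pem $fqdn" \
                 "san_dns_matches $dir/cert.pem $fqdn" \
                 "key_matches_cert $dir/cert.pem $dir/key.pem" \
                 "trusted_by $dir/cert.pem $dir/cert.pem"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
    done
    rm -rf "$dir"
}

demo
```

Against a real export, call `meets_ldaps_requirements cert.pem DC01.DOMAIN.COM` with the exported PEM file and the domain controller's FQDN, `key_matches_cert cert.pem key.pem` if the key was exported alongside it, and `trusted_by cert.pem root-ca.pem` with the root CA certificate installed on the driver-shim host; the remaining step 1 requirements (the certificate sitting in the Local Computer's Personal store, and the key not having strong private key protection enabled) are properties of the Windows certificate store and cannot be checked from the exported file.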


SSL Connection Between the Remote Loader and Identity Manager

Establishing an SSL connection between the Remote Loader and Identity Manager is discussed in the "Using the Remote Loader Service" section of the Novell Nsure Identity Manager 2 Administration Guide.