Overview

The following items can help you understand eDirectory driver security:

• The driver uses SSL sockets to provide authentication and a secure connection. SSL uses digital certificates to allow the parties to an SSL connection to authenticate one another. Identity Manager in turn uses Novell Certificate Server certificates for secure management of sensitive data.
• To use the driver, you must have the Novell^® Certificate Server^TM running in each tree. We recommend that you use the Certificate Authority from one of the trees containing the driver to issue the certificates used for SSL. If your tree does not have a Certificate Authority, you will need to create one. You can use an external Certificate Authority.
• The Novell implementation of SSL that the driver uses is based on Novell Secure Authentication Services (SAS) for eDirectory 8.6.2, and NTLS for eDirectory 8.7.x. These must be installed and configured on the server on which the driver is to run, which is usually done automatically by eDirectory.
• To configure driver security, it is necessary to create and reference certificates in the eDirectory trees that will be connected using the driver. Certificate objects in eDirectory are called Key Material Objects (KMOs) because they securely contain both the certificate data (including the public key) and the private key associated with the certificate.

  A minimum of two KMOs (one KMO per tree) must be created for use with the DirXML Driver for eDirectory. This section explains using a single KMO per tree.

  The NDS2NDS Driver Certificate wizard sets up the KMOs.

• For more information:
  • For an overview of Novell Certificate Server, see the Novell Certificate Server online documentation.
  • For more information on CAs, and in particular for information about setting up Certificate Authorities in your trees, see Setting Up Novell PKI Services.

Procedure

This section explains using a single KMO per tree. Before you begin, find out the tree name or IP address of the destination server.

To configure your eDirectory system to handle secure Identity Manager data transfers:

1. Launch iManager and authenticate to your first tree.

2. Click DirXML Utilities > NDS2NDS Driver Certificates.

3. At the Welcome page, enter the requested information for the first tree.

   Default values are provided using objects in the tree that you authenticated to when you launched iManager. You must enter or confirm the following information:

   • Driver DN: Type the distinguished name of the eDirectory driver, for example, EDir-Workforce.Employee Provisioning.Services.YourOrgName
   • The tree name: Enter the IP address for the Workforce Tree.
   • A username for an account with Admin privileges, for example, Admin.
   • The password for the user.
   • The user's context, for example Services.YourOrgName

4. Click Next.

   The wizard uses the information you entered to authenticate to the first tree, verify the driver DN, and verify that the driver is associated with a server.

5. Enter the requested information for the second tree.

   At the Welcome page, enter the requested information for the first tree.

   Enter or confirm the following information:

   • Driver DN: Type the distinguished name of the eDirectory driver, for example, EDir-Account.DriverSet.YourOrgName
   • The tree name: Type the tree name or IP address for the Account Tree.
   • A username for an account with Admin privileges, for example, Admin.
   • The password for the user.
   • The user's context, for example, London.YourOrgName

6. Click Next.

   The wizard uses the information you entered to authenticate to the second tree, verify the driver DN, and verify that the driver is associated with a server.

7. Review the information on the Summary Page, and click Finish.

   If KMOs already existed for these trees, the wizard deletes them and then does the following:

   • Exports the trusted root of the CA in tree one.
   • Creates KMO objects.
   • Issues a certificate signing request.
   • Places certificate key pair names in the drivers' Authentication ID.