5.1 Configuring Secure Identity Manager Data Transfers

All eDirectory driver communication is secured through SSL. To configure your eDirectory system to handle secure Identity Manager data transfers, run the NDS2NDS wizard in Novell iManager.

5.1.1 Understanding eDirectory Driver Security

The following items can help you understand eDirectory driver security:

  • The driver uses SSL sockets to provide authentication and a secure connection. SSL uses digital certificates to allow the parties to an SSL connection to authenticate one another. Identity Manager in turn uses Novell Certificate Server certificates for secure management of sensitive data.

  • To use the driver, you must have the Novell Certificate Server running in each tree. We recommend that you use the Certificate Authority from one of the trees containing the driver to issue the certificates used for SSL. If your tree does not have a Certificate Authority, you need to create one. You can use an external Certificate Authority.

  • The Novell implementation of SSL that the driver uses is based on Novell Secure Authentication Services (SAS) for eDirectory and NTLS for eDirectory 8.7.x. These must be installed and configured on the server where the driver runs. eDirectory usually does this automatically.

  • To configure driver security, it is necessary to create and reference certificates in the eDirectory trees that will be connected using the driver. Certificate objects in eDirectory are called Key Material Objects (KMOs) because they securely contain both the certificate data (including the public key) and the private key associated with the certificate.

    A minimum of two KMOs (one KMO per tree) must be created for use with the Identity Manager Driver for eDirectory. This section explains using a single KMO per tree.

    The NDS2NDS Driver Certificate Wizard sets up the KMOs.

5.1.2 Setting Up a KMO

To configure your Identity Vault system to handle secure Identity Manager data transfers:

  1. Find out the tree name or IP address of the destination server.

  2. Launch iManager and authenticate to your first tree.

  3. Click Identity Manager Utilities > NDS2NDS Driver Certificates.

  4. At the Welcome page, enter the requested information for the first tree.

    Default values are provided using objects in the tree that you authenticated to when you launched iManager. You must enter or confirm the following information:

    • Driver DN: Type the distinguished name of the eDirectory driver (for example, EDir-Workforce.Employee Provisioning.Services.YourOrgName).

    • The tree name: Type the tree name or IP address for the Workforce Tree.

    • A username for an account with Admin privileges (for example, Admin).

    • The password for the user.

    • The user’s context (for example Services.YourOrgName).

  5. Click Next.

    The wizard uses the information you entered to authenticate to the first tree, verify the driver DN, and verify that the driver is associated with a server.

  6. Specify the requested information for the second tree.

    Specify or confirm the following information:

    • Driver DN: Type the distinguished name of the eDirectory driver (for example, EDir-Account.DriverSet.YourOrgName).

    • The tree name: Type the tree name or IP address for the Account Tree.

    • A username for an account with Admin privileges (for example, Admin).

    • The password for the user.

    • The user’s context (for example, London.YourOrgName).

  7. Click Next.

    The wizard uses the information you entered to authenticate to the second tree, verify the driver DN, and verify that the driver is associated with a server.

  8. Review the information on the Summary Page, then click Finish.

    If KMOs already exist for these trees, the wizard deletes them. The wizard then does the following:

    • Exports the trusted root of the CA in the first tree.

    • Creates KMO objects.

    • Issues a certificate signing request.

    • Places certificate key pair names in the drivers’ Authentication IDs.
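As an added post-wizard check (example code, not part of this documentation or of the Novell tools), the shell helpers below use OpenSSL to confirm that a KMO's certificate chains to the trusted root exported from the first tree's CA, and to show the subject and issuer DNs so they can be compared with the driver's Authentication ID. It assumes the trusted root and each KMO's public certificate have been exported from iManager to PEM files; the file names used here are hypothetical.

```shell
#!/bin/sh
# Added verification helpers; not from the Identity Manager documentation.
# Assumes: trusted_root.pem = trusted root of the CA in the first tree,
#          kmo.pem          = public certificate held by a KMO (PEM format).
set -eu

# verify_kmo_chain TRUSTED_ROOT.pem KMO_CERT.pem
# Exit status 0 when the KMO certificate was issued by (chains to) the
# exported trusted root, non-zero otherwise. Both trees' KMOs must pass
# against the same trusted root for the SSL handshake to authenticate.
verify_kmo_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# kmo_cert_dns KMO_CERT.pem
# Prints the subject and issuer DNs of the KMO certificate; the subject
# should match the key pair name the wizard placed in the driver's
# Authentication ID, and the issuer should be the first tree's CA.
kmo_cert_dns() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Usage (hypothetical file names):
#   verify_kmo_chain trusted_root.pem kmo.pem && kmo_cert_dns kmo.pem
```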