SSL Configuration for the Direct Connector

Installations using the AD or ADAM Direct connector must generate and install an SSL certificate under AD/ADAM and then build a Java keystore for IdentityIQ that trusts the certificate authority (CA) which issued the AD/ADAM SSL certificate. IdentityIQ uses that keystore as its truststore.

These are the basic steps for building that Java keystore and configuring IdentityIQ to use it.

  1. On a Domain Controller, log in as an administrator and open Internet Explorer. Navigate to Tools > Internet Options > Content and click Certificates.

  2. Switch to the Trusted Root Certification Authorities tab and select the root certificate of the Active Directory integrated Certificate Server that issued the domain controller's SSL certificate. Click Export.

  3. Choose Base-64 encoded X.509 (.CER) as the export file format.

  4. Specify a file name for the exported certificate.

  5. Finish the export and copy the exported .cer file to the Java client machine (the server that runs IdentityIQ).

  6. At the client machine, run the following command from the JDK bin directory (or from any directory if keytool is on the PATH):

    keytool -import -alias [aliasname] -keystore [keystore filename] -file [fully qualified certificate filename]

    keytool prompts for a keystore password (if the keystore file does not exist yet, it is created with that password; keep it for step 8) and then asks whether to trust the certificate; answer yes. If you give a relative name after -keystore, the key store (jks) file is created in the current working directory, which is the bin directory when you run the command from there. The name of the file is the name you specified after -keystore, such as myCaCerts.jks.

  7. Create the Application in IdentityIQ using the appropriate direct connector (Active Directory or LDAP - ADAM). Select Use SSL and provide all the required values, using the LDAPS port and the host name as it appears in the server's certificate. Save the application, but do not click Test Connection yet: the JVM does not trust the certificate until the keystore is configured and Tomcat has been restarted.

  8. Assuming that the keystore was copied to /tomcat/apache-tomcat-7.0.47/, add the following JVM options in catalina.sh (or, preferably, to CATALINA_OPTS in bin/setenv.sh so that a Tomcat upgrade does not overwrite them), replacing password with the keystore password you chose in step 6:

    -Djavax.net.ssl.trustStore=/tomcat/apache-tomcat-7.0.47/myCaCerts.jks
    -Djavax.net.ssl.trustStorePassword=password

    Note that javax.net.ssl.trustStore replaces the JVM's default truststore (lib/security/cacerts) for every TLS connection the JVM makes, not only the connector's. Any other CA that IdentityIQ must trust, for example for other SSL-enabled connectors or for HTTPS web services, must be imported into this same keystore. The truststore password only protects the integrity of the file, not its contents, but the file you put it in should still be readable only by the Tomcat service account.

  9. Restart the Tomcat server.

  10. Return to the Application Definition in the UI and click Test Connection to verify that the SSL connection is properly configured.
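The procedure above, scripted end to end as an added example (this is not code from the page or from IdentityIQ): it checks that the exported file really is the Base-64 X.509 export chosen in step 3, runs the keytool import from step 6 non-interactively, confirms the alias landed in the keystore, writes the step 8 options into bin/setenv.sh through CATALINA_OPTS, and checks that the domain controller's LDAPS certificate chains to the exported CA with openssl before Tomcat is restarted. The paths, the alias ad-root-ca, the host dc01.example.com, the password changeit and the RUN_STEPS switch are assumptions; keytool and openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original page or of IdentityIQ itself.
# Scripts steps 6 and 8 and adds the checks a practitioner wants before
# restarting Tomcat. All paths, names and passwords below are assumptions.
set -eu

CA_CERT="${CA_CERT:-/tmp/exported.cer}"                  # the Base-64 .cer from step 5 (assumed path)
TRUSTSTORE="${TRUSTSTORE:-/tomcat/apache-tomcat-7.0.47/myCaCerts.jks}"
STOREPASS="${STOREPASS:-changeit}"                       # replace; keytool creates the keystore with it
ALIAS="${ALIAS:-ad-root-ca}"                             # hypothetical alias name
TOMCAT_HOME="${TOMCAT_HOME:-/tomcat/apache-tomcat-7.0.47}"
DC_HOST="${DC_HOST:-dc01.example.com}"                   # hypothetical domain controller
LDAPS_PORT="${LDAPS_PORT:-636}"                          # AD LDAPS; ADAM/AD LDS often uses a custom port

# Step 3 chose the Base-64 encoded X.509 format, so the file must carry PEM armour.
# A DER export (no armour) would also import, but this catches a wrong or empty file.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Step 6: import the CA certificate into a JKS truststore, creating it if needed.
# -noprompt answers the "Trust this certificate?" question, -storepass avoids the
# password prompt, -storetype JKS keeps the .jks format on JDKs that default to PKCS12.
build_truststore() {
    keytool -importcert -noprompt -trustcacerts \
        -alias "$ALIAS" -file "$CA_CERT" \
        -keystore "$TRUSTSTORE" -storetype JKS -storepass "$STOREPASS"
}

# Confirm the alias is really in the truststore before Tomcat is touched.
truststore_has_alias() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1
}

# Step 8: the two JVM options, built from a truststore path and its password.
truststore_opts() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# Put the options in bin/setenv.sh via CATALINA_OPTS instead of editing catalina.sh,
# so a Tomcat upgrade that replaces catalina.sh does not drop them. The file holds the
# keystore password, so it is made readable only by the account that writes it
# (chown it to the Tomcat service account if that is a different user).
write_setenv() {
    setenv="$TOMCAT_HOME/bin/setenv.sh"
    {
        echo '#!/bin/sh'
        echo "export CATALINA_OPTS=\"\${CATALINA_OPTS:-} $(truststore_opts "$TRUSTSTORE" "$STOREPASS")\""
    } > "$setenv"
    chmod 700 "$setenv"
}

# Independent of Java: does the DC's LDAPS certificate chain to the exported CA?
# "Verify return code: 0 (ok)" from s_client means the chain verifies. s_client does
# not check the host name here, so connect with the same host name you will enter in
# the application definition and make sure it appears in the server certificate.
verify_ldaps() {
    openssl s_client -connect "$1:$2" -CAfile "$CA_CERT" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Run the whole sequence only when asked (RUN_STEPS=1), so sourcing the file is harmless.
if [ "${RUN_STEPS:-0}" = "1" ]; then
    is_pem_cert "$CA_CERT" || { echo "$CA_CERT is not a Base-64 X.509 export" >&2; exit 1; }
    build_truststore
    truststore_has_alias || { echo "alias $ALIAS missing from $TRUSTSTORE" >&2; exit 1; }
    write_setenv
    verify_ldaps "$DC_HOST" "$LDAPS_PORT" || { echo "LDAPS chain does not verify against $CA_CERT" >&2; exit 1; }
    echo "truststore ready: restart Tomcat, then click Test Connection"
fi
```

Run it on the IdentityIQ server as RUN_STEPS=1 CA_CERT=/path/to/exported.cer STOREPASS='...' DC_HOST=your-dc sh build-truststore.sh; without RUN_STEPS=1 it only defines the functions. If verify_ldaps fails while the import succeeded, the wrong CA was exported in step 2 (for example an intermediate instead of the root that issued the domain controller's certificate), and no amount of Tomcat restarting will make Test Connection pass.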