Setting up an IDM LDAP-driver to synchronize data between eDirectory and Sun Directory Server Enterprise Edition

This article will try to detail the process of setting up a working SSL-encrypted connection with the LDAP-driver to Sun DSEE 6.3 running on Windows. I assume the reader has experience with IDM/eDirectory/iManager. If you are interested in what the commands in this document really do, I recommend downloading the DSEE documentation set.

The reason I wrote this is that I needed a working test environment for the LDAP-driver together with Sun DSEE, and I had some trouble setting up the SSL part because the LDAP-driver documentation details the steps for the Netscape Directory Server, which is what DSEE was called a couple of versions ago. According to Father Ramon in the IDM forum:

“Sun DSEE is rename/derived from Sun Java System Directory, which was rename/derived from Sun One Directory Server, which was rename/derived from iPlanet Directory Server (a collaboration between Sun and Netscape), which was rename/derived from Netscape Directory Server.”

In this example I have two VMware machines. One is running SLES 10 SP1 with eDirectory 8.8.2 and IDM 3.5.1 and has the IP address 192.168.0.100; the other is running Windows Server 2003 with Active Directory and Sun DSEE 6.3 and has the IP address 192.168.0.101.

Now we'll get to the process of setting up the driver. First I had to install the IDM Remote Loader on the Windows machine; I won't detail the install since it's already well documented and mostly consists of clicking Next... After installing the Remote Loader you might want to patch the LDAP-driver with the latest patch from Novell.

In the Remote Loader Console I clicked on Add and created a Remote Loader instance with the following configuration:

Description: SunDSEE
Driver: com.novell.nds.dirxml.driver.ldap.LDAPDriverShim
Config File: C:\Novell\RemoteLoader\SunDSEE-Config.txt
IP Address: 192.168.0.101
Connection Port – Metadirectory Server: 8090
Command Port – Local host communication only: 8000
Remote Loader Password: Remote
Driver Object Password: Driver
Use an SSL Connection: No
Trace Level: 3
Trace File: C:\Novell\RemoteLoader\SunDSEE-Trace.log
Maximum Disk Space Allowed for all Trace Logs (Mb): 100
Establish a Remote Loader service for this driver instance: Yes



How to install Sun DSEE 6.3 on Windows Server 2003

This part will tell you step by step how to install DSEE on Windows.

Surf to the Sun DSEE download page:

http://www.sun.com/software/products/directory_srvr_ee/get1.jsp


Download Directory Server Enterprise Edition 6.x, version 6.3, Native Package (PKG) for Windows Server 2003.

You will be presented with an option to download the Patch Only Install and the Base Full Install of DSEE 6.0. Download both, because you must first install DSEE 6.0 and then patch it to 6.3.

After downloading and extracting the files run setup.bat from the java_es-5_identsuite-windows-x86 folder.

I selected that I wanted the wizard to configure the Java Enterprise System automatically during installation.


I then had to select the components to install; I chose only the Directory Server Enterprise Edition 6.0:


After the components selection you must enter a password for the Java ES administrator, the password must be at least 8 characters long:


At the end of the installation I de-selected “Click here to start the servers of configured products.” as I didn't want to start any services because I had to patch DSEE to v6.3.

Patching DSEE to v6.3

During this process I had three command line windows open as it made the process easier.

Open a CMD prompt and go to
C:\Program Files\Sun\JavaES5\DSEE\ds6\bin


Type
dsadm.exe stop "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"


After that open the Task Manager and kill the
bin-nsldap.exe
process (if it's running).

Open another CMD prompt and go to
C:\Program Files\Sun\JavaES5\share\cacao_2\bin


Type:
cacaoadm prepare-uninstall


Now you'll need to download some patches and install them.
Surf to the Sun support site:
http://sunsolve.sun.com


Download the Sun patch 126910-02 and install it; this is needed to be able to install the other patches.

Download the Sun patch 126183-07 and install it; this will patch “cacao”.
According to the documentation, cacao is the "common agent container".

CD to
C:\Program Files\Sun\JavaES5\share\cacao_2


Type:
configure.bat


CD back to
C:\Program Files\Sun\JavaES5\share\cacao_2\bin


Type:
cacaoadm.bat rebuild-dependencies


Download the patch 125311-07 if you didn't do it in the beginning and install it; this will patch DSEE to v6.3.

Open up another CMD prompt and CD to
C:\Program Files\Sun\JavaES5\DSEE\dscc6\bin


Type:
dsccsetup console-unreg


Type:
dsccsetup console-reg


In your first CMD window (C:\Program Files\Sun\JavaES5\DSEE\ds6\bin) type:
dsadm.exe start "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"


If you get an error that the directory does not exist you can change back to the
C:\Program Files\Sun\JavaES5\DSEE\ds6\bin
directory and run:

dsccsetup.exe initialize


or you can wait and do it later through the web browser.

Back in your
C:\Program Files\Sun\JavaES5\share\cacao_2\bin
directory type:

cacaoadm.bat start


This will start the common agent container.

When the installation has completed open a web browser and surf to:
https://<IP of your DSEE server>:6789


This will get you to the Java Web Console, which you use to access the management tool for DSEE, the Directory Service Control Center (DSCC). Think iManager and you'll get the picture.


You will need to log in with a user that has administrative rights to the server OS, in my case Administrator.


Next, click on the DSCC link at the bottom.
If you did not run the "dsccsetup.exe initialize" command, you will be asked to initialize DSCC; enter a password.

A pop-up window will open and the DSCC will initialize its configuration. When it's done click Close and Continue. Now you are in the Control Center, which you use to administer DSEE using a GUI. There is also a command line tool called "dsadm".


We are going to click on the Directory Servers tab and then on New Server...
A new window will open where we are going to enter the details of our new DSEE instance.


If you are running another LDAP server on the same machine that uses the default 389/636 port combination, you have to enter other port numbers, in my case 1389 and 1636. The Instance Path is where the database files will be located; it must not already exist.

If the server is an AD domain controller you need to enter the Runtime User ID in the following format:
DOMAIN\USERNAME


These are the settings I used:

Host: Known Host: <MY SERVERNAME>
LDAP Port: 1389
LDAP Secure Port: 1636
Instance Path: c:\sundsee
Directory Manager DN: cn=Directory Manager
Runtime User ID: <mydomain>\administrator
DSCC Agent Port: Default (11162)



If you get an error when you click Next, such as that the DSCC agent could not be contacted, do the following:

Open a cmd.exe process on your server where DSEE will be running, and go to:
C:\Program Files\Sun\JavaES5\share\cacao_2\bin

Run:
cacaoadm status

If you get the following message:

default instance is DISABLED at system startup.
default instance is not running.


Run:
cacaoadm start


Go back to DSCC and try to click Next again.

You will be asked to accept a default certificate, do it and click Next:


When the installation is complete click on the Suffixes tab in DSCC and then on New Suffix...
This is like creating a new tree in eDirectory (I think...)


In step 2 select “Do Not Replicate Suffix”

In step 2.1 select your server.

In step 3 select Use Default Settings

In step 4 select Use Default Database Location

In step 5 select Initialize by Importing Sample Data (160 entries)

Now that I've created the instance and the suffix, I wanted to test connectivity by authenticating with an LDAP browser. I used Apache Directory Studio to connect to my server on the SSL port 1636 with “cn=Directory Manager” as the username (you could say that's the admin user). I also had to specify the base DN, in my case the DN of the suffix, o=Atlas.

The next step is to configure the DSEE services to start automatically when Windows starts.

First create an empty text file named
password.txt
and place it under C:\
Edit it and enter the password of the administrator user, in my case the domain administrator, IDM360\Administrator. Just the password, nothing else.

Now from the
C:\Program Files\Sun\JavaES5\share\cacao_2\bin
directory run this command:

cacaoadm.bat enable -i default -f c:\password.txt


This will create a new service, in my case named Common Agent Container 2 (864cfa27:default), but I was not able to start it.

I had to go to the Domain Controller Security Policy under Administrative Tools in the Control Panel, select Local Policies > User Rights Assignment > Log on as a service and add my user to that list. Then I ran the gpupdate command and I was able to start my new service!

Now, to enable the DSEE instance and the DSCC instance to start as services, CD to the
C:\Program Files\Sun\JavaES5\DSEE\ds6\bin
directory.

Type the following commands, changing c:\sundsee to the path of your installed instance:

dsadm stop c:\sundsee
dsadm enable-service c:\sundsee
dsadm.exe stop "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"
dsadm.exe enable-service "C:\Program Files\Sun\JavaES5\DSEE\var\dscc6\dcc\ads"


Now I had two more services:


Directory Server 6.3 (C:/Program Files/Sun/JavaES5/DSEE/var/dscc6/dcc/ads)
Directory Server 6.3 (c:/sundsee)


Enabling the retro changelog, which is needed by the LDAP driver:

Type the following command when you are located in the
C:\Program Files\Sun\JavaES5\DSEE\ds6\bin
directory:

dsconf set-server-prop -h 192.168.0.101 -P 1636 retro-cl-enabled:on


Restart the directory server using DSCC or the command line.

Next I need to configure DSEE to accept SSL connections from the IDM LDAP-driver.

Log on to the DSCC, select Directory Servers and click on the server, in my case IDM36:1389.
Click on the Security tab. If you get an error about authentication like I did, click on it to update the credentials and type in the username in the format DOMAIN\USERNAME, in my case IDM360\Administrator.

Click on the Certificates tab.
We will now generate a new certificate request.

Click on Request CA-Signed, a new window will open.


I just entered the CN as LdapDriverCert and clicked OK.

You'll get a new window with the certificate request:


Select the entire text from -----BEGIN to the end of the REQUEST line and save it to a file such as LdapDriverCertCSR.txt.

Step 2 is to use iManager to issue the certificate using the eDirectory CA.

Log on to iManager and click on Novell Certificate Server > Issue Certificate.

In the filename field browse to the LdapDriverCertCSR.txt file.
Click Next.
Select SSL or TLS as key type.
I also selected Extended key type: Any
Click Next.

I selected the certificate type as Certificate Authority and Path length as Unspecified.

Select a validity period and click Next.

Select: Save to: File in Base64 format

Save the file LdapDriverCertCSR.b64 to your computer.

Next go back to DSCC and click on Add next to the Request CA-Signed button.
Enter a certificate name and open the b64 file in a text editor, copy and paste the entire content into the new DSCC window where it says certificate.


Now go back to iManager, switch to the View Objects view, Browse > Security, click on your CA and click Modify Object. Click on Certificates, check Self Signed Certificate and click Export; don't export the private key (uncheck it). Select BASE64 format. Click Next.
Save it as TrustedRoot.b64

Now, back again to DSCC, click on the CA Certificates tab, click Add.
A new window will open.
Enter a name that will identify your tree's CA certificate. Open your TrustedRoot.b64 and copy and paste the content into the Certificate field.

When you are done it will look something like this:


It will tell you that you need to restart the DSEE service. Do it.

Now click on the Security tab in DSCC and on the General page change the SSL Settings. There is an option called Certificate; change it from Default Certificate to LdapDriverCert (the name you gave your eDirectory-signed certificate). Click Save; you will get a message telling you to restart the service, so do it again.

Now I have to proceed with the step that is labeled “7.6.2 Importing into the Client's Certificate Store” in the LDAP Driver documentation.

It details the steps needed to import the eDirectory trusted root certificate into a keystore that the driver uses.

For this I'm using a Java based GUI tool named KeyTool IUI that can be downloaded from here:
http://yellowcat1.free.fr/index_ktl.html


You need to have JRE 1.6 installed to start it. After extracting the ZIP file I had to edit the
run_ktl.bat
file, remove the REM before
set HOME_JAVA=C:\Program Files\Java\jdk1.6.0\jre\bin\java
and change the path to the JRE directory installed on my machine:
C:\Program Files\Java\jre1.6.0_07\bin\java
(You'll have to make sure you enter the path on YOUR machine.)

After starting the program click on Create > Keystore


Click on the disk icon and browse to the directory where you want to store the keystore. I chose to store it under
C:\Novell\RemoteLoader


Then click on the Keystore password icon and enter a password for the keystore. I chose changeit

Now we have to import the trusted root certificate; I had to rename my .B64 file containing the trusted root to .PEM.

In KeyTool IUI go to
Import > Keystore's entry > Trusted Certificate > Regular certificate


Under Source browse for the .PEM file, under Target browse for the Keystore file and enter the password for the keystore.


You'll be asked to enter an alias for the certificate and then you'll have to confirm that you trust it.

When you're done it should look something like this:


Configuring the LDAP driver in Designer

I assume you know how to use Designer to configure a driver, this is the configuration I used:

The configuration is pretty straight forward, I entered the following data:

Driver name: LDAP
Placement Type: Mirror
eDirectory Container: Sun
LDAP Container: O=atlas
LDAP Server: 192.168.0.101 : 1636
LDAP Authentication DN: cn=Directory Manager
Use SSL: Yes
Configure Data Flow: Bi-Directional
Driver is Local/Remote: Remote
Remote Host Name and Port: 192.168.0.101 : 8900
Driver Password: Driver
Remote Password: Remote
Keystore Path: C:\Novell\RemoteLoader\ldapdriver.jks
Use SSL Mutual Authentication: No
Polling Interval in Seconds: 20
Publication Method: Changelog
Entries to Process on Startup: Previously unprocessed
Changelog Max Batch Size: 1000



After deploying the driver and setting the security equivalence my driver started nicely. If you have any problems raise the trace level on the Remote Loader to see what's happening when it tries to connect.
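As an added example that is not part of the original article, here is a standard-library Python check that reproduces the two things the driver must get right when it connects: the TLS handshake has to validate the DSEE certificate against the eDirectory trusted root (the same TrustedRoot file that was imported into the keystore above, assumed here to be saved as a .PEM at a hypothetical path under C:\Novell\RemoteLoader), and the simple bind as cn=Directory Manager has to succeed. It encodes the LDAPv3 BindRequest by hand so that nothing beyond the standard library is needed; host, port and DN are the article's values, and the function names are mine. Running it from the Remote Loader host tells a certificate-trust problem apart from a wrong-password problem before you raise the trace level.

```python
import socket
import ssl

# Assumed values from the article's lab; adjust for your environment.
DSEE_HOST = "192.168.0.101"
DSEE_PORT = 1636
BIND_DN = "cn=Directory Manager"
# Hypothetical path: TrustedRoot.b64 exported from iManager, renamed to .PEM
TRUSTED_ROOT = r"C:\Novell\RemoteLoader\TrustedRoot.pem"


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_bind_request(message_id, dn, password):
    """LDAPv3 simple BindRequest (RFC 4511 section 4.2) inside an LDAPMessage."""
    bind = (tlv(0x02, bytes([3]))                      # version INTEGER 3
            + tlv(0x04, dn.encode("utf-8"))            # name LDAPDN
            + tlv(0x80, password.encode("utf-8")))     # simple [0] OCTET STRING
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind))


def read_tlv(buf, pos=0):
    """Decode the BER element at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse, protocolOp tag 0x%02x" % op_tag)
    _, code, pos = read_tlv(op)       # resultCode ENUMERATED (0 = success, 49 = invalidCredentials)
    _, _, pos = read_tlv(op, pos)     # matchedDN
    _, diag, _ = read_tlv(op, pos)    # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def ldaps_bind(host, port, cafile, dn, password, timeout=10):
    """Connect over TLS, require a chain to cafile, simple-bind, return the result."""
    ctx = ssl.create_default_context(cafile=cafile)
    # The eDirectory-issued certificate above carries CN=LdapDriverCert rather
    # than the host name, so name matching is switched off; chain validation
    # against the trusted root stays mandatory.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, dn, password))
            resp = tls.recv(4096)     # a BindResponse is a few dozen bytes
    return parse_bind_response(resp)


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Password for %s: " % BIND_DN)
    try:
        mid, code, diag = ldaps_bind(DSEE_HOST, DSEE_PORT, TRUSTED_ROOT, BIND_DN, pw)
        print("bind resultCode=%d (0 = success) %s" % (code, diag))
    except ssl.SSLCertVerificationError as e:
        print("server certificate does not chain to the trusted root:", e)
```

A handshake failure here means the certificate DSEE presents (Default Certificate or LdapDriverCert, whichever is selected under Security > General) does not chain to the file you pass as cafile, which is the same condition that makes the driver shim refuse to connect; a resultCode of 49 means TLS is fine and only the Directory Manager credentials are wrong.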

Now we have the driver running and syncing, BUT what if I don't want to use the eDirectory-generated certificate for my Sun DSEE server? What if I want to use DSEE's own certificate?
Well, I'll explain how to accomplish that too.

Using DSEE certificates in the driver instead of the eDirectory certificates

Download OpenSSL Light from here and install it:
 http://www.slproweb.com/products/Win32OpenSSL.html


You may also need to install the Visual C 2008 runtime from here:

http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF


We are going to use openssl.exe to extract the public key (the certificate without the private key) from the DSEE certificate, since I don't know how to export just the public key from DSCC (tips are welcome).

Now we are going to export the Sun DSEE default certificate, yes more import/export...

In DSCC, Security, Certificates, check Default Certificate (or the one you want to use), More Certificate Actions, Export
My Export Path was: C:\suncert
You'll be asked to set a PKCS#12 password.

Now you have a PKCS12 file that contains both the private and the public key.

In DSCC, Security > General > Certificate: change back from LdapDriverCert (or whatever you named your eDirectory generated certificate) to Default Certificate or another cert. you want to use. Save and restart the DSEE service.

After that we run the command:
openssl pkcs12 -in c:\suncert -out sunpublickey.pem -clcerts -nokeys


This command extracts the public key (the certificate, without the private key) from our DSEE certificate.

Now open that .PEM file in a text editor and remove everything before the line -----BEGIN CERTIFICATE-----, so the file starts with that line. Save the file. Now use KeyTool IUI to import the .PEM file into our keystore file (Import > Keystore's entry > Trusted Certificate > Regular Certificate).
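As an added example that is not part of the original article, the cleanup step above can be scripted. This Python code (standard library only) finds the BEGIN/END CERTIFICATE block in the openssl pkcs12 output, drops the Bag Attributes and subject/issuer lines that precede it, checks that the base64 body decodes to a well-formed DER SEQUENCE, and uses ssl.PEM_cert_to_DER_cert to show why the raw file is rejected until it is cleaned. The sample input is constructed (its base64 body is a placeholder DER SEQUENCE, not a real certificate), the function and file names are mine, and it goes slightly beyond the text by also handling a file that contains more than one certificate block.

```python
import base64
import ssl

# Constructed sample of what `openssl pkcs12 -clcerts -nokeys` writes: bag
# attributes and subject/issuer lines come before the PEM block. The base64
# body is a placeholder DER SEQUENCE (30 03 02 01 05), not a real certificate.
SAMPLE_OPENSSL_OUTPUT = """Bag Attributes
    friendlyName: defaultCert
    localKeyID: 01 02 03 04
subject=CN=IDM36, O=example
issuer=CN=IDM36, O=example
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_outer_length_ok(der):
    """True if der is one DER SEQUENCE whose declared length fills the blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first & 0x80:
        n = first & 0x7F
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:
        declared, header = first, 2
    return header + declared == len(der)


def extract_certificates(text):
    """Return every certificate in text as a clean PEM block.

    Everything outside the BEGIN/END markers (Bag Attributes, subject=, issuer=)
    is dropped and the base64 is re-wrapped at 64 columns.
    """
    blocks = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() == PEM_HEADER:
            body = []
            i += 1
            while i < len(lines) and lines[i].strip() != PEM_FOOTER:
                body.append(lines[i].strip())
                i += 1
            if i == len(lines):
                raise ValueError("BEGIN CERTIFICATE without matching END")
            b64 = "".join(body)
            der = base64.b64decode(b64, validate=True)
            if not der_outer_length_ok(der):
                raise ValueError("block is not a well-formed DER SEQUENCE")
            wrapped = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
            blocks.append("%s\n%s\n%s\n" % (PEM_HEADER, wrapped, PEM_FOOTER))
        i += 1
    return blocks


def pem_to_der(pem_block):
    """Standard-library decoder; it refuses text that does not begin with the
    BEGIN marker, which is exactly why the raw openssl output must be cleaned."""
    return ssl.PEM_cert_to_DER_cert(pem_block)


def raw_output_is_clean(text):
    """True if the file already starts with the PEM header (nothing to strip)."""
    try:
        pem_to_der(text)
        return True
    except ValueError:
        return False


def clean_pem_file(src, dst):
    """Read the openssl output at src, write only the certificate block(s) to dst."""
    with open(src, encoding="utf-8") as f:
        blocks = extract_certificates(f.read())
    with open(dst, "w", encoding="utf-8") as f:
        f.write("".join(blocks))
    return len(blocks)


if __name__ == "__main__":
    # Hypothetical file names matching the article's openssl command.
    print("cleaned blocks written:", clean_pem_file("sunpublickey.pem", "sunpublickey-clean.pem"))
```

The DER length check is deliberately shallow: it only confirms that the base64 body is a single complete SEQUENCE, which catches a truncated paste or a stray line, not whether the certificate is the one you meant to export; that you still confirm by looking at the subject printed by openssl before you import it.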

When you're done restart the driver to test if it works as it should.

So there you have it, how to set up your own test environment instance of Sun DSEE and configure the IDM LDAP-driver for SSL communications in two ways, with the eDirectory generated certificate or with the DSEE generated certificate.

Remember, if you are running the Remote Loader as I am, there are two connections that you may need to secure: the one from IDM to the Remote Loader (you can activate SSL on that too and it's really easy) and the one from the driver shim to the LDAP server, which is what this document is about.
