With the ICF connectors you do not need SSL, also it does not matter if you install the connector server on the AD DC or some jump box. All you need is that the connector server should be part of the domain/forest.
Thanks Bikash. For doing recon from AD, are there special OUs to be created in OIM? Hope all details are available in the connector document/guide.
Doing recon and OUs in OIM are different and not related to each other. I would suggest going through the connector doc and understanding the process. The doc has quite good information.
Below are the high level steps for SSL set up between OIM and AD :-
Export Certificate from AD Server, as RootCertificate
Copy exported AD Certificate to the
cd to the certificates folder and modify the install.sh file – change references to the environment specific certificate, passwords and environment names as appropriate.
# Add AD Cert to Weblogic KeyStore
# Copy the AD Domain Root certificate as RootCertificate-CAP.Uat.cer
# Add AD Cert to Java KeyStore
# Import OIM certificate for Remote Manager to Domain Keystore
# Copy the xlserver.cert file from the $OIM_ORACLE_HOME/../remote manager's home/config directory
In a cluster:-
Once completed, copy certificate folder to other nodes in the cluster and re-execute.
2. Modify AD IT Resource
Log into OIM Web Console and modify the AD IT Resource to communicate with AD over a secure connection.
Advanced > Manage IT Resources > Search and Select AD > Edit
Modify the following parameters:
Port Number (SSL Port for AD Service): 636
Use SSL: yes
3. Restart OIM
Edited by: 988445 on Mar 9, 2013 8:31 PM
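An added example, not from this thread or from Oracle's install.sh, of the key store step above: an idempotent import of the exported AD root certificate into a JKS/PKCS12 trust store with keytool, plus a fingerprint check to run before trusting the file. The key store paths, aliases and passwords are placeholders (assumptions).

```shell
#!/bin/sh
# Added example, not from the thread or from Oracle's install.sh: an idempotent
# import of the exported AD root certificate into a JKS/PKCS12 trust store, the
# operation the "Add AD Cert to Weblogic KeyStore" / "Java KeyStore" steps perform.
# Key store paths, aliases and passwords below are placeholders (assumptions).

# import_trusted_cert <keystore> <storepass> <alias> <cert-file>
# Returns 0 only if the alias ends up as a trustedCertEntry in the store.
import_trusted_cert() {
    ks="$1"; pass="$2"; alias="$3"; cer="$4"
    [ -r "$cer" ] || { echo "certificate not readable: $cer" >&2; return 1; }
    # Re-running install.sh on every cluster node must not fail or duplicate
    # the entry, so check for the alias before importing.
    if keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
        echo "alias $alias already present in $ks"
    else
        keytool -importcert -noprompt -trustcacerts -keystore "$ks" \
            -storepass "$pass" -alias "$alias" -file "$cer" >/dev/null 2>&1 || return 1
    fi
    # Verify the entry type: a trust store entry must be a certificate, not a key pair.
    keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" 2>/dev/null \
        | grep -q trustedCertEntry
}

# cert_fingerprint <cert-file>: SHA-256 thumbprint of the file, to compare with
# the value shown on the AD CA before the certificate is trusted.
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/.*SHA256: *//p'
}

# Example invocation with placeholder values (WebLogic demo trust store and the
# JDK cacerts file; adjust paths and passwords to the environment):
# import_trusted_cert "$WL_HOME/server/lib/DemoTrust.jks" DemoTrustKeyStorePassPhrase \
#     ad_root_ca ./RootCertificate-CAP.Uat.cer
# import_trusted_cert "$JAVA_HOME/jre/lib/security/cacerts" changeit \
#     ad_root_ca ./RootCertificate-CAP.Uat.cer
```

Run the same function against every store OIM actually reads (WebLogic trust store and the JDK cacerts), since the IT Resource change to port 636 only succeeds once the chain validates from the OIM side.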
SSL is required between OIM and the connector server, whereas between the connector server and AD it is not mandatory.
Please see Bikash's post (copied below) which says SSL is not required. I understand SSL is not mandatory between AD and the connector server.
But it's not clear if it is required between OIM and the connector server?
"With the ICF connectors you do not need SSL, also it does not matter if you install the connector server on the AD DC or some jump box. All you need is that the connector server should be part of the domain/forest."
I read the post ... we did it for the AD connector. In the connector doc (http://docs.oracle.com/cd/E22999_01/doc.111/e20347.pdf), sec 1.3 Connector Architecture, it is mentioned properly:
"The earlier version of this connector represented a high-level connector with many configuration settings and lookup definitions that were used to customize the provisioning process. In addition, using SSL certificate for securing communication between Oracle Identity Manager and the target system was mandatory. In contrast, the current version of the connector provides low-level operations by using the Connector Framework and the consumer application is responsible for setting up the provisioning process. By using the internal mechanism of ADSI and the .NET Framework, the default communication between the .NET Connector Server and Microsoft Active Directory is "secure.""