8 Replies Latest reply: Mar 10, 2013 7:05 PM by Saurabh Tripathi

    AD connector

    993551
      For the AD connector with OIM:
      Is SSL required between OIM and the connector server, and between AD and the connector server?
      What if we install the connector server on the same host as AD? Is this OK?
      Can someone explain which paths require SSL?
        • 1. Re: AD connector
          BikashBagaria
          With the ICF connectors you do not need SSL; also it does not matter if you install the connector server on the AD DC or some jump box. All you need is that the connector server should be part of the domain/forest.

          -Bikash
          • 2. Re: AD connector
            BikashBagaria
            In case you want more, read through this: http://docs.oracle.com/cd/E22999_01/doc.111/e20347/intro.htm#CEGFFIJH

            -Bikash
            • 3. Re: AD connector
              993551
              Thanks Bikash. For doing recon from AD, are there special OUs to be created in OIM? Hope all details are available in the connector document/guide.
              • 4. Re: AD connector
                BikashBagaria
                Doing recon and OUs in OIM are different and not related to each other. I would suggest going through the connector doc to understand the process. The doc has quite good information.

                -Bikash
                • 5. Re: AD connector
                  991448
                  Below are the high level steps for SSL set up between OIM and AD :-

                  Shutdown OIM
                  Export Certificate from AD Server, as RootCertificate

                  Copy exported AD Certificate to the $MW_HOME/iamhome/remote_manager/config t

                  cd certificates folder and modify the install.sh file – change references to the environment specific certificate, passwords and environment names as appropriate.

                  #!/bin/bash
                  # Add AD Cert to Weblogic KeyStore
                  # Copy the AD Domain Root certificate as RootCertificate-CAP.Uat.cer
                  # Add AD Cert to Java KeyStore
                  # Import OIM certificate for Remote Manager to Domain Keystore
                  # Copy the xlserver.cert file from the $OIM_ORACLE_HOME/../remote manager's home/config directory

                  In a cluster:-
                  Once completed, copy certificate folder to other nodes in the cluster and re-execute.

                  2.     Modify AD IT Resource

                  Log into OIM Web Console and modify the AD IT Resource to communicate with AD over a secure connection.

                  Advanced > Manage IT Resources > Search and Select AD > Edit

                  Modify the following parameters:

                  Port Number (SSL Port for AD Service)     636
                  Use SSL                                   yes

                  Save.

                  3.     Restart OIM

                  Edited by: 988445 on Mar 9, 2013 8:31 PM
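The "Add AD Cert to Java KeyStore" step in the post above only survives as comments, so here is an added example of that one step; it is not the poster's install.sh and not Oracle's script. It composes and runs the keytool import of the exported AD root certificate into a Java truststore, skips the import when the alias is already present (so re-running on other cluster nodes is harmless), and reads the store password from an environment variable instead of the command line. The alias name `ad-root-ca`, the `STOREPASS` variable and the truststore path in the usage comment are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread or the Oracle connector docs: import the
# AD domain root certificate into the Java truststore that OIM's JVM uses, so
# the LDAPS (port 636) handshake can be validated. The alias name, the
# STOREPASS variable and the paths in the usage comment are assumptions.
set -eu

# Compose the keytool command as text so it can be reviewed (and tested)
# before anything touches the keystore. The store password is read from the
# environment rather than placed on the command line, where ps would show it.
import_cmd() {
  local cert="$1" keystore="$2" alias="$3"
  printf 'keytool -importcert -noprompt -trustcacerts -file %s -keystore %s -alias %s -storepass:env STOREPASS\n' \
    "$cert" "$keystore" "$alias"
}

# Exit 0 when the alias is already in the keystore. keytool -list with -alias
# exits non-zero for an unknown alias, which is what makes re-runs idempotent.
alias_present() {
  local keystore="$1" alias="$2"
  keytool -list -keystore "$keystore" -alias "$alias" -storepass:env STOREPASS >/dev/null 2>&1
}

# Validate inputs, then import (or, when keytool is not on PATH, only print
# the command). Returns 2 on a bad input, 0 on success or on a skipped import.
import_ad_root_cert() {
  local cert="$1" keystore="$2" alias="${3:-ad-root-ca}"
  [ -r "$cert" ] || { echo "certificate file not readable: $cert" >&2; return 2; }
  [ -n "${STOREPASS:-}" ] || { echo "STOREPASS must be set in the environment" >&2; return 2; }
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not on PATH; would run: $(import_cmd "$cert" "$keystore" "$alias")"
    return 0
  fi
  if alias_present "$keystore" "$alias"; then
    echo "alias $alias already present in $keystore, skipping import"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -file "$cert" -keystore "$keystore" \
    -alias "$alias" -storepass:env STOREPASS
  echo "imported $cert into $keystore as $alias"
}

# Usage (assumed default JDK truststore path and password):
#   STOREPASS=changeit ./import_ad_cert.sh RootCertificate.cer "$JAVA_HOME/jre/lib/security/cacerts"
if [ $# -ge 2 ]; then
  import_ad_root_cert "$@"
fi
```

After the import, the "Use SSL = yes / Port 636" IT Resource change in step 2 is what actually switches the OIM-to-AD connection to LDAPS; the truststore import is what lets that connection verify the DC's certificate instead of failing the handshake.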
                  • 6. Re: AD connector
                    Saurabh Tripathi
                    Hi,

                    SSL is required between OIM and the connector server, whereas between the connector server and AD it is not mandatory.

                    Thanks,
                    Saurabh
                    • 7. Re: AD connector
                      993551
                      Hello Saurabh,

                      Please see Bikash's post (copied below), which says SSL is not required. I understand SSL is not mandatory between AD and the connector server,
                      but it is not clear whether it is required between OIM and the connector server?

                      "With the ICF connectors you do not need SSL; also it does not matter if you install the connector server on the AD DC or some jump box. All you need is that the connector server should be part of the domain/forest."
                      • 8. Re: AD connector
                        Saurabh Tripathi
                        Hi,

                        I read the post ... we did it for the AD connector. In the connector doc (http://docs.oracle.com/cd/E22999_01/doc.111/e20347.pdf), sec 1.3 Connector Architecture, it is mentioned properly:


                        "The earlier version of this connector represented a high-level connector with many configuration settings and lookup definitions that were used to customize the provisioning process. In addition, using SSL certificate for securing communication between Oracle Identity Manager and the target system was mandatory. In contrast, the current version of the connector provides low-level operations by using the Connector Framework and the consumer application is responsible for setting up the provisioning process. By using the internal mechanism of ADSI and the .NET Framework, the default communication between the .NET Connector Server and Microsoft Active Directory is "secure.""

                        Thanks,