Communication with Active Directory over SSL can be configured in a number of ways. The following steps describe how to enable secure communication with AD using Microsoft's Certificate Services.
Install Active Directory Certificate Services
- Go to the Server Manager and select "Add Role"
- From the role selection screen below, select "Active Directory Certificate Services" and click Next

- Select Certification Authority from the Role Services screen

- Next you will be asked to select the type of CA you want to install. Select "Enterprise"

- If this is the first CA that you are installing, select "Root CA" from the screen below.

- If this is your first CA, then select "Create a new private key"

- Next select the type of cryptography that will be used by the CA

- Provide a name that will be used to identify this CA.
- Click on Finish when you are done.
- Reboot your Windows server.
- Validate that your certificate has been published to Active Directory using a command similar to the one below. You can find this command in your Windows Event Viewer

Export the Root Certificate
To enable SSL between the Identity Manager and AD, you will need the root certificate from the CA that you just installed. To export the Root CA, run the following command from a Windows console
certutil -ca.cert winidm-rootca.cer
Import the Server Certificate
For an application server to trust your directory's certificate, the certificate must be imported into your Java runtime environment. The JDK stores trusted certificates in a file called a keystore. The default keystore file is called cacerts and it lives in the jre\lib\security sub-directory of your Java installation. In the following examples, we will use the winidm-rootca.cer that we generated above from the directory server. You will need to alter the instructions below to match the actual names of your certificate and the path of your cacerts file.
Linux
Windows
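The Linux import described above, written out as an added example script (not part of the original page): it locates cacerts for either JDK layout, imports winidm-rootca.cer with keytool, and then checks that the domain controller's LDAPS certificate chain actually validates against the exported root. It assumes JAVA_HOME is set, the domain controller's hostname is passed in AD_HOST, and cacerts still uses the JDK default password "changeit".

```shell
# Added example, not from the original page: import the exported AD root CA into
# the JDK's cacerts keystore and confirm LDAPS validates against it. Assumes
# JAVA_HOME is set, AD_HOST names the domain controller, and cacerts still uses
# the JDK default password "changeit".
set -eu

# Locate cacerts: JDK 8 keeps it under jre/lib/security, JDK 9+ under lib/security.
cacerts_path() {
  local java_home=$1
  if [ -f "$java_home/jre/lib/security/cacerts" ]; then
    printf '%s\n' "$java_home/jre/lib/security/cacerts"
  elif [ -f "$java_home/lib/security/cacerts" ]; then
    printf '%s\n' "$java_home/lib/security/cacerts"
  else
    return 1
  fi
}

# Import the root CA under a fixed alias (keytool accepts DER or PEM input),
# keeping a backup of the keystore so a bad import can be rolled back.
import_root_ca() {
  local cert=$1 keystore=$2 alias=${3:-winidm-rootca}
  cp "$keystore" "$keystore.bak"
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -file "$cert" -keystore "$keystore" -storepass changeit
  # Confirm the entry exists; compare the printed fingerprint with the CA's own.
  keytool -list -keystore "$keystore" -storepass changeit -alias "$alias"
}

# Check that the DC's LDAPS chain validates against the exported root (PEM).
# s_client exits 0 even when verification fails, so inspect the verify line.
verify_ldaps() {
  local host=$1 ca_pem=$2
  openssl s_client -connect "$host:636" -CAfile "$ca_pem" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

main() {
  local cert=$1 keystore pem=$1.pem
  keystore=$(cacerts_path "$JAVA_HOME")
  # certutil -ca.cert writes DER; openssl -CAfile needs PEM, so convert if needed.
  openssl x509 -inform DER -in "$cert" -out "$pem" 2>/dev/null || cp "$cert" "$pem"
  import_root_ca "$cert" "$keystore"
  verify_ldaps "$AD_HOST" "$pem"
}

# Usage: bash ad-root-ca.sh winidm-rootca.cer  (with no arguments nothing runs)
[ $# -eq 0 ] || main "$@"
```

If the verify step fails, the DC is presenting a certificate issued by a different CA, or LDAPS is not yet enabled, and adding the root to cacerts will not make the Java client trust it.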