Novell Doc: Designer 3.0.1 for Identity Manager 3.6 Administration Guide

16.7 Configuring TLS for eDir-to-eDir Drivers

16.7.1 Prerequisites

Identity Vaults exist in your physical network tree as well as in the Modeler.
Each Identity Vault is set up. Otherwise, you are prompted for setup information when you try to create certificates.
Each driver set is associated with a server.
Using the eDir-to-eDir driver’s General property page, verify that each driver has a name and a deploy context. The context might be inherited from the driver set.
The eDir-to-eDir drivers have been deployed. Otherwise, Designer cannot create certificates.

To find out whether the driver has been deployed:
- 1. Right-click the eDir-to-eDir driver.
- 2. Click Live > Deploy.
- 3. In the eDir-eDir Driver Deployment dialog box, click No.
If the driver has been deployed, the Compare Status field in the Deployment Summary dialog box displays Equal or Unequal. Otherwise, the field displays Not Deployed.

After objects have been deployed, the objects should show as equal unless passwords are set in eDirectory that are not set in Designer. Designer does not deploy passwords unless they are specifically set in Designer. This exception prevents overwriting passwords in eDirectory because Designer cannot import them.

16.7.2 Enabling TLS

Launch the TLS Configuration dialog box.

A common way to launch the dialog box is to right-click the eDir-to-eDir application, then click Secure Connection Settings.

Other launch points:
- Select the eDir-to-eDir application, then click Model > eDir-to-eDir > Secure Connection Settings.
- Right-click eDir-to-eDir in the Outline view, then click Secure Connection Settings.
- Right-click an eDir-to-eDir driver, click Properties > Driver Configuration > Authentication, then click Configure TLS.
  
  The Configure TLS button displays only on eDir-to-eDir driver pages.
Click Enable SSL/TLS.
(Optional) Use the Advanced TLS Configuration to select key size, hash algorithm, and validity period.

The validity period is important for when a certificate has expired and you need to overwrite or create a new one.
Select a direction of trust.

These options apply to certificates that Novell creates for eDirectory. The options do not apply to third-party security certificates.

The default is Mutual Trust, which is considered to be the most secure.

Unless you want to use the certificate for authentication, the option that you select doesn’t matter. If only encryption is important, you can select any one of the three options.

If authentication is important, select the option that gives you the appropriate trust.

Scenario: JJ Infrastructure Tree Trusts JT ID Vault. JJ Infrastructure Tree is the organizational Certificate Authority. JJ Infrastructure Tree signed a certificate and placed it in JT IDVault. JT ID Vault trusts JJ Infrastructure Tree. The two vaults synchronize data through a secure connection.

If the two vaults break their trusted relationship, JJ Infrastructure Tree can prevent sensitive data from being synchronized by revoking its certificate.

Scenario: JT ID Vault Trusts JJ Infrastructure Tree. JJ Infrastructure Tree creates two certificates. One is placed in JJ Infrastructure Tree, and the other is placed in JT ID Vault. The two vaults synchronize data through a secure connection.

If the two vaults break their trusted relationship, JJ Infrastructure Tree can prevent sensitive data from being synchronized by revoking its certificate.

Scenario: Mutual Trust. JT ID Vault and JJ Infrastructure Tree both sign certificates.
Click OK.

After you click OK, Designer does the following:
- Modifies both eDirectory drivers.
- Locks the User ID field, which displays on the driver configuration’s Authentication page, because both drivers must use that field.

You can enable or configure TLS without immediately deploying the drivers. You can turn the settings on. However, you can’t create SSL/TLS certificates unless the drivers have been deployed into their respective Identity Vaults. If you enable SSL/TLS but want to create certificates later, you can do so. When you later deploy the eDir-to-eDir drivers, Designer guides you through steps to automatically create certificates.

16.7.3 Creating Certificates

A driver’s Properties page enables you to configure a driver so that you can deploy it. Similarly, the Enable SSL/TLS option enables you to set up your configuration for TLS and then, when you are ready, create and deploy the certificates. When you deploy a configured driver set or select Create eDir-to-eDir Certificates, Designer creates the certificates in the directory.

This section assumes that you have enabled and configured SSL/TLS for the deployed eDir-to-eDir drivers.

Right-click the eDir2eDir application.
Click Live > Create eDir-to-eDir Certificates.

You can also do one of the following:

Right-click the eDir2eDir object in the Outline view, then click Create eDir-to-eDir Certificates.
The first time that you enable and configure SSL/TLS on driver’s Authentication tab, click OK, then follow prompts. A Create Certificates dialog box appears. Click Yes.

Scenario: Enabling TLS. TLS has not been enabled. Sandy selects Live > Create eDir-to-eDir Certificates. Designer prompts Sandy to enable SSL/TLS. Sandy clicks OK, enables TLS, selects a direction of trust, and clicks OK. Designer creates certificates.

Scenario: Deploying eDir-to-eDir Drivers. Sandy has configured the eDir-to-eDir drivers and the driver set. A context displays in the driver set’s Deploy Context field. Sandy is ready to deploy the driver set.

Sandy right-clicks the driver set, then clicks Live > Deploy Driver Set. Designer prompts Sandy to deploy both eDirectory drivers. (Otherwise, Designer can't successfully create certificates.) Sandy clicks Yes. Designer builds a deployment summary, then lists items that are associated with the Identity Vaults and will be deployed. To deploy the drivers, Sandy clicks Deploy.

Because the driver set is already configured, Designer creates the certificates.

For additional information on eDir-to-eDir certificates, see eDir-to-eDir SSL/TLS in Preferences.