IBM Directory Integrator 5.1.2: Readme Addendum
Note Before using this information and the product it supports, read the general information under Notices on page 5.
Preface This Readme file contains information about the IBM Directory Integrator 5.1.2. This file contains information about changes and fixes that occurred to the documentation after it was placed on the product image. This file is in English only. This file can also be found at http://publib.boulder.ibm.com/tividd/td/tdprodlist.html iii
iv IBM Directory Integrator 5.1.2: Readme Addendum
Contents Preface............... iii Product description.......... 1 Notices............... 5 Opensource licenses............ 7 Trademarks............... 7 IBM Directory Integrator and Microsoft Active Directory SSL configuration... 3 v
vi IBM Directory Integrator 5.1.2: Readme Addendum
Product description IBM Directory Integrator manages the technicalities of connecting to and interacting with the various data sources that you want to integrate, abstracting away the details of their APIs, transports, protocols and formats. Instead of focusing on data, IBM Directory Integrator lifts your view to the information level, enabling you to concentrate on the business and information management logic needed to perform each exchange. IBM Directory Integrator enables you to build and maintain libraries of integration logic and components that can be reused to address new challenges. Development projects across your organization can all share IBM Directory Integrator assets, resulting in independent projects (even point solutions) that immediately fit into a coherent integrated infrastructure. For more information about IBM Directory Integrator 5.1.2, refer to IBM Directory Integrator 5.1.2: Readme in root_directory/docs. 1
2 IBM Directory Integrator 5.1.2: Readme Addendum
IBM Directory Integrator and Microsoft Active Directory SSL configuration Do the following to configure SSL for IBM Directory Integrator and Microsoft Active Directory: 1. Install Certificate Services on Windows 2000 Server and an Enterprise Certificate Authority in the Active Directory Domain. Details are available at http://www.ntfaq.com/articles/index.cfm?articleid=14923. Make sure you install an Enterprise Certificate Authority. 2. Start the Certificate Server Service. This creates a virtual directory in Internet Information Service (IIS) that enables you to distribute certificates. 3. Create a Security (Group) Policy to direct Domain Controllers to get an SSL certificate from the Certificate Authority (CA). a. Open the Active Directory Users and Computers Administrative tool. b. Under the domain, right-click on Domain Controllers. c. Select Properties. d. In the Group Policy tab, click to edit the Default Domain Controllers Policy. e. Go to Computer Configuration >Windows Settings >Security Settings >Public Key Policies. f. Right click Automatic Certificate Request Settings. g. Select New. h. Select Automatic Certificate Request. i. Run the wizard. Select the Certificate Template for a Domain Controller. j. Select your Enterprise Certificate Authority as the CA. Selecting a third-party CA works as well. k. Complete the wizard. l. All Domain Controllers now automatically request a certificate from the CA, and support LDAP using SSL on port 636. 4. Retrieve the Certificate Authority Certificate to the machine on which you installed IBM Directory Integrator. Note: You must install IIS before installing the certificate server. a. Open a Web browser on the machine on which you installed IBM Directory Integrator. b. Go to http://<server_name>/certsrv/ (where <server_name> is the name of the Windows 2000 server). You are asked to log in. c. Select the task Retrieve the CA certificate or certificate revocation list. d. Click Next. e. The next page automatically highlights the CA certificate. Click Download CA certificate. f. A new download window opens. Save the file to the hard drive. 5. Create a certificate store using keytool. Use keytool.exe to create the certificate store and import the CA certificate into this store. 3
Note: Keytool.exe is located in the IBM Directory Integrator directory under /_jvm/bin Use the following command: _jvm\bin\keytool -import -file certnew.cer -keystore <keystore_name>.jks -storepass <password> -alias <keyalias_name> For example, assume the following values: Keystorename = idi.jks Password = secret Keyalias name = AD_CA The command looks like the following: C:\Program Files\IBM\IBMDirectoryIntegrator>_jvm\bin\keytool -import -file certnew.cer -keystore idi.jks -storepass secret -alias AD_CA To verify the contents of your keystore, type the following: C:\Program Files\IBM\IBMDirectoryIntegrator>_jvm\bin\keytool -list -keystore idi.jks -storepass secret This results in the following: Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry: ad_ca, Mon Nov 04 22:11:46 MST 2002, trustedcertentry, Certificate fingerprint (MD5): A0:2D:0E:4A:68:34:7F:A0:21:36:78:65:A7:1B:25:55 For more details on keytool, go to http://java.sun.com/j2se/1.3/docs/tooldocs/solaris/keytool.html 6. Configure IBM Directory Integrator to use the keystore created in the previous step. Edit <root_directory>/global.properties file for the keystore file location, keystore file password and keystore file type. In the current release, only jks-type is supported. #server authentication #example javax.net.ssl.truststore=c::\test\idi.jks javax.net.ssl.truststorepassword=secret javax.net.ssl.truststoretype=jks #client authentication #example javax.net.ssl.keystore=c:\test\idi.jks javax.net.ssl.keystorepassword=secret javax.net.ssl.keystoretype=jks 7. Edit <root_directory>/_jvm/lib/security/java.security for the security provider list: security.provider.1=sun.security.provider.sun security.provider.2=com.ibm.crypto.provider.ibmjce security.provider.3=com.ibm.crypto.provider.ibmjca 8. Enable SSL for your LDAP connector. a. Go to the LDAP Connector configuration panel. b. Change LDAP URL to port 636. c. Check Use SSL. 9. Restart IBM Directory Integrator. 4 IBM Directory Integrator 5.1.2: Readme Addendum
Notices This information was developed for products and services offered in the U.S.A. IBM might not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user s responsibility to evaluate and verify the operation of any non-ibm product, program, or service. IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106, Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice. Any references in this information to non-ibm Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. 5
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation Department MU5A46 11301 Burnet Road Austin, TX 78758 U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM s application programming interfaces. Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows: 6 IBM Directory Integrator 5.1.2: Readme Addendum
Opensource licenses (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. Copyright IBM Corp. _enter the year or years_. All rights reserved. If you are viewing this information softcopy, the photographs and color illustrations may not appear. There are several opensource products included in IBM Directory Integrator 5.1.2. The licenses for the following products are available in <root_directory>\license\opensource: Product Owner License file name Pre-required licenses Company/Organization ANTLR JGURU Antlr_license.txt Xerces Apache apache_license.txt Castor Exolab Castor_license.txt junit_license.txt xerces_license.txt jakarta_ant_license.txt jakarta_oro_license.txt Jakarta_RegExp_license.txt CommonLogging Apache CommonsLogging_license.txt dom4j SourceForge.net dom4j_license.txt log4j Apache log4j_license.txt MX4J Apache mx4j_license.txt BCEL_license.txt Jython_license.txt log4j_license.txt XDoclet_license.txt RegExp Apache Jakarta_RegExp_license.txt Trademarks The following terms are trademarks of International Business Machines Corporation in the United States, or other countries, or both: IBM Microsoft and Windows are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others. Notices 7