Manually Creating eDirectory Certificate Exchange for DirXML/Identity Manager

Summary

You've tried all the TID's for the NDS2NDS wizard and it still won't work for the certificate exchange.

Symptoms

Numerous symptoms / errors
Unable to create NDS2NDS certificates with IDM Wizard.

Cause

1) Unknown
2) Server failure

Solution

Try this workaround taken from the DirXML 1 documentation.

Workaround

Creating the Key Material Object

Key Material Objects (KMOs) are used in NDS to store certificate and public/private key data. A minimum of two KMOs (one KMO per tree) must be created for use with the NDS to NDS driver. For additional security, you can specify two KMOs per tree. To use a certificate from one tree in another tree, the Trusted Root certificate from the first tree's Certificate Authority must be exported for use in the second tree.

The Key Pair name of a KMO is the part of the NDS object name which appears before the dash (-). The part of the object name which appears after the dash is the NDS server name to which the KMO belongs. When using the name of a KMO in the driver configuration, always use the Key Pair name. For example, if the name of the NDS object is Driver Cert - SRV1_TAO, the Key Pair name is Driver Cert.


Exporting the Trusted Root from a Tree

1. In ConsoleOne, click the Security container (located under Tree) > right-click the Certificate Authority object.
2. Click Properties > Certificates-Public Key Certificate tab.
3. Click Export.
4. Click File in Binary DER Format > click Export.


Creating a Single KMO for a Tree

Using a single KMO per tree causes both sides of a channel to authenticate using a certificate issued by a common Certificate Authority. This means that one tree will need a certificate issued by the other tree.

To create the KMOs, authenticate to both NDS trees in ConsoleOne, then complete these procedures:

* Exporting the Trusted Root from a Tree

Export the trust root using the Certificate Authority from the first tree.

* Creating the KMO for the First Tree

This certificate must be signed by this tree's Certificate Authority.

* Creating the KMO for the Second Tree

This certificate must be signed by the first tree's Certificate Authority.


Creating the KMO for the First Tree

1. In ConsoleOne, right-click the container containing the NDS Server object on which the DirXML driver will run.
2. Click New > Object.
3. Click NDSPKI:Key Material > OK.
4. Specify a name for the KMO object.
5. Make sure the Standard radio button is selected in the Creation Method box > click Next.
6. Make sure the certificate parameters meet your needs > click Finish.


Creating the KMO for the Second Tree

1. In ConsoleOne, right-click the container containing the NDS Server object on which the DirXML driver will run.
2. Click New > Object.
3. Click NDSPKI:Key Material > OK.
4. Specify a name for the KMO object.
5. Click Custom > Next.
6. Click External Certificate Authority (to indicate that the certificate will be generated by the first tree) > click Next.
7. Specify the RSA key size (if applicable) > click Next.
8. Click Next > Finish.

This generates a Certificate Signing Request (CSR).
9. Click System Clipboard in Base64 Format > Save.
10. Click the NDS Server object for the first tree > Tools > Issue Certificate.
11. Paste the CSR created in Step 8 into the CSR window > click Next.
12. Click Next to generate a certificate signed by the first tree's Certificate Authority.
13. Click SSL or TLS to indicate that the certificate is to be used for SSL authentication > click Next.
14. Specify the validity period you want > click Next.
15. Click Finish to create the certificate.
16. Click System Clipboard in Base64 Format > Save.
17. Right-click the KMO in the second tree > click Properties > Certificates-Public Key Certificate tab.
18. Click Import.
19. Click Read from File.
20. Enter the filename of the Trusted Root certificate you exported from the first tree > click Next.
21. Paste the certificate created by the first tree's Certificate Authority into the certificate window.
22. Click Finish.

References

SHU, 2007.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS WITHOUT WARRANTY OF ANY KIND. PROVIDER SPECIFICALLY DISCLAIMS ANY OTHER WARRANTY, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL PROVIDER BE LIABLE FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL OR INCIDENTAL DAMAGES, EVEN IF PROVIDER HAS BEEN ADVISED BY USER OF THE POSSIBILITY OF SUCH POTENTIAL LOSS OR DAMAGE. USER AGREES TO HOLD PROVIDER HARMLESS FROM AND AGAINST ANY AND ALL CLAIMS, LOSSES, LIABILITIES AND EXPENSES.

Document ID: SKB0466
Published on: 01 Feb 2007