Secure the Connection to the Connector Server With SSL

Important

Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.

The SSL configuration for a connector server depends on whether you are running the connector server in server mode or in client mode:

  • In server mode, the connector server needs a public/private key pair and a certificate (either self-signed or signed by a CA). The certificate is sent to the client (IDM) during the SSL handshake. For IDM to trust the certificate, the certificate must be imported into the IDM truststore.

  • In client mode, the connector server initiates the connection to IDM. IDM sends its certificate during the SSL handshake. The CA that signed the IDM certificate (or the IDM self-signed certificate) must be imported into the truststore of the connector server. If you use TLS Mutual Authentication, IDM requests the certificate from the connector server during the SSL handshake. The connector server needs a public/private key pair and a certificate to achieve TLS Mutual Authentication with IDM.

  1. Generate the connector server private/public key pair and create a new PKCS12 keystore:

    keytool \
    -genkeypair \
    -keyalg EC \
    -alias icf-rcs \
    -dname "CN=icf.example.com,O=Example Corp,C=FR" \
    -keystore rcsKeystore \
    -storetype PKCS12 \
    -storepass changeit \
  2. Verify the contents of the new keystore:

    keytool \
    -list \
    -v \
    -keystore rcsKeystore
    Enter keystore password:  changeit
    Keystore type: PKCS12
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: icf-rcs
    Creation date: Jul 13, 2020
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=icf.example.com, O=Example Corp, C=FR
    Issuer: CN=icf.example.com, O=Example Corp, C=FR
    Serial number: 611e093d
    Valid from: Mon Jul 13 23:58:49 SAST 2020 until: Sun Oct 11 23:58:49 SAST 2020
    Certificate fingerprints:
      SHA1: Fingerprint
    	 SHA256: Fingerprint
    Signature algorithm name: SHA256withECDSA
    Subject Public Key Algorithm: 256-bit EC key
    ...
  3. Export the connector server certificate:

    keytool \
    -export \
    -alias icf-rcs \
    -file rcs.cert \
    -keystore rcsKeystore.pkcs12
    Enter keystore password: changeit
    Certificate stored in file <rcs.cert>
  4. If you are not using a self-signed certificate, have the certificate signed by a Certificate Authority (CA):

    1. Create a Certificate Signing Request (CSR):

      keytool \
      -keystore rcsKeystore.pkcs12 \
      -certreq \
      -alias icf-rcs \
      -file rcs.csr
      more rcs.csr
      -----BEGIN NEW CERTIFICATE REQUEST-----
      
      MIIEKTCCA9QCAQAwVzELMAkGA1UEBhMCRlIxCzAJBgNVBAgTAkZSMQswCQYDVQQH
      xZ47rzcY6OrElh8+/TYG50NRqcQYMzm4CefCrhxTm6dHW4XQEa24tHmHdUmEaVys
      A1UdDgQWBBSivxV9AzgbrIo3gG6vCBlNaXf3wjANBglghkgBZQMEAwIFAANAADA9
      ...
      AhxL791/ikf1hqxOD3uttV7qumg+TNednsgtk6uOAh0AlINk+1LBeyUkQA7iUHy/
      3KLYWog/Npu5USdCeA==
      
      -----END NEW CERTIFICATE REQUEST-----
    2. Submit the CSR to your CA for signature.

  5. Import the signed certificate into the connector server keystore:

    keytool \
    -importcert \
    -trustcacerts \
    -file rcs.cert \
    -keystore rcsKeystore.pkcs12 \
    -storetype pkcs12 \
    -alias icf-rcs
    Enter keystore password: changeit
    Certificate reply was installed in keystore

    Note

    If your CA certificate is not trusted, you might need to import the CA certificate into the keystore too.

  6. Import the connector server certificate into the IDM truststore:

    keytool \
    -import \
    -alias icf-rcs \
    -keystore /path/to/openidm/truststore \
    -file rcs.cert
    Enter keystore password: changeit
    Owner: CN=icf.example.com, O=Example Corp, C=FR
    Issuer: CN=icf.example.com, O=Example Corp, C=FR
    Serial number: 611e093d
    Valid from: Fri Apr 05 16:04:04 CEST 2019 until: Mon Aug 17 16:04:04 CEST 2020
    Certificate fingerprints:
         MD5:  Fingerprint
         SHA1: Fingerprint
         SHA256: Fingerprint
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit DSA key
    Version: 1
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  1. Generate the connector server private/public key pair and create a new PKCS12 keystore:

    keytool \
    -genkeypair \
    -keyalg EC \
    -alias icf-rcs \
    -dname "CN=icf.example.com,O=Example Corp,C=FR" \
    -keystore rcsKeystore \
    -storetype PKCS12 \
    -storepass changeit \
  2. Verify the contents of the new keystore:

    keytool \
    -list \
    -v \
    -keystore rcsKeystore
    Enter keystore password:  changeit
    Keystore type: PKCS12
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: icf-rcs
    Creation date: Jul 13, 2020
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=icf.example.com, O=Example Corp, C=FR
    Issuer: CN=icf.example.com, O=Example Corp, C=FR
    Serial number: 611e093d
    Valid from: Mon Jul 13 23:58:49 SAST 2020 until: Sun Oct 11 23:58:49 SAST 2020
    Certificate fingerprints:
      SHA1: Fingerprint
    	 SHA256: Fingerprint
    Signature algorithm name: SHA256withECDSA
    Subject Public Key Algorithm: 256-bit EC key
    ...
  3. Export the connector server certificate:

    keytool \
    -export \
    -alias icf-rcs \
    -file rcs.cert \
    -keystore rcsKeystore.pkcs12
    Enter keystore password: changeit
    Certificate stored in file <rcs.cert>
  4. If you are not using a self-signed certificate, have the certificate signed by a Certificate Authority (CA):

    1. Create a Certificate Signing Request (CSR):

      keytool \
      -keystore rcsKeystore.pkcs12 \
      -certreq \
      -alias icf-rcs \
      -file rcs.csr
      more rcs.csr
      -----BEGIN NEW CERTIFICATE REQUEST-----
      
      MIIEKTCCA9QCAQAwVzELMAkGA1UEBhMCRlIxCzAJBgNVBAgTAkZSMQswCQYDVQQH
      xZ47rzcY6OrElh8+/TYG50NRqcQYMzm4CefCrhxTm6dHW4XQEa24tHmHdUmEaVys
      A1UdDgQWBBSivxV9AzgbrIo3gG6vCBlNaXf3wjANBglghkgBZQMEAwIFAANAADA9
      ...
      AhxL791/ikf1hqxOD3uttV7qumg+TNednsgtk6uOAh0AlINk+1LBeyUkQA7iUHy/
      3KLYWog/Npu5USdCeA==
      
      -----END NEW CERTIFICATE REQUEST-----
    2. Submit the CSR to your CA for signature.

  5. Import the signed certificate into the connector server keystore:

    keytool \
    -importcert \
    -trustcacerts \
    -file rcs.cert \
    -keystore rcsKeystore.pkcs12 \
    -storetype pkcs12 \
    -alias icf-rcs
    Enter keystore password: changeit
    Certificate reply was installed in keystore

    Note

    If your CA certificate is not trusted, you might need to import the CA certificate into the keystore too.

  6. Import the connector server certificate into the IDM truststore:

    keytool \
    -import \
    -alias icf-rcs \
    -keystore /path/to/openidm/truststore \
    -file rcs.cert
    Enter keystore password: changeit
    Owner: CN=icf.example.com, O=Example Corp, C=FR
    Issuer: CN=icf.example.com, O=Example Corp, C=FR
    Serial number: 611e093d
    Valid from: Fri Apr 05 16:04:04 CEST 2019 until: Mon Aug 17 16:04:04 CEST 2020
    Certificate fingerprints:
         MD5:  Fingerprint
         SHA1: Fingerprint
         SHA256: Fingerprint
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit DSA key
    Version: 1
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  7. Export the IDM self-signed certificate:

    keytool \
    -export \
    -alias openidm-localhost \
    -keystore keystore.jceks \
    -storetype jceks \
    -file idm.cert \
    Enter keystore password: changeit
    Certificate stored in file <idm.cert>
  8. Import the IDM self-signed certificate into the connector server truststore:

    keytool \
    -import \
    -alias openidm-localhost \
    -keystore /path/to/rcs/security/truststore.pkcs12 \
    -storetype pkcs12 \
    -file idm.cert
    Enter keystore password: changeit
    
    Owner: CN=openidm-localhost, O=OpenIDM Self-Signed Certificate, OU=None, L=None, ST=None, C=None
    Issuer: CN=openidm-localhost, O=OpenIDM Self-Signed Certificate, OU=None, L=None, ST=None, C=None
    Serial number: 16981c79d8d
    Valid from: Wed Feb 13 15:35:36 CET 2019 until: Thu Mar 15 15:35:36 CET 2029
    Certificate fingerprints:
             MD5:  fingerprint
             SHA1: fingerprint
             SHA256: fingerprint
    Signature algorithm name: SHA512withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3
    Trust this certificate? [no]:  yes
    
    Certificate was added to keystore
Read a different version of :