Configuring Identity Forge for EmpowerID
This topic describes how to configure Identity Forge for use with EmpowerID. Once you have followed the steps outlined in this topic, you can connect EmpowerID to your AS/400 directories.
Adjust the following line to the installation path of the Java JDK:
set JAVA_HOME=\software\jdk1.6.0_16
In our example, this line is changed to the following:
set JAVA_HOME=C:\software\jdk1.7.0_25
From the text editor, change the following parameter to true:
isSSL
Adjust the following parameters with the IP address of your target iSeries:
host
agentHost
Adjust the following parameters with the UID of the administrative AS/400 account:
adminId
agentAdminId
Place a '#' in front of the following parameters to comment them out:
adminPwd
agentAdminPwd
Remove the '#' from the following parameters to uncomment them:
adminPwdEncrypt
agentAdminPwdEncrypt
Adjust the following line to the installation path of the Java JDK:
set JAVA_HOME=C:\software\jdk1.5.0_15
In our example, this line is changed to the following:
set JAVA_HOME=C:\software\jdk1.7.0_25
Scroll through the propertyEncrypt.bat file until you see the following line:
SET CLASSPATH=C:\software\identityforge\ldapgateway\dist\idfserver.jar
This path needs to point to the IdentityForge installation directory. In our example, this line would be changed to the following:
SET CLASSPATH=C:\ldapgateway\dist\idfserver.jar
Scroll to the end of the propertyEncrypt.bat file until you see the following lines. The last argument on the command line (idfRacfPwd in the shipped file) is the string that AESCipherUtil encrypts:
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
Double-click propertyEncrypt.bat. You should see something similar to the following output:
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
Paste the value into the following parameters:
adminPwdEncrypt
agentAdminPwdEncrypt
The next step is to set the Front-End LDAP administrative account and password. This is the account used by EmpowerID to bind to the IdentityForge LDAP server.
Open C:\ldapgateway\dist\idfserver\beans.xml in the text editor of your choice and scroll to the section below. We will be changing the value for the Front-End LDAP administrative account listed in bold:
<bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
  <property name="suffix" value="dc=as400,dc=com"/>
  <property name="workingDirectory" value="../as400"/>
  <property name="adminUserDN" value="cn=idfAs400Admin, dc=as400,dc=com"/>
  <property name="adminUserPassword" value="idfAs400Pwd"/>
  <property name="altAdminUserDN" value="cn=oimAs400Admin, dc=as400,dc=com"/>
  <property name="altAdminUserPassword" value="oimAs400Pwd"/>
  <property name="allowAnonymous" value="false"/>
  <property name="entryCacheSize" value="1000"/>
  <property name="defaultUacc" value="read"/>
  <property name="searchUsersType" value="user"/>
Change the adminUserDN and altAdminUserDN property values to the DN of the Front-End account you wish to use to bind to LDAP. For example:
<bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
  <property name="suffix" value="dc=as400,dc=com"/>
  <property name="workingDirectory" value="../as400"/>
  <property name="adminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
  <property name="adminUserPassword" value="idfAs400Pwd"/>
  <property name="altAdminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
  <property name="altAdminUserPassword" value="oimAs400Pwd"/>
  <property name="allowAnonymous" value="false"/>
  <property name="entryCacheSize" value="1000"/>
  <property name="defaultUacc" value="read"/>
  <property name="searchUsersType" value="user"/>
Scroll to the end of the propertyEncrypt.bat file until you see the following lines:
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
Double-click propertyEncrypt.bat. You should see something similar to the following output:
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
Change the adminUserPassword and altAdminUserPassword property values to the encrypted password string in the clipboard. For example:
<bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
  <property name="suffix" value="dc=as400,dc=com"/>
  <property name="workingDirectory" value="../as400"/>
  <property name="adminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
  <property name="adminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
  <property name="altAdminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
  <property name="altAdminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
  <property name="allowAnonymous" value="false"/>
  <property name="entryCacheSize" value="1000"/>
  <property name="defaultUacc" value="read"/>
  <property name="searchUsersType" value="user"/>
The next step is to set the Back-End LDAP administrative password. This is the account used by EmpowerID to bind to the IdentityForge LDAP server and sync inventory to the Back-End.
Scroll to the section shown below. We will be changing the Back-End LDAP administrative account password listed in bold:
<bean name="hpbe2" singleton="true" class="com.identityforge.idfserver.backend.hpbe.HPBEModule">
  <property name="suffix" value="dc=system,dc=backend"/>
  <property name="workingDirectory" value="../system"/>
  <property name="schema" ref="schemas"/>
  <property name="adminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
  <property name="adminUserPassword" value="testpass"/>
  <property name="altAdminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
  <property name="altAdminUserPassword" value="testpass"/>
  <property name="entryCacheSize" value="1000"/>
Scroll to the end of the propertyEncrypt.bat file until you see the following lines:
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
Double-click propertyEncrypt.bat. You should see something similar to the following output:
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
Change the adminUserPassword and altAdminUserPassword property values to the encrypted password string in the clipboard. For example:
<bean name="hpbe2" singleton="true" class="com.identityforge.idfserver.backend.hpbe.HPBEModule">
  <property name="suffix" value="dc=system,dc=backend"/>
  <property name="workingDirectory" value="../system"/>
  <property name="schema" ref="schemas"/>
  <property name="adminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
  <property name="adminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
  <property name="altAdminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
  <property name="altAdminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
  <property name="entryCacheSize" value="1000"/>
Execute the following command to convert the PFX file to a PEM file:
openssl pkcs12 -in C:\EIDcert.pfx -out C:\EIDcert.pem
The OpenSSL toolkit will ask you to enter the import password; this is the pass phrase currently set on the PFX certificate. If you exported the certificate from the MMC snap-in, this will be the password you set on the certificate during the export.
Find the following lines in the PEM file and copy them, including the BEGIN and END markers, into a separate file (in our example, C:\encrypted.pem, which the next openssl command reads):
-----BEGIN ENCRYPTED PRIVATE KEY-----
DATA HERE
-----END ENCRYPTED PRIVATE KEY-----
Next, we need to pull out the certificate (which carries the public key) and put it into a separate file. Find the following lines and copy them, including the markers, into C:\cert.pem:
-----BEGIN CERTIFICATE-----
DATA HERE
-----END CERTIFICATE-----
Execute the following command to remove the pass phrase from the private key; OpenSSL will prompt you for the current pass phrase:
openssl rsa -in C:\encrypted.pem -out C:\key.pem
Execute the following two commands:
openssl pkcs8 -topk8 -nocrypt -in C:\key.pem -inform PEM -out C:\key.der -outform DER
openssl x509 -in C:\cert.pem -inform PEM -out C:\cert.der -outform DER
Once these commands are completed, you will have two DER files. At this time it is recommended to delete the PFX and PEM files.
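As an added example (not part of this page or of the IdentityForge tooling), the following Python script performs the two "find the following lines" steps above mechanically: it reads the combined PEM written by openssl pkcs12, discards the Bag Attributes, subject= and issuer= lines that openssl places in front of each object, and writes the ENCRYPTED PRIVATE KEY block to encrypted.pem and the CERTIFICATE block to cert.pem, refusing to write anything if either block is missing. The file names follow the page; the PEM content embedded in the script is constructed sample data, not a real key or certificate.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of what `openssl pkcs12 -in EIDcert.pfx -out EIDcert.pem` emits:
# openssl prefixes each object with Bag Attributes / subject= / issuer= lines that are
# not part of the PEM block. The base64 payloads here are placeholders, not real data.
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01 02 03
subject=/CN=EIDIDF
issuer=/CN=Example CA
-----BEGIN CERTIFICATE-----
TUlJQ0VYQU1QTEU=
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
RU5DUllQVEVELUtFWS1FWEFNUExF
-----END ENCRYPTED PRIVATE KEY-----
"""

# One PEM object: BEGIN marker, body, and the END marker with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem(text):
    """Return {label: normalised PEM block} for each BEGIN/END pair in text.
    Text outside the markers (Bag Attributes, subject=, issuer=) is dropped."""
    blocks = {}
    for match in PEM_BLOCK.finditer(text):
        label = match.group("label")
        body_lines = [ln.strip() for ln in match.group("body").splitlines() if ln.strip()]
        blocks[label] = (
            f"-----BEGIN {label}-----\n" + "\n".join(body_lines) + f"\n-----END {label}-----\n"
        )
    return blocks


def write_key_and_cert(pem_text, key_path, cert_path):
    """Write the encrypted key and the certificate to separate files.
    Refuses to write anything if either block is absent, so a half-converted
    bundle is never fed into the later openssl steps."""
    blocks = split_pem(pem_text)
    if "ENCRYPTED PRIVATE KEY" not in blocks:
        raise ValueError("no ENCRYPTED PRIVATE KEY block found (was the key exported unencrypted?)")
    if "CERTIFICATE" not in blocks:
        raise ValueError("no CERTIFICATE block found")
    Path(key_path).write_text(blocks["ENCRYPTED PRIVATE KEY"])
    Path(cert_path).write_text(blocks["CERTIFICATE"])
    return sorted(blocks)


def demo():
    """Run the split on the constructed sample inside a temporary directory."""
    out = Path(tempfile.mkdtemp())
    labels = write_key_and_cert(SAMPLE_PEM, out / "encrypted.pem", out / "cert.pem")
    return labels, (out / "encrypted.pem").read_text(), (out / "cert.pem").read_text()


if __name__ == "__main__":
    labels, key_pem, cert_pem = demo()
    print("blocks found:", labels)
    print(cert_pem)
```

On a real bundle, call write_key_and_cert with the text of C:\EIDcert.pem and the paths C:\encrypted.pem and C:\cert.pem; the two output files are then the inputs to the openssl rsa and openssl x509 commands above.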
Open a Command Prompt, navigate to C:\software\jdk1.7.0_25\bin and execute the following command to merge the two DER files into a single Java keystore:
java ImportKey C:\key.der C:\cert.der
Finally, we need to configure IdentityForge to point to this Java keystore. Open C:\ldapgateway\dist\idfserver\beans.xml in the text editor of your choice and scroll to the following section. We will be changing the Java keystore filename listed in bold:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/testnew.jks</value></constructor-arg>
  <constructor-arg><value>abc123</value></constructor-arg>
  <constructor-arg><value>false</value></constructor-arg>
</bean>
Change the second constructor-arg value to the name of the Java keystore we created earlier. For example:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/as400.jks</value></constructor-arg>
  <constructor-arg><value>abc123</value></constructor-arg>
  <constructor-arg><value>false</value></constructor-arg>
</bean>
The final step is to set the Java keystore password. We will be changing the Java keystore password listed in bold:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/as400.jks</value></constructor-arg>
  <constructor-arg><value>abc123</value></constructor-arg>
  <constructor-arg><value>false</value></constructor-arg>
</bean>
Scroll to the end of the propertyEncrypt.bat file until you see the following lines of code:
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
Double-click propertyEncrypt.bat. You should see something similar to the following output:
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
Copy this value (in our example, 10902AA71C4DF819C965E8B5B7DF0208) to the clipboard. Change the Java keystore password listed in bold to the encrypted password string in the clipboard. For example:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/as400.jks</value></constructor-arg>
  <constructor-arg><value>10902AA71C4DF819C965E8B5B7DF0208</value></constructor-arg>
  <constructor-arg><value>false</value></constructor-arg>
</bean>
Finally, since we are using an encrypted password for the Java keystore, we need to change the last constructor-arg value to true. For example:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/as400.jks</value></constructor-arg>
  <constructor-arg><value>10902AA71C4DF819C965E8B5B7DF0208</value></constructor-arg>
  <constructor-arg><value>true</value></constructor-arg>
</bean>
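Before the service is installed it is worth re-reading beans.xml for the values this page changes, since a forgotten edit leaves a shipped password or the test keystore in place. The following Python script is an added example, not part of EmpowerID or IdentityForge: it parses beans.xml and, for each backend module bean (As400Module, HPBEModule), reports an adminUserPassword or altAdminUserPassword that is not an AESCipherUtil HEX string and an allowAnonymous set to true; for the sslChannelFactory bean it reports a keystore still named testnew.jks, a plaintext keystore password, and an encrypted password whose last constructor-arg is not true. The bean layout is the one shown on this page; the embedded XML samples are constructed, and the 32-character hex value in them is the page's example string used as a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# AESCipherUtil prints its result as a HEX string; anything else in a password
# slot is treated as plaintext.
HEX_BLOB = re.compile(r"^[0-9A-Fa-f]{32,}$")
ADMIN_PASSWORD_PROPS = ("adminUserPassword", "altAdminUserPassword")

# Constructed beans.xml fragments mirroring the beans shown on this page. The
# 32-character hex value is the page's example string, used here as a placeholder.
SHIPPED_BEANS = """<beans>
  <bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
    <property name="suffix" value="dc=as400,dc=com"/>
    <property name="adminUserDN" value="cn=idfAs400Admin, dc=as400,dc=com"/>
    <property name="adminUserPassword" value="idfAs400Pwd"/>
    <property name="altAdminUserDN" value="cn=oimAs400Admin, dc=as400,dc=com"/>
    <property name="altAdminUserPassword" value="oimAs400Pwd"/>
    <property name="allowAnonymous" value="false"/>
  </bean>
  <bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
    <constructor-arg><value>false</value></constructor-arg>
    <constructor-arg><value>../conf/testnew.jks</value></constructor-arg>
    <constructor-arg><value>abc123</value></constructor-arg>
    <constructor-arg><value>false</value></constructor-arg>
  </bean>
</beans>
"""

HARDENED_BEANS = """<beans>
  <bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
    <property name="suffix" value="dc=as400,dc=com"/>
    <property name="adminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
    <property name="adminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
    <property name="altAdminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
    <property name="altAdminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
    <property name="allowAnonymous" value="false"/>
  </bean>
  <bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
    <constructor-arg><value>false</value></constructor-arg>
    <constructor-arg><value>../conf/as400.jks</value></constructor-arg>
    <constructor-arg><value>10902AA71C4DF819C965E8B5B7DF0208</value></constructor-arg>
    <constructor-arg><value>true</value></constructor-arg>
  </bean>
</beans>
"""


def _prop(bean, name):
    node = bean.find(f"property[@name='{name}']")
    return None if node is None else node.get("value")


def check_beans(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for bean in ET.fromstring(xml_text).iter("bean"):
        name = bean.get("name") or bean.get("id") or "?"
        cls = bean.get("class", "")
        if cls.endswith("Module"):  # As400Module, HPBEModule, ...
            for prop in ADMIN_PASSWORD_PROPS:
                value = _prop(bean, prop)
                if value is not None and not HEX_BLOB.match(value):
                    findings.append(f"{name}: {prop} is not an AESCipherUtil HEX string (plaintext?)")
            if _prop(bean, "allowAnonymous") == "true":
                findings.append(f"{name}: allowAnonymous is true")
        elif cls.endswith("SSLChannelFactory"):
            # Argument order as shown on the page: flag, keystore path, password, encrypted flag.
            args = [a.findtext("value", default="") for a in bean.findall("constructor-arg")]
            if len(args) != 4:
                findings.append(f"{name}: expected 4 constructor-arg elements, found {len(args)}")
                continue
            keystore, password, encrypted_flag = args[1], args[2], args[3]
            if keystore.endswith("testnew.jks"):
                findings.append(f"{name}: keystore still points at the shipped testnew.jks")
            if not HEX_BLOB.match(password):
                findings.append(f"{name}: keystore password is stored in plaintext")
            elif encrypted_flag != "true":
                findings.append(f"{name}: password is encrypted but the last constructor-arg is not true")
    return findings


def check_file(path):
    """Convenience wrapper for a real beans.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_beans(fh.read())


if __name__ == "__main__":
    for label, xml_text in (("shipped", SHIPPED_BEANS), ("hardened", HARDENED_BEANS)):
        print(label, check_beans(xml_text) or ["ok"])
```

Run check_file against C:\ldapgateway\dist\idfserver\beans.xml once the edits above are done; an empty result means all of the values this page changes have been changed.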
To configure secure communications between the IdentityForge server and the AS/400 we will need to retrieve the SSL certificate from the OS/400 Certificate Manager.
Open a Command Prompt and navigate to the Java JDK bin folder. In our example, this is C:\software\jdk1.7.0_25\bin. Execute the following command:
keytool -importcert -file C:\cert.cer -alias arbitraryaliashere -keystore C:\software\jdk1.7.0_25\jre\lib\security\cacerts
To verify the presence of the certificate in the certificate store, run the following command:
keytool -list -keystore C:\software\jdk1.7.0_25\jre\lib\security\cacerts
Enter the default JDK keystore password (changeit) to view the contents of the Java keystore.
To allow IdentityForge and AS/400 to communicate through a firewall, the following ports may need to be opened between the IdentityForge server and the AS/400:
For more information, please see the following JTOpen and IBM iSeries documentation pages:
Scroll to the section shown below. We will be changing the JAVA_HOME and JVM path variables listed in bold:
set JAVA_HOME=C:\Program Files\Java\jre7
set JVM=C:\Program Files\Java\jre7\bin\client\jvm.dll
This path needs to point to the installation path of the Java JDK. In our example, this line would be changed to the following:
set JAVA_HOME=C:\software\jdk1.7.0_25
set JVM=C:\software\jdk1.7.0_25\jre\bin\client\jvm.dll
Scroll through the IDF-Win-Service.bat file until you see the HOME and APPLICATION_SERVICE_HOME variables listed in bold:
set HOME=C:\ldfService\ldapgateway
set APPLICATION_SERVICE_HOME=C:\ldfService\ldapgateway\win_service
This path needs to point to the IdentityForge installation directory. In our example, this line would be changed to the following:
set HOME=C:\ldapgateway
set APPLICATION_SERVICE_HOME=C:\ldapgateway\win_service
Scroll through the IDF-Win-Service.bat file until you see the SERVICE_NAME value listed in bold:
set SERVICE_NAME=IdentityForgeService
This variable can be changed to a name of your choosing. This will be the name of the Windows service as shown in Service Manager.
Scroll through the IDF-Win-Service.bat file until you see the CG_STDOUTPUT variable listed below:
set CG_STDOUTPUT=%CG_LOGPATH%\IDFServiceOut.log
In order to disable verbose logging, this line should be changed to the following:
REM -- set CG_STDOUTPUT=%CG_LOGPATH%\IDFServiceOut.log
Scroll through the IDF-Win-Service.bat file until you see the CG_DESCRIPTION and CG_DISPLAY_NAME values listed in bold:
Set CG_DESCRIPTION="Identity Forge Service for LDAP Gateway"
set CG_DISPLAY_NAME=IdentityForgeService
These variables can be changed as you see fit. The text will become the description and the display name of the Windows service as shown in Service Manager, respectively.
Execute the following command:
IDF-Win-Service.bat install
If you wish to remove the service at a later date, execute the following command:
IDF-Win-Service.bat remove
To check and monitor the IdentityForge log files, look for the log files located in C:\ldapgateway\logs. To enable Java debugging do the following:
To increase the memory available to the Java JVM, do the following: