This topic describes how to configure IdentityForge for use with EmpowerID. Once you have followed the steps outlined in this topic, you can connect EmpowerID to your AS/400 directories.
Download the following files that we install and configure in this topic.
Adjust the following line to the installation path of the Java JDK:
set JAVA_HOME=\software\jdk1.7.0_01
In our example, we change this line to the following:
set JAVA_HOME=C:\software\jdk-11.0.1
In the text editor, change the following parameter to true:
isSSL
Adjust the following parameters with the IP address of your target iSeries:
host
agentHost
Adjust the following parameters with the UID of the administrative AS/400 account:
adminId
agentAdminId
Place a '#' in front of the following parameters to comment them out:
adminPwd
agentAdminPwd
Remove the '#' from the following parameters to uncomment them:
adminPwdEncrypt
agentAdminPwdEncrypt
Adjust the following line to the installation path of the Java JDK:
set JAVA_HOME=C:\software\jdk1.5.0_15
In our example, this line is:
set JAVA_HOME=C:\software\jdk-11.0.1
Scroll through the propertyEncrypt.bat file until you see the following line:
SET CLASSPATH=C:\software\identityforge\ldapgateway\dist\idfserver.jar
Change this path to point to the IdentityForge installation directory. In our example, this line is:
SET CLASSPATH=C:\ldapgateway\dist\idfserver.jar
Scroll to the end of the propertyEncrypt.bat file until you see the following lines:
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
Double-click propertyEncrypt.bat to see output similar to the following:
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
Paste the hex value into the following parameters:
adminPwdEncrypt
agentAdminPwdEncrypt
The next step is to set the Front-End LDAP administrative account and password. This is the account used by EmpowerID to bind to the IdentityForge LDAP server.
Open C:\ldapgateway\dist\idfserver\beans.xml in the text editor of your choice and scroll to the as400 section. We will change the values of the Front-End LDAP administrative account properties adminUserDN and altAdminUserDN.
<bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
  <property name="suffix" value="dc=as400,dc=com"/>
  <property name="workingDirectory" value="../as400"/>
  <property name="adminUserDN" value="cn=idfAs400Admin, dc=as400,dc=com"/>
  <property name="adminUserPassword" value="idfAs400Pwd"/>
  <property name="altAdminUserDN" value="cn=oimAs400Admin, dc=as400,dc=com"/>
  <property name="altAdminUserPassword" value="oimAs400Pwd"/>
  <property name="allowAnonymous" value="false"/>
  <property name="entryCacheSize" value="1000"/>
  <property name="defaultUacc" value="read"/>
  <property name="searchUsersType" value="user"/>
Change the adminUserDN and altAdminUserDN property values to the DN of the Front-End account you wish to use to bind to LDAP. For example:
<bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
  <property name="suffix" value="dc=as400,dc=com"/>
  <property name="workingDirectory" value="../as400"/>
  <property name="adminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
  <property name="adminUserPassword" value="idfAs400Pwd"/>
  <property name="altAdminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
  <property name="altAdminUserPassword" value="oimAs400Pwd"/>
  <property name="allowAnonymous" value="false"/>
  <property name="entryCacheSize" value="1000"/>
  <property name="defaultUacc" value="read"/>
  <property name="searchUsersType" value="user"/>
Scroll to the end of the propertyEncrypt.bat file until you see the following lines:
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
Double-click propertyEncrypt.bat to see output similar to the following:
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
Change the adminUserPassword and altAdminUserPassword property values to the encrypted password string in the clipboard. For example:
<bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
  <property name="suffix" value="dc=as400,dc=com"/>
  <property name="workingDirectory" value="../as400"/>
  <property name="adminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
  <property name="adminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
  <property name="altAdminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
  <property name="altAdminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
  <property name="allowAnonymous" value="false"/>
  <property name="entryCacheSize" value="1000"/>
  <property name="defaultUacc" value="read"/>
  <property name="searchUsersType" value="user"/>
The next step is to set the Back-End LDAP administrative password. This is the account used by EmpowerID to bind to the IdentityForge LDAP server and sync inventory to the Back-End.
Scroll to the section shown below. We will change the Back-End LDAP administrative account password for adminUserPassword and altAdminUserPassword:
<bean name="hpbe2" singleton="true" class="com.identityforge.idfserver.backend.hpbe.HPBEModule">
  <property name="suffix" value="dc=system,dc=backend"/>
  <property name="workingDirectory" value="../system"/>
  <property name="schema" ref="schemas"/>
  <property name="adminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
  <property name="adminUserPassword" value="testpass"/>
  <property name="altAdminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
  <property name="altAdminUserPassword" value="testpass"/>
  <property name="entryCacheSize" value="1000"/>
Scroll to the end of the propertyEncrypt.bat file until you see the following lines:
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
Double-click propertyEncrypt.bat to see output similar to the following:
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
Change the adminUserPassword and altAdminUserPassword property values to the encrypted password string in the clipboard. For example:
<bean name="hpbe2" singleton="true" class="com.identityforge.idfserver.backend.hpbe.HPBEModule">
  <property name="suffix" value="dc=system,dc=backend"/>
  <property name="workingDirectory" value="../system"/>
  <property name="schema" ref="schemas"/>
  <property name="adminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
  <property name="adminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
  <property name="altAdminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
  <property name="altAdminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
  <property name="entryCacheSize" value="1000"/>
To configure secure communications between EmpowerID and the IdentityForge LDAP server we need a PFX copy of the certificate being used by EmpowerID and an installed copy of OpenSSL to convert the PFX to a format usable by Java keystores.
Execute the following command to convert the PFX file to a PEM file.
openssl pkcs12 -in C:\EIDcert.pfx -out C:\EIDcert.pem
The OpenSSL toolkit asks you to enter the import password; this is the pass phrase currently set on the PFX certificate. If you exported the certificate from the MMC snap-in, this is the password you set on the certificate during the export.
OpenSSL prompts for the PEM pass phrase. Enter the pass phrase and press ENTER, then enter the pass phrase again to confirm and press ENTER once more.
We are setting a new pass phrase here--be sure to remember this value! You can use the same password as the import password if you prefer.
We now have a PEM file available at C:\EIDcert.pem.
Find the following lines:
-----BEGIN ENCRYPTED PRIVATE KEY-----
DATA HERE
-----END ENCRYPTED PRIVATE KEY-----
To pull out the public key and put it into a separate file, find the following lines:
-----BEGIN CERTIFICATE-----
DATA HERE
-----END CERTIFICATE-----
Execute the following command:
openssl rsa -in C:\encrypted.pem -out C:\key.pem
Execute the following two commands:
openssl pkcs8 -topk8 -nocrypt -in C:\key.pem -inform PEM -out C:\key.der -outform DER
openssl x509 -in C:\cert.pem -inform PEM -out C:\cert.der -outform DER
Once these commands are completed, you have two DER files.
We recommend deleting the PFX and PEM files at this point.
java ImportKey C:\key.der C:\cert.der
To configure IdentityForge to point to this Java keystore, open C:\ldapgateway\dist\idfserver\beans.xml in the text editor of your choice and scroll to the following section to change the Java keystore filename testnew.jks:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/testnew.jks</value></constructor-arg>
  <constructor-arg><value>abc123</value></constructor-arg>
  <constructor-arg><value>false</value></constructor-arg>
</bean>
Change the second constructor-arg value to the name of the Java keystore we created earlier. For example:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/as400.jks</value></constructor-arg>
  <constructor-arg><value>abc123</value></constructor-arg>
  <constructor-arg><value>false</value></constructor-arg>
</bean>
To set the Java keystore password, change the Java keystore password abc123:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/as400.jks</value></constructor-arg>
  <constructor-arg><value>abc123</value></constructor-arg>
  <constructor-arg><value>false</value></constructor-arg>
</bean>
Scroll to the end of the propertyEncrypt.bat file until you see the following lines of code:
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
Double-click propertyEncrypt.bat to see output similar to the following:
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
Copy this value (in our example, 10902AA71C4DF819C965E8B5B7DF0208) to the clipboard. Change the Java keystore password in the third constructor-arg to the encrypted password string in the clipboard. For example:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/as400.jks</value></constructor-arg>
  <constructor-arg><value>10902AA71C4DF819C965E8B5B7DF0208</value></constructor-arg>
  <constructor-arg><value>false</value></constructor-arg>
</bean>
Finally, since we are using an encrypted password for the Java keystore, we need to change the last constructor-arg value to true. For example:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/as400.jks</value></constructor-arg>
  <constructor-arg><value>10902AA71C4DF819C965E8B5B7DF0208</value></constructor-arg>
  <constructor-arg><value>true</value></constructor-arg>
</bean>
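As an added example (not part of this topic and not IdentityForge's own code), the following Python script checks the beans.xml edits described above for both the as400/hpbe2 beans and the sslChannelFactory bean: plaintext adminUserPassword or altAdminUserPassword values, allowAnonymous left enabled, the sample testnew.jks keystore, and an encrypted keystore password whose final constructor-arg is still false. The beans.xml fragment embedded below is constructed for the example, and the assumption that propertyEncrypt.bat output is a run of at least 32 hex digits is marked in the code.

```python
# Added configuration check for the beans.xml edits in this topic (example code,
# not from IdentityForge).  SAMPLE_BEANS_XML is a constructed fragment.
import re
import xml.etree.ElementTree as ET

# Assumed shape of the HEX string printed by propertyEncrypt.bat: 32+ hex digits.
HEX_RE = re.compile(r"^[0-9A-Fa-f]{32,}$")

SAMPLE_BEANS_XML = """<beans>
<bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
  <property name="adminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
  <property name="adminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
  <property name="altAdminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
  <property name="allowAnonymous" value="true"/>
</bean>
<bean name="hpbe2" singleton="true" class="com.identityforge.idfserver.backend.hpbe.HPBEModule">
  <property name="adminUserPassword" value="testpass"/>
  <property name="altAdminUserPassword" value="testpass"/>
</bean>
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>../conf/as400.jks</value></constructor-arg>
  <constructor-arg><value>10902AA71C4DF819C965E8B5B7DF0208</value></constructor-arg>
  <constructor-arg><value>false</value></constructor-arg>
</bean>
</beans>"""


def check_beans(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for bean in ET.fromstring(xml_text).iter("bean"):
        name = bean.get("name") or bean.get("id")
        props = {p.get("name"): p.get("value") for p in bean.findall("property")}
        # Front-End (as400) and Back-End (hpbe2) admin passwords must be the HEX output.
        for key in ("adminUserPassword", "altAdminUserPassword"):
            if key in props and not HEX_RE.match(props[key] or ""):
                findings.append(f"{name}: {key} is not an encrypted HEX string")
        if props.get("allowAnonymous", "false").lower() != "false":
            findings.append(f"{name}: allowAnonymous must be false")
        if name == "sslChannelFactory":
            args = [a.findtext("value") for a in bean.findall("constructor-arg")]
            keystore, password, encrypted = args[1], args[2], args[3]
            if keystore.endswith("testnew.jks"):
                findings.append(f"{name}: keystore still points at the sample testnew.jks")
            # An encrypted keystore password requires the last constructor-arg to be true.
            if HEX_RE.match(password) and encrypted.lower() != "true":
                findings.append(f"{name}: encrypted password but last constructor-arg is {encrypted}")
    return findings
```

Run it against your real beans.xml by passing the file contents to check_beans; the constructed sample produces four findings, one per mistake this topic tells you to avoid.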
To configure secure communications between the IdentityForge server and the AS/400 we need to retrieve the SSL certificate from the OS/400 Certificate Manager.
Open a Command Prompt and navigate to the Java JDK bin folder. In our example, this is C:\software\jdk-11.0.1\bin. Execute the following command:
keytool -importcert -file C:\cert.cer -alias arbitraryaliashere -keystore C:\software\jdk-11.0.1\jre\lib\security\cacerts
To verify the presence of the certificate in the certificate store, run the following command:
keytool -list -keystore C:\software\jdk-11.0.1\jre\lib\security\cacerts
Enter the default JDK keystore password, "changeit", to view the contents of the Java keystore.
To allow IdentityForge and AS/400 to communicate through a firewall, the following ports may need to be opened between the IdentityForge server and the AS/400:
For more information, please see the following JTOpen and IBM iSeries documentation pages:
Scroll to the section shown below to change the JAVA_HOME and JVM path variables listed here:
set JAVA_HOME=C:\Program Files\Java\jre7
set JVM=C:\Program Files\Java\jre7\bin\client\jvm.dll
Change this path to point to the installation path of the Java JDK. In our example, we change it to the following:
set JAVA_HOME=C:\software\jdk-11.0.1
set JVM=C:\software\jdk-11.0.1\jre\bin\client\jvm.dll
Scroll through the IDF-Win-Service.bat file until you see the HOME and APPLICATION_SERVICE_HOME variables listed here:
set HOME=C:\ldfService\ldapgateway
set APPLICATION_SERVICE_HOME=C:\ldfService\ldapgateway\win_service
Change this path to point to the IdentityForge installation directory. In our example, we change it to the following:
set HOME=C:\ldapgateway
set APPLICATION_SERVICE_HOME=C:\ldapgateway\win_service
Scroll through the IDF-Win-Service.bat file until you see this SERVICE_NAME value:
set SERVICE_NAME=IdentityForgeService
Change this variable to a name to use for the Windows service as shown in Service Manager.
Scroll through the IDF-Win-Service.bat file until you see the CG_STDOUTPUT variable listed below:
set CG_STDOUTPUT=%CG_LOGPATH%\IDFServiceOut.log
In order to disable verbose logging, change this line to the following:
REM -- set CG_STDOUTPUT=%CG_LOGPATH%\IDFServiceOut.log
Scroll through the IDF-Win-Service.bat file until you see the CG_DESCRIPTION and CG_DISPLAY_NAME values listed here:
set CG_DESCRIPTION="Identity Forge Service for LDAP Gateway"
set CG_DISPLAY_NAME=IdentityForgeService
Change these variables to text for the description and display name of the Windows service as shown in Service Manager.
Execute the following command:
IDF-Win-Service.bat install
If you wish to remove the service at a later date, execute the following command:
IDF-Win-Service.bat remove
To check and monitor the IdentityForge log files, look for the log files located in C:\ldapgateway\logs. To enable Java debugging do the following:
To increase the memory available to the Java JVM, do the following: