×

IDMWORKS Blog

Provisioning to Active Directory with SailPoint (using SSL)


SailPoint’s new provisioning engine allows you to create, modify, and delete user accounts on various applications in conjunction with the Lifecycle Request Manager component of SailPoint.

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties***

SailPoint’s new provisioning engine allows you to create, modify, and delete user accounts on various applications in conjunction with the Lifecycle Request Manager component of SailPoint. The actual provisioning is done using the Tivoli Directory Integrator (TDI) product.

Provisioning to most applications is a relatively simple setup that consists of developing or importing the Connector and Assemblyline code and modifying the connection parameters to point to the correct application for the given environment. SailPoint then calls the provisioning plan, which sends a JSON command to TDI which in turn provisions the account.

Provisioning to Active Directory (AD) is a little more complicated. To create an active AD user with a password, TDI must connect to AD using SSL. The setup to configure TDI to provision using SSL for AD is below.

Note: The instructions are written for a Windows 2008 server but would be similar if TDI were installed on another platform.

Prerequisites: A working TDI install with the Active Directory AssemblyLine and Connector imported. These files can be obtained from SailPoint or can be custom written.

Retrieve the CA certificate for the Domain controller

On the TDI server, create or find a folder for the certificate and keystore (ex. D:TDI_Store)

Copy the CA Certificate to that folder

Open a command prompt and navigate to the following %TDI Install DIR%V7.0jvmjrebin folder.

Example path: C:Program FilesibmTDIV7.0jvmjrebin

Enter the following command to create a keystore and import the AD certificate:

keytool –import –file “D:TDI_Storemyservercert.cer”
–keystore “D:TDI_Storekeystore.jks” –storepass Password1 –alias TDI_CA

When prompted to trust the certificate, type yes and hit enter

Verify the keystore was created and the certificate was imported by entering the following command:

keytool –list –keystore “D:TDI_Storekeystore.jks” –storepass Password1

Export the default key from TDI by entering the following command:

keytool –export –alias server –file tdiServerApi.cer
–keystore “C:UsersadminDocumentsTDItestserver.jks”

Note: The path to the testserver.jks corresponds to the user who setup the TDI server and create the server instance in TDI

Enter the following command to import the TDI certificate:

keytool –import –file “D:TDI_StoretestServerApi.cer”
–keystore “D:TDI_Storekeystore.jks”
-storepass Password1 –alias TDI_CA_Default

Edit the %TDI Install DIR%V7.0etcglobal.properties file and change the items marked in red.

## server authentication
javax.net.ssl.trustStore=D:TDI_Storekeystore.jks
{protect}-javax.net.ssl.trustStorePassword= Password1
javax.net.ssl.trustStoreType=jks

## client authentication
javax.net.ssl.keyStore=D:TDI_Storekeystore.jks
{protect}-javax.net.ssl.keyStorePassword=Password1
javax.net.ssl.keyStoreType=jks

Example path: C:Program FilesibmTDIV7.0etcglobal.properties file

Edit the %TDI Install DIR%V7.0etcsolutions.properties file and change the items marked in red.

# server authentication
javax.net.ssl.trustStore=D:TDI_Storekeystore.jks
{protect}-javax.net.ssl.trustStorePassword= Password1
javax.net.ssl.trustStoreType=jks

Restart the TDI Configuration Editor

Open the ActiveDirectory Connector

Under the connection tab, change the following settings marked in red:

LDAP URL: ldap://mydomain.com:636
Use SSL: Checked
Auto Map AD Password: Checked

Open the ActiveDirectory Assemblyline

Make sure the userAccountControl field is being set to 512

Note: 512 is the value for active with a password. For more information on the AD userAccountControl field visit http://support.microsoft.com/kb/305144

Restart the TDI server

Once this setup is complete, the environment is ready to provision to Active Directory using SSL.

Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.

Leave a Reply

Your email address will not be published. Required fields are marked *