Provisioning to Active Directory with SailPoint (using SSL)
SailPoint’s new provisioning engine allows you to create, modify, and delete user accounts on various applications in conjunction with the Lifecycle Request Manager component of SailPoint.
***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties***
SailPoint’s new provisioning engine allows you to create, modify, and delete user accounts on various applications in conjunction with the Lifecycle Request Manager component of SailPoint. The actual provisioning is done using the Tivoli Directory Integrator (TDI) product.
Provisioning to most applications is a relatively simple setup that consists of developing or importing the Connector and Assemblyline code and modifying the connection parameters to point to the correct application for the given environment. SailPoint then calls the provisioning plan, which sends a JSON command to TDI which in turn provisions the account.
Provisioning to Active Directory (AD) is a little more complicated. To create an active AD user with a password, TDI must connect to AD using SSL. The setup to configure TDI to provision using SSL for AD is below.
Note: The instructions are written for a Windows 2008 server but would be similar if TDI were installed on another platform.
Prerequisites: A working TDI install with the Active Directory AssemblyLine and Connector imported. These files can be obtained from SailPoint or can be custom written.
Retrieve the CA certificate for the Domain controller
On the TDI server, create or find a folder for the certificate and keystore (ex. D:TDI_Store)
Copy the CA Certificate to that folder
Open a command prompt and navigate to the following %TDI Install DIR%V7.0jvmjrebin folder.
Example path: C:Program FilesibmTDIV7.0jvmjrebin
Enter the following command to create a keystore and import the AD certificate:
keytool –import –file “D:TDI_Storemyservercert.cer”
–keystore “D:TDI_Storekeystore.jks” –storepass Password1 –alias TDI_CA
When prompted to trust the certificate, type yes and hit enter
Verify the keystore was created and the certificate was imported by entering the following command:
keytool –list –keystore “D:TDI_Storekeystore.jks” –storepass Password1
Export the default key from TDI by entering the following command:
keytool –export –alias server –file tdiServerApi.cer
Note: The path to the testserver.jks corresponds to the user who setup the TDI server and create the server instance in TDI
Enter the following command to import the TDI certificate:
keytool –import –file “D:TDI_StoretestServerApi.cer”
-storepass Password1 –alias TDI_CA_Default
Edit the %TDI Install DIR%V7.0etcglobal.properties file and change the items marked in red.
## server authentication
## client authentication
Example path: C:Program FilesibmTDIV7.0etcglobal.properties file
Edit the %TDI Install DIR%V7.0etcsolutions.properties file and change the items marked in red.
# server authentication
Restart the TDI Configuration Editor
Open the ActiveDirectory Connector
Under the connection tab, change the following settings marked in red:
LDAP URL: ldap://mydomain.com:636
Use SSL: Checked
Auto Map AD Password: Checked
Open the ActiveDirectory Assemblyline
Make sure the userAccountControl field is being set to 512
Note: 512 is the value for active with a password. For more information on the AD userAccountControl field visit http://support.microsoft.com/kb/305144
Restart the TDI server
Once this setup is complete, the environment is ready to provision to Active Directory using SSL.