Friday, February 10, 2017

TDI / SDI - Connect to Active Directory over SSL - How to

I mostly write this post as a reminder to myself the next time I have a similar need.

I had a case where I had to connect to Active Directory to be able to create users and set passwords on those users, of course, using TDI.


The AD administrator gave me a .pfx file containing the certificate installed on the AD server.
Installing this file in Windows is easy: just double-click it and step through the import wizard.
Then, after starting "certmgr.msc" from Start - Run in Windows, I right-clicked the certificate and selected "Export".


In the Certificate Export Wizard, choose "No, do not export the private key" and then select the "DER encoded binary X.509 (.CER)" format. A .pfx usually carries the private key as well, but for server authentication the TDI side only needs the public certificate, which is all the DER export contains.

I saved the exported certificate in d:\temp as "cert.der".


Then, open up a command prompt and go to the tdi\jvm\jre\bin directory, so that the keystore is created with the keytool of the same JRE (IBM JCE) that TDI itself runs on:

cd D:\IBM\TDI\V7.1.1\jvm\jre\bin

Then, create a .jks keystore and import cert.der into it (keytool creates the keystore if it does not exist yet; -import is the older spelling of -importcert):

keytool -import -file d:\temp\cert.der -keystore ADKEYSTORE.jks -storepass PaSsW0Rd -alias ADKEYSTORE

If all goes well, the output will be:

Owner:
Issuer: CN=FS03-CA, DC=CUSTOMER, DC=local
Serial number: 7a638e0a000000000001
Valid from: 10.02.17 14:20 until: 10.02.19 14:30
Certificate fingerprints:
MD5:  F8:2E:4B:C7:1B:04:58:5F:E1:FF:2E:B1:88:EE:02:4A
SHA1: 06:97:8F:E":93:21:FB:BB:71:E2:C2:FF:02:06:17:8E:8E:02:8C:A5
Trust this certificate? [no]:  yes
Certificate was added to keystore

Before answering yes, compare the fingerprint keytool prints with the value the AD administrator confirms out-of-band; this prompt is the one point where you decide what the TDI server will trust. Note also that the Issuer is the domain CA (CN=FS03-CA) and that the certificate is only valid until 10.02.19: importing the CA certificate instead of the server certificate means the truststore keeps working when the server certificate is renewed.

And to check the content of the .jks keystore:
keytool -list -keystore ADKEYSTORE.jks -storepass PaSsW0Rd

Output will be:

Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 1 entry

ADKEYSTORE, 10.feb.2017, trustedCertEntry,
Certificate fingerprint (MD5): F8:2E:4B:B7:1B:14:58:5F:A1:FF:2E:91:88:3E:02:4A
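The same sequence as a PowerShell script, added here as an example and not part of the original post: it exports the public certificate from the .pfx, refuses to continue unless the SHA-1 thumbprint matches the value you got from the AD administrator, imports the DER file into a JKS truststore with TDI's own keytool, and reads the entry back to confirm the stored fingerprint. The script name, parameter names and placeholder paths are my own; the keytool path follows the TDI install above, and Get-PfxCertificate / Export-Certificate assume Windows 8 / Server 2012 or later.

```powershell
# Import-AdTrustCert.ps1 (hypothetical name; added example, not from the original post)
# Usage:
#   .\Import-AdTrustCert.ps1 -PfxPath D:\temp\ad.pfx -ExpectedSha1 '06:97:8F:...'
param(
    [Parameter(Mandatory)][string]$PfxPath,                            # .pfx from the AD admin
    [Parameter(Mandatory)][string]$ExpectedSha1,                       # thumbprint confirmed out-of-band
    [string]$DerPath    = 'D:\temp\cert.der',
    [string]$Keytool    = 'D:\IBM\TDI\V7.1.1\jvm\jre\bin\keytool.exe', # keytool of TDI's bundled JRE
    [string]$Truststore = 'D:\temp\ADKEYSTORE.jks',
    [string]$StorePass  = 'PaSsW0Rd',                                  # example value only
    [string]$Alias      = 'ADKEYSTORE'
)
$ErrorActionPreference = 'Stop'

function ConvertTo-BareThumbprint([string]$Value) {
    # keytool prints "AA:BB:...", Windows prints "AABB..."; compare both in one form
    return ($Value -replace '[:\s]', '').ToUpperInvariant()
}

# 1. Load the .pfx (prompts for its password) and verify the thumbprint BEFORE trusting anything.
$cert = Get-PfxCertificate -FilePath $PfxPath
if ($cert.Thumbprint -ne (ConvertTo-BareThumbprint $ExpectedSha1)) {
    throw "Thumbprint $($cert.Thumbprint) does not match the expected value; refusing to import."
}
Write-Host "Subject: $($cert.Subject)`nIssuer:  $($cert.Issuer)`nExpires: $($cert.NotAfter)"

# 2. Export only the public certificate, DER encoded; the private key stays in the .pfx.
Export-Certificate -Cert $cert -FilePath $DerPath -Type CERT | Out-Null

# 3. Import into the JKS truststore. -noprompt is acceptable here because step 1 already
#    did the check that the interactive "Trust this certificate?" prompt asks for.
& $Keytool -import -noprompt -file $DerPath -keystore $Truststore -storetype jks `
    -storepass $StorePass -alias $Alias
if ($LASTEXITCODE -ne 0) { throw "keytool -import failed with exit code $LASTEXITCODE" }

# 4. Read the entry back and make sure the stored SHA1 fingerprint is the one we verified.
$listing = & $Keytool -list -v -keystore $Truststore -storetype jks -storepass $StorePass -alias $Alias
if ($LASTEXITCODE -ne 0) { throw "keytool -list failed with exit code $LASTEXITCODE" }
$m = [regex]::Match(($listing -join "`n"), 'SHA1:\s*([0-9A-Fa-f:]+)')
if (-not $m.Success) { throw 'keytool output contains no SHA1 fingerprint' }
if ((ConvertTo-BareThumbprint $m.Groups[1].Value) -ne $cert.Thumbprint) {
    throw 'Fingerprint in the keystore differs from the exported certificate'
}
Write-Host "Imported '$Alias' into $Truststore (SHA1 $($cert.Thumbprint))"
```

The script still passes the store password on the keytool command line, as the manual steps do; on a shared machine prefer running it from a prompt that is not logged and rotate the example password before use.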

I then moved the ADKEYSTORE.jks file from the TDI JRE bin directory to my TDI solution directory, which in this case means:

From:
D:\IBM\TDI\V7.1.1\jvm\jre\bin
over to:
E:\TDISOL\TDI_custom

I then modified the file "E:\TDISOL\TDI_custom\solution.properties"

Where I inserted:

#server authentication
#example
javax.net.ssl.trustStore=E:\TDISOL\TDI_custom\ADKEYSTORE.jks
javax.net.ssl.trustStorePassword=PaSsW0Rd
javax.net.ssl.trustStoreType=jks
#client authentication
#example
javax.net.ssl.keyStore=E:\TDISOL\TDI_custom\ADKEYSTORE.jks
javax.net.ssl.keyStorePassword=PaSsW0Rd
javax.net.ssl.keyStoreType=jks

The three trustStore lines are the ones that matter for LDAPS: they tell the TDI JVM which certificates to accept when the AD server presents its certificate during the TLS handshake. The keyStore lines are only consulted if AD demands a client certificate, and a keystore that holds nothing but a trustedCertEntry has no private key to present, so here they are harmless but do nothing. Also be aware that the store password sits in clear text in solution.properties; TDI will encrypt a property value for you if you prefix the property name with {protect}- (the value is encrypted the next time the server starts).

After restarting TDI, I was able to connect to the AD server on port 636 (LDAPS) in TDI.