Friday, February 10, 2017

TDI / SDI - Connect to Active Directory over SSL - How to

I mostly write this post as a reminder to myself for the next time I have a similar need.

I had a case where I had to connect to Active Directory to create users and set passwords on those users, of course using TDI.

The AD administrator gave me the certificate stored in AD in .pfx format.
Installing this file in Windows is easy: just double-click it and install.
Then, after starting "certmgr.msc" from Start - Run in Windows, I was able to right-click the cert and select "Export".

Then, in the export wizard, select the DER format.

I saved the exported cert in d:\temp as "cert.der".

Then, open a command prompt and go to the tdi\jvm\jre\bin directory:

cd D:\IBM\TDI\V7.1.1\jvm\jre\bin

Then, create a .jks keystore and import cert.der into it:

keytool -import -file d:\temp\cert.der -keystore ADKEYSTORE.jks -storepass PaSsW0Rd -alias ADKEYSTORE

If all goes well, the output will be:

Issuer: CN=FS03-CA, DC=CUSTOMER, DC=local
Serial number: 7a638e0a000000000001
Valid from: 10.02.17 14:20 until: 10.02.19 14:30
Certificate fingerprints:
MD5:  F8:2E:4B:C7:1B:04:58:5F:E1:FF:2E:B1:88:EE:02:4A
SHA1: 06:97:8F:E":93:21:FB:BB:71:E2:C2:FF:02:06:17:8E:8E:02:8C:A5
Trust this certificate? [no]:  yes
Certificate was added to keystore

And to check the content of the .jks keystore:
keytool -list -keystore ADKEYSTORE.jks -storepass PaSsW0Rd

Output will be:

Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 1 entry

ADKEYSTORE, 10.feb.2017, trustedCertEntry,
Certificate fingerprint (MD5): F8:2E:4B:B7:1B:14:58:5F:A1:FF:2E:91:88:3E:02:4A
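Before answering "yes" at the "Trust this certificate?" prompt, compare the fingerprints keytool prints with the ones the AD administrator gave you out of band. The following Python is an added example, not part of the original post or of TDI: it computes the fingerprints of the DER file and checks them against the fingerprint lines of both keytool output formats shown above; the certificate bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import re

# Constructed stand-in for the exported cert.der; any bytes work for the check.
# A real run would use: open(r"d:\temp\cert.der", "rb").read()
DER_BYTES = b"\x30\x82\x01\x00constructed-stand-in-for-a-DER-certificate"

# Matches both "SHA1: aa:bb:..." (keytool -import) and
# "Certificate fingerprint (MD5): aa:bb:..." (keytool -list).
# Only hex digits and colons are accepted in the value, so a garbled
# line (such as one containing a stray quote) is simply not parsed.
FINGERPRINT_LINE = re.compile(
    r"^\s*(?:Certificate fingerprint \()?(MD5|SHA1|SHA256)\)?:\s*([0-9A-Fa-f:]+)\s*$",
    re.MULTILINE | re.IGNORECASE,
)


def fingerprint(der: bytes, algo: str) -> str:
    """Return the colon-separated upper-case hex digest, as keytool prints it."""
    digest = hashlib.new(algo.lower(), der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def parse_keytool_fingerprints(output: str) -> dict:
    """Extract {ALGO: FINGERPRINT} from keytool output, normalized to upper case."""
    return {algo.upper(): value.upper() for algo, value in FINGERPRINT_LINE.findall(output)}


def fingerprints_match(der: bytes, keytool_output: str) -> bool:
    """True only if every fingerprint keytool printed matches the DER file.

    MD5 alone is not accepted: at least one SHA-family fingerprint must be
    present and match, so a garbled or missing SHA line counts as a failure.
    """
    printed = parse_keytool_fingerprints(keytool_output)
    if not any(algo.startswith("SHA") for algo in printed):
        return False
    return all(fingerprint(der, algo) == value for algo, value in printed.items())
```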

I then moved the ADKEYSTORE.jks file to my TDI Solutions directory, which is in this case:

over to:

I then modified the file "E:\TDISOL\TDI_custom\"

Where I inserted:

#server authentication
#client authentication

After restarting TDI, I was able to connect to the AD server on port 636 in TDI.
