To configure secure SSL communication between IBM
Control Desk and SDI servers, import the IBM
Control Desk certificate to a keystore in your SDI
environment and reference the keystore from the solution.properties
file.
Before you begin
Note:
- Security Directory Integrator is licensed independently of IBM Control Desk as of
version 7.6.1.5 of IBM Control Desk.
- If your organization has been using an existing Security Directory Integrator with IBM
Control Desk, you can continue using it (SDI) as there is no change in IBM Control Desk
functionalities for SDI use.
- IBM Control Desk will not enhance functionality or deliver support to integrate with any
versions of Security Directory Integrator later than 7.2.
Before you perform this procedure, you must configure SSL communication for the web
application server, for example, WebSphere® Application Server Network Deployment, that supports your IBM
Control Desk server. For instructions, see the
product documentation for your supporting web application server.
About this task
Complete the following steps from each computer that hosts an SDI server in your
environment. Repeat the steps for each IBM
Control Desk server to which the SDI server
connects.
Procedure
- Using a browser, start an IBM Control Desk session using the SSL port that was defined
when the web application server was configured for SSL.
For example, enter a URL similar to the following:
https://tuscserver.austin.ibm.com:9443/maximo/webclient/login/login.jsp
Log on to IBM Control Desk.
- Export the certificate to a file using DER format. The
following example shows the steps for Internet Explorer:
- Select Properties from the File menu of
the browser.
- Click Certificates on the Properties window.
- Click the Details tab on the Certificate window.
- Click Copy to File.
- Click Next on the Welcome page of the Certificate Export Wizard.
- Select DER format on the Export File Format page of
the wizard. Click Next.
- In the File name field, enter the full path name
of the file to which you want to export the certificate, for example,
C:\certificates\tmp.cer.
Click Next.
- Click Finish.
- Import the certificate into a new or existing keystore in your SDI environment. If you are
using the standard Java™ keystore process, you can run the following command to import the
certificate. Security Directory Integrator includes a Java distribution. The command
prompts you for a password to the keystore.
keytool -import -file cert_file -keystore sdi_store
where:
- cert_file
- Specifies the full path name of the file to which you exported the certificate, for example,
C:\certificates\tmp.cer.
- sdi_store
- Specifies the full path name of the keystore, for example,
C:\KeyRings\sdi_store.jks. The file is created if it does not exist.
- Use the SDI Config Editor to edit the Java properties in the solution.properties
file:
- Start the SDI Config Editor:
- Select Edit Solution Properties from the Tools menu.
The solution.properties file is displayed.
- Edit the Java properties for server authentication as follows:
javax.net.ssl.trustStore=sdi_store
javax.net.ssl.trustStorePassword=password
javax.net.ssl.trustStoreType=jks
where:
- sdi_store
- Specifies the full path name of the keystore, for example,
C:\KeyRings\sdi_store.jks.
- password
- Specifies the password to the keystore.
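The certificate exported in the procedure above becomes a trust anchor for SDI once it is imported into the keystore named by javax.net.ssl.trustStore, so it is worth confirming that the exported file is the certificate the IBM Control Desk administrator expects before running keytool -import. The following Python check is an added example, not part of the IBM documentation or product; the function names are hypothetical, and it assumes the expected SHA-256 fingerprint was obtained out of band from the server administrator.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def load_der(data: bytes) -> bytes:
    """Return DER bytes whether the export was DER or Base64 (PEM)."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not data.startswith(b"\x30"):
        raise ValueError("not a DER or PEM certificate")
    return data


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, as colon-separated uppercase hex."""
    digest = hashlib.sha256(load_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(data: bytes, expected: str) -> bool:
    """Compare with the out-of-band fingerprint; separators and case are ignored."""
    want = re.sub(r"[^0-9A-Fa-f]", "", expected).upper()
    have = fingerprint(data).replace(":", "")
    return len(want) == 64 and hmac.compare_digest(have, want)


def check_file(cert_file: str, expected: str) -> bool:
    """Check an exported file such as C:\\certificates\\tmp.cer before import."""
    with open(cert_file, "rb") as handle:
        return matches(handle.read(), expected)


if __name__ == "__main__":
    # Constructed stand-in bytes (first byte 0x30 like DER); not a real certificate.
    sample = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x00" * 10
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(sample)
           + b"-----END CERTIFICATE-----\n")
    good = fingerprint(sample)
    print("fingerprint:", good)
    print("PEM export of same bytes:", matches(pem, good.lower().replace(":", " ")))
    print("altered export:", matches(sample[:-1] + b"\x01", good))
```

Import the certificate only when the check returns True; a mismatch means the browser session did not receive the certificate the administrator published.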