SSL authentication configuration for the plug-in
You can establish a secure connection between IBM Security Verify Governance Identity Manager plug-in and IBM Security Verify Governance Identity Manager server.
You must configure the plug-in and the server to use Secure Sockets Layer (SSL) authentication.
The IBM® Security Password Synchronization plug-in sends sensitive password information over the network to the IBM Security Verify Governance Identity Manager server. For this reason, a Secure Sockets Layer (SSL) connection is required to communicate with the IBM Security Verify Governance Identity Manager server.
When you configure certificates for an SSL connection, there are two levels of validation. In one-way SSL, the server sends its certificate to the plug-in, and the plug-in verifies that the certificate is signed by a Certificate Authority (CA) that it trusts. For additional security, the server can enforce two-way SSL and also request a certificate from the client. The client certificate is validated the same way: the server verifies that it is signed by a CA that the server trusts.
One-way SSL
At minimum, you must install the CA certificate that signed the IBM Security Verify Governance Identity Manager server certificate in the local trust store. When a connection is requested, the server sends its certificate and the plug-in verifies that it is signed by a trusted CA. This is enough to establish an encrypted connection with the server.
Two-way SSL
For additional security, the IBM Security Verify Governance Identity Manager server can be configured to also request a certificate from the plug-in. This works the same way as the server certificate check, only in reverse: you must install a user certificate in the local certificate store, and the CA certificate that signed it must be installed in the trust store on the IBM Security Verify Governance Identity Manager server. The extra check allows the IBM Security Verify Governance Identity Manager server to verify the source of each password change notification.
Additional SSL security options
It is important to ensure that the connection to the IBM Security Verify Governance Identity Manager server is secure because the password synchronization plug-in sends password information. At minimum, the plug-in requires an SSL connection. One-way SSL only verifies that the plug-in trusts the signer of the certificate received in the handshake, and establishes an encrypted session. Two-way SSL is enforced by the target IBM Security Verify Governance Identity Manager server, and it likewise verifies only that the signer of the client certificate is trusted. Neither level by itself confirms that the certificate belongs to the intended server; the following options add that check.
The SSL handshake can be configured to verify that the CN of the subject in the server certificate, received in the handshake, matches the hostname of the server. You can enable this option in pfconfig. If the hostname does not match the CN, the connection is refused. This prevents a certificate that was issued to a different host by the same trusted CA from being accepted.
For additional security, the IBM Security Verify Governance Identity Manager server certificate can be registered with the password synchronization plug-in. A binary copy of the certificate is stored by the plug-in, and only server connections that present exactly that certificate are accepted. This option ensures that only connections to the IBM Security Verify Governance Identity Manager server are allowed, even if another certificate chains to a trusted CA. This is configured in the Registered Certificate section of pfconfig. Because the comparison is against the stored copy, the registered certificate must be updated whenever the server certificate is renewed, or the plug-in will refuse to connect.
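The following is an added example, not code from the IBM plug-in or from pfconfig, that expresses the four checks described on this page (one-way SSL, two-way SSL, hostname verification, and a registered server certificate) as a Python TLS client built on the standard `ssl` module. The file paths, the host name `isvg.example.com`, the port, and the function names are illustrative assumptions; the plug-in itself takes these settings from pfconfig, not from code.

```python
"""Added example: the trust levels of the SSL configuration page as a Python TLS client.
Assumed/illustrative: file names, host 'isvg.example.com', port 9443, function names.
"""
import hmac
import socket
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the server presents a certificate other than the registered copy."""


def build_client_context(ca_file=None, client_cert=None, client_key=None,
                         verify_hostname=True):
    """One-way SSL: trust only the CA that signed the server certificate (ca_file).
    Two-way SSL: additionally present our own certificate (client_cert, client_key)
    so the server can check that a CA in *its* trust store signed it.
    verify_hostname: the handshake check that the certificate matches the host name.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults: CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = verify_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED            # never CERT_NONE: the signer check is the minimum
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # the CA that signed the server certificate
    else:
        ctx.load_default_certs()                   # assumption: the system trust store is acceptable
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)  # two-way SSL
    return ctx


def register_server_certificate(host, port):
    """Fetch the server's certificate once and return its DER bytes.
    This is the 'binary copy' the plug-in stores. Capture it over a path you trust
    (for example, export it from the server itself), not across a network you distrust.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def pin_matches(presented_der, registered_der):
    """Byte-for-byte comparison of the presented certificate with the registered copy.
    A renewed server certificate has different bytes, so it must be re-registered.
    """
    return hmac.compare_digest(presented_der, registered_der)


def connect_pinned(host, port, ctx, registered_der, timeout=10):
    """Open a TLS session and refuse it unless the server certificate equals registered_der.
    The CA and hostname checks in ctx run first, during the handshake; the pin is the last gate.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        presented = tls.getpeercert(binary_form=True)
        if not pin_matches(presented, registered_der):
            raise PinMismatch("server certificate does not match the registered copy")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Illustrative only: these files and this host are assumptions, not plug-in settings.
    ctx = build_client_context(ca_file="isvg-ca.pem",
                               client_cert="plugin.pem", client_key="plugin.key")
    registered = register_server_certificate("isvg.example.com", 9443)
    with connect_pinned("isvg.example.com", 9443, ctx, registered) as session:
        print("pinned TLS session established:", session.version())
```

Two practitioner caveats. First, Python's `check_hostname` follows current TLS practice and matches the Subject Alternative Name, falling back to the CN only when no SAN is present, whereas the page describes the check in terms of the CN; if the server certificate carries a SAN that differs from the CN, the two checks can disagree. Second, pinning the whole certificate (rather than a CA or a public key) is the strictest option but ties the plug-in to one certificate: plan to re-register it before every renewal.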