I had a case where I had to connect to Active Directory to create users and set passwords on those users, of course using TDI.
The AD administrator gave me the certificate that is stored in AD, in .pfx format.
Installing this file on Windows is easy: just double-click it and install.
Then, starting "certmgr.msc" from Start - Run in Windows, I was able to right-click the cert and select "Export".
Then, step through the export wizard and select the DER format.
I saved the exported cert on d:\temp as "cert.der".
Then, open a command prompt and change to the tdi\jvm\jre\bin directory:
cd D:\IBM\TDI\V7.1.1\jvm\jre\bin
Then, create a .jks keystore and import cert.der into it:
keytool -import -file d:\temp\cert.der -keystore ADKEYSTORE.jks -storepass PaSsW0Rd -alias ADKEYSTORE
If all goes well, the output will be:
Owner:
Issuer: CN=FS03-CA, DC=CUSTOMER, DC=local
Serial number: 7a638e0a000000000001
Valid from: 10.02.17 14:20 until: 10.02.19 14:30
Certificate fingerprints:
MD5: F8:2E:4B:C7:1B:04:58:5F:E1:FF:2E:B1:88:EE:02:4A
SHA1: 06:97:8F:E":93:21:FB:BB:71:E2:C2:FF:02:06:17:8E:8E:02:8C:A5
Trust this certificate? [no]: yes
Certificate was added to keystore
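Before answering "yes" at the "Trust this certificate?" prompt, the fingerprint keytool prints should be compared with one obtained from the AD administrator through another channel; otherwise any certificate placed in that file would be trusted. The following small Java program, which is an added example and not part of the original post, reads the exported file with the JRE's own CertificateFactory (so it accepts both DER and PEM-encoded .cer files), prints the same details keytool shows, checks the validity period, and optionally compares the SHA-256 fingerprint against an expected value given on the command line. The class name, argument layout and the assumption that it is compiled with the TDI JRE are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class CertFingerprint {

    // Format a digest the way keytool prints it: upper-case hex, colon separated.
    static String hex(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    // Fingerprint = digest over the DER encoding of the certificate, which is what keytool hashes.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        return hex(MessageDigest.getInstance(algorithm).digest(cert.getEncoded()));
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java CertFingerprint <cert.der|cert.cer> [expected-sha256-fingerprint]");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        InputStream in = new FileInputStream(args[0]);
        try {
            // generateCertificate accepts DER as well as base64 (PEM) input.
            cert = (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }

        System.out.println("Owner:   " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        System.out.println("Serial:  " + cert.getSerialNumber().toString(16));
        System.out.println("Valid:   " + cert.getNotBefore() + " until " + cert.getNotAfter());
        System.out.println("SHA-256: " + fingerprint(cert, "SHA-256"));
        System.out.println("SHA-1:   " + fingerprint(cert, "SHA-1"));

        // Throws CertificateExpiredException / CertificateNotYetValidException if outside the validity window.
        cert.checkValidity();

        if (args.length > 1) {
            // Accept the expected value with or without colons, in either case.
            String expected = args[1].replace(":", "").toUpperCase();
            String actual = fingerprint(cert, "SHA-256").replace(":", "");
            if (!MessageDigest.isEqual(expected.getBytes("US-ASCII"), actual.getBytes("US-ASCII"))) {
                System.err.println("FINGERPRINT MISMATCH - do not import this certificate");
                System.exit(1);
            }
            System.out.println("Fingerprint matches the expected value");
        }
    }
}
```

Run it from the same JRE you use for keytool, for example `java CertFingerprint d:\temp\cert.der <fingerprint from the administrator>`; a non-zero exit code means either the certificate is outside its validity period or the fingerprint does not match. SHA-256 is used for the comparison because the MD5 and SHA-1 values that older keytool versions print are no longer collision resistant.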
To check the content of the .jks keystore:
keytool -list -keystore ADKEYSTORE.jks -storepass PaSsW0Rd
The output will be:
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 1 entry
ADKEYSTORE, 10.feb.2017, trustedCertEntry,
Certificate fingerprint (MD5): F8:2E:4B:B7:1B:14:58:5F:A1:FF:2E:91:88:3E:02:4A
I then moved the ADKEYSTORE.jks file from D:\IBM\TDI\V7.1.1\jvm\jre\bin over to my TDI solutions directory, which in this case is E:\TDISOL\TDI_custom.
I then modified the file "E:\TDISOL\TDI_custom\solution.properties" and inserted:
#server authentication
#example
javax.net.ssl.trustStore=E:\TDISOL\TDI_custom\ADKEYSTORE.jks
javax.net.ssl.trustStorePassword=PaSsW0Rd
javax.net.ssl.trustStoreType=jks
#client authentication
#example
javax.net.ssl.keyStore=E:\TDISOL\TDI_custom\ADKEYSTORE.jks
javax.net.ssl.keyStorePassword=PaSsW0Rd
javax.net.ssl.keyStoreType=jks
After restarting TDI, I was able to connect to the AD server on port 636 from TDI.
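When the connection fails after the restart, it helps to test the keystore outside TDI with the same JRE. The program below is an added example, not code from the post or from TDI: it loads the JKS file named in javax.net.ssl.trustStore, lists its entries (so you can confirm the trustedCertEntry is there), builds an SSLContext that trusts only that store, and performs a TLS handshake against the LDAPS port, printing the certificate chain the server presented. The class name and command-line arguments are my own; it assumes the JKS type is available, which it is on both the IBM and Oracle JREs.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java TrustStoreCheck <truststore.jks> <storepass> <ldap-host> [port]");
            System.exit(2);
        }
        String storePath = args[0];
        String storePass = args[1];
        String host = args[2];
        int port = args.length > 3 ? Integer.parseInt(args[3]) : 636; // LDAPS default

        // 1. Load the store exactly as the javax.net.ssl.trustStore* properties describe it.
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(storePath);
        try {
            ks.load(in, storePass.toCharArray());
        } finally {
            in.close();
        }

        // 2. Show what the store holds; a server-authentication store only needs trustedCertEntry items.
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String kind = ks.isCertificateEntry(alias) ? "trustedCertEntry"
                        : ks.isKeyEntry(alias) ? "keyEntry" : "unknown";
            System.out.println(alias + ", " + kind);
        }

        // 3. Trust only this store (not the JRE's cacerts), which is what TDI will do with the properties set.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // 4. Handshake with the LDAPS port and print the chain the server sent.
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            sock.startHandshake(); // throws SSLHandshakeException if the chain is not trusted by the store
            System.out.println("Handshake OK: " + sock.getSession().getProtocol()
                               + " " + sock.getSession().getCipherSuite());
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  " + x.getSubjectX500Principal()
                                   + " (issuer: " + x.getIssuerX500Principal() + ")");
            }
        } finally {
            sock.close();
        }
    }
}
```

Invoke it as `java TrustStoreCheck E:\TDISOL\TDI_custom\ADKEYSTORE.jks PaSsW0Rd <ad-host>`; a "PKIX path building failed" or similar handshake exception means the chain presented on port 636 does not lead to the certificate you imported, and the printed chain tells you which CA it actually needs. Two things the test does not cover: a plain SSLSocket does not check that the name in the server certificate matches the host you connected to, so this verifies chain trust only; and because the store imported above contains only a trustedCertEntry and no private key, pointing javax.net.ssl.keyStore at the same file gives the client nothing to present, which is fine for server authentication alone but will not satisfy an AD server configured to require client certificates.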