This topic describes how to configure Identity Forge for use with EmpowerID. Once you have followed the steps outlined in this topic, you can connect EmpowerID to your AS/400 directories. Configuring Identity Forge for EmpowerID involves the following:
Download the latest Java JDK from:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
Download the IdentityForge i5 Advanced Adapter Enterprise from:
http://download.thedotnetfactory.com/downloads/i5_advanced_adapter_5.0.0.4_enterprise.zip
Download JTOpen from:
http://sourceforge.net/projects/jt400/
Download the Microsoft Visual C++ 2008 Redistributable Package (x86) from:
http://www.microsoft.com/en-us/download/details.aspx?id=29
Download Win32 OpenSSL v1.0.1e Light from:
http://slproweb.com/download/Win32OpenSSL_Light-1_0_1e.exe
(This is an old 1.0.1 build. It is used in this topic only as an offline conversion tool, and any current OpenSSL build runs the same pkcs12, rsa, pkcs8 and x509 commands.)
Download ImportKey.class from:
http://www.agentbob.info/agentbob/79-AB.html
(right click > Save As on the ImportKey.class link near the bottom of the page)
set JAVA_HOME=\software\jdk1.6.0_16
In our example, this line would be changed to the following:
set JAVA_HOME=C:\software\jdk1.7.0_25
_isSSL_
_host_
_agentHost_
_adminId_
_agentAdminId_
_adminPwd_
_agentAdminPwd_
_adminPwdEncrypt_
_agentAdminPwdEncrypt_
set JAVA_HOME=C:\software\jdk1.5.0_15
In our example, this line would be changed to the following:
set JAVA_HOME=C:\software\jdk1.7.0_25
SET CLASSPATH=C:\software\identityforge\ldapgateway\dist\idfserver.jar
This path needs to point to the IdentityForge installation directory. In our example, this line would be changed to the following:
SET CLASSPATH=C:\ldapgateway\dist\idfserver.jar
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
Note that the utility is deterministic: the same plaintext (idfRacfPwd, the sample password used throughout this topic) produces the same HEX string every time it is run, so the value shown here is only a sample and must not be copied into a real configuration. Because the LDAP gateway has to recover the password at startup, the HEX value is reversible by anyone who can read the configuration file and run the same idfserver.jar. Protect it as you would the plaintext: restrict file system permissions on the ldapgateway directory to the account that runs the service.
_adminPwdEncrypt_
_agentAdminPwdEncrypt_
Here is an example of a completed as400.properties file:
# USE SSL
_isSSL_=true
# HOST/IP VALUE TO CALL i5
_host_=74.125.225.114
# ADMIN ID TO CONNECT TO i5
_adminId_=AS400ADMIN
# ADMIN PASSWORD
#_adminPwd_=
# ADMIN ENCRYPTED PASSWORD
_adminPwdEncrypt_=10902AA71C4DF819C965E8B5B7DF0208
# HOST/IP WHERE AGENT RUNNING
_agentHost_=74.125.225.114
# ADMIN ID
_agentAdminId_=AS400ADMIN
# ADMIN PASSWORD
#_agentAdminPwd_=
# ADMIN ENCRYPTED PASSWORD
_agentAdminPwdEncrypt_=10902AA71C4DF819C965E8B5B7DF0208
The next step is to set the Front-End LDAP administrative account and password. This is the account used by EmpowerID to bind to the IdentityForge LDAP server.
<bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
<property name="suffix" value="dc=as400,dc=com"/>
<property name="workingDirectory" value="../as400"/>
<property name="adminUserDN" value="cn=idfAs400Admin, dc=as400,dc=com"/>
<property name="adminUserPassword" value="idfAs400Pwd"/>
<property name="altAdminUserDN" value="cn=oimAs400Admin, dc=as400,dc=com"/>
<property name="altAdminUserPassword" value="oimAs400Pwd"/>
<property name="allowAnonymous" value="false"/>
<property name="entryCacheSize" value="1000"/>
<property name="defaultUacc" value="read"/>
<property name="searchUsersType" value="user"/>
<bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
<property name="suffix" value="dc=as400,dc=com"/>
<property name="workingDirectory" value="../as400"/>
<property name="adminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
<property name="adminUserPassword" value="idfAs400Pwd"/>
<property name="altAdminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
<property name="altAdminUserPassword" value="oimAs400Pwd"/>
<property name="allowAnonymous" value="false"/>
<property name="entryCacheSize" value="1000"/>
<property name="defaultUacc" value="read"/>
<property name="searchUsersType" value="user"/>
Now we need to change the password for the Front-End LDAP administrative account.
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
<bean name="as400" singleton="true" class="com.identityforge.idfserver.backend.as400.As400Module">
<property name="suffix" value="dc=as400,dc=com"/>
<property name="workingDirectory" value="../as400"/>
<property name="adminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
<property name="adminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
<property name="altAdminUserDN" value="cn=EIDIDF, dc=as400,dc=com"/>
<property name="altAdminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
<property name="allowAnonymous" value="false"/>
<property name="entryCacheSize" value="1000"/>
<property name="defaultUacc" value="read"/>
<property name="searchUsersType" value="user"/>
The next step is to set the Back-End LDAP administrative password. This is the account used by EmpowerID to bind to the IdentityForge LDAP server and sync inventory to the Back-End.
<bean name="hpbe2" singleton="true" class="com.identityforge.idfserver.backend.hpbe.HPBEModule">
<property name="suffix" value="dc=system,dc=backend"/>
<property name="workingDirectory" value="../system"/>
<property name="schema" ref="schemas"/>
<property name="adminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
<property name="adminUserPassword" value="testpass"/>
<property name="altAdminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
<property name="altAdminUserPassword" value="testpass"/>
<property name="entryCacheSize" value="1000"/>
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfRacfPwd
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
<bean name="hpbe2" singleton="true" class="com.identityforge.idfserver.backend.hpbe.HPBEModule">
<property name="suffix" value="dc=system,dc=backend"/>
<property name="workingDirectory" value="../system"/>
<property name="schema" ref="schemas"/>
<property name="adminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
<property name="adminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
<property name="altAdminUserDN" value="cn=Directory Manager, dc=system,dc=backend"/>
<property name="altAdminUserPassword" value="10902AA71C4DF819C965E8B5B7DF0208"/>
<property name="entryCacheSize" value="1000"/>
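As an added check, not part of this topic and not IdentityForge's own code: a small POSIX shell script (it runs the same way under Git Bash or WSL on the gateway host) that scans the as400.properties file and the As400Module / HPBEModule bean definitions edited above for credentials that are still plaintext, for the sample HEX value from this topic, for _isSSL_ not being true, and for allowAnonymous being true. It assumes the file layouts shown above and that AESCipherUtil emits one or more 32-hex-character blocks (every run shown in this topic emits exactly one).

```shell
#!/bin/sh
# Added example (not from the page or from IdentityForge): post-configuration lint
# for the IdentityForge LDAP gateway credential files.
# One or more 32-hex-character AESCipherUtil blocks.
HEXBLOCKS='([0-9A-Fa-f]{32})+'
# Value produced from the sample password idfRacfPwd in this topic; the utility is
# deterministic, so this string in a config means the sample password is in use.
DOC_SAMPLE_HEX='10902AA71C4DF819C965E8B5B7DF0208'

# check_as400_properties <as400.properties>; returns 0 when clean, 1 otherwise.
check_as400_properties() {
    f=$1; rc=0
    # An uncommented _adminPwd_ / _agentAdminPwd_ line is an active plaintext password.
    if grep -En '^[[:space:]]*_(agentAdminPwd|adminPwd)_=' "$f"; then
        echo "$f: plaintext password property is still active" >&2; rc=1
    fi
    for key in _adminPwdEncrypt_ _agentAdminPwdEncrypt_; do
        if ! grep -Eq "^${key}=${HEXBLOCKS}\$" "$f"; then
            echo "$f: $key missing or not an AESCipherUtil hex value" >&2; rc=1
        fi
    done
    if grep -q "$DOC_SAMPLE_HEX" "$f"; then
        echo "$f: still uses the documentation sample password" >&2; rc=1
    fi
    # Without SSL the i5 credentials cross the network in clear.
    grep -Eq '^_isSSL_=true$' "$f" || { echo "$f: _isSSL_ is not true" >&2; rc=1; }
    return $rc
}

# check_beans_xml <beans xml>; returns 0 when clean, 1 otherwise.
check_beans_xml() {
    f=$1; rc=0
    # Every adminUserPassword / altAdminUserPassword must carry an encrypted hex value.
    if grep -E 'name="(alt)?[aA]dminUserPassword"' "$f" | grep -Ev "value=\"${HEXBLOCKS}\""; then
        echo "$f: plaintext adminUserPassword value" >&2; rc=1
    fi
    if grep -q "$DOC_SAMPLE_HEX" "$f"; then
        echo "$f: still uses the documentation sample password" >&2; rc=1
    fi
    if grep -Eq 'name="allowAnonymous"[^>]*value="true"' "$f"; then
        echo "$f: anonymous LDAP bind is enabled" >&2; rc=1
    fi
    return $rc
}

# check_idf_config <as400.properties> <beans xml>; 0 only when both files are clean.
check_idf_config() {
    ok=0
    check_as400_properties "$1" || ok=1
    check_beans_xml "$2" || ok=1
    return $ok
}
```

Run it against the files inside the extracted idfserver directory before the jar is rebuilt; a non-zero exit means at least one credential is still plaintext, still the sample value, or the gateway is configured to accept anonymous or unencrypted connections.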
openssl pkcs12 -in C:\EIDcert.pfx -out C:\EIDcert.pem
The OpenSSL toolkit will ask you to enter the import password; this is the pass phrase currently set on the PFX certificate. If you exported the certificate from the MMC snap-in, this will be the password you set on the certificate during the export.
-----BEGIN ENCRYPTED PRIVATE KEY-----
DATA HERE
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
DATA HERE
-----END CERTIFICATE-----
Save the ENCRYPTED PRIVATE KEY block (including its BEGIN and END lines) as C:\encrypted.pem and the CERTIFICATE block as C:\cert.pem, then remove the encryption from the key:
openssl rsa -in C:\encrypted.pem -out C:\key.pem
OpenSSL prompts for the pass phrase of the key and writes C:\key.pem without any encryption.
openssl pkcs8 -topk8 -nocrypt -in C:\key.pem -inform PEM -out C:\key.der -outform DER
openssl x509 -in C:\cert.pem -inform PEM -out C:\cert.der -outform DER
Once these commands are completed, you will have two DER files, C:\key.der and C:\cert.der. Note that key.der (written with -nocrypt) and key.pem (written by openssl rsa) both hold the private key without any protection. Delete the PFX and the PEM files now, and delete key.der as soon as the keystore has been built in the next step; keep the resulting .jks readable only by the account that runs the IdentityForge service.
java ImportKey C:\key.der C:\cert.der
keytool -storepasswd -new NEWPASSWORDHERE -keystore C:\ldapgateway\conf\as400.jks
You will be prompted for the old Java keystore password, and then the new password will be set. Remember this password as it will be used later. If you omit -new, keytool prompts for the new password instead, which keeps it out of the command history.
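The conversion chain above, as an added example that is not part of this topic: a POSIX shell function (the openssl invocations are identical on Windows) that extracts the key and certificate from the PFX directly rather than splitting a combined PEM by hand, performs the same pkcs8 and x509 conversions to DER, confirms that the key and certificate actually belong together before anything is imported, and removes the unencrypted PEM intermediates. It assumes openssl is on the PATH and reads the PFX import password from the PFX_PASS environment variable so that it never appears on the command line.

```shell
#!/bin/sh
# Added example (not from the page): PFX -> key.der + cert.der for ImportKey.class.
# Usage: PFX_PASS=<import password> pfx_to_der <file.pfx> <outdir>
# The body runs in a subshell so the umask change does not leak to the caller.
pfx_to_der() (
    pfx=$1; out=$2
    [ -n "$PFX_PASS" ] || { echo "PFX_PASS is not set" >&2; exit 1; }
    mkdir -p "$out" || exit 1
    umask 077    # intermediates hold an unencrypted private key; owner-only files
    # Extract the key and the end-entity certificate straight from the PKCS#12.
    # -nodes leaves the extracted key unencrypted, like "openssl rsa" on the page.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes \
        -out "$out/key.pem" >/dev/null 2>&1 || exit 1
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys \
        -out "$out/cert.pem" >/dev/null 2>&1 || exit 1
    # The same two conversions the page performs: PKCS#8 DER key, DER certificate.
    openssl pkcs8 -topk8 -nocrypt -in "$out/key.pem" -inform PEM \
        -out "$out/key.der" -outform DER || exit 1
    openssl x509 -in "$out/cert.pem" -inform PEM -out "$out/cert.der" -outform DER || exit 1
    # Compare the public key carried by each DER file. A mismatch means the wrong
    # PFX or the wrong certificate bag was used and the keystore would be useless.
    k=$(openssl pkey -in "$out/key.der" -inform DER -pubout 2>/dev/null)
    c=$(openssl x509 -in "$out/cert.der" -inform DER -pubkey -noout 2>/dev/null)
    if [ -z "$k" ] || [ "$k" != "$c" ]; then
        echo "$pfx: key.der does not match cert.der" >&2
        rm -f "$out/key.pem" "$out/cert.pem" "$out/key.der" "$out/cert.der"
        exit 1
    fi
    rm -f "$out/key.pem" "$out/cert.pem"   # PEM intermediates are no longer needed
)
```

key.der is still an unencrypted private key; remove it once ImportKey has built the keystore. If an OpenSSL 3 build refuses an MMC-exported PFX with an "unsupported" algorithm error, the export used the legacy RC2/3DES encryption and the two pkcs12 commands need the -legacy option.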
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
<constructor-arg><value>false</value></constructor-arg>
<constructor-arg><value>../conf/testnew.jks</value></constructor-arg>
<constructor-arg><value>abc123</value></constructor-arg>
<constructor-arg><value>false</value></constructor-arg>
</bean>
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
<constructor-arg><value>false</value></constructor-arg>
<constructor-arg><value>../conf/as400.jks</value></constructor-arg>
<constructor-arg><value>abc123</value></constructor-arg>
<constructor-arg><value>false</value></constructor-arg>
</bean>
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
<constructor-arg><value>false</value></constructor-arg>
<constructor-arg><value>../conf/as400.jks</value></constructor-arg>
<constructor-arg><value>abc123</value></constructor-arg>
<constructor-arg><value>false</value></constructor-arg>
</bean>
rem Start Property Encrypt Utility
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil
idfRacfPwd
New encrypted string as HEX: 10902AA71C4DF819C965E8B5B7DF0208
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
<constructor-arg><value>false</value></constructor-arg>
<constructor-arg><value>../conf/as400.jks</value></constructor-arg>
<constructor-arg><value>10902AA71C4DF819C965E8B5B7DF0208</value></constructor-arg>
<constructor-arg><value>false</value></constructor-arg>
</bean>
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
<constructor-arg><value>false</value></constructor-arg>
<constructor-arg><value>../conf/as400.jks</value></constructor-arg>
<constructor-arg><value>10902AA71C4DF819C965E8B5B7DF0208</value></constructor-arg>
<constructor-arg><value>true</value></constructor-arg>
</bean>
To configure secure communications between the IdentityForge server and the AS/400 we will need to retrieve the SSL certificate from the OS/400 Certificate Manager.
We now need to add the OS/400 certificate to the trust store of the Java JDK that runs the gateway (the cacerts file), so that the connection to the i5 is trusted.
keytool -importcert -file C:\cert.cer -alias arbitraryaliashere -keystore C:\software\jdk1.7.0_25\jre\lib\security\cacerts
keytool prompts for the cacerts password (the JDK default is changeit), then shows the certificate's fingerprint and asks whether to trust it. Compare that fingerprint with the one displayed in the OS/400 Certificate Manager before answering yes. To confirm the import, list the store:
keytool -list -keystore C:\software\jdk1.7.0_25\jre\lib\security\cacerts
Keep in mind that cacerts is shared by every Java application that uses this JDK, and that a new JDK version ships its own cacerts, so the import has to be repeated when you move the gateway to a newer Java.
For more information, please see the following JTOpen and IBM iSeries documentation pages:
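The fingerprint check described for the import above, as an added example that is not part of this topic or of IdentityForge: a POSIX shell script that computes the SHA-256 fingerprint of the exported OS/400 certificate (PEM or DER), compares it with the value the i5 administrator supplied out of band, and only on a match runs the keytool import non-interactively. It assumes openssl and the JDK's keytool are on the PATH; the KEYTOOL variable, the trust_cert function and its arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): verify-then-import for the OS/400 certificate.

# cert_fingerprint <cert file>: print the SHA-256 fingerprint as colon-separated hex.
# Detects PEM by its header and treats anything else as DER.
cert_fingerprint() {
    f=$1
    if grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then inform=PEM; else inform=DER; fi
    openssl x509 -in "$f" -inform "$inform" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# trust_cert <cert file> <expected fingerprint> <alias> <truststore> <storepass>
# Refuses to import unless the certificate's fingerprint equals the expected
# value (any mix of case, with or without colons). KEYTOOL may be overridden,
# e.g. KEYTOOL=true for a dry run that only performs the comparison.
trust_cert() {
    cert=$1; expected=$2; alias=$3; store=$4; storepass=$5
    kt=${KEYTOOL:-keytool}
    actual=$(cert_fingerprint "$cert") || return 1
    norm_e=$(printf '%s' "$expected" | tr -d ': ' | tr 'a-f' 'A-F')
    norm_a=$(printf '%s' "$actual"   | tr -d ': ' | tr 'a-f' 'A-F')
    if [ -z "$norm_a" ] || [ "$norm_a" != "$norm_e" ]; then
        echo "fingerprint mismatch for $cert: got ${actual:-<unreadable>}" >&2
        return 1
    fi
    # -noprompt is safe here because the fingerprint has already been verified.
    "$kt" -importcert -noprompt -file "$cert" -alias "$alias" \
        -keystore "$store" -storepass "$storepass"
}
```

Pointing the last two arguments at a dedicated truststore file (and starting the gateway with -Djavax.net.ssl.trustStore set to it) keeps the trust decision out of the JDK-wide cacerts, but the function works unchanged against the cacerts path used in this topic.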
Navigate to C:\ldapgateway\dist\idfserver, press CTRL+A to select all of the files and folders in this location, then right click and choose Send to > Compressed (zipped) folder. This creates a .zip file in C:\ldapgateway\dist\idfserver. Rename the .zip file to idfserver.jar and copy it to C:\ldapgateway\dist, overwriting the existing file. A jar is a zip archive, so this works as long as the archive is built from inside the idfserver folder, with the extracted jar's top-level folders at the root of the archive; zipping the idfserver folder itself would nest everything one level down and the gateway would not find its classes.
set JAVA_HOME=C:\Program Files\Java\jre7
set JVM=C:\Program Files\Java\jre7\bin\client\jvm.dll
This path needs to point to the installation path of the Java JDK. Note that client\jvm.dll exists only in 32-bit Java; a 64-bit JDK ships only server\jvm.dll, so point JVM at ...\jre\bin\server\jvm.dll in that case. In our example, these lines would be changed to the following:
set JAVA_HOME=C:\software\jdk1.7.0_25
set JVM=C:\software\jdk1.7.0_25\jre\bin\client\jvm.dll
set HOME=C:\ldfService\ldapgateway
set APPLICATION_SERVICE_HOME=C:\ldfService\ldapgateway\win_service
This path needs to point to the IdentityForge installation directory. In our example, this line would be changed to the following:
set HOME=C:\ldapgateway
set APPLICATION_SERVICE_HOME=C:\ldapgateway\win_service
set SERVICE_NAME=IdentityForgeService
This variable can be changed to a name of your choosing. This will be the name of the Windows service as shown in Service Manager.
set CG_STDOUTPUT=%CG_LOGPATH%\IDFServiceOut.log
This captures everything the service writes to standard output, which is verbose. To disable it, comment the line out as follows:
REM -- set CG_STDOUTPUT=%CG_LOGPATH%\IDFServiceOut.log
Set CG_DESCRIPTION="Identity Forge Service for LDAP Gateway"
set CG_DISPLAY_NAME=IdentityForgeService
These variables can be changed as you see fit. The text will become the description and the display name of the Windows service as shown in Service Manager, respectively.
IDF-Win-Service.bat install
IDF-Win-Service.bat remove
To enable SSL/TLS (JSSE) debugging output, which logs handshakes and certificate checks and helps when the connection to the i5 or from EmpowerID fails, do the following. The output is very verbose and includes connection details, so remove the flag again once the problem is found:
rem Start Ldap Gateway Server
%JAVACMD% %DEBUG% %JVM_OPTS% %SECURE% -cp %CLASSPATH% com.identityforge.idfserver.Main %1 %2 %3 %4 %5 %6 %7 %8 %9
rem Start Ldap Gateway Server
%JAVACMD% %DEBUG% %JVM_OPTS% %SECURE% -cp %CLASSPATH% -Djavax.net.debug=all com.identityforge.idfserver.Main %1 %2 %3 %4 %5 %6 %7 %8 %9
To increase the memory available to the Java JVM, do the following:
rem Start Ldap Gateway Server
%JAVACMD% %DEBUG% %JVM_OPTS% %SECURE% -cp %CLASSPATH% com.identityforge.idfserver.Main %1 %2 %3 %4 %5 %6 %7 %8 %9
rem Start Ldap Gateway Server
%JAVACMD% %DEBUG% %JVM_OPTS% %SECURE% -cp %CLASSPATH% -Xms512m -Xmx1024m com.identityforge.idfserver.Main %1 %2 %3 %4 %5 %6 %7 %8 %9