

How to Set Up On-Premise Provisioning

As an administrator who wishes to set up communication between cloud-based and on-premise environments and allow on-premise provisioning, follow this process:

  1. Receive the username, password, the server certificate, and the URLs for the cloud-based CA IAM Connector Server messaging interface from the CA CloudMinder System Administrator for your environment. Make a note of the time settings from the cloud-based Connector Server.
  2. Download and install CA IAM Connector Server in your on-premise environment. The installation package is available from support.ca.com.
  3. Export the certificate that the connector server installer creates, and deliver it to the System Administrator if it is needed. The System Administrator tells you if this is required in your environment. If you have an existing server certificate, you can use it instead. After you install IAM Connector Server, add the certificate to the SSL keystore. The SSL keystore is a Java keystore located in the jcs/conf folder of your connector server installation.

    Note: You can only add one private key to the keystore. CA IAM Connector Server only supports one private key.

  4. Install the certificate that you received from the System Administrator in your on-premise Connector Server.
  5. Go to the cloud-based CA IAM Connector Server interface and add any endpoint routes that you want.
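
The one-private-key limit noted in step 3 can be checked from the command line after you add a certificate to the SSL keystore. The script below is an added example, not part of the CA documentation; it assumes the default output format of the JDK keytool -list command, and the aliases, dates, and fingerprints in the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not CA code. Checks `keytool -list` output against the
# one-private-key limit described in step 3.

# Print how many entries of keytool entry type $1 appear on stdin.
# Assumes the default listing format: "<alias>, <date>, <EntryType>, "
count_entries() {
    awk -v t="$1" '$0 ~ (", " t ",[ \t]*$") { n++ } END { print n + 0 }'
}

# Read a listing on stdin. Returns 0 for exactly one private key,
# 1 for none, 2 for more than one (aliases are printed to stderr).
check_private_keys() {
    listing=$(cat)
    keys=$(printf '%s\n' "$listing" | count_entries PrivateKeyEntry)
    certs=$(printf '%s\n' "$listing" | count_entries trustedCertEntry)
    echo "private keys: $keys, trusted certificates: $certs"
    [ "$keys" -eq 1 ] && return 0
    if [ "$keys" -eq 0 ]; then
        echo "no private key entry found" >&2
        return 1
    fi
    echo "more than one private key entry; aliases:" >&2
    printf '%s\n' "$listing" |
        awk -F', ' '/, PrivateKeyEntry,[ \t]*$/ { print "  " $1 }' >&2
    return 2
}

# Constructed sample listing (aliases, dates and fingerprints are made up).
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

tenant_name, Mar 3, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:...(constructed)
cloud_cs, Mar 3, 2015, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:44:55:...(constructed)
old_server, Jan 9, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 66:77:88:...(constructed)
EOF
}

# Real use: pass the path of the keystore file in jcs/conf as the first
# argument (keytool prompts for the store password).
if [ -n "${1:-}" ]; then
    keytool -list -keystore "$1" | check_private_keys
fi
```

The constructed sample contains two private key entries, so the check returns 2 and names both aliases; a keystore that satisfies the limit returns 0.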

This diagram illustrates the set-up steps:

[Diagram: on-premise provisioning set-up steps]

Install CA IAM Connector Server

The CA IAM Connector Server includes connectors for all of the endpoints that are supported at the time of the release.

When you install CA IAM Connector Server, be sure to record the values you enter. The port name, password, and URL are required in other parts of the process.

Note: This procedure assumes that you do not already have a local instance of CA IAM Connector Server installed. If you have installed it as part of an Identity Management installation, the default username is set to "admin".

Follow these steps:

  1. Check the time settings for your on-premise Connector Server host. They must match the setting information that you received from the System Administrator for the two servers to connect successfully.

    Note: The cloud-based and on-premise Connector Server time zones need not match, only the settings. For example, daylight saving time must be enabled on both.

  2. Download CA IAM Connector Server from support.ca.com, and launch the installer.
  3. Select the C++ connector option you want, depending on your environment.
  4. Clear the "Register this installation with a Provisioning Server" checkbox if it is selected. This setting is not required for an on-premise installation.
  5. On the Cloud Connector Server screen, enter the following information:

    Note: To connect to a cloud-based Connector Server, enter details in this step. The details are required for the installer to create a key pair and self-signed certificate. If for some reason you cannot enter details on initial installation, rerun the installer and add details before completing the connection.

  6. Enter the admin password on the Connector Server Configuration screen, and accept the default LDAP port values.

    Note: If you install multiple connector servers, be sure to set the same password for each. This practice avoids a password synchronization issue.

  7. On the Port Configuration screen, accept the default values.
  8. Enter HTTP Proxy credentials if your environment uses an HTTP proxy.
  9. Complete the wizard. You can install multiple connector servers in your environment, depending on your needs.

Export a Certificate

The CA IAM Connector Server installer creates a self-signed certificate. If you are a Site Administrator preparing for on-premise provisioning, you can locate and export the certificate file to deliver to the CA CloudMinder System Administrator.

Follow these steps:

  1. Log in to the on-premise CA IAM Connector Server.
  2. Select the Certificates tab, and locate the new certificate. The certificate is a Private Key type, "tenant_name". You can sort the Type or Name columns to help locate the certificate.
  3. Select the new certificate, click Download, and save the file in a location of your choice.
  4. If you are using two-way SSL certification in your environment, send the certificate file to the System Administrator using a trusted mechanism.

Configure the On-Premise Connector Server

To set up on-premise provisioning, add the certificate that you received from the CA CloudMinder System Administrator to your on-premise connector server.

Follow these steps:

  1. Log in to CA IAM Connector Server in your CA CloudMinder environment.
  2. Click the Certificates tab in the Connector Server Management pane.

    The Add Certificate dialog appears.

  3. Browse to the location where you saved the certificate file, select it, and click Add.
  4. Enter the certificate alias, and click OK.

    The certificate appears in the certificate list.

  5. Select the Servers tab. Select the cloud connector server entry, and click Modify.

    The Modify Connector Server dialog appears.

  6. Enter or add to the credentials for the target connector server, including the tenant name, and click OK.

    You can test the connection to make sure that the components are communicating properly.

Configure the Cloud-Based Connector Server

To complete the set-up process for on-premise provisioning, you add endpoint routes. You can configure the default on-premise connector server or any other on-premise connector server in your environment. You can also add a connector server and then add routes to that connector server.

Follow these steps:

  1. Log in to the CA CloudMinder user console and navigate to Task > System > Manage Connector Server.
  2. Click Add to add a connector server.
    1. Supply any name for the connector server.
    2. Click OK.
    3. After a minute, click Status to display the new connector server.
  3. Select the connector server entry to which you want to add a route.
  4. Right-click the connector entry and select Add Routes from the popup menu.
  5. Check the route or routes that you want to add, and click OK.

    You can add routes to more than one connector server. If you have added an Active Directory route to one connector server, it is not available to add to other connector servers.