By default, the password synchronization traffic between the Password Capture Agent and the web service is secured by transport layer security only. Therefore, it is strongly recommended that you specify a custom certificate.
IMPORTANT: You need a certificate file including the private key to encrypt password synchronization traffic.
In this step, import the certificate to the Personal\Certificates machine certificate store by using the Certificates snap-in. You must complete this step on each domain controller running the Password Capture Agent and on each computer running the web service that will participate in password synchronization.
To import the certificate
- Open the Certificates - Local Computer snap-in.
- In the console tree, click Personal | Certificates.
- On the Action menu, point to All Tasks and click Import.
- Use the wizard.
- On the File to Import page, in File name, enter the name of the file containing the certificate to be imported, or click Browse to locate and select the file. When finished, click Next.
- On the Password page, enter the password used to encrypt the private key, and click Next.
- On the Certificate Store page, ensure that Place all certificates in the following store is selected and that Certificate store displays Personal. Then click Next.
- On the Completion page, review the specified settings and click Finish.
To add read permissions to the certificate for the web service
- Open the Certificates - Local Computer snap-in.
- In the console tree, click Personal | Certificates.
- Select your imported certificate from the list.
- On the Action menu, point to All Tasks and click Manage Private Keys.
- Add Read permissions for the Network Service security principal and click OK.
Copy the thumbprint of your custom certificate. (In the next step, you will need to provide the thumbprint to the Password Capture Agent.)
To copy the thumbprint of your custom certificate
- Open the Certificates - Local Computer snap-in.
- In the console tree, click Personal.
- Click Certificates.
- In the details pane, double-click the certificate.
- In the Certificate dialog, click Details, and scroll through the list of fields to select Thumbprint.
- Copy the hexadecimal value of the thumbprint to the clipboard.
NOTE: You will need the copied thumbprint value to configure the Password Capture Agent.
This step assumes that the Password Capture Agent Windows PowerShell module is installed on your workstation and that all other requirements are met.
To provide the thumbprint to the Password Capture Agent
- Sign on to the workstation on which the Password Capture Agent Windows PowerShell module is installed as a member of the Domain Admins group.
- Open an elevated command line.
- Run the following command to write the copied thumbprint to the configuration profile (the thumbprint shown is an example value):
REG ADD "\\<COMPUTERNAME>\HKLM\Software\One Identity\One Identity Manager\Password Capture Agent\Service" /v "CertificateThumbprint" /t REG_SZ /d "1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188"
- Run the following commands to restart the Password Capture Agent service:
sc \\COMPUTERNAME stop "Password Capture Agent"
sc \\COMPUTERNAME start "Password Capture Agent"
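The whole procedure (import the certificate, grant the private key read permission to Network Service, read the thumbprint, write it to the configuration profile, restart the service) can be scripted on the computer that hosts the Password Capture Agent. The following is an added example, not code from the One Identity documentation: it assumes an elevated session run by a Domain Admin on that computer, that $PfxPath and $PfxPassword identify your certificate file with its private key, and that the registry path and service name are the ones used by the REG ADD and sc commands above.

```powershell
# Added example (not One Identity's own code). Assumes: elevated session as a
# Domain Admin on the machine running the Password Capture Agent; $PfxPath and
# $PfxPassword point to the certificate file that includes the private key;
# registry path and service name taken from the REG ADD / sc commands above.
param(
    [Parameter(Mandatory)] [string]       $PfxPath,
    [Parameter(Mandatory)] [securestring] $PfxPassword
)
$ErrorActionPreference = 'Stop'
$regPath     = 'HKLM:\Software\One Identity\One Identity Manager\Password Capture Agent\Service'
$serviceName = 'Password Capture Agent'

# Step 1: import the certificate (with private key) into the machine Personal store.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
                              -CertStoreLocation 'Cert:\LocalMachine\My'

# Step 2: grant NETWORK SERVICE read access to the private key file; this is what
# "Manage Private Keys" does in the snap-in. CNG keys are stored under Crypto\Keys,
# legacy CSP keys under Crypto\RSA\MachineKeys; the recursive search covers both.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } `
           else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName `
                         -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Step 3: the thumbprint is a property of the imported certificate (same value the
# Details tab shows), so no clipboard round trip is needed.
$thumbprint = $cert.Thumbprint

# Step 4: write the thumbprint to the configuration profile and restart the service.
Set-ItemProperty -Path $regPath -Name 'CertificateThumbprint' -Value $thumbprint -Type String
Restart-Service -Name $serviceName

# Check: the stored value must match a certificate present in LocalMachine\My,
# and the service must be running again.
$stored = (Get-ItemProperty -Path $regPath -Name 'CertificateThumbprint').CertificateThumbprint
if ($stored -ne $thumbprint) { throw "Registry thumbprint $stored does not match $thumbprint" }
if (-not (Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object Thumbprint -eq $stored)) {
    throw "No certificate with thumbprint $stored in LocalMachine\My"
}
(Get-Service -Name $serviceName).Status
```

The final status line should read Running; the check before it catches a thumbprint that was mistyped or written to the wrong computer's registry.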