Chat now with support
Chat with Support

Identity Manager 8.0 - Password Capture Agent Administration Guide

The One Identity Manager Password Capture Agent Appendix About us

Specifying a Custom Certificate for Encrypting Password Synchronization Traffic

By default, the password synchronization traffic between the Password Capture Agent and the Webservice will be secured by transport layer security only. Therefore, it is strongly recommended that you to specify a custom certificate for this purpose.

IMPORTANT: You need a certificate file including the private key to encrypt the password synchronization traffic.

This section describes how to use a custom certificate for encrypting the password synchronization traffic.

Detailed information about this topic

Step 1: Import Certificate into Certificates Store

In this step, you import the certificate to the machine certificate store Personal\Certificates by using the Certificates snap-in. You must complete this step on each domain controller running the Password Capture Agent and on each computer running the Webservice that will participate in password synchronization.

To import the certificate

  1. Open the Certificates - Local Computers snap-in.
  2. In the console tree, click the logical store Personal\Certificates.
  3. On the menu Action, point to All Tasks and then click Import.
  4. Step through the wizard.
  5. On the page "File to Import", in the text box File name, type the file name containing the certificate to be imported or click Browse and to locate and select the file. When finished, click Next.
  6. On the page "Password", type the password used to encrypt the private key, and then click Next.
  7. On the page "Certificate Store", ensure that the option Place all certificates in the following store is selected and the text box Certificate store displays "Personal", and then click Next.
  8. On the page "Completion", revise the specified settings and click Finish to import the certificate and close the wizard.

To add read permissions to the certificate for the Webservice

  1. Open the Certificates - Local Computers snap-in.
  2. In the console tree, click the logical store Personal\Certificates.
  3. Select your imported certificate from the list.
  4. On the menu Action, point to All Tasks and then click Manage Private Keys.
  5. Add "Read Permissions" for the security principal "NETWORK SERVICE" and click Okay.
Related Topics

Step 2: Copy Certificate’s Thumbprint

In this step, you copy the thumbprint of your custom certificate. In the next step, you will need to provide the thumbprint to the Password Capture Agent.

To copy the thumbprint of your custom certificate

  1. Open the Certificates - Local Computer snap-in.
  2. In the console tree, click the store Personal to expand it.
  3. Click the store Certificates to expand it.
  4. In the details pane, double-click the certificate.
  5. In the dialog box Certificate, click the tab Details, and scroll through the list of fields to select Thumbprint.
  6. Copy the hexadecimal value of thumbprint to clipboard.

NOTE: You will need the copied thumbprint value to configure the Password Capture Agent.
Related Topics

Step 3: Provide Certificate’s Thumbprint to the Password Capture Agent

Step 3: Provide Certificate’s Thumbprint to the Password Capture Agent

This step assumes that the Password Capture Agent Windows PowerShell module for the Password Capture Agent is installed on your workstation and all other requirements are met.

To provide the thumbprint to the Password Capture Agent

  1. Sign on to the workstation installed with Password Capture Agent Windows PowerShell module as member of the group "Domain Admins".
  2. Open an elevated command line.
  3. Execute command to modify the configuration profile with the new thumbprint.

    REG ADD "\\<COMPUTERNAME>\HKLM\Software\One Identity\One Identity Manager\Password Capture Agent\Service" /v "CertificateThumbprint" /t REG_SZ /d "1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188"

  4. Execute commands to restart the Password Capture Agent service.

    sc \\COMPUTERNAME stop "Password Capture Agent"

    sc \\COMPUTERNAME start "Password Capture Agent"

    Related Topics
Related Documents