Prior to installing One Identity Certificate Autoenrollment, ensure your system meets the following minimum hardware and software requirements:
Mac OS X®/macOS® 10.8.3 or higher
Red Hat® Enterprise Linux® 6 or higher
Solaris® 11 or higher
SUSE® Linux Enterprise Server 11 or higher
Ubuntu® 14.04 LTS or higher
Java unlimited strength policy files: see Java requirement: Unlimited Strength Jurisdiction Policy Files
One Identity Authentication Services version 4.1.2
Certificate Autoenrollment depends on services provided by a Microsoft Enterprise Certificate Authority (CA) in your environment.
In addition to Active Directory and an Enterprise CA, you must install the following software in your environment:
In order for Certificate Autoenrollment to function on client computers, you must configure the following policies:
Additionally, you must configure Java 1.6 or higher as the default JVM for your system.
Enterprise Administrator rights to install software and configure Group Policy and Certificate Template policy (only if Certificate Autoenrollment is not already configured for Windows hosts in your environment).
By default, most JRE and JDK implementations enforce limits on cryptographic key strengths that satisfy US export regulations. These limits are often insufficient for Certificate Autoenrollment and may lead to "java.security.InvalidKeyException: Illegal key size" failures. The "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" can be installed to remove these limits and enable Certificate Autoenrollment to function properly.
In general, the answer to whether these files are needed is: yes.
Java 9 and above do not require these files, but Java 6, 7 and 8 rely on them.
In some environments, Certificate Autoenrollment may be able to function correctly without these files. Typically, these are older environments such as Windows Server 2008 R2 with Java 6 on Mac OS X 10.9. However, even if one of these environments works now, it may no longer work in the future when its components are upgraded to newer releases. Therefore, it is prudent to install the policy files even if they are not needed at present.
For Java implementations from IBM, the policy files are usually bundled with the JDK but not the JRE, so it may be more convenient to install the JDK rather than just the JRE. Once the JDK is installed, its demo/jce/policy-files/unrestricted directory should contain two JAR files:
Use these files to replace the corresponding JAR files in the jre/lib/security directory of the JDK. Alternatively, the "Unrestricted SDK JCE policy files" can be downloaded from ibm.com.
For Java implementations from Sun, Oracle and Apple and for OpenJDK implementations, the policy files must be downloaded from Oracle. Each major Java version requires its own policy files:
Each of these downloads is a zip file that includes a README.txt and two JAR files, local_policy.jar and US_export_policy.jar. Use these JAR files to replace the corresponding files in the JRE or JDK:
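The replacement step above is easy to get subtly wrong (wrong security directory for a JRE versus a JDK, one of the two JARs left at the export-limited version, no backup to roll back to). The following POSIX shell script is an added example, not part of the One Identity documentation or product; it assumes the downloaded zip has already been extracted into a directory holding local_policy.jar and US_export_policy.jar, that JAVA_HOME points at the JRE or JDK to update, and that the pre-Java-9 layout applies (a JDK keeps the JARs under jre/lib/security, a JRE under lib/security). It also encodes the Java 9 rule from above so the install can be skipped where the files are no longer required.

```shell
#!/bin/sh
# Added example (not from the One Identity documentation): install the JCE
# Unlimited Strength policy JARs into a JRE/JDK's security directory.
# Assumptions: SRC_DIR already contains local_policy.jar and US_export_policy.jar
# from the vendor download; JAVA_HOME is the JRE or JDK to update.

# Print the directory that holds the policy JARs for this JAVA_HOME, or fail.
# JDK layout: $JAVA_HOME/jre/lib/security; JRE layout: $JAVA_HOME/lib/security.
jce_security_dir() {
    java_home="$1"
    if [ -d "$java_home/jre/lib/security" ]; then
        printf '%s\n' "$java_home/jre/lib/security"
    elif [ -d "$java_home/lib/security" ]; then
        printf '%s\n' "$java_home/lib/security"
    else
        return 1
    fi
}

# Return 0 when the given java.version string belongs to a release below 9,
# i.e. one that still relies on the policy files ("1.8.0_201" -> 8, "11.0.2" -> 11).
java_needs_policy_files() {
    ver="$1"
    case "$ver" in
        1.*) major=$(printf '%s' "$ver" | cut -d. -f2) ;;
        *)   major=$(printf '%s' "$ver" | cut -d. -f1) ;;
    esac
    [ "$major" -lt 9 ]
}

# Replace both JARs, keeping a timestamped backup of whatever was there before.
# Refuses to start unless both downloaded JARs exist, so a half-replaced
# security directory (one limited, one unlimited JAR) cannot result.
install_jce_policy_files() {
    src_dir="$1"; java_home="$2"
    sec_dir=$(jce_security_dir "$java_home") || {
        echo "no lib/security directory under $java_home" >&2; return 1; }
    for jar in local_policy.jar US_export_policy.jar; do
        [ -f "$src_dir/$jar" ] || { echo "missing $src_dir/$jar" >&2; return 1; }
    done
    stamp=$(date +%Y%m%d%H%M%S)
    for jar in local_policy.jar US_export_policy.jar; do
        if [ -f "$sec_dir/$jar" ]; then
            cp -p "$sec_dir/$jar" "$sec_dir/$jar.bak.$stamp" || return 1
        fi
        cp "$src_dir/$jar" "$sec_dir/$jar" || return 1
    done
    echo "installed unlimited strength policy files into $sec_dir"
}

# Return 0 only when both installed JARs match the downloaded copies byte-for-byte.
verify_jce_policy_files() {
    src_dir="$1"; java_home="$2"
    sec_dir=$(jce_security_dir "$java_home") || return 1
    for jar in local_policy.jar US_export_policy.jar; do
        cmp -s "$src_dir/$jar" "$sec_dir/$jar" || return 1
    done
}

# Usage (paths are placeholders):
#   install_jce_policy_files /tmp/jce-policy-extracted "$JAVA_HOME"
#   verify_jce_policy_files  /tmp/jce-policy-extracted "$JAVA_HOME"
```

After installing, a runtime confirmation from inside the JVM is javax.crypto.Cipher.getMaxAllowedKeyLength("AES"): it returns Integer.MAX_VALUE once the unlimited policy is active, and 128 while the export-limited JARs are still in place, which is the condition behind the "Illegal key size" failure described above.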
The following procedures walk you through the installation and configuration of the required components. If Certificate Autoenrollment is already configured for Windows hosts in your environment, you can skip to Using Certificate Autoenrollment.
To perform these procedures, you need Enterprise Administrator rights to install software and configure Group Policy and Certificate Template policy.
Note: Microsoft has documented all of the steps to install and configure certificate enrollment Web services.
To set up certificate enrollment web services
Certificate enrollment Web services are now installed. Next, you will configure policy settings to enable Certificate Autoenrollment.
If you are using Group Policy, you must configure the Certificate Enrollment Policy Web Service group policy setting to provide the location of the Web service to domain members. Otherwise, you must manually configure the server URL on each system as explained in Using Certificate Autoenrollment.
To configure certificate enrollment policy
In the console tree, expand Sites, and click the Web service application that begins with ADPolicyProvider_CEP.
Note: The name of the application is ADPolicyProvider_CEP_AuthenticationType where AuthenticationType is the Web service authentication type.
The Add button is available only when the enrollment policy server URI and authentication type are valid.