In some cases, certificates are issued directly via Certificate Manager without involving Identity Manager. One typical use case is when certificates for servers, devices, workstations, etc. are requested via Protocol Gateway using the automation protocols (such as SCEP, ACME, EST or Windows-Autoenrollment). In these cases too, we want to inform Identity Manager about the new certificates so that Identity Manager can perform the corresponding lifecycle management later on.
To keep Certificate Manager and Identity Manager in sync, the certificates can be pushed from Certificate Manager via a 'Distribution Rule' to an HTTPS endpoint of Identity Manager. The push to Identity Manager contains the certificate itself, the Certificate Template it will be mapped to in Identity Manager, and optionally a BPMN process that will be executed with the push, for example to link the certificate to certain assets in Identity Manager.
In Certificate Manager
Certificate Manager must authenticate itself. There are two ways to do this: certificate-based authentication or HTTP Basic authentication. Certificate-based authentication is recommended, as username/password is less secure.
For certificate-based authentication, the keystore is mandatory. It must contain the key pair and certificate that Certificate Manager will use to authenticate to Identity Manager. Its issuer must be present in the truststore of the Identity Manager Operator application.
For HTTP Basic authentication, set the username/password of an Identity Manager internal user in the distribution rule. You also need to make sure that the URL used to connect to Identity Manager Operator does not require a client certificate.
Optionally, but highly recommended, Identity Manager's TLS server certificate can also be validated on the Certificate Manager side. For this, a corresponding truststore can be configured; it should contain the issuer of the Identity Manager server certificate.
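The following is an added illustration of the two authentication options described above, written in Python with only the standard library; it is not code from Certificate Manager or Identity Manager. The keystore/truststore file paths, the endpoint path `/api/certificates/push`, the JSON field names and the sample certificate are all assumptions. It shows the keystore being loaded as a TLS client certificate, the truststore being used to verify Identity Manager's server certificate, and, for the Basic-authentication case, a check that refuses to send a password unless server verification is on, since that is the exposure that makes username/password the weaker choice.

```python
"""Added example (not product code): TLS and authentication setup for a
Distribution Rule push from Certificate Manager to Identity Manager Operator."""
import base64
import http.client
import json
import ssl
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed endpoint path and JSON field names; the page does not document the API.
PUSH_PATH = "/api/certificates/push"

# Constructed, non-functional placeholder for the certificate being pushed.
CONSTRUCTED_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBexampleCERTIFICATEbodyNOTaREALcert==\n"
    "-----END CERTIFICATE-----\n"
)


def build_tls_context(truststore_pem: Optional[str] = None,
                      keystore_cert_pem: Optional[str] = None,
                      keystore_key_pem: Optional[str] = None) -> ssl.SSLContext:
    """Build the client-side TLS context for the push.

    truststore_pem: PEM bundle with the issuer of Identity Manager's server
        certificate (the Certificate Manager 'truststore'). None falls back to
        the system CA store; server verification stays enabled either way.
    keystore_cert_pem/keystore_key_pem: the key pair and certificate Certificate
        Manager authenticates with (the 'keystore'), only for certificate-based
        authentication. Paths are assumptions.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=truststore_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if keystore_cert_pem:
        ctx.load_cert_chain(certfile=keystore_cert_pem, keyfile=keystore_key_pem)
    return ctx


@dataclass
class PushConfig:
    ctx: ssl.SSLContext
    client_cert: bool                        # True when a keystore was loaded
    basic: Optional[Tuple[str, str]] = None  # (username, password) of an IM internal user


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def build_push_request(cfg: PushConfig, cert_pem: str, template: str,
                       process: Optional[str] = None) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Assemble headers and JSON payload for one push.

    Raises ValueError when no authentication is configured, or when Basic
    credentials would be sent over a connection that does not verify the server.
    """
    if not cfg.client_cert and cfg.basic is None:
        raise ValueError("no authentication configured: supply a keystore or Basic credentials")
    headers = {"Content-Type": "application/json"}
    if cfg.basic is not None:
        if cfg.ctx.verify_mode != ssl.CERT_REQUIRED or not cfg.ctx.check_hostname:
            raise ValueError("refusing to send a password without server certificate verification")
        headers.update(basic_auth_header(*cfg.basic))
    payload = {"certificate": cert_pem, "certificateTemplate": template}
    if process is not None:
        payload["process"] = process  # BPMN process to run on the pushed certificate
    return headers, payload


def push_certificate(host: str, cfg: PushConfig, cert_pem: str, template: str,
                     process: Optional[str] = None, port: int = 443) -> int:
    """Send the push over HTTPS and return the HTTP status code (not exercised offline)."""
    headers, payload = build_push_request(cfg, cert_pem, template, process)
    conn = http.client.HTTPSConnection(host, port, context=cfg.ctx)
    try:
        conn.request("POST", PUSH_PATH, body=json.dumps(payload), headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()
```

For the recommended certificate-based setup, call `build_tls_context("im-issuer.pem", "cm-cert.pem", "cm-key.pem")` and pass `client_cert=True` without `basic`; the Basic variant only differs in the `PushConfig` and still benefits from the truststore check.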
In Identity Manager
Optionally, a BPMN process can be executed on the certificate. Identity Manager will first persist the certificate core object. After that, if a