Remote connector server

Remote connector server is a standalone daemon used for interfacing some of the more difficult systems. You deploy connector bundles into the connector server. Then, you configure CzechIdM to use connectors from within the remote connector server. As far as IdM is concerned, there is no difference if actions on end system are performed by connector server or IdM itself. The only difference is in the point of origin of network communication.

CzechIdM comes bundled only with certain types of connectors. For some deployments, it is necessary to use Remote connector server ("connector server" from now on). There are generally four reasons for this:

• We cannot run Java code on the target system (e. g. .NET code is needed).
• The OS does not have some normal API (e. g. old Windows without WinRM) so we need to run commands on it locally.
• Security reasons - we do not want to run the connector code under the same user as the CzechIdM.
• You need to use two different versions of one connector (or two connectors which bundle different versions of the same library - for example Apache CXF). If you did deploy them both into one Java context, libraries would break due to Java Class FQDN conflicts.

The remote server connector configuration form behaves just like the local connector form - this means that definition is stored in the EAV attributes for system which it belongs. As a key to EAV attributes are used the system name, connector name, and connector version. Therefore, it is possible to have multiple connectors with different version on the remote connector server.

Download appropriate version of the connector server. If you are a BCV developer, use our internally provided version.

1. Download the all-in-one prepared bundle from there (login required), you do not need to download anything else.
2. Continue with deployment instructions.

1. Download connector server from the ConnId project.
2. Use version 1.4.5.1 of remote connector server and version 1.4.3.0 of connector framework.
3. Download following libraries and add them to the lib directory of the connector server:
   • jackson-annotations-2.9.8
   • jackson-core-2.9.8
   • jackson-databind-2.9.8
4. Add those libraries to the classpath inside ConnectorServer.sh script (for Linux) or ConnectorServer.bat script (for Windows).

Create new user under which the connector server will be started and give him ownership of connector-server directory.

useradd connector-server
chown -R connector-server:connector-server /opt/connid-connector-server

To configure settings (such as log, port…) will be found at configurations file: conf/connectorserver.properties

* To directory "bundles" add .jar connectors. * To directory "scripts" add scripts which IdM will use. * In default scripts will look to "cert" directory for certificates.

If you will add AD connector you also need create connector server truststore. Create truststore in "". On windows use gitbash.

openssl genrsa -out fakecert.key
openssl req -new -key fakecert.key -out fakecert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=Connector placeholder cert"
openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt
keytool -importcert -file fakecert.crt -alias placeholder-cert -keystore truststore.jks
    Enter keystore password:  ENTER SOME PASSWORD HERE AND REMEMBER IT FOR LATER
    Re-enter new password:
    ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

rm fakecert.key fakecert.csr fakecert.crt
chmod 644 truststore.jks
chown connector-server:connector-server truststore.jks

Add truststore to start scripts: Add this java property to java start options in "bin/ConnectorServer.sh"(linux)

-Djavax.net.ssl.trustStore=/opt/cconnid-connector-server/conf/truststore.jks -Djavax.net.ssl.trustStorePassword=TODO_PASSWORD

or add this to service installation in „bin\ConnectorServer.bat“(windows)

"-Djavax.net.ssl.trustStore=C:\connid-connector-server\conf\truststore.jks";"-Djavax.net.ssl.trustStorePassword=TODO_PASSWORD"

All commands execute in root folder of remote connector server.

Next it's good to setup new password for connector server. This password will IdM use to connect to connector-server.

./bin/ConnectorServer.sh -setKey -key yourKey -properties conf/connectorserver.properties

Create service file for connector-server. Content of the file, change path according where you have your connector server /etc/systemd/system/java-connector-server.service

[Unit]
Description=Java Connector Server Service
[Service]
User=connector-server
WorkingDirectory=/opt/connid-connector-server
ExecStart=/bin/bash /opt/connid-connector-server/bin/ConnectorServer.sh -run -properties /opt/connid-connector-server/conf/connectorserver.properties
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target

Reload, enable and start deamon. To control service use "systemctl start/stop/status java-connector-server".

systemctl daemon-reload
systemctl enable java-connector-server
systemctl start java-connector-server

All commands execute in root folder of remote connector server.

Start CMD under system admid. Then go to connector-server root directory. Setup connector-server key and install windows service(connector_server).

cd C:\connid-connector-server
bin\ConnectorServer.bat /setkey
bin\ConnectorServer.bat /install connector_server

Then start service in "services.msc". If connector_server service started correctly set this service to automatic start.

On the system tab we will create a new system. In the detail of this system, check option "Use remote connector server" and fill everything form field that system needed to connect to the remote system. For connection it is necessary to fill the host and port on which the connector is available on remote server. If server is secured by password you will need fill the password for connect to remote connector server. Password for connect will be stored in local confidential storage.

After saving all the necessary information to the remote connector of the server, we will go to the "Configurations" tab. From now will be available only connectors on the remote connector server. The functionality of the remote connector server can be verified as well as the functionality of the local connector - using the "Test connector".