SailPoint IdentityNow Active Directory Source TLS Configuration

Recently I needed to enable a SailPoint IdentityNow Active Directory Source to use TLS. Looking for information on how to complete this saw me read many articles in SailPoint Compass. However, none of them were written specifically for IdentityNow Active Directory Source TLS Configuration. Mostly they were for the IQService and Identity IQ. Putting pieces of this information together I got an existing Source (even though it is mentioned this shouldn’t work) updated and working for TLS.

I’m documenting this so the next time I need to do it and I find the process quickly, get it done and move on.

The high level process is;

  1. Logon to a Domain Controller in the Active Directory Domain you will be connecting to as a Source for IdentityNow
  2. Use Internet Explorer to export the Active Directory Trusted Root Cert
  3. Copy  the certificate to all IdentityNow Virtual Appliances
  4. Restart the CCG Process
  5. Configure your Active Directory Source TLS Configuration settings
  6. Test the connection and perform Aggregations

Active Directory Trusted Root Cert

Logon to a Domain Controller using an Admin account in the Active Directory Domain you will be connecting to as a Source for IdentityNow and;

  • from the Control Panel select Network and Internet => Internet Options
  • on the Content tab select Certificates
  • select the Trusted Root Certification Authorities tab
  • locate the certificate associated with the Active Directory you will be connecting to as an IdentityNow Source
  • select Export 

Export AD Trusted Root Cert

  • export the certificate in Base-64 encoded format

Import the Certificate to all Virtual Appliances

The certificate needs to be put on each Virtual Appliance in the ~/sailpoint/certificates directory. On each VA;

  • SSH into the Virtual Appliance Server
  • change to the certificates directory
  • open VI with the name that you want to give the certificate
    • vi ADProdTrustedRootCert.pem
    • press insert 
    • paste in your certificate (right click if using Putty) that you exported from the AD DC (open it in Notepad or similar on your host machine to copy the contents)
    • press escape to exit insert mode
    • enter :wq to write and quit vi

Virtual Appliance IdentityNow Active Directory Source TLS Configuration

  • restart the CCG process
    • sudo systemctl restart ccg
  • inspect the ccg-start.log to make sure the certificate was picked up and imported
    • cat /home/sailpoint/log/ccg-start.log

VA CCG Certificate Imported

IdentityNow Active Directory Source TLS Configuration

Finally, on the Active Directory Source under Admin => Connections => Sources in the IdentityNow Portal, edit the Forest and Domain configuration to enable TLS. Ensure that your configuration uses FQDN names and not hostnames or IP Addresses. I also needed to list the Domain Controllers to connect to on the Domain Configuration.

Test the connection and start aggregating.

IdentityNow Active Directory Source TLS Configuration

Summary

SailPoint IdentityNow Active Directory Source TLS Configuration is pretty straight forward (once you work out the process).