This page is a work in progress and might contain errors or lack some steps.
The OpenDJ account change handler is an OpenDJ plugin and a remote OpenIDM agent. The plugin can be installed into an OpenDJ 2.4.1 or newer server to notify OpenIDM 2.0.0 or 2.1.0 when the password of an account has been updated.
An OpenDJ server can have the same plugin configured multiple times, and each handler configuration has to be assigned to a password policy. This makes it possible to have a different configuration, for example, per group or per root context.
The communication between OpenDJ and OpenIDM is secured in multiple ways: the plugin uses mutual authentication, the transport is secured with HTTPS, and the message itself is encrypted with a public key, so only OpenIDM can decrypt the payload. The plugin uses the JSON Patch format to update the managed object in OpenIDM.
Install OpenDJ by following the Install Guide.
If you want to enable remote debugging, change the Server Runtime Settings to:
-server -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005
Install and configure
Before you install the plugin, stop the OpenDJ instance:
Download the OpenIDM Agents - OpenDJ archive from the download site, extract it, and copy the content of the opendj directory into the OpenDJ installation directory.
Update the configuration by appending the plugin configuration to config.ldif:
(Make sure there is one empty line between the last entry in config.ldif and the newly added entry. You may want to change the default configuration first, but you can also do it afterwards with dsconfig.)
The certificate of the OpenIDM PasswordSync service needs to be installed into the truststore, and the client certificate and private key need to be installed into the keystore.
The archive comes with some sample keys, but you can generate and use your own.
Certificate and public key exchange
To secure the communication between OpenDJ and OpenIDM, certificates have to be shared between the two servers. If OpenDJ is configured for LDAPS, the setup wizard generates the required keystore files in the config folder and configures the key managers.
Two keys MUST be shared between OpenIDM and OpenDJ before the server is started.
By default the OpenIDM server opens an HTTPS listener on port 8444 and picks the first private key, "openidm-localhost", from the configured keystore. The plugin connects to this port, so the OpenDJ truststore MUST contain this certificate. The certificate is exported to the openidm/samples/security/openidm-localhost-cert.txt file.
The OpenDJ plugin uses a private key to encrypt the message before sending it to OpenIDM. The alias of this private key is configured with the ds-cfg-ssl-cert-nickname property. When OpenIDM decrypts the message it needs the corresponding public key, which MUST be imported into the security/keystore.jceks file under the same alias that is configured in ds-cfg-realm.
How to generate and configure new self-signed certificate
Create a private key for the certificate (Optional if LDAPS is configured):
In this case, the value of the -dname argument should be changed so that it is suitable for your environment.
You will be interactively prompted for both a password to protect the contents of the keystore and a password to protect the private key. Both passwords should be the same.
Generate a self-signed certificate for the key with the command (Optional if LDAPS is configured):
When you are prompted for the keystore password, enter the same password that you provided previously.
Create a text file, config/keystore.pin, containing the keystore password (Optional if LDAPS is configured):
The file should only contain the password that you chose to protect the contents of the keystore.
Export the public key for the certificate that you just created:
Import the exported public key and certificate into the OpenIDM truststore (this allows OpenDJ to mutually authenticate using its private key):
Export the public key for the PasswordSync Service certificate from the OpenIDM keystore (you can use openidm/samples/security/openidm-localhost-cert.txt):
Create a new truststore and/or import the server certificate into the OpenDJ truststore (the plugin uses this key to encrypt the message):
Type yes when you are prompted about whether you want to trust the certificate.
Make sure all certificates and the private key are in place:
If you don't use LDAPS, you need to enable the two key managers in config/config.ldif:
dn: cn=JKS,cn=Key Manager Providers,cn=config
dn: cn=JKS,cn=Trust Manager Providers,cn=config
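The certificate exchange above, scripted as an added example (this is not part of the original page or of the plugin distribution). It is meant to be run from the OpenDJ instance directory with a JDK keytool on the PATH. The store paths, the output file name, the subject DN in -dname, the server-cert and realm-key aliases and the OpenIDM store locations are assumptions chosen for illustration; keystore.jceks, openidm-localhost-cert.txt and the openidm-localhost alias come from the page. The OpenDJ certificate is imported twice on the OpenIDM side, once into the truststore for mutual authentication and once into keystore.jceks under the alias that ds-cfg-realm names, as the page requires.

```shell
#!/bin/sh
# Added example (not the page's or the plugin's own code): scripted certificate
# exchange between an OpenDJ instance and OpenIDM using keytool.
# All paths and aliases below are assumptions; override them via the environment.

OPENDJ_KEYSTORE=${OPENDJ_KEYSTORE:-config/keystore}       # assumed OpenDJ key store (JKS)
OPENDJ_TRUSTSTORE=${OPENDJ_TRUSTSTORE:-config/truststore} # assumed OpenDJ trust store (JKS)
OPENDJ_PIN=${OPENDJ_PIN:-config/keystore.pin}             # password file from the page
OPENDJ_CERT_OUT=${OPENDJ_CERT_OUT:-config/opendj-cert.pem} # assumed export file name
OPENDJ_ALIAS=${OPENDJ_ALIAS:-server-cert}                 # assumed value for ds-cfg-ssl-cert-nickname
REALM_ALIAS=${REALM_ALIAS:-realm-key}                     # assumed value for ds-cfg-realm
IDM_TRUSTSTORE=${IDM_TRUSTSTORE:-openidm/security/truststore}        # assumed OpenIDM trust store
IDM_KEYSTORE=${IDM_KEYSTORE:-openidm/security/keystore.jceks}        # from the page
IDM_CERT=${IDM_CERT:-openidm/samples/security/openidm-localhost-cert.txt} # from the page
IDM_ALIAS=${IDM_ALIAS:-openidm-localhost}                             # from the page

# Steps 1-3: private key, self-signed certificate and keystore.pin.
# $1 = keystore password; the key password is set to the same value, as the page requires.
create_opendj_key() {
  mkdir -p "$(dirname "$OPENDJ_KEYSTORE")" || return 1
  keytool -genkeypair -alias "$OPENDJ_ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=opendj.example.com, O=Example, C=US" \
    -keystore "$OPENDJ_KEYSTORE" -storetype JKS -storepass "$1" -keypass "$1" || return 1
  printf '%s\n' "$1" > "$OPENDJ_PIN" && chmod 600 "$OPENDJ_PIN"
}

# Steps 4-5: export the OpenDJ certificate and install it on the OpenIDM side,
# in the truststore (mutual TLS) and in keystore.jceks under the ds-cfg-realm alias.
# $1 = OpenDJ keystore password, $2 = OpenIDM store password.
export_opendj_cert_to_idm() {
  keytool -exportcert -rfc -alias "$OPENDJ_ALIAS" -keystore "$OPENDJ_KEYSTORE" \
    -storetype JKS -storepass "$1" -file "$OPENDJ_CERT_OUT" || return 1
  mkdir -p "$(dirname "$IDM_TRUSTSTORE")" "$(dirname "$IDM_KEYSTORE")" || return 1
  keytool -importcert -noprompt -alias "$OPENDJ_ALIAS" -file "$OPENDJ_CERT_OUT" \
    -keystore "$IDM_TRUSTSTORE" -storetype JKS -storepass "$2" || return 1
  keytool -importcert -noprompt -alias "$REALM_ALIAS" -file "$OPENDJ_CERT_OUT" \
    -keystore "$IDM_KEYSTORE" -storetype JCEKS -storepass "$2"
}

# Steps 6-7: trust the OpenIDM PasswordSync certificate on the OpenDJ side.
# $1 = OpenDJ truststore password.
import_idm_cert_to_opendj() {
  mkdir -p "$(dirname "$OPENDJ_TRUSTSTORE")" || return 1
  keytool -importcert -noprompt -alias "$IDM_ALIAS" -file "$IDM_CERT" \
    -keystore "$OPENDJ_TRUSTSTORE" -storetype JKS -storepass "$1"
}

# Step 8: verify an alias is present; keytool exits non-zero when it is missing.
# $1 = store file, $2 = store password, $3 = alias, $4 = store type (default JKS)
store_has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" \
    -storetype "${4:-JKS}" >/dev/null 2>&1
}

# Typical run (uncomment; prompts are avoided by passing the passwords explicitly):
# create_opendj_key "$OPENDJ_STOREPASS" \
#   && export_opendj_cert_to_idm "$OPENDJ_STOREPASS" "$IDM_STOREPASS" \
#   && import_idm_cert_to_opendj "$OPENDJ_STOREPASS" \
#   && store_has_alias "$OPENDJ_TRUSTSTORE" "$OPENDJ_STOREPASS" "$IDM_ALIAS"
```

After the run, set ds-cfg-ssl-cert-nickname to the alias used for the OpenDJ key and ds-cfg-realm to the alias used in keystore.jceks, then restart OpenDJ; the listing function is the scripted form of the "make sure everything is in place" check above.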
To get more details, you can enable the debug logger:
dn: cn=File-Based Debug Logger,cn=Loggers,cn=config
cn: File-Based Debug Logger
Customize the configuration of the Notification Handler.
You have configured the Password notification handler.
default value: password
default value: for-username
Specifies the attribute types that this plug-in will send along with the password change.
Specifies the log file location where the changed passwords are written when the plug-in cannot contact OpenIDM.
If this value is 0, then the updates are made synchronously in the foreground.
Specifies the nickname (also called the alias) of the certificate that the plug-in will use when performing SSL communication.
The alias of the private key that should be used to decrypt the session key.
The subject dn of the certificate that should be used to encrypt the session key.
Specifies the name of the key manager that is used.
Specifies the name of the trust manager that is used.
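The two settings just described (a private key alias that decrypts the session key and a certificate that encrypts it) describe a session-key scheme: the payload is encrypted with a fresh symmetric key and only that key is wrapped with the recipient's public key. The following added example, which is not the plugin's code and does not reproduce its actual wire format, walks through that scheme with the openssl command line on a constructed JSON Patch document like the one the plugin sends. The cipher choices (RSA-OAEP for the session key, AES-256-CBC for the payload), the stand-in certificate subject and all file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the plugin's own code): a session-key scheme of the kind the
# handler settings describe, done with the openssl CLI in a scratch directory.
# Algorithms, subject name and file names are assumptions chosen for illustration.

# Stand-in for the OpenIDM identity: an RSA key pair and a self-signed certificate.
# $1 = working directory
make_idm_identity() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/idm.key" 2>/dev/null || return 1
  openssl req -new -x509 -key "$1/idm.key" -subj "/CN=openidm-localhost" \
    -days 365 -out "$1/idm.crt" 2>/dev/null
}

# Sender side (the role of the OpenDJ plugin): draw a random session key, encrypt
# the JSON Patch with it, then wrap the session key with the public key taken from
# the recipient's certificate. The plaintext session key is discarded afterwards.
# $1 = working directory, $2 = plaintext file
encrypt_for_idm() {
  openssl rand -hex 32 > "$1/session.key" || return 1   # 256-bit AES key as hex
  openssl rand -hex 16 > "$1/payload.iv" || return 1    # 128-bit CBC IV as hex
  openssl enc -aes-256-cbc -K "$(cat "$1/session.key")" -iv "$(cat "$1/payload.iv")" \
    -in "$2" -out "$1/payload.enc" || return 1
  openssl pkeyutl -encrypt -certin -inkey "$1/idm.crt" -pkeyopt rsa_padding_mode:oaep \
    -in "$1/session.key" -out "$1/session.key.enc" || return 1
  rm -f "$1/session.key"
}

# Receiver side (the role of OpenIDM): unwrap the session key with the private key
# that the "decrypt the session key" alias points at, then decrypt the payload.
# $1 = working directory, $2 = output file
decrypt_at_idm() {
  openssl pkeyutl -decrypt -inkey "$1/idm.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$1/session.key.enc" -out "$1/session.key.dec" || return 1
  openssl enc -d -aes-256-cbc -K "$(cat "$1/session.key.dec")" -iv "$(cat "$1/payload.iv")" \
    -in "$1/payload.enc" -out "$2"
}

# Full round trip on a constructed JSON Patch. Returns 0 when the receiver recovers
# the original document and the ciphertext on the wire differs from it.
session_key_roundtrip() {
  work=$(mktemp -d) || return 1
  printf '%s\n' '[{"op":"replace","path":"/password","value":"<constructed value>"}]' \
    > "$work/patch.json"
  make_idm_identity "$work" \
    && encrypt_for_idm "$work" "$work/patch.json" \
    && decrypt_at_idm "$work" "$work/patch.out" \
    && [ "$(cat "$work/patch.json")" = "$(cat "$work/patch.out")" ] \
    && [ "$(cat "$work/payload.enc")" != "$(cat "$work/patch.json")" ]
  status=$?
  rm -rf "$work"
  return $status
}

# Usage: session_key_roundtrip && echo "round trip ok"
```

The point of the split is operational: the certificate (public key) can be handed to every OpenDJ instance freely, while the private key that unwraps session keys never leaves the OpenIDM keystore, which is why the handler configuration names them separately.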
Start the OpenDJ instance:
You should notice a line like this in logs/server:
 category=EXTENSIONS severity=INFORMATION msgID=1049147 msg=Loaded extension from file '.../OpenDJ-2.4.0/lib/extensions/openidm-account-status-notification-handler.jar' (build <unknown>, revision <unknown>)
Activate the plugin so that password changes are captured and processed by it:
Test REST Service
Connect as cn=Directory Manager:
Connect as user: