Importing Certificates into the Okta Provisioning Agent
Okta Classic Engine
Okta Identity Engine
Lifecycle Management
Overview

The Okta Provisioning Agent uses certificates to establish secure communication between the agent and SCIM server. In certain situations, importing certificates into the Okta Provisioning Agent's certificate trust store may be needed for the connection to succeed. This can be useful in situations where a SCIM server is not returning a complete certificate chain or self-signed certificates are being used.

Applies To
  • On-Premise Provisioning
  • Okta Provisioning Agent
  • Windows Server
  • Linux
Solution

Certificates can be imported into the Okta Provisioning Agent's certificate store by following the steps below:

Linux

  1. Stop the Okta Provisioning Agent service.
  2. Export the public certificate from the certificate authority, SCIM server, or web browser. This is the certificate used by the SCIM server.
  3. Copy the certificate to the Linux server where the OPP Agent is installed.
  4. Run a command similar to the following as root or as a sudo user with admin privileges: /opt/OktaProvisioningAgent/jre/bin/keytool -import -file <Path to public certificate> -alias my_cert -keystore /opt/OktaProvisioningAgent/jre/jre/lib/security/cacerts
    1. Fill in the correct information for this command, depending on where the certificate is stored. For example: /opt/OktaProvisioningAgent/jre/bin/keytool -import -file /home/admin/server.crt -alias my_cert -keystore /opt/OktaProvisioningAgent/jre/jre/lib/security/cacerts
  5. Type in the Java keystore password. By default, this is changeit.
  6. Import additional certificates as desired. Please note that each certificate must have a unique alias name. For example, my_cert1, my_cert2, etc.
  7. Restart the Okta Provisioning Agent service and test SCIM connectivity.

Windows

  1. Stop the Okta Provisioning Agent service.
  2. Export the public certificate from the certificate authority, SCIM server, or web browser. This is the certificate used by the SCIM server.
  3. Copy the certificate to the Windows server where the OPP Agent is installed.
  4. Run a command similar to the following as a user with admin privileges: "C:\Program Files\Okta\On-Premises Provisioning Agent\current\jre\bin\keytool.exe" -import -file <Path to public certificate> -alias my_cert -keystore "C:\Program Files\Okta\On-Premises Provisioning Agent\current\jre\lib\security\cacerts"
    1. Fill in the correct information for this command, depending on where the certificate is stored. For example: "C:\Program Files\Okta\On-Premises Provisioning Agent\current\jre\bin\keytool.exe" -import -file C:\server.crt -alias my_cert -keystore "C:\Program Files\Okta\On-Premises Provisioning Agent\current\jre\lib\security\cacerts"
  5. Type in the Java keystore password. By default, this is changeit.
  6. Import additional certificates as desired. Please note that each certificate must have a unique alias name. For example, my_cert1, my_cert2, etc.
  7. Restart the Okta Provisioning Agent service and test SCIM connectivity.
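As an added example, not code from Okta's article or from the agent itself: a small Python helper for the procedure above that refuses to import a certificate unless its SHA-256 fingerprint matches a value confirmed with the SCIM server's owner out of band (importing into cacerts makes the agent trust that certificate outright), picks an alias not already in the keystore, and runs the article's keytool command for the current OS. The paths and the default password changeit are the article's; the function names and SAMPLE_LISTING are assumptions.

```python
import hashlib
import platform
import ssl
import subprocess

# Bundled-JRE locations from the article; SAMPLE_LISTING is a constructed `keytool -list` excerpt.
LINUX_JRE = "/opt/OktaProvisioningAgent/jre"
WIN_JRE = r"C:\Program Files\Okta\On-Premises Provisioning Agent\current\jre"
SAMPLE_LISTING = "my_cert, Jan 5, 2024, trustedCertEntry,\nmy_cert1, Jan 5, 2024, trustedCertEntry,\n"  # constructed

def agent_paths(system=None):
    """(keytool, cacerts) for the agent's bundled JRE on the given (or current) OS."""
    if (system or platform.system()) == "Windows":
        return WIN_JRE + r"\bin\keytool.exe", WIN_JRE + r"\lib\security\cacerts"
    return LINUX_JRE + "/bin/keytool", LINUX_JRE + "/jre/lib/security/cacerts"

def sha256_fingerprint(pem):
    """SHA-256 fingerprint of a PEM certificate, colon-separated the way keytool prints it."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def existing_aliases(listing):
    """Alias names already in the keystore, parsed from non-verbose `keytool -list` output."""
    return {line.split(",")[0].strip() for line in listing.splitlines() if "trustedCertEntry" in line}

def unique_alias(base, taken):
    """Each imported certificate needs its own alias: my_cert, my_cert1, my_cert2, ..."""
    alias, n = base, 0
    while alias in taken:
        n += 1
        alias = f"{base}{n}"
    return alias

def import_command(keytool, cacerts, cert_path, alias, password="changeit"):
    """The article's keytool command; -noprompt skips the interactive 'Trust this certificate?'."""
    return [keytool, "-import", "-noprompt", "-file", cert_path, "-alias", alias,
            "-keystore", cacerts, "-storepass", password]

def import_pinned_cert(cert_path, expected_fp, base_alias="my_cert", password="changeit"):
    """Import cert_path only if its fingerprint matches the value confirmed with the SCIM server owner."""
    with open(cert_path) as fh:
        actual = sha256_fingerprint(fh.read())
    if actual.replace(":", "") != expected_fp.replace(":", "").upper():
        raise ValueError(f"refusing to trust {cert_path}: fingerprint is {actual}")
    keytool, cacerts = agent_paths()
    cmd = [keytool, "-list", "-keystore", cacerts, "-storepass", password]
    listing = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    alias = unique_alias(base_alias, existing_aliases(listing))
    subprocess.run(import_command(keytool, cacerts, cert_path, alias, password), check=True)
    return alias  # e.g. "my_cert2" when my_cert and my_cert1 are already present
```

Stop the agent service before calling import_pinned_cert and restart it afterwards, as in the steps above; keytool -list with -v prints each entry's fingerprint if you want to confirm the import.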

For complete documentation on the JRE "keytool" program, please refer to the Oracle documentation below.

Lastly, it is not recommended to use self-signed certificates in a production environment. While the steps above can assist with remediating an issue where the Okta Provisioning Agent is failing due to a self-signed certificate, it is recommended to address the root cause as well and ensure that all production SCIM servers have signed certificates.
