By default, when a user logs in, iManager creates a secure LDAP connection to eDirectory. First it tries the JVM keystore.
If that fails, it tries the iManager-specific keystore located in /var/opt/novell/iManager/nps/WEB-INF/iMKS.
Using the default settings, iManager populates this keystore on-the-fly by importing the eDirectory Root CA certificate. (This behavior can be changed via the /var/opt/novell/iManager/nps/WEB-INF/config.xml file.)
For more information please see the following:
By default, a temporary non-CA-signed certificate is generated during the installation of iManager. This temporary certificate is not signed by a CA, has a CN of Temporary Certificate, and has an expiration date of one year.
We recommend you replace this certificate as soon as possible prior to its expiration.
Moreover, when configuring iChain to authenticate to iManager a certificate chained to a CA must be used or the iChain to iManager authentication will fail.
There are multiple options for replacing the default temporary certificate initially used in iManager\Tomcat. Among the more popular are:
- generate a public and private key within eDirectory using Novell Certificate Server
- buy a signed server certificate from one of the many certificate vendors. Instructions on how to use 3rd-party certificates vary; refer to the specific vendor's website for more information.
- use an enterprise-issued certificate that is accepted by all enterprise browsers.
Some iManager plug-ins require secure LDAP access to function properly.
Refer to Novell documents for the current process.
NOTE: This should work for 2.5 and 2.6 also.
NOTE: iManager Mobile uses the default JDK on the system.
You may want to do this and add the Certificate Authority (CA) certificate to the keystore; this instance of iManager will then work for all servers whose certificates are signed by that CA.
This is needed to use some tasks in these roles; here are the known roles that have tasks that require secure LDAP:
- Dynamic Groups
On Solaris, type:
On Linux, type:
Then execute this command to import the certificate into the web server's keystore:
./keytool -import -alias [alias_name] -file [full_path]/trustedrootcert.der -keystore [full_path]/jre/lib/security/cacerts
Here is an example of how to import several certificates into the same iManager instance:
for cert in ~/certs/*.der; do
    # one alias per file (keytool refuses to reuse an alias that already exists in the keystore)
    ./keytool -import -alias "$(basename "$cert" .der)" -file "$cert" -keystore [full_path]/jre/lib/security/cacerts
done
Here is the example output from one such import:
# ./keytool -import -alias outlaw -file ~/certs/OUTLAW.der -keystore ../lib/security/cacerts
Enter keystore password: changeit
Owner: O=OUTLAW, OU=Organizational CA
Issuer: O=OUTLAW, OU=Organizational CA
Serial number: 21c11ece729bd11dba93ccc92194fa612e592514320e9c2f9e5547efac502020127
Valid from: Sat Sep 18 10:59:19 EDT 2004 until: Thu Sep 18 10:59:19 EDT 2014
Certificate fingerprints:
MD5: 24:4E:97:44:BE:91:BB:8F:87:DF:80:16:10:CA:9D:EA
SHA1: 69:71:F1:51:31:E1:C7:D9:C3:81:7D:42:F7:55:3F:4F:1B:5E:FA:DE
Trust this certificate? [no]: yes
Certificate was added to keystore
Once the certificates are imported, you should restart Tomcat. Note that the commands listed must be run as 'root' or via sudo.
/etc/init.d/novell-tomcat4 stop
/etc/init.d/novell-tomcat4 start
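The import loop above answers "yes" to every "Trust this certificate?" prompt, so nothing checks that the DER file really is the CA you meant to trust. The script below is an added example (not from the original article or from Novell): it imports each CA certificate under an alias derived from its file name, skips aliases already present, and refuses any certificate whose SHA1 fingerprint does not match the value you obtained from the CA administrator. It assumes keytool is on PATH, the keystore is at $JAVA_HOME/jre/lib/security/cacerts unless KEYSTORE is set, and a constructed manifest file listing "path expected-sha1" pairs.

```shell
#!/bin/sh
# Added example: fingerprint-checked import of CA certificates into the JVM cacerts keystore.
# Assumptions: keytool on PATH; KEYSTORE/STOREPASS may be overridden in the environment.
KEYSTORE="${KEYSTORE:-$JAVA_HOME/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # Java's well-known default; change it on production keystores

# Derive the keystore alias from the file name: ~/certs/OUTLAW.der -> outlaw.
# keytool aliases are case-insensitive, so lowercasing keeps them predictable.
cert_alias() {
    basename "$1" .der | tr 'A-Z' 'a-z'
}

# Normalize a fingerprint for comparison: strip colons and spaces, lowercase.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-Z' 'a-z'
}

# Succeeds when two fingerprints denote the same value regardless of formatting.
fingerprint_matches() {
    [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# SHA1 fingerprint of a DER certificate as printed by "keytool -printcert".
cert_sha1() {
    keytool -printcert -file "$1" | awk '/SHA1:/ { print $2; exit }'
}

# Import one CA certificate: skip if the alias exists, refuse on fingerprint mismatch.
import_ca_cert() {
    cert="$1"; expected="$2"; alias="$(cert_alias "$cert")"
    if keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$alias" >/dev/null 2>&1; then
        echo "skip: alias '$alias' already present in $KEYSTORE"; return 0
    fi
    actual="$(cert_sha1 "$cert")"
    if ! fingerprint_matches "$actual" "$expected"; then
        echo "refuse: $cert SHA1 $actual does not match expected $expected" >&2; return 1
    fi
    keytool -import -noprompt -alias "$alias" -file "$cert" -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Usage: import-cas.sh manifest.txt   (constructed manifest: "<der path> <expected SHA1>" per line)
if [ -n "${1:-}" ]; then
    while read -r cert expected; do
        [ -n "$cert" ] && import_ca_cert "$cert" "$expected"
    done < "$1"
    echo "done; restart Tomcat so iManager picks up the new trust anchors"
fi
```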
More Information
There might be more information for this subject on one of the following:
- [#1] - Replacing default certificates in iManager 2.7 (non-OES install) - based on 2015-03-12