This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

The Identity Server uses the following key pairs for secure communication. In a production environment, you should exchange the key pairs that are created at installation time with certificates from a trusted Certificate Authority.
!!! [NAM|Novell Access Manager] Keystores
The Administration Console creates a keystore in the file system of the device that is assigned to the keystore.
* Linux Device: /opt/novell/devman/jcc/certs/<device>
* Windows Device: C:\Program Files\novell\devman\jcc\certs\<device>
!!!Identity Server Keystores
Access Manager creates the following keystores for each Identity Server cluster configuration.
!NIDP-signing
The test-signing key pair is used:
* by the various protocols to sign authentication requests
* to sign communication with providers on the [SOAP back-channel]
* to sign Web Service Provider profiles
The NIDP-signing keystore contains the certificate that is used for signing the assertion or specific parts of the assertion.
!NIDP-encryption
The NIDP-encryption keystore contains the certificate that is used to encrypt specific fields or data in assertions.
!NIDP-provider
The NIDP-provider keystore contains the certificate that you configure when you set up the Identity Server to provide introductions to service providers that are trusted members of a service domain. The subject name of this certificate needs to match the DNS name of the service domain.
!NIDP-consumer
The NIDP-consumer keystore contains the certificate that you configure when you set up the Identity Server to consume authentications provided by other identity providers that are trusted members of a service domain. The subject name of this certificate needs to match the DNS name of the service domain.
!!Access Gateway Keystores
Access Manager creates the following keystores for each Access Gateway or cluster.
!Signing
The Signing keystore contains the certificate that is used for signing the assertion or specific parts of the assertion.
!Encryption
The Encryption keystore contains the certificate that is used to encrypt specific fields or data in assertions.
!ESP Mutual SSL
The ESP Mutual SSL keystore contains the certificate that is used for SSL when you have established SSL communication between the Access Gateway and the Identity Server. The public key (trusted root) of the certificate authority that created the certificate needs to be in the Identity Server's trust store.
!Proxy Key Store
The Proxy Key Store keystore contains the certificate that is used for SSL when you have enabled SSL between a reverse proxy and the browsers. The public key (trusted root) of the certificate authority that created the certificate needs to be in the browser's trust store for the SSL connection to work without warnings. If you create multiple reverse proxies and enable them for SSL, each reverse proxy needs a certificate, and the subject name of the certificate needs to match the DNS name of the reverse proxy.
NOTE: The Proxy Key Store keystore does not use the default location; it is located in the /opt/novell/conf/keys directory.
!!J2EE Agent Keystores
Access Manager creates the following keystores for each J2EE Agent.
!Signing
The Signing keystore contains the certificate that is used for signing the assertion or specific parts of the assertion.
!Encryption
The Encryption keystore contains the certificate that is used to encrypt specific fields or data in assertions.
!ESP Mutual SSL
The ESP Mutual SSL keystore contains the certificate that is used for SSL, when you have established SSL communication between the J2EE agent and the Identity Server. The public key (trusted root) of the certificate authority that created the certificate needs to be in the Identity Server’s trust store.
!!SSL VPN Keystores
Access Manager creates the following keystores for each SSL VPN server or cluster.
!Signing
The Signing keystore contains the certificate that is used for signing the assertion or specific parts of the assertion.
!Encryption
The Encryption keystore contains the certificate that is used to encrypt specific fields or data in assertions.
!ESP Mutual SSL
The ESP Mutual SSL keystore contains the certificate that is used for SSL when you have established SSL communication between the ESP-enabled SSL VPN server and the Identity Server. The public key (trusted root) of the certificate authority that created the certificate needs to be in the Identity Server’s trust store.
!SSLVPN Secure Tunnel
The SSLVPN Secure Tunnel keystore contains the certificate that encrypts the data exchanged between SSL VPN client and the SSL VPN server, after the SSL VPN connection is made.
NOTE: This keystore does not use the default location; it is located in the /etc/opt/novell/sslvpn/certs directory.
!SSL Connector
The SSL Connector keystore contains the certificate that encrypts authentication information between the SSL VPN client browser and the SSL VPN server.
!!Keystores When Multiple Devices Are Installed on the Administration Console
Access Manager creates the following keystore when the Identity Server and the SSL VPN server are installed on the Administration Console.
!COMMON_TOMCAT_CLUSTER
The COMMON_TOMCAT_CLUSTER keystore contains the certificate that is used for SSL connections.
The location of this keystore depends upon which device was installed last, the Identity Server or the SSL VPN server:
* If the Identity Server was installed last, it is in the idp directory.
* If the SSL VPN server was installed last, it is in the sslvpn directory.
!!AKA
Why Novell cannot use a consistent name is beyond me. The names I have found are:
%%zebra-table
%%sortable
%%table-filter
||File System||Under Certificates||Admin Console||Description
|connector.keystore|NIDP-connector|SSL Certificate|Displays the SSL connector keystore. Click this option to access the keystore and replace the SSL certificate as necessary. This certificate is used for SSL connections.
|signing.keystore|NIDP-signing|Signing|Displays the signing certificate keystore. Click this option to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the assertion or specific parts of the assertion.
|encryption.keystore|NIDP-encryption|Encryption|Displays the encryption certificate keystore. The encryption certificate is used to encrypt specific fields or data in the assertions.
|truststore.keystore|NIDP-provider|Provider|Displays the identity provider keystore. Click this option to access the keystore and replace the identity provider certificate.
|provider.keystore|NIDP-consumer|Consumer|Displays the identity consumer keystore. Click this option to access the keystore and replace the identity consumer certificate as necessary.
|not known|Administration Console|Administration Console|Certificate used by the Admin Console. AFAIK, if the IDP and the Admin Console are on the same box, they run on the same port as the IDP communications and therefore will use the same certificate. This will be the certificate that is displayed to the browsers.
/%
/%
/%
!IDP Keystore File System Locations
On the IDP Servers, the certificate keystores are at:
{{{
/opt/novell/devman/jcc/certs/idp/
}}}
!Names used in Admin Console:
* Identity Servers -> Edit -> General -> Name -> SSL Certificate
* Identity Servers -> Edit -> General -> Identity Provider -> SSL Certificate
* Identity Servers -> Edit -> General -> Identity Consumer -> SSL Certificate
* Identity Servers -> Edit -> Security -> Keys and Certificates:
** Encryption - NIDP-encryption
** Signing - NIDP-signing
** SSL - NIDP-connector
** Provider - NIDP-connector
** Consumer - NIDP-connector
* Identity Servers -> Edit -> Security -> Trust Stores:
** NIDP Trust Store - NIDP-truststore
** OCSP Trust Store - NIDP-truststore
!!Certificate Issues with NAM
Occasionally we have seen certificates get "stuck" and not be properly replaced within the IDPs. Novell support provided the following instructions to correct this condition:
* Remove or move the certificate keystore out of the /opt/novell/devman/jcc/certs/idp(id)/ directory on the IDP Servers (if there are multiple ID numbers in the /opt/novell/devman/jcc/certs/idp directory, look in the Admin Console -> Auditing -> General logging, and locate the appropriate ID number for the IDP)
* From the Admin Console, go to Access Manager > Auditing > Troubleshooting > Certificates
* Select all the certificates for the agent and Re-push the certificates
* Restart the IDP.
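To see what actually sits in signing.keystore (or any other file under /opt/novell/devman/jcc/certs/idp/) before and after the re-push, the following added example (not Novell code) lists the entries of a keystore file. It assumes the files are Java JKS keystores, which store certificates unencrypted, so aliases, creation timestamps and SHA-256 fingerprints can be read without the keystore password; the sample certificate bytes and password in the fixture are constructed.

```python
import hashlib
import io
import struct
from datetime import datetime, timezone

JKS_MAGIC, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 1, 2
SALT = b"Mighty Aphrodite"  # fixed string JKS mixes into its integrity digest

def _utf(s):  # Java-style string: 2-byte length prefix then the bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_jks(entries, password, ts_ms=1700000000000):
    # Test fixture only: serialise (alias, tag, cert_der, key_blob) tuples as JKS version 2.
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, tag, cert_der, key_blob in entries:
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", ts_ms)
        if tag == PRIVATE_KEY:  # encrypted key blob, then a one-certificate chain
            body += struct.pack(">I", len(key_blob)) + key_blob + struct.pack(">I", 1)
        body += _utf("X.509") + struct.pack(">I", len(cert_der)) + cert_der
    return body + hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def verify_integrity(data, password):
    # The trailing SHA-1 is the only part that needs the password; it catches truncation or edits.
    return hashlib.sha1(password.encode("utf-16-be") + SALT + data[:-20]).digest() == data[-20:]

def read_jks(data):
    # One dict per entry. JKS stores certificates in the clear, so no password is needed.
    buf = io.BytesIO(data)
    def take(fmt):  # one big-endian field: H = u16, I = u32, Q = u64
        return struct.unpack(">" + fmt, buf.read(struct.calcsize(fmt)))[0]
    if take("I") != JKS_MAGIC or take("I") != 2:
        raise ValueError("not a JKS version 2 keystore")
    count, entries = take("I"), []
    for _ in range(count):
        tag = take("I")
        alias = buf.read(take("H")).decode()
        created = datetime.fromtimestamp(take("Q") / 1000, timezone.utc)
        if tag == PRIVATE_KEY:
            buf.read(take("I"))  # encrypted PKCS#8 private key: skipped
        elif tag != TRUSTED_CERT:
            raise ValueError(f"unknown entry tag {tag} for alias {alias}")
        chain = []
        for _ in range(take("I") if tag == PRIVATE_KEY else 1):
            buf.read(take("H"))  # certificate type, normally "X.509"
            chain.append(buf.read(take("I")))
        entries.append({"alias": alias, "tag": tag, "created": created,
                        "cert_sha256": hashlib.sha256(chain[0]).hexdigest()})
    return entries
```

Run read_jks over each *.keystore file on the IDP and compare the fingerprint and created timestamp with the certificate shown in the Admin Console; if neither changed after the re-push, the old certificate is still in place.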
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]