This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview[1]
When iManager 2.7 is installed on a Linux server (non-OES), the Tomcat web service is used for HTTP/HTTPS. The [Imanager] service uses two sets of certificates to secure two different types of [SSL]/[TLS] traffic.
!! [LDAP] [Certificate]
The [LDAP] [Certificate] secures the traffic between [Imanager] and [EDirectory].
By default, when a user logs in, [Imanager] creates a secure [LDAP] connection to eDirectory. First it tries the JVM [keystore].
If that fails it tries the [Imanager] specific [keystore] located in /var/opt/novell/iManager/nps/WEB-INF/iMKS.
Using the default settings, iManager populates this [keystore] on-the-fly by importing the [eDirectory] Root [Certificate Authority] certificate. (This behavior can be changed via the /var/opt/novell/iManager/nps/WEB-INF/config.xml file.)
For more information please see the following:
* [http://support.novell.com/cgi-bin/search/searchtid.cgi?/7006113.htm]
* [https://www.netiq.com/documentation/imanager/]
!! [Tomcat] [Certificate]
The [Tomcat] [Certificate] and keystore are used for secure HTTPS traffic between a client web browser and [iManager]'s [Tomcat] service.
The [Tomcat] [Certificate] must be accepted by all client browsers connecting to [Imanager].
By default, a temporary certificate that is not signed by a CA is generated during the installation of [Imanager]. This temporary certificate has a CN of Temporary Certificate and an expiration date of one year.
We __recommend__ that you replace this certificate as soon as possible, before it expires.
Moreover, when configuring [iChain] to authenticate to iManager, a certificate chained to a CA must be used or the iChain-to-iManager authentication will fail.
There are multiple options for replacing the default temporary certificate that iManager/Tomcat initially uses. Among the more popular are:
* generating a public/private key pair within eDirectory using Novell Certificate Server
* buying a signed server certificate from one of the many certificate vendors. Instructions on how to use third-party certificates vary; refer to the specific vendor's website for more information.
* using an Enterprise-issued certificate that is trusted by all Enterprise browsers.
----
Some [Imanager] plug-ins require secure LDAP access to function properly.
Refer to the Novell documents for the current process.
NOTE: This should work for 2.5 and 2.6 also.
NOTE: [Imanager] Mobile uses the default JDK on the system.
Rather than importing individual server certificates, you may want to add the [Certificate Authority] (CA) certificate to the keystore; this instance of iManager will then work with all servers whose certificates are signed by that CA.
[Configuring iManager for SSL/TLS Connection to eDirectory|http://www.novell.com/documentation/imanager20/imanager20/data/am4ajce.html]
[iManager 2.6 docs|http://www.novell.com/documentation/imanager26/index.html?page=/documentation/imanager26/imanager_admin_26/data/bx8g5g8.html]
This is needed for some tasks in these roles; the known roles with tasks that require secure LDAP are:
* Dynamic Groups
* Passwords
On Solaris/Linux, iManager uses the keystore that is part of the JRE it installs on the server.
On __Solaris__, type:
{{{cd /opt/novell/jre/bin}}}
On __Linux__, type:
{{{cd /opt/novell/java/jre/bin}}}
Then execute this command to import the certificate into the web server's keystore:
{{{
./keytool -import -alias [alias_name] -file [full_path]/trustedrootcert.der -keystore [full_path]/jre/lib/security/cacerts
}}}
Here is an example of how to import several certificates into the same iManager instance:
{{{
for cert in ~/certs/*.der; do
    # use the file name (minus .der) as the keystore alias so each entry is distinct
    alias=$(basename "$cert" .der)
    ./keytool -import -alias "$alias" -file "$cert" -keystore [full_path]/jre/lib/security/cacerts
done
}}}
Here is example output from one such import:
{{{
# ./keytool -import -alias outlaw -file ~/certs/OUTLAW.der -keystore ../lib/security/cacerts
Enter keystore password: changeit
Owner: O=OUTLAW, OU=Organizational CA
Issuer: O=OUTLAW, OU=Organizational CA
Serial number: 21c11ece729bd11dba93ccc92194fa612e592514320e9c2f9e5547efac502020127
Valid from: Sat Sep 18 10:59:19 EDT 2004 until: Thu Sep 18 10:59:19 EDT 2014
Certificate fingerprints:
MD5: 24:4E:97:44:BE:91:BB:8F:87:DF:80:16:10:CA:9D:EA
SHA1: 69:71:F1:51:31:E1:C7:D9:C3:81:7D:42:F7:55:3F:4F:1B:5E:FA:DE
Trust this certificate? [no]: yes
Certificate was added to keystore
}}}
Once the certificates are imported, you should restart Tomcat. Note that the commands listed must be run as 'root' or via sudo.
!Solaris:
{{{
/var/opt/novell/tomcat4/bin/shutdown.sh
/var/opt/novell/tomcat4/bin/startup.sh
}}}
!Linux:
{{{
/etc/init.d/novell-tomcat4 stop
/etc/init.d/novell-tomcat4 start
}}}
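Tying the steps above together (change to the JRE bin directory, import each root CA into cacerts, restart Tomcat), here is an added example that is not part of the original page or of Novell's documentation. Unlike the interactive {{keytool -import}} shown above, it checks each certificate's SHA1 fingerprint against a value the administrator recorded out-of-band before trusting it, and it skips aliases that are already in the keystore, so it can be re-run safely. It assumes the Linux paths given on this page, the JRE default keystore password {{changeit}}, and a hypothetical manifest file with one {{<cert.der> <expected-sha1>}} entry per line.

```shell
#!/bin/sh
# Added example: not from the original page or the Novell/NetIQ documentation.
# Imports root CA certificates into the JRE cacerts keystore used by iManager,
# refusing any certificate whose SHA1 fingerprint does not match the value the
# administrator recorded out-of-band, then restarts Tomcat.
# Assumptions: the Linux paths from the page, the JRE default keystore password,
# and a hypothetical manifest file with one "<cert.der> <expected-sha1>" per line.

JRE_BIN="${JRE_BIN:-/opt/novell/java/jre/bin}"
KEYSTORE="${KEYSTORE:-/opt/novell/java/jre/lib/security/cacerts}"
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"   # JRE default; change it in production

# Normalise a fingerprint so "69:71:f1..." and "6971F1..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Extract the SHA1 fingerprint from `keytool -printcert` output read on stdin.
sha1_from_printcert() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1
}

# Succeed only when the SHA1 in the printcert output (stdin) equals $1.
fingerprint_matches() {
    actual=$(sha1_from_printcert)
    [ -n "$actual" ] && [ "$(normalize_fp "$actual")" = "$(normalize_fp "$1")" ]
}

# Keystore alias derived from the file name: /root/certs/OUTLAW.der -> outlaw
alias_for() {
    basename "$1" .der | tr '[:upper:]' '[:lower:]'
}

# Import one certificate only after its fingerprint has been verified.
import_trusted_cert() {
    cert="$1"; expected="$2"
    alias=$(alias_for "$cert")
    if ! "$JRE_BIN/keytool" -printcert -file "$cert" | fingerprint_matches "$expected"; then
        echo "REFUSING $cert: SHA1 fingerprint does not match the recorded value" >&2
        return 1
    fi
    # Idempotent: skip certificates that are already present under this alias.
    if "$JRE_BIN/keytool" -list -alias "$alias" -keystore "$KEYSTORE" \
            -storepass "$KEYSTORE_PASS" >/dev/null 2>&1; then
        echo "skipping $cert: alias '$alias' already in keystore"
        return 0
    fi
    # -noprompt is acceptable here only because the fingerprint was checked above.
    "$JRE_BIN/keytool" -import -noprompt -trustcacerts -alias "$alias" -file "$cert" \
        -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS"
}

# Process every "<cert-file> <expected-sha1>" line of the manifest.
import_from_manifest() {
    while read -r cert expected; do
        [ -n "$cert" ] && import_trusted_cert "$cert" "$expected"
    done < "$1"
}

# Tomcat must be restarted (as root) before the new trust anchors take effect.
restart_tomcat() {
    /etc/init.d/novell-tomcat4 stop
    /etc/init.d/novell-tomcat4 start
}

# Usage (as root): import-cas.sh /root/certs/fingerprints.txt
if [ "$#" -eq 1 ]; then
    import_from_manifest "$1" && restart_tomcat
fi
```

Recording the expected fingerprint separately from the certificate file is what makes the check meaningful: a certificate file that was swapped on the way to the server fails the comparison and is never added to the trust store, whereas answering "yes" at the interactive prompt verifies nothing unless the operator compares the fingerprint by hand.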
!! Category
%%category [eDirectory]%%
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Replacing default certificates in iManager 2.7 (non-OES install)|http://www.novell.com/support/kb/doc.php?id=3092268|target='_blank'] - based on 2015-03-12