Importing Certificates In Imanager


When iManager 2.7 is installed on a Linux server (non-OES) Tomcat web service is used for HTTP\HTTPs . The Imanager service uses two sets of certificates for securing two different types of SSL/TLS traffic.

LDAP Certificate#

The LDAP Certificate secures the Imanager and EDirectory.

By default, when a user logs in, Imanager will create a secure LDAP connection to eDirectory. First it will try the the JVM keystore.

If that fails it tries the Imanager specific keystore located in /var/opt/novell/iManager/nps/WEB-INF/iMKS.

Using the default settings, iManager populates this keystore on-the-fly by importing the eDirectory Root Certificate Authority certificate. (This behavior can be changed via the /var/opt/novell/iManager/nps/WEB-INF/config.xml file.)

For more information please see the following:

Tomcat Certificate.#

The Tomcat Certificate and keystore are used for secure HTTPS traffic between a client web browser and iManager's Tomcat service.

The Tomcat Certificate must be accepted by all client browsers connecting to Imanager.

By default, a temporary non-CA signed certificate is generated during the installation of Imanager. The temporary non-CA signed certificate is not signed and has a CN of Temporary Certificate and an expiration date of one year.

We recommend you replace this certificate as soon as possible prior to its expiration.

Moreover, when configuring iChain to authenticate to iManager a certificate chained to a CA must be used or the iChain to iManager authentication will fail.

There are multiple options for replacing the default temporary certificate initially used in iManager\Tomcat. Among the more popular are:

  • generating a public and private key within eDirectory using Novell Certificate Server
  • buy a signed server certificate from one of the many certificate vendors. Instructions on how to use 3rd party certificates vary. Please refer to the specific vendor website for more information.
  • Use a Enterprise Issued Certificate that is accepted by all Enterprise Browsers.

Some Imanager plug-ins require secure LDAP access to function properly.

Refer to Novell documents for the current process

NOTE: This should work for 2.5 and 2.6 also.

NOTE: Imanager Mobile uses the default JDK on the system.

You may want to do this and add the Certificate Authority (CA) to the Keystore then this instance of iManager will work for all servers signed by the CA.

Configuring iManager for SSL/TLS Connection to eDirectory

iManager 2.6 docs

This is needed to use some tasks in these roles; here are the known roles that have tasks that require secure LDAP:

  • Dynamic Groups
  • Passwords
On Solaris/Linux, iManager uses the keystore that is part of the JRE it installs on the server.

On Solaris, type:

cd /opt/novell/jre/bin

On Linux, type:

cd /opt/novell/java/jre/bin

Then execute this command to import the certificate into the web server's keystore:

./keytool -import -alias [alias_name] -file [full_path]/trustedrootcert.der -keystore [full_path]/jre/lib/security/cacerts

Here is an example of how to import several certificates into the same iManager instance:

for cert in `ls -1 ~/certs/*.der`; do
./keytool -import -alias [alias_name] -file [full_path]/trustedrootcert.der -keystore [full_path]/jre/lib/security/cacerts

Here is the example output from one such import:

# ./keytool -import -alias outlaw -file ~/certs/OUTLAW.der -keystore ../lib/security/cacerts 
Enter keystore password:  changeit
Owner: O=OUTLAW, OU=Organizational CA
Issuer: O=OUTLAW, OU=Organizational CA
Serial number: 21c11ece729bd11dba93ccc92194fa612e592514320e9c2f9e5547efac502020127
Valid from: Sat Sep 18 10:59:19 EDT 2004 until: Thu Sep 18 10:59:19 EDT 2014
Certificate fingerprints:
         MD5:  24:4E:97:44:BE:91:BB:8F:87:DF:80:16:10:CA:9D:EA
         SHA1: 69:71:F1:51:31:E1:C7:D9:C3:81:7D:42:F7:55:3F:4F:1B:5E:FA:DE
Trust this certificate? [no]:  yes
Certificate was added to keystore

Once the certificates are imported, you should restart Tomcat. Note that the commands listed must be run as 'root' or via sudo.




/etc/init.d/novell-tomcat4 stop
/etc/init.d/novell-tomcat4 start



More Information#

There might be more information for this subject on one of the following: _----