!!! Overview[1]
When iManager 2.7 is installed on a Linux server (non-OES), the Tomcat web service handles HTTP/HTTPS. The [Imanager] service uses two sets of certificates to secure two different types of [SSL]/[TLS] traffic.

!! [LDAP] [Certificate]
The [LDAP] [Certificate] secures the LDAP connection between [Imanager] and [EDirectory].

By default, when a user logs in, [Imanager] creates a secure [LDAP] connection to eDirectory. To validate the eDirectory server's certificate it first tries the JVM [keystore].

If that fails, it tries the [Imanager]-specific [keystore] located in /var/opt/novell/iManager/nps/WEB-INF/iMKS.

With the default settings, iManager populates this [keystore] on the fly by importing the [eDirectory] Root [Certificate Authority] certificate. (This behavior can be changed via the /var/opt/novell/iManager/nps/WEB-INF/config.xml file.)

For more information please see the following:
* [http://support.novell.com/cgi-bin/search/searchtid.cgi?/7006113.htm]
* [https://www.netiq.com/documentation/imanager/]

!! [Tomcat] [Certificate]
The [Tomcat] [Certificate] and keystore are used for secure HTTPS traffic between a client web browser and [iManager]'s [Tomcat] service. 

The [Tomcat] [Certificate] must be trusted by every client browser that connects to [Imanager].

By default, a temporary certificate is generated during the installation of [Imanager]. It is not signed by any CA (it is self-signed), has a CN of Temporary Certificate, and expires one year after installation.

We __recommend__ that you replace this certificate as soon as possible, and in any case before it expires.

Moreover, when configuring [iChain] to authenticate to iManager, a certificate chained to a CA must be used, or the iChain-to-iManager authentication will fail.

There are multiple options for replacing the default temporary certificate initially used by iManager/Tomcat. Among the more popular are:
* generating a key pair and server certificate within eDirectory using Novell Certificate Server
* buying a signed server certificate from one of the many commercial certificate vendors. Instructions on how to use third-party certificates vary; refer to the vendor's website for details.
* using an enterprise-issued certificate whose issuing CA is trusted by all enterprise browsers.


----
Some [Imanager] plug-ins require secure LDAP access to function properly.  

Refer to the Novell documents for the current process.

NOTE: This should work for 2.5 and 2.6 also. 

NOTE: [Imanager] Mobile uses the default JDK on the system.

Rather than importing each server's certificate, you may want to add the [Certificate Authority] (CA) certificate to the keystore; this instance of iManager will then trust every server whose certificate is signed by that CA.

[Configuring iManager for SSL/TLS Connection to eDirectory|http://www.novell.com/documentation/imanager20/imanager20/data/am4ajce.html]

[iManager 2.6 docs|http://www.novell.com/documentation/imanager26/index.html?page=/documentation/imanager26/imanager_admin_26/data/bx8g5g8.html]

This is needed to use some tasks in these roles; the known roles with tasks that require secure LDAP are:

* Dynamic Groups
* Passwords

On Solaris/Linux, iManager uses the keystore that is part of the JRE it installs on the server.


On __Solaris__, type:
{{{cd /opt/novell/jre/bin}}}

On __Linux__, type:
{{{cd /opt/novell/java/jre/bin}}}

Then execute this command to import the certificate into the cacerts keystore of the JRE that iManager uses:
{{{
./keytool -import -alias [alias_name] -file [full_path]/trustedrootcert.der -keystore [full_path]/jre/lib/security/cacerts
}}}

Here is an example of how to import several certificates into the same iManager instance. Each file's base name is used as its alias, and keytool prompts for the keystore password and for confirmation on every certificate:
{{{
for cert in ~/certs/*.der; do
    alias=$(basename "$cert" .der)
    ./keytool -import -alias "$alias" -file "$cert" -keystore [full_path]/jre/lib/security/cacerts
done
}}}

Here is the example output from one such import. Compare the fingerprints shown with those published by the CA before answering yes; anything you accept here becomes a trust anchor for every TLS connection this JRE makes:
{{{
# ./keytool -import -alias outlaw -file ~/certs/OUTLAW.der -keystore ../lib/security/cacerts 
Enter keystore password:  changeit
Owner: O=OUTLAW, OU=Organizational CA
Issuer: O=OUTLAW, OU=Organizational CA
Serial number: 21c11ece729bd11dba93ccc92194fa612e592514320e9c2f9e5547efac502020127
Valid from: Sat Sep 18 10:59:19 EDT 2004 until: Thu Sep 18 10:59:19 EDT 2014
Certificate fingerprints:
         MD5:  24:4E:97:44:BE:91:BB:8F:87:DF:80:16:10:CA:9D:EA
         SHA1: 69:71:F1:51:31:E1:C7:D9:C3:81:7D:42:F7:55:3F:4F:1B:5E:FA:DE
Trust this certificate? [no]:  yes
Certificate was added to keystore
}}}

Once the certificates are imported, you should restart Tomcat.  Note that the commands listed must be run as 'root' or via sudo.

!Solaris:
{{{
/var/opt/novell/tomcat4/bin/shutdown.sh
/var/opt/novell/tomcat4/bin/startup.sh
}}}
!Linux:
{{{
/etc/init.d/novell-tomcat4 stop
/etc/init.d/novell-tomcat4 start
}}}
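To make the keystore lookup order from the Overview concrete (JVM cacerts first, then iMKS) and to check what an import like the one above actually placed in cacerts without running Java, here is an added example in Python. It is not code from the original page or from Novell. It reads and writes the JKS keystore format the JRE's cacerts used at the time (newer JDKs default to PKCS12, which this does not parse), verifies the keystore's integrity digest with its password, lists trusted-certificate entries with SHA-1 fingerprints in keytool's format, and reports which keystore in the lookup order trusts a given CA. The keystores and the CA bytes are constructed inside the script; the CA bytes are a stand-in, not a real certificate, since JKS stores the DER opaquely. Names such as first_keystore_trusting and LOOKUP_ORDER are this example's own.

```python
"""Minimal JKS keystore reader/writer needing no Java (added example, not Novell's code).
JKS stores certificate DER opaquely, so the sample CA bytes below are a constructed stand-in."""
import hashlib, hmac, struct, time

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
ENTRY_PRIVATE_KEY, ENTRY_TRUSTED_CERT = 1, 2
DIGEST_SALT = b"Mighty Aphrodite"  # constant JavaKeyStore mixes into its integrity hash

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex, the format keytool prints."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())

def _integrity_digest(password: str, body: bytes) -> bytes:
    """SHA-1 keyed the way JavaKeyStore does it: UTF-16BE password, fixed salt, then the stream."""
    md = hashlib.sha1(password.encode("utf-16-be"))
    md.update(DIGEST_SALT)
    md.update(body)
    return md.digest()

def _utf(s: str) -> bytes:
    """DataOutputStream.writeUTF: 2-byte big-endian length followed by UTF-8 bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

def build_jks(trusted: dict, password: str) -> bytes:
    """Serialise {alias: der} as trusted-cert entries, the layout keytool -import writes."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted))
    stamp = int(time.time() * 1000)                    # creation time, ms since the epoch
    for alias, der in trusted.items():
        body += struct.pack(">I", ENTRY_TRUSTED_CERT) + _utf(alias.lower())  # keytool lower-cases
        body += struct.pack(">q", stamp) + _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _integrity_digest(password, body)   # 20-byte digest trails the file

def verify_jks(data: bytes, password: str) -> bool:
    """True if the trailing digest matches; a wrong password or a tampered file gives False."""
    return len(data) >= 32 and hmac.compare_digest(_integrity_digest(password, data[:-20]), data[-20:])

def read_jks(data: bytes, password: str) -> dict:
    """Return {alias: (sha1_fingerprint, der)} for trusted-cert entries; key entries are skipped."""
    if not verify_jks(data, password):
        raise ValueError("integrity check failed: wrong password or tampered keystore")
    buf, pos = data[:-20], 0

    def take(fmt):                 # one fixed-size field, e.g. ">I"
        nonlocal pos
        vals = struct.unpack_from(fmt, buf, pos)
        pos += struct.calcsize(fmt)
        return vals[0] if len(vals) == 1 else vals

    def take_lp(fmt):              # length-prefixed bytes: ">H" for UTF strings, ">I" for blobs
        nonlocal pos
        n = take(fmt)
        chunk = buf[pos:pos + n]
        pos += n
        return chunk

    magic, version, count = take(">III")
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 keystore (PKCS12 keystores need a different reader)")
    entries = {}
    for _ in range(count):
        tag = take(">I")
        alias = take_lp(">H").decode("utf-8")
        take(">q")                                      # creation timestamp, unused here
        if tag == ENTRY_TRUSTED_CERT:
            take_lp(">H")                               # certificate type, "X.509"
            der = take_lp(">I")
            entries[alias] = (fingerprint(der), der)
        elif tag == ENTRY_PRIVATE_KEY:
            take_lp(">I")                               # encrypted private key
            for _ in range(take(">I")):                 # certificate chain: type + DER per cert
                take_lp(">H")
                take_lp(">I")
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return entries

def first_keystore_trusting(keystores, ca_der: bytes, password: str = "changeit"):
    """Walk [(name, bytes)] in iManager's lookup order; (name, alias) of the first holding ca_der, else None."""
    wanted = fingerprint(ca_der)
    for name, data in keystores:
        for alias, (fp, _) in read_jks(data, password).items():
            if fp == wanted:
                return name, alias
    return None

# Constructed sample: a stand-in for the eDirectory Organizational CA and the two keystores
# in iManager's lookup order, the JVM cacerts (without the CA) and then iMKS (with it).
EDIR_CA_DER = b"constructed stand-in for the eDirectory Organizational CA, not real DER"
JVM_CACERTS = build_jks({"public-root": b"constructed stand-in for an unrelated root"}, "changeit")
IMKS = build_jks({"edir-ca": EDIR_CA_DER}, "changeit")
LOOKUP_ORDER = [("JVM cacerts", JVM_CACERTS), ("iMKS", IMKS)]

if __name__ == "__main__":
    print("eDirectory CA trusted via:", first_keystore_trusting(LOOKUP_ORDER, EDIR_CA_DER))
```

Against a real installation, replace the constructed keystores with the bytes of the JRE's lib/security/cacerts and of iMKS (both read with the keystore password, changeit by default for cacerts) and pass the DER of the eDirectory Organizational CA; the SHA-1 fingerprint the script prints for each entry is the same value keytool shows at import time, so it can be compared directly against the output recorded above. A False from verify_jks on an untouched file means the password is wrong; on a file that was accepting the right password yesterday it means the keystore was modified outside keytool and should be rebuilt from known-good certificates.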


!! Category
%%category [eDirectory]%%

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Replacing default certificates in iManager 2.7 (non-OES install)|http://www.novell.com/support/kb/doc.php?id=3092268|target='_blank'] - based on 2015-03-12