This AppNote describes a quick and easy way to configure certificates for iManager plug-ins, to communicate with eDirectory over a secure channel.
Automatic method of certificate configuration
Configuring a certificate for Windows
Configuring a certificate for Linux (SLES, SLED, OES Linux)
Manual method of certificate configuration
Starting and stopping the Tomcat server
Some iManager plug-ins that store secret information in eDirectory talk to it over SSL. For that connection to succeed, the trusted root certificate of the eDirectory server must be imported into the Java keystore used by the JVM that runs iManager (Tomcat); iManager then uses that keystore to verify the server.
The certificate configuration process involves the following steps:
- Exporting a Root Certificate
- Importing an eDirectory Certificate into the Keystore
The entire process is documented there. Though it looks simple, it can take even an expert a long time, because there are many small steps at which one can slip (wrong JDK, wrong keystore, wrong certificate format), and each slip turns a simple task into a frustrating one.
This AppNote explains how to complete this daunting task in a few minutes, no matter whether you are a novice or expert. Read on to find out how this is possible.
Automatic Method of Certificate Configuration
Here I will explain how easy it is to import the certificate from eDirectory using the automated tools. There are different configuration parameters and different tools for each platform, so I will discuss each platform separately. You can move on to the section that's relevant to you.
Import the certificate once for each eDirectory tree that iManager connects to. Importing the same certificate more than once with these tools does no harm; it only creates duplicate entries in the certificate store.
Configuring a Certificate for Windows
I have written a tool named ImportCert that automatically imports the certificate on Windows systems. You can download the tool from this location:
Note that you have to run this tool on the same machine where the standalone iManager is installed. Once you have downloaded the ImportCert tool, follow the steps below.
1. Launch the ImportCert tool on your system. You will see the dialog below.
Figure 1 - ImportCert on Windows
2. Specify the IP address of the eDirectory server. If eDirectory is running on the same machine, you can specify 127.0.0.1.
Figure 2 - Importing certificate from local eDirectory
3. Click Browse to select the Java SDK path used by iManager.
This path is the one in the JAVA_HOME environment variable. If you have more than one Java SDK installed, use the one JAVA_HOME points to, because that is the JVM Tomcat runs under. If you are not sure, you can import the certificate into each Java SDK on your system.
Figure 3 - Selecting the JDK path in ImportCert
4. Once you have entered the IP address and Java SDK path, click Install Certificate. The tool retrieves the certificate from the specified eDirectory server and imports it into the local Java keystore. Note that it trusts whatever certificate the address you entered presents, so double-check the address; if you want to be certain, compare the fingerprint of the imported entry (keytool -list -v on the keystore) with the fingerprint of the tree's trusted root certificate as shown in iManager.
During the import you will see an animated icon at the top right of the dialog. On successful completion you will see the message below.
Figure 4 - Successful completion of importing certificate
If the specified eDirectory server is not reachable, or the wrong JDK path is entered, an error message will be displayed.
5. Once you have finished importing the certificate, restart the Tomcat server for the new certificate to take effect. Refer to the Starting and Stopping the Tomcat Server section at the end of the article for details.
Configuring a Certificate for Linux (SLES, SLED, OES Linux)
For Linux, I have written the ImportCertLinux tool, which does the same task as the ImportCert tool on Windows systems. You can download this tool here:
It comes with full source code and dependent LDAP libraries. You can even tweak the code to make it work on a different flavor of Linux.
Building the ImportCertLinux Binary
Before you use this tool, you need to build the binary for your Linux system. For that, follow the steps below.
1. Download the ImportCertLinux.zip file from this location:
2. Extract the file to the /ImportCertLinux folder. This folder contains the full source code along with the required header and library files.
3. Before you build the program, set the library path with the command below.
# export LD_LIBRARY_PATH=/ImportCertLinux/lib
4. In a shell, change to the /ImportCertLinux/src directory. It contains the source files and a makefile for building the executable.
5. Build the ImportCertLinux binary by running make. On successful completion of the build you will see this screen:
Figure 5 - Building the ImportCertLinux binary
Using the ImportCertLinux to Import the Certificate
Once you have built the ImportCertLinux properly, you can now use it to configure the certificate.
1. ImportCertLinux depends on a couple of LDAP libraries, so before running the tool set the library path with the same command used for the build:
# export LD_LIBRARY_PATH=/ImportCertLinux/lib
This path may be different on your machine, depending on where you extracted the zip file.
2. Run the ImportCertLinux without any parameters to see the usage. You will see this screen:
Figure 6 - Using the ImportCertLinux tool
The -c option lets you specify the certificate store path for your system configuration. By default the certificate store path is derived from the $JAVA_HOME environment variable, giving $JAVA_HOME/jre/lib/security/cacerts.
3. If the certificate store on your machine is at the default path, you can simply specify the target eDirectory server address:
./ImportCertLinux <eDir address>
If the certificate store path is different on your machine, specify it with the -c option as follows:
./ImportCertLinux -c /opt/novell/lib/java2/jre/lib/security/cacerts <eDir address>
On successfully importing the certificate, you will see the results as shown below:
Figure 7 - Importing the certificate using the ImportCertLinux tool
4. Restart the Tomcat server for new certificate to take effect. Refer to the Starting and Stopping the Tomcat Server section at the end of the article for more details.
Manual Steps for Configuring a Certificate for iManager
The above sections explain the quick and automatic method of importing the certificate. Now I will briefly explain the manual steps involved in the same task. This will help you to understand what exactly happens in the background while you import the certificate using these tools.
1. Export the trusted root certificate from eDirectory in DER format using iManager. Refer to the iManager documentation for more details.
2. Copy this certificate to the machine where iManager is running.
3. Open a command window and change to the bin directory of the JDK that Tomcat uses. On my machine, for example, this path is "C:\j2sdk1.5\bin".
4. Use keytool to import the certificate into the keystore. The command is the same on every platform; only the path to the certificate file and to the keystore differ (the keystore is the cacerts file of the JRE that Tomcat runs under):
NetWare:
keytool -import -alias alias_name -file sys:trustedrootcert.der -keystore <path to cacerts>
Windows:
keytool -import -alias alias_name -file c:\trustedrootcert.der -keystore <path to cacerts>
Linux:
keytool -import -alias alias_name -file /trustedrootcert.der -keystore $JAVA_HOME/jre/lib/security/cacerts
5. Enter "changeit" as the keystore password (this is the default password of the Java cacerts keystore; if it has been changed on your system, use that password instead) and then type "yes" when asked whether to trust the certificate. If everything goes well, keytool prints "Certificate added to keystore":
Figure 8 - Manually importing the certificate using keytool
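As an added example, which is not code from this AppNote or from the ImportCert tools, here is a small Python script that does the same keytool import non-interactively and adds two checks the manual steps leave out: it refuses to import a certificate whose SHA-256 fingerprint does not match a value you obtained out of band (for example with openssl x509 -inform DER -noout -fingerprint -sha256 on a copy you exported yourself from iManager), and it skips the import when that certificate is already in the keystore, so running it twice does not create duplicate entries. It also accepts a PEM file, since exporting in the wrong format is one of the common slips. It assumes keytool is on the PATH, that JAVA_HOME points at the JDK Tomcat uses, and the default keystore password "changeit"; the script name import_edir_root.py and the alias prefix edir-root are my own choices.

```python
"""Import an eDirectory trusted root certificate into a Java cacerts keystore.

Hypothetical helper, not Novell's ImportCert tool. It performs the manual
keytool steps of the AppNote and adds a fingerprint check and an
already-imported check. Assumes keytool on PATH and JAVA_HOME set.
"""
import base64
import hashlib
import os
import re
import subprocess

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_cert_der(data: bytes) -> bytes:
    """Return the certificate as DER. Accepts DER or PEM (a common export slip)."""
    m = PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    # Minimal sanity check: an X.509 certificate is a DER SEQUENCE (tag 0x30).
    if not der or der[0] != 0x30:
        raise ValueError("input is neither PEM nor DER X.509 data")
    return der


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as keytool and openssl display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Compare ignoring case and colons, so a value pasted from a GUI still matches."""
    def norm(s):
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(fingerprint_sha256(der)) == norm(expected)


def alias_for(der: bytes, prefix: str = "edir-root") -> str:
    """Deterministic alias derived from the certificate, so re-runs do not add duplicates."""
    return f"{prefix}-{hashlib.sha256(der).hexdigest()[:16]}"


def default_cacerts() -> str:
    """Keystore of the JVM Tomcat runs under: $JAVA_HOME/jre/lib/security/cacerts (JDK 1.5 layout)."""
    java_home = os.environ.get("JAVA_HOME")
    if not java_home:
        raise RuntimeError("JAVA_HOME is not set; pass the keystore path explicitly")
    return os.path.join(java_home, "jre", "lib", "security", "cacerts")


def keytool_import_args(der_path: str, keystore: str, alias: str, password: str = "changeit") -> list:
    """argv for a non-interactive import; -noprompt replaces the 'yes' answer of the manual step.
    -storepass puts the password in the process list; fine for the well-known default only."""
    return ["keytool", "-import", "-noprompt", "-trustcacerts",
            "-alias", alias, "-file", der_path,
            "-keystore", keystore, "-storepass", password]


def alias_present(keystore: str, alias: str, password: str = "changeit") -> bool:
    """keytool -list exits 0 when the alias exists and non-zero otherwise."""
    r = subprocess.run(["keytool", "-list", "-alias", alias, "-keystore", keystore,
                        "-storepass", password], capture_output=True)
    return r.returncode == 0


def import_root_cert(cert_path: str, expected_fp: str, keystore=None,
                     password: str = "changeit") -> str:
    """Verify the fingerprint, normalise to DER and import. Returns the alias used."""
    with open(cert_path, "rb") as f:
        raw = f.read()
    der = load_cert_der(raw)
    if not fingerprint_matches(der, expected_fp):
        raise ValueError(f"fingerprint mismatch: got {fingerprint_sha256(der)}; refusing to trust it")
    keystore = keystore or default_cacerts()
    alias = alias_for(der)
    if alias_present(keystore, alias, password):
        return alias  # already trusted: nothing to import, no Tomcat restart needed
    der_path = cert_path
    if der != raw:  # input was PEM; write the DER bytes we actually verified
        der_path = cert_path + ".der"
        with open(der_path, "wb") as f:
            f.write(der)
    subprocess.run(keytool_import_args(der_path, keystore, alias, password), check=True)
    return alias


if __name__ == "__main__":
    import sys
    # usage: python import_edir_root.py trustedrootcert.der <sha256 fingerprint> [cacerts path]
    print(import_root_cert(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None))
```

After the script reports a newly added alias, restart Tomcat as described in the next section; if it reports an alias that was already present, the keystore is unchanged and no restart is needed.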
Starting and Stopping the Tomcat Server
Once you have finished importing the certificate for iManager, you must restart the Tomcat server for the change to take effect. Here are the commands for restarting the Tomcat server on Windows and Linux systems.
Windows
1. Stop the Tomcat service - "net stop tomcat"
2. Start the Tomcat service - "net start tomcat"
(If the service has a different name on your installation, check the Services console for it.)
Linux
1. Stop the Tomcat server - "$CATALINA_HOME/bin/shutdown.sh"
2. Start the Tomcat server - "$CATALINA_HOME/bin/startup.sh"
Here $CATALINA_HOME refers to the directory where Tomcat is installed.
In this AppNote you've seen how easily and quickly you can configure a certificate, using the automated tools rather than doing the same work manually. I hope this will help you to complete the task quickly and efficiently.
For any comments and suggestions, drop me an e-mail at: email@example.com.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.