Configuring SSL on eDirectory Platforms


Prerequisite


Create a Keystore File

To configure SSL on eDirectory, create a keystore file:

  1. Export the eDirectory CA trusted root certificate.

    1. From the Roles and Tasks menu, click eDirectory Administration > Modify Object to open the Modify Object page.

    2. Use the Object selector icon to browse to the Organizational CA, then click OK.

      The Organizational CA is present under the Security container at the top level of the tree.

    3. Select the Certificates tab, then select Self Signed Certificate.

    4. Click Export.

    5. When you are prompted to export the private key along with the certificate, select No, then click Next.

    6. Select File in Base64 format as the file format to which the certificate is to be saved, then click Next.

    7. Click Save the Exported Certificate to a File to save the issued certificate as NOVELLCASELFSIGNEDCERT.B64.

  2. Import this certificate into the Java trusted-certificate keystore by executing the following command:

    java-home/jre/bin/keytool -import -alias novellca -file NOVELLCASELFSIGNEDCERT.B64 -keystore java-home/jre/lib/security/cacerts -storepass changeit

    The Java keytool ships with the Java installation. You use it to build and manage keystore files, which hold keys and certificates under password protection.

  3. Type Yes when prompted to trust a certificate.

  4. Import the exported certificate into a new keystore file by executing the following command:

    java-home/jre/bin/keytool -import -alias novellca -file NOVELLCASELFSIGNEDCERT.B64 -keystore java-home/jre/lib/security/ndsagentcert -storepass novell1

    java-home/jre/lib/security/ndsagentcert is referred to as the client's keystore in the subsequent steps.

  5. When prompted to trust a certificate, type Yes.

  6. Generate the public and private key pair for the agent in the client's keystore file by executing the following command:

    java-home/jre/bin/keytool -genkey -alias ndsagent -keyalg RSA -dname "CN=137.65.146.24, OU=DirXML, O=Novell, L=Provo, S=Utah, C=US" -keypass novell1 -keystore java-home/jre/lib/security/ndsagentcert -storepass novell1

    NOTE:  The keypass and storepass must be the same.

  7. Generate a Certificate Signing Request (CSR) in the novellagent.csr file.

    To guarantee the identity of the client, a certificate is needed to authenticate the key pair ownership. To do this, generate a Certificate Signing Request (CSR) in the novellagent.csr file by executing the following command:

    java-home/jre/bin/keytool -certreq -alias ndsagent -file novellagent.csr -keypass novell1 -keystore java-home/jre/lib/security/ndsagentcert -storepass novell1

  8. In iManager, log in to eDirectory as an administrator with the appropriate rights.

  9. From the Roles and Tasks menu, click Novell Certificate Server > Issue Certificate.

  10. Enter novellagent.csr as the filename or browse to select it, then click Next.

  11. Select SSL or TLS as the key type, then click Next.

  12. Verify the certificate parameters, then click Next.

  13. Select File in Binary DER Format as the file format to which the certificate is to be saved.

  14. Click Next to view the parameters of the issued certificate.

  15. Click Download the Issued Certificate, save the certificate as issuedcertificate.der, then click Close.


Store the Certificate

The certificate now needs to be stored in the ndsagentcert keystore with the key pair.

  1. Execute the following command:

    java-home/jre/bin/keytool -import -trustcacerts -alias ndsagent -file issuedcertificate.der -keypass novell1 -keystore java-home/jre/lib/security/ndsagentcert -storepass novell1

  2. When prompted to trust a certificate, type Yes.

    At this point, your ndsagentcert keystore contains the CA's self-signed certificate and your key pair, whose certificate the Certificate Authority has signed.


View the ndsagent Keystore

The file should contain at least two entries: the trusted CA certificate (alias novellca) and your private key entry (alias ndsagent). It might also contain other entries.

Your key entry should show "Certificate chain length: 2". The first certificate in the chain is the certificate issued for your key; the second is the CA certificate that signed it.

java-home/jre/bin/keytool -list -v -keystore java-home/jre/lib/security/ndsagentcert -storepass novell1

NOTE:   When configuring SSL for the driver, specify ndsagentcert as the keystore file, using its full directory path.
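The following is an added example, not part of the original documentation: a small shell check that reads the output of the keytool -list -v command above and confirms the keystore is in the expected state (a trusted novellca entry plus an ndsagent key entry with chain length 2). The listing embedded below is a constructed sample in keytool's -list -v layout; in real use, pipe the actual keytool output into check_keystore_listing.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -v` output for a correctly built
# ndsagentcert keystore (not real output from any system).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: novellca
Entry type: trustedCertEntry

Owner: O=Novell, OU=Organizational CA
Issuer: O=Novell, OU=Organizational CA

*******************************************

Alias name: ndsagent
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=137.65.146.24, OU=DirXML, O=Novell, L=Provo, ST=Utah, C=US
Issuer: O=Novell, OU=Organizational CA
Certificate[2]:
Owner: O=Novell, OU=Organizational CA
Issuer: O=Novell, OU=Organizational CA'

# check_keystore_listing KEY_ALIAS CA_ALIAS  < keytool-list-v-output
# Returns 0 when the listing has a trusted certificate entry named CA_ALIAS
# and a private key entry named KEY_ALIAS whose chain length is 2
# (the issued certificate followed by the CA certificate that signed it).
# Older keytool versions print "keyEntry" instead of "PrivateKeyEntry".
check_keystore_listing() {
  awk -v key="$1" -v ca="$2" '
    /^Alias name:/               { alias = $3 }
    /^Entry type:/               { type[alias] = $3 }
    /^Certificate chain length:/ { chain[alias] = $4 }
    END {
      ok = 1
      if (type[ca] != "trustedCertEntry") { print "missing trusted CA entry: " ca; ok = 0 }
      if (type[key] != "PrivateKeyEntry" && type[key] != "keyEntry") { print "missing private key entry: " key; ok = 0 }
      if (chain[key] != 2) { print key " chain length is \"" chain[key] "\", expected 2 (issued certificate not imported?)"; ok = 0 }
      exit ok ? 0 : 1
    }'
}

# Run the check on the sample; substitute the real keytool command in practice:
#   java-home/jre/bin/keytool -list -v -keystore java-home/jre/lib/security/ndsagentcert -storepass novell1 | check_keystore_listing ndsagent novellca
printf '%s\n' "$SAMPLE_LISTING" | check_keystore_listing ndsagent novellca && echo "keystore OK"
```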