83.3 Trusted Root Certificates and LDAP Authentication

LDAP authentication, as described in Section 36.3.4, Providing LDAP Authentication for GroupWise Users, relies on the presence of a trusted root certificate (often named rootcert.der) located on your LDAP server. A trusted root certificate is automatically created for a server when you install eDirectory on that server. However, circumstances might arise where you need to create one manually. You can do this in ConsoleOne.

  1. Make sure that Novell International Cryptography Infrastructure (NICI) is installed on the workstation where you run ConsoleOne.

    If necessary, you can download NICI from the Novell Product Downloads site.

  2. In ConsoleOne, click Help > About Snapins and verify that the following snap-ins are installed:

    • Novell LDAP

    • Novell Certificate Server

    • Novell Modular Authentication Services (NMAS)

    You can download these snap-ins from the Novell Product Downloads site. After these snap-ins are installed, you can generate a trusted root certificate for the LDAP server.

  3. In ConsoleOne, check the current SSL/TLS configuration of the LDAP server:

    a. Browse to and right-click the LDAP Server object in your eDirectory tree (typically named LDAP Server - server_name), then click Properties.

    b. Click SSL/TLS Configuration.

      (Figure: SSL/TLS Configuration property page)

    c. Note the name of the server certificate (typically SSL CertificateDNS).

    d. Make sure that Disable SSL Port is not selected.

  4. Export a trusted root certificate:

    a. Browse to and right-click the SSL Certificate object identified in Step 3.c, then click Properties.

    b. Click Certificates.

      (Figure: Certificates property page)

    c. Click Validate, then click OK.

    d. Click Export.

    e. When asked if you want to export the private key with the certificate, select No, then click Next.

    f. In the Output Format box, select File in Binary DER Format.

    g. In the Filename field, specify the full path and file name for the trusted root certificate.

      IMPORTANT: For use with GroupWise, the name of the trusted root certificate file can consist of 8 characters plus the .der extension. It cannot be a long file name. The most convenient location for the trusted root certificate for use with GroupWise is in the directory where the POA software is installed. By default, the POA looks for a file named ngwkey.der.

    h. Click Next, then click Finish.
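Before pointing the POA at the exported file, it is worth confirming that the export actually produced what the steps above require: a short 8.3 file name, binary DER rather than base64 PEM, a bare certificate rather than a PKCS#12 bundle that also carries the private key, and a validity period that includes today. The following script is an added example, not part of the GroupWise documentation or product; it uses only the Python standard library and walks the DER structure itself. The certificate it builds for its own self-test is a constructed placeholder with empty names and a dummy signature, not a real certificate.

```python
import datetime as dt
import os
import re

SEQUENCE, INTEGER, BIT_STRING, UTCTIME, GENTIME = 0x30, 0x02, 0x03, 0x17, 0x18


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past the end of the file")
    return tag, buf[pos:end], end


def children(value):
    """Split a constructed value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """Decode a Validity time; UTCTime years follow the RFC 5280 rule (50..99 -> 19xx)."""
    s = val.decode("ascii")
    if tag == UTCTIME:
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != GENTIME:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from the tbsCertificate of a DER X.509 certificate.
    A PKCS#12 bundle (exported *with* the private key) starts with an INTEGER version
    instead of the tbsCertificate SEQUENCE, so it fails the shape check here."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("file is not a single DER SEQUENCE")
    parts = children(body)
    if [t for t, _ in parts] != [SEQUENCE, SEQUENCE, BIT_STRING]:
        raise ValueError("top level is not Certificate {tbs, signatureAlgorithm, signatureValue}")
    tbs = children(parts[0][1])
    if tbs and tbs[0][0] == 0xA0:           # optional EXPLICIT [0] version comes first
        tbs = tbs[1:]
    validity = children(tbs[3][1])          # after serialNumber, signature, issuer
    return parse_time(*validity[0]), parse_time(*validity[1])


def check_export(path, data, now=None):
    """Return a list of problems with an exported root certificate; empty means it looks usable."""
    problems, name = [], os.path.basename(path)
    if not re.fullmatch(r"[A-Za-z0-9_]{1,8}\.der", name, flags=re.IGNORECASE):   # 8.3 name
        problems.append("%r is not an 8-character-or-shorter name ending in .der" % name)
    if data.lstrip().startswith(b"-----BEGIN"):
        problems.append("file is PEM (base64 text), not binary DER; re-export in Binary DER format")
        return problems
    try:
        not_before, not_after = certificate_validity(data)
    except (ValueError, IndexError) as exc:
        problems.append("not a DER X.509 certificate: %s" % exc)
        return problems
    now = now or dt.datetime.now(dt.timezone.utc)
    if not (not_before <= now <= not_after):
        problems.append("certificate not valid at %s (valid %s to %s)"
                        % (now.date(), not_before.date(), not_after.date()))
    return problems


def tlv(tag, payload):
    """Short-form DER encoder (payload < 128 bytes), used only to build the sample below."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload


def constructed_certificate(not_before, not_after):
    """CONSTRUCTED sample: the shape of a Certificate with empty names, no key and a dummy
    signature. It exercises the checks above and is not a real or trusted certificate."""
    sha256_rsa = tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b"")
    tbs = (tlv(0xA0, tlv(INTEGER, b"\x02"))               # [0] version v3
           + tlv(INTEGER, b"\x01")                         # serialNumber
           + tlv(SEQUENCE, sha256_rsa)                     # signature algorithm
           + tlv(SEQUENCE, b"")                            # issuer (empty in this sample)
           + tlv(SEQUENCE, tlv(UTCTIME, not_before.encode()) + tlv(UTCTIME, not_after.encode()))
           + tlv(SEQUENCE, b"")                            # subject (empty in this sample)
           + tlv(SEQUENCE, b""))                           # subjectPublicKeyInfo (empty here)
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs) + tlv(SEQUENCE, sha256_rsa) + tlv(BIT_STRING, bytes(17)))
```

To check a real export, read the file in binary mode and call check_export(path, data); an empty list means the name, encoding, structure and validity window all pass. The checks deliberately stop at structure and dates: they do not verify the signature or confirm that the certificate is the one the LDAP server actually presents, so the Validate step in ConsoleOne and a TLS connection test against the LDAP server remain the authoritative checks.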

You are now ready to configure the POA for LDAP authentication, as described in Section 36.3.4, Providing LDAP Authentication for GroupWise Users.