4.2 Post-Installation Tasks for iManager 2.7 SP1

This section explains how to add additional plug-ins and how to configure iManager with a permanent certificate. You must also grant administrator users rights to the /opt/novell directory.

4.2.1 Granting File Access Rights to the Novell Service Group

After the graphical installer quits, use the following procedure to restart the Tomcat Web server and to grant the new novell services group file access rights to /opt/novell.

  1. From the Computer menu, select Gnome Terminal.

  2. Log in as root by entering su, then enter the root password.

  3. Stop the Tomcat Web server by entering /etc/init.d/novell-tomcat5 stop.

  4. Enter chmod 775 /opt/novell/ to change the rights to the /opt/novell directory.

  5. Enter chown idmsa:novell /opt/novell to set the owner of the /opt/novell directory to idmsa and its group to novell. Together with the 775 mode set in the previous step, this gives any member of the novell group the same read, write, and execute rights to /opt/novell that the user idmsa has.

  6. To verify that the changes took place, enter ls -l /opt.

    The novell directory rights should be drwxrwxr-x 10 idmsa novell.

  7. Start the Tomcat Web server by entering /etc/init.d/novell-tomcat5 start.

  8. Enter exit twice to log out as root and close the Gnome Terminal.

  9. Proceed to Section 4.2.2, Installing Additional Plug-Ins.

4.2.2 Installing Additional Plug-Ins

iManager can detect if there are additional plug-in updates that need to be installed.

  1. Launch iManager by pointing your browser to https://172.17.2.117:8443/nps/iManager.html.

  2. Select Accept this certificate permanently in the temporary certificate message, then click OK.

  3. Click OK in the security error.

    Section 4.2.4, Configuring iManager With a Trusted Certificate explains how to set up a permanent certificate for iManager to use.

  4. Use the following information to log in, then click Login.

    • Username: admin

    • Password: n0v3ll (or the password you chose)

    • Tree: 172.17.2.117

    Figure: Logging into iManager

  5. Select Configure in the iManager header frame.

  6. Select Plug-in Installation > Available Novell Plug-in Modules. All of the plug-ins that are available to install and that need to be updated are listed here.

  7. Click the box by the Name column to select all of the plug-ins, then click Install.

    Figure: Name column

    This can take a long time, depending upon how many plug-ins need to be installed.

  8. Click Close twice after all of the modules have been successfully installed, then close the Web browser.

    Support pack 1 is installed during this update.

Tomcat must be restarted for iManager to display the new plug-ins.

  1. From the Computer menu, select Gnome Terminal.

  2. Log in as root by entering su, then enter the root password.

  3. Enter /etc/init.d/novell-tomcat5 stop.

  4. When the prompt is returned, enter /etc/init.d/novell-tomcat5 start.

  5. Enter exit twice to log out as root and close the Gnome Terminal.

    The next time you launch iManager, all of the new plug-ins are displayed.

  6. Proceed to Section 4.2.3, Configuring eDirectory and iManager for Role-Based Services.

4.2.3 Configuring eDirectory and iManager for Role-Based Services

Role-Based Services allows you to control who has access to features in iManager. For security reasons, it is best practice to use iManager with Role-Based Services enabled.

To match the Resource Kit image, create a container before enabling Role-Based Services.

Creating the Services Container

  1. Launch iManager by pointing your browser to https://172.17.2.117:8443/nps/iManager.html.

  2. Click OK in the security error.

    Section 4.2.4, Configuring iManager With a Trusted Certificate explains how to set up a permanent certificate for iManager to use.

  3. Use the following information to log in, then click Login.

    • Username: admin

    • Password: n0v3ll

    • Tree: 172.17.2.117

    Figure: Logging into iManager

  4. Select View Objects in the iManager header frame.

  5. Select the system container. The objects that are stored under the system container are displayed on the right.

    Figure: Creating a container

  6. Click New, then select Create Object.

    Figure: Create Object

  7. Select domain, then click OK.

    Figure: Selecting the domain class

  8. In the domain name field, specify services as the name of the domain.

  9. Leave the context as system, then click OK.

    Figure: Specifying the name services for the domain

  10. Click OK in the completion message.

    Figure: Completion message

    The container is now created, and the Role-Based Services can now be enabled.

  11. Proceed to Enabling Role-Based Services.

Enabling Role-Based Services

  1. Select Configure in the iManager header frame.

  2. Select Role Based Services > RBS Configuration.

  3. Select the RBS Configuration Wizard link.

    Figure: RBS Configuration Wizard

  4. Read the welcome message, then click Next.

    Figure: Welcome page

  5. Leave the default value of Role Based Service 2 in the Name field.

    Figure: Defining the name and container for the collection

  6. Browse to and select the services.system container for the Container field, then click Next.

    Figure: Specifying the services container

  7. Leave all of the modules selected so that they can be installed.

    Figure: List of modules to be installed

  8. Browse to and select the tree .META for the Scope field.

    Figure: Defining the scope of the role

  9. Leave Assign Rights and Inheritable selected, then click Start.

  10. After the wizard completes, click Close.

    Figure: RBS Configuration Wizard completed message

  11. Proceed to Section 4.2.4, Configuring iManager With a Trusted Certificate.

4.2.4 Configuring iManager With a Trusted Certificate

When iManager 2.7 SP1 is installed on a Linux server that does not have the Apache Web service installed, the server uses iManager 2.7 SP1's Tomcat Web service for HTTP/HTTPS. A certificate and keystore are used to secure HTTPS traffic between a client Web browser and iManager's Tomcat service. This certificate must be accepted by every client browser that connects to iManager.

By default, a temporary certificate signed by a non-trusted CA is generated once during the installation of iManager. This certificate has a CN of Temporary Certificate and expires after one year. You can replace it with a certificate signed by a trusted CA. If you configure Access Manager to authenticate to iManager, you must use a certificate chained to a CA, or the Access Manager to iManager authentication fails.

The following steps were taken from TID 3092268 with minor modifications to adapt to the Resource Kit requirements.

  1. Launch iManager by pointing your browser to https://172.17.2.117:8443/nps/iManager.html

  2. Click OK in the security error.

  3. Use the following information to log in, then click Login.

    • Username: admin

    • Password: n0v3ll (or the password you chose)

    • Tree: 172.17.2.117

    Figure: Logging into iManager

  4. Select Novell Certificate Server > Create Server Certificate.

  5. Browse to and select the server metaserver1.metaserver1.servers.system for the Server field.

    Figure: Selecting the server

  6. Specify a meaningful name in the Nickname field, such as imanager.

    Figure: Certificate nickname

  7. Choose Custom for the Creation method, then click Next.

    Figure: Selecting Custom for the creation method

  8. Select Organizational certificate authority to have the eDirectory tree’s certificate authority sign the certificate, then click Next.

  9. In Step 3 of the wizard, accept the defaults, then click Next.

    Figure: Specifying key size and usage for the certificate

    The default values are:

    • Key type: SSL or TLS

    • Key usage: Key encipherment and Digital signature

    • Allow private key to be exported

    • Enable extended key usage

    • Extended key type: Server

    • Extended key usage: Server authentication

  10. Click New to add a new Subject Alternative Name.

    Figure: Creating a new Subject Alternative Name

  11. For Type, select IP address. In the Name field, specify 172.17.2.117, then click OK.

    Figure: Creating an alternative name of IP

  12. Create a second Subject Alternative Name by clicking New again.

    Figure: Creating a subject alternative name for the certificate

  13. For Type, select DNS name. In the Name field, specify metaserver1.idm, then click OK.

    Figure: Creating an alternative name of DNS

  14. Verify that only the two alternative names are listed.

    Figure: The two alternative names

  15. Set the Signature algorithm to SHA1-RSA.

    Figure: Setting the signature algorithm

  16. Set the Validity period to Maximum.

    Figure: Setting the validity period to maximum

    The maximum validity period is ten years. Certificates should expire periodically to improve security. Depending upon your company’s policies, a ten-year validity period might be too long.

  17. There are no Custom Extensions to add, so click Next.

  18. In Step 5 of the wizard, select Your organization’s certificate, then click Next.

    Figure: Selecting Your organization’s certificate

  19. Review the Summary page, then click Finish.

  20. Read the success message, then click Close.

    Figure: Certificate creation success message

  21. Under Roles and Tasks, select Directory Administration > Modify Object.

  22. Browse to and select the KMO object named imanager-metaserver1, then click OK.

    Figure: KMO object named imanager-metaserver1

    The context of the object is metaserver1.servers.system.

  23. Click the Certificates tab, then select Trusted Root Certificate.

    Figure: Trusted Root Certificate tab

  24. Select the certificate check box, then click Export.

    Figure: Exporting the certificate

    The certificate is listed by the nickname.

  25. In the Certificates field, select imanager.

    Figure: Select the imanager certificate

  26. Leave the Export private key option selected and specify a password (the Resource Kit uses the password changeit), then click Next.

  27. Select Save the exported certificate.

    Figure: Save the exported certificate

  28. Click Save File.

  29. Close the Web browser window after the file is saved.

  30. Click OK to close the export wizard.

  31. Exit iManager.

  32. Proceed to Section 4.2.5, Converting the Certificate File to the Appropriate File Type.

4.2.5 Converting the Certificate File to the Appropriate File Type

You must convert the exported PKCS #12 (.pfx) file to a .pem file, and then to a .p12 file that Tomcat can consume.

NOTE: The example uses changeit for every password and passphrase.

  1. From the Computer menu, select Gnome Terminal.

  2. Log in as root by entering su, then enter the root password.

  3. Change to the directory where the cert.pfx certificate file was saved.

  4. Enter openssl pkcs12 -in cert.pfx -out imanagercert.pem.

  5. Specify an import password.

  6. Specify a PEM passphrase twice.

  7. Enter openssl pkcs12 -export -in imanagercert.pem -out imanagercert.p12 -name "iManager".

  8. Specify the passphrase for imanagercert.pem.

  9. Specify the export password twice.

  10. Move the imanagercert.p12 file by entering:

    mv imanagercert.p12 /var/opt/novell/novlwww/

  11. Change the owner of the moved file to the novlwww user by entering:

    chown novlwww /var/opt/novell/novlwww/imanagercert.p12

  12. Change the permissions on the imanagercert.p12 file by entering:

    chmod 654 /var/opt/novell/novlwww/imanagercert.p12

  13. Remove the files from the working directory by entering:

    rm cert.pfx imanagercert.pem

  14. Stop Tomcat by entering /etc/init.d/novell-tomcat5 stop.

  15. To edit the Tomcat configuration file, enter gedit /etc/opt/novell/tomcat5/server.xml.

  16. Locate the Connector line that ends with clientAuth="false" sslProtocol="TLS".

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

  17. Add the keystoreType and keystoreFile attributes, substituting the path of your own .p12 file.

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreType="PKCS12" keystoreFile="/var/opt/novell/novlwww/imanagercert.p12" />

    When the keystore type is changed to PKCS12, you must specify the full path to the keystore file, because Tomcat no longer resolves it against the Tomcat home path. No keystorePass attribute is needed here because Tomcat's default keystore password is changeit, which matches the export password used in Step 9; if you chose a different export password, add keystorePass="your-password" to the Connector.

  18. Select File > Save to save the changes, then select File > Quit to exit the editor.

  19. Restart Tomcat by entering /etc/init.d/novell-tomcat5 start.

    The next time you log into iManager, it prompts you to accept this certificate.

  20. Enter exit twice to log out as root and close the Gnome Terminal.

  21. Proceed to Installing Designer 3.0.1 for Identity Manager.
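The following check is an added example, not part of the Resource Kit or of Tomcat: it parses a constructed server.xml, confirms that the port 8443 Connector carries the PKCS12 keystore attributes from Step 17, and reports a keystore file that other users can read (the 654 mode from Step 12 leaves the file world-readable, so a stricter mode such as 600 may suit your policy better). All file paths and the sample XML are constructed for the example.

```python
import os, stat, tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the 8443 connector as it reads after Step 17 of Section 4.2.5.
SERVER_XML = """<Server><Service name="Catalina">
  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <Connector port="8443" maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
             keystoreFile="/var/opt/novell/novlwww/imanagercert.p12" />
</Service></Server>"""

def https_connector(xml_text, port="8443"):
    """Return the attribute dict of the Connector listening on `port`, or None."""
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("port") == port:
            return dict(conn.attrib)
    return None

def check_connector(attrs):
    """List what is wrong with the PKCS12 edit; an empty list means it matches Step 17."""
    if attrs is None:
        return ["no Connector on port 8443"]
    problems = []
    if attrs.get("keystoreType") != "PKCS12":
        problems.append("keystoreType is not PKCS12")
    ks = attrs.get("keystoreFile", "")
    if not ks.startswith("/"):  # PKCS12 paths are not resolved against Tomcat home
        problems.append("keystoreFile is not an absolute path")
    # No keystorePass attribute: Tomcat falls back to its default "changeit",
    # which works here only because the export password in Step 9 was changeit.
    return problems

def keystore_mode_problems(path):
    """Flag a keystore other users can read; it holds the iManager private key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append("keystore is world-readable (mode %o)" % mode)
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("keystore has execute bits set (mode %o)" % mode)
    return problems

def demo_mode_check(mode):
    """Run keystore_mode_problems() on a throwaway file chmod'ed to `mode`."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return keystore_mode_problems(path)
    finally:
        os.unlink(path)
```

Point keystore_mode_problems() at /var/opt/novell/novlwww/imanagercert.p12 on the real server to check the mode set in Step 12.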