This section explains how to add additional plug-ins and how to configure iManager with a permanent certificate. You must also grant the administrator user rights to the /opt/novell directory.
After the graphical installer quits, use the following procedure to restart the Tomcat Web server and to grant the new novell services group file access rights to /opt/novell.
From the menu, select .
Log in as root by entering su, then enter the root password.
Stop the Tomcat Web server by entering /etc/init.d/novell-tomcat5 stop.
Enter chmod 775 /opt/novell/ to change the rights to the /opt/novell directory.
Enter chown idmsa:novell /opt/novell to grant any user that is a member of the novell group the rights that the user idmsa has to the /opt/novell directory.
To verify that the changes took place, enter ls -l /opt.
The novell directory rights should be drwxrwxr-x 10 idmsa novell.
Start the Tomcat Web server by entering /etc/init.d/novell-tomcat5 start.
Enter exit twice to log out as root and close the Gnome Terminal.
Proceed to Section 4.2.2, Installing Additional Plug-Ins.
iManager can detect if there are additional plug-in updates that need to be installed.
Launch iManager by pointing your browser to https://172.17.2.117:8443/nps/iManager.html.
Select in the temporary certificate message, then click .
Click in the security error.
Section 4.2.4, Configuring iManager With a Trusted Certificate explains how to set up a permanent certificate for iManager to use.
Use the following information to log in, then click .
Username: admin
Password: n0v3ll (or the password you chose)
Tree: 172.17.2.117
Select in the iManager header frame.
Select .
All of the plug-ins that are available to install and that need to be updated are listed here.
Click the box by the column to select all of the plug-ins, then click .
This can take a long time, depending upon how many plug-ins need to be installed.
Click twice after all of the modules have been successfully installed, then close the Web browser.
Support Pack 1 is installed during this update.
Tomcat must be restarted for iManager to display the new plug-ins.
From the menu, select .
Log in as root by entering su, then enter the root password.
Enter /etc/init.d/novell-tomcat5 stop.
When the prompt is returned, enter /etc/init.d/novell-tomcat5 start.
Enter exit twice to log out as root and close the Gnome Terminal.
The next time you launch iManager, all of the new plug-ins are displayed.
Proceed to Section 4.2.3, Configuring eDirectory and iManager for Role-Based Services.
Role-Based Services allows you to control who has access to features in iManager. For security reasons, it is best practice to use iManager with Role-Based Services enabled.
In order for your system to match the Resource Kit image, a container must be created before enabling Role-Based Services.
Launch iManager by pointing your browser to https://172.17.2.117:8443/nps/iManager.html.
Click in the security error.
Section 4.2.4, Configuring iManager With a Trusted Certificate explains how to set up a permanent certificate for iManager to use.
Use the following information to log in, then click .
Username: admin
Password: n0v3ll
Tree: 172.17.2.117
Select in the iManager header frame.
Select the system container. The objects that are stored under the system container are displayed on the right.
Click , then select .
Select , then click .
In the field, specify services as the name of the domain.
Leave the context as system, then click .
Click in the completion message.
The container is now created, and the Role-Based Services can now be enabled.
Proceed to Enabling Role-Based Services.
Select in the iManager header frame.
Select > .
Select the link.
Read the welcome message, then click .
Leave the default value of Role Based Service 2 in the field.
Browse to and select the services.system container for the field, then click .
Leave all of the modules selected so that they can be installed.
Browse to and select the tree .META for the field.
Leave and selected, then click .
After the wizard completes, click .
Proceed to Section 4.2.4, Configuring iManager With a Trusted Certificate.
When iManager 2.7 SP1 is installed on a Linux server that does not have the Apache Web service installed, the server uses iManager 2.7 SP1's Tomcat Web service for HTTP/HTTPS. A certificate and keystore are used for secure HTTPS traffic between a client Web browser and iManager's Tomcat service. This certificate must be accepted by all client browsers connecting to iManager.
By default, a temporary non-trusted CA signed certificate is generated once during the installation of iManager. This non-trusted signed certificate has a CN of Temporary Certificate and an expiration date of one year. You can replace this certificate with a certificate signed by a trusted CA. If you configure Access Manager to authenticate to iManager, a certificate chained to a CA must be used or the Access Manager to iManager authentication fails.
The following steps were taken from TID 3092268 with minor modifications to adapt to the Resource Kit requirements.
Launch iManager by pointing your browser to https://172.17.2.117:8443/nps/iManager.html.
Click in the security error.
Use the following information to log in, then click .
Username: admin
Password: n0v3ll (or the password you chose)
Tree: 172.17.2.117
Select > .
Browse to and select the server metaserver1.metaserver1.servers.system for the field.
Specify a meaningful name in the field, such as imanager.
Choose for the , then click .
Select to have the eDirectory tree's certificate authority sign the certificate, then click .
In Step 3 of the wizard, accept the defaults, then click .
The default values are:
Key type:
Key usage:
and
Extended key type:
Extended key usage:
Click to add a new .
For , select . In the field, specify 172.17.2.117, then click .
Create a second by clicking again.
For , select . In the field, specify metaserver1.idm, then click .
Verify that only the two alternative names are listed.
Set the to .
Set the to .
The maximum validity period is ten years. Certificates should expire periodically to increase the level of security. Depending upon your company's policies, a ten-year validity period might be too long.
There are no to add, so click .
In Step 5 of the wizard, select , then click .
Review the Summary page, then click .
Read the success message, then click .
Under select > .
Browse to and select the KMO object named imanager-metaserver1, then click .
The context of the object is metaserver1.servers.system.
Click the tab, then select .
Select the certificate check box, then click .
The certificate is listed by the nickname.
In the field, select .
Leave the option selected and specify a password (the Resource Kit uses the password changeit), then click .
Select .
Click .
Close the Web browser window after the file is saved.
Click to close the export wizard.
Exit iManager.
Proceed to Section 4.2.5, Converting the Certificate File to the Appropriate File Type.
You must convert the pkcs12.pfx file to a .pem, then finally to a .p12 file so that it can be consumed by Tomcat.
NOTE: The example uses for every password and passphrase.
From the menu, select .
Log in as root by entering su, then enter the root password.
Change to the directory where the cert.pfx certificate file was saved.
Enter openssl pkcs12 -in cert.pfx -out imanagercert.pem.
Specify an import password.
Specify a PEM passphrase twice.
Enter openssl pkcs12 -export -in imanagercert.pem -out imanagercert.p12 -name "iManager".
Specify the passphrase for imanagercert.pem.
Specify the export password twice.
Move the imanagercert.p12 file by entering:
mv imanagercert.p12 /var/opt/novell/novlwww/
Change the owner of the moved file to the novlwww user by entering:
chown novlwww /var/opt/novell/novlwww/imanagercert.p12
Change the permissions on the imanagercert.p12 file by entering:
chmod 654 /var/opt/novell/novlwww/imanagercert.p12
Remove the files from the working directory by entering:
rm cert.pfx imanagercert.pem
Stop Tomcat by entering /etc/init.d/novell-tomcat5 stop.
To edit the Tomcat configuration file, enter gedit /etc/opt/novell/tomcat5/server.xml.
Locate the clientAuth="false" protocol="TLS" line.
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false" sslprotocol="TLS" />
Add the keystoreType and keystoreFile attributes shown below, substituting the applicable .p12 filename.
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false" sslprotocol="TLS"
keystoreType="PKCS12" keystoreFile="/var/opt/novell/novlwww/imanagercert.p12" />
When the keystore type is changed to PKCS12, you must specify the entire path because Tomcat no longer defaults to using the Tomcat home path.
Select to save the changes, then select to exit the editor.
Restart Tomcat by entering /etc/init.d/novell-tomcat5 start.
The next time you log into iManager, it prompts you to accept this certificate.
Enter exit twice to log out as root and close the Gnome Terminal.
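The conversion and file-placement steps above, as an added example that is not part of the Novell documentation: it runs the same two openssl commands non-interactively, removes the intermediate PEM, and checks that the resulting keystore opens with the password and carries the "iManager" friendly name before Tomcat is pointed at it. It assumes OpenSSL is on PATH; the self-signed sample PFX and the scratch paths are constructed for the example, and the passwords are passed as arguments instead of being typed at the prompts.

```shell
#!/bin/sh
# Added example, not from the Novell documentation: performs the
# pkcs12.pfx -> PEM -> .p12 conversion of this section non-interactively
# and checks the keystore before Tomcat is pointed at it. Assumes OpenSSL
# is on PATH; "changeit" is the Resource Kit password used in the text.
set -eu

# convert_pfx_to_p12 <cert.pfx> <imanagercert.p12> <password> [alias]
# Same two openssl commands as the procedure: PFX -> PEM (private key kept
# encrypted under the same passphrase), then PEM -> PKCS#12 named "iManager".
convert_pfx_to_p12() {
    pfx=$1; p12=$2; pw=$3; alias=${4:-iManager}
    pem=$(mktemp)
    openssl pkcs12 -in "$pfx" -out "$pem" -passin "pass:$pw" -passout "pass:$pw"
    openssl pkcs12 -export -in "$pem" -out "$p12" -name "$alias" \
        -passin "pass:$pw" -passout "pass:$pw"
    rm -f "$pem"   # the PEM holds the private key; the procedure removes it too
    # The text uses chmod 654; the keystore holds the private key, so this
    # example grants "other" no access (owner rw, group r).
    chmod 640 "$p12"
}

# verify_p12 <keystore> <password> <alias>: succeeds only when the keystore
# opens with the password (MAC check passes) and contains a certificate bag
# whose friendlyName is the alias Tomcat will see.
verify_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -info 2>/dev/null \
        | grep -q "friendlyName: $3"
}

# make_sample_pfx <cert.pfx> <password>: constructed stand-in for the PFX
# exported from iManager (self-signed, valid one day) so this runs offline.
make_sample_pfx() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=metaserver1.idm" -keyout "$dir/key.pem" -out "$dir/crt.pem" \
        >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/crt.pem" -inkey "$dir/key.pem" \
        -out "$1" -name "exported" -passout "pass:$2"
    rm -rf "$dir"
}

# Run the whole flow in a scratch directory:  sh convert.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_sample_pfx "$work/cert.pfx" changeit
    convert_pfx_to_p12 "$work/cert.pfx" "$work/imanagercert.p12" changeit
    verify_p12 "$work/imanagercert.p12" changeit iManager && echo "keystore OK"
fi
```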
Proceed to Installing Designer 3.0.1 for Identity Manager.