31.2 Securing LDAP Synchronization

If your LDAP directory service requires a secure LDAP connection (LDAPS), Novell Filr must trust the certificate that the directory server presents during the TLS handshake. You establish that trust by exporting the root certificate of the certificate authority (CA) that issued the LDAP server's certificate (the eDirectory tree CA, or the self-signed certificate created on the Active Directory server) and importing it into the Java keystore on the Filr appliance. Until that trust anchor is in place, the LDAPS connection fails and no users or groups are synchronized.

31.2.1 Exporting a Root Certificate

Exporting a Root Certificate for eDirectory

  1. Launch and log in to iManager for your tree.

  2. Click Directory Administration.

  3. Click Modify Object.

  4. Click the magnifying glass icon to browse to and select the “Tree Name CA” object in the Security container of the eDirectory tree.

  5. Click OK.

  6. Click the Certificates tab.

  7. Select the check box for the root certificate (not the certificate titled Self Signed Certificate, but the root certificate), click Validate, and confirm that the certificate validates before exporting it.

  8. Select the check box for the root certificate, then click Export.

  9. Deselect Export private key, then click Next. Filr needs only the public certificate; the CA's private key must never leave the CA.

  10. Click Save the exported certificate, then select File in binary DER format.

  11. Save the file to a location where it can be accessed later and with a file name that you can remember, such as SelfSignCert.der.

  12. Click Close > OK.

  13. Continue with Section 31.2.2, Importing the Root Certificate into the Java Keystore.

Exporting the Root Certificate for Active Directory

  1. On the Windows server, click Start > Run, then enter mmc.

  2. In MMC, press Ctrl+M (File > Add/Remove Snap-in).

  3. If the Internet Information Services (IIS) Manager snap-in is not installed on your Windows server, install it.

  4. Select the Internet Information Services (IIS) Manager snap-in, click Add, then click OK.

  5. In the left frame, click Internet Information Services, then click a Windows server that Filr can connect to for synchronizing users.

  6. In the Filter list, scroll down to Server Certificates and double-click the icon.

  7. In the Actions list, click Create Self-Signed Certificate.

  8. Name the certificate with a name you can remember, such as the server name, then click OK.

    Note: a domain controller presents on the LDAPS port (636) whichever server-authentication certificate Schannel selects from the computer's Personal store, not necessarily the one you just created. The certificate Filr imports must be the one actually presented on port 636, or the CA certificate that issued it; if the domain runs Active Directory Certificate Services, export that CA's root certificate instead of creating a new self-signed one.

  9. Press Ctrl+M, select the Certificates snap-in, then click Add.

  10. Select Computer account, then click Next.

  11. Click Finish.

  12. In the Snap-ins dialog, click OK.

  13. In MMC, expand the Certificates snap-in, expand Personal, then click Certificates.

  14. Right-click the certificate you created, select All Tasks, then click Export.

  15. In the Certificate Export wizard, click Next.

  16. Ensure that No, do not export the private key is selected, then click Next.

  17. Ensure that DER encoded binary is selected, then click Next.

  18. Name the certificate, then click Next.

  19. Click Finish > OK.

    The certificate is saved in C:\Users\Your-User-Name.

  20. Copy the exported .der file to a location that is reachable from the browser you use to administer the Filr appliance.

  21. Continue with Section 31.2.2, Importing the Root Certificate into the Java Keystore.

31.2.2 Importing the Root Certificate into the Java Keystore

  1. Navigate to the management console of your Novell Appliance:

    https://ip_address:9443
    
  2. Click the Appliance System Configuration icon.

    The Novell Appliance Configuration page is displayed.

  3. Click Digital Certificates.

  4. In the Key Store drop-down list, select JVM Certificates.

  5. Click File > Import > Trusted Certificate.

    The certificate must be in binary DER format (a .der file, as exported above); the import fails otherwise.

  6. Browse to and select the trusted root certificate that you want to import.

    If you want to import multiple certificates, give each certificate file a different name so that each one gets its own alias in the keystore.

  7. Leave the Alias field unchanged; it is populated by default. Note the alias, because it identifies this trust anchor in the keystore later.

  8. Click OK.

    The certificate should now be displayed in the list of JVM certificates.

  9. Restart Filr so that Tomcat rereads the updated Java keystore file. Tomcat loads the keystore only at startup, so the new trust anchor is not used until the service has been restarted.

    You can restart the Filr service as described in Section 2.7, Changing System Services Configuration.

You are now ready to configure your Filr site for secure LDAP synchronization, as described in Section 18.1, Synchronizing Users and Groups from an LDAP Directory.
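The following script is an added example and is not part of the Filr documentation or product. It checks an exported root certificate before you import it (Section 31.2.1) and shows the two live checks to run after the import and restart (Section 31.2.2): whether the directory server really presents a certificate chaining to that root on port 636, and whether the alias landed in the JVM keystore. It assumes the openssl command-line tool (and, on the appliance, keytool) is available; the host names, file names, keystore path and keystore password are placeholders. The certificates it generates are a constructed fixture, not a real tree CA.

```shell
#!/bin/sh
# Added example (not from the Filr documentation): sanity-check an exported
# root certificate, verify it is the issuer of the LDAP server certificate,
# and list the live checks to run after import. Requires the openssl CLI.
set -eu

# Print a certificate file as PEM, whatever its encoding: try PEM, fall back to DER.
to_pem() {
  openssl x509 -in "$1" 2>/dev/null || openssl x509 -inform DER -in "$1"
}

# Subject, issuer, validity window and SHA-256 fingerprint; compare the
# fingerprint with what iManager or the MMC Certificates snap-in shows.
cert_info() {
  to_pem "$1" | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}

# A usable trust anchor is self-signed (issuer equals subject), carries
# basicConstraints CA:TRUE and is inside its validity period.
is_root_ca() {
  _pem=$(to_pem "$1") || return 1
  _subj=$(printf '%s\n' "$_pem" | openssl x509 -noout -subject) || return 1
  _iss=$(printf '%s\n' "$_pem" | openssl x509 -noout -issuer) || return 1
  [ "${_subj#subject=}" = "${_iss#issuer=}" ] || return 1
  printf '%s\n' "$_pem" | openssl x509 -noout -text | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$_pem" | openssl x509 -noout -checkend 0 >/dev/null
}

# Does the server certificate chain to the candidate root? This catches the
# classic mistake of exporting a certificate the LDAP server never presents.
chain_ok() {  # $1 = candidate root (DER or PEM), $2 = server certificate (PEM)
  to_pem "$1" > "$WORK/candidate_root.pem"
  openssl verify -CAfile "$WORK/candidate_root.pem" "$2" 2>&1 | grep -q ': OK'
}

# Live check after export (needs network; not run here). Verifies what the
# directory server presents on 636 against the exported root alone, ignoring
# the system trust store. Example: ldaps_check dc1.example.com SelfSignCert.der
ldaps_check() {  # $1 = LDAP host, $2 = exported root certificate
  to_pem "$2" > "$WORK/candidate_root.pem"
  openssl s_client -connect "$1:636" -CAfile "$WORK/candidate_root.pem" \
    -verify_return_error </dev/null 2>&1 | grep 'Verify return code'
}

# Live check after import and restart, run on the appliance (not run here).
# Keystore path and the password "changeit" are Java defaults assumed for the
# example; adjust them to the appliance. $2 is the alias shown under Digital Certificates.
keystore_check() {  # $1 = JVM keystore file, $2 = alias
  keytool -list -keystore "$1" -storepass changeit -alias "$2"
}

# Constructed fixture: a root CA, a server certificate it issued, and an
# unrelated self-signed CA standing in for a wrongly exported certificate.
make_fixture() {
  WORK=$(mktemp -d)
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Tree CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # The same export format the procedure above produces: binary DER.
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/SelfSignCert.der"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj '/CN=ldap.example.com' -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/srv.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -extensions v3_ca -subj '/CN=Wrong Export' -keyout "$WORK/wrong.key" \
    -out "$WORK/wrong.pem" 2>/dev/null
}

make_fixture
cert_info "$WORK/SelfSignCert.der"
is_root_ca "$WORK/SelfSignCert.der" && echo "root: OK (self-signed CA, in validity)"
chain_ok "$WORK/SelfSignCert.der" "$WORK/srv.pem" && echo "chain: OK (server cert issued by this root)"
# A valid root that is not the issuer is still useless to Filr.
chain_ok "$WORK/wrong.pem" "$WORK/srv.pem" || echo "chain: FAIL against unrelated CA (expected)"
```

The decisive check is `chain_ok`/`ldaps_check`, not `is_root_ca`: the "Wrong Export" certificate passes every structural test and would import into the keystore without error, yet the synchronization would still fail because the server's certificate does not chain to it. On the appliance, the OpenLDAP client can exercise the same trust decision with `LDAPTLS_CACERT=root.pem ldapsearch -H ldaps://dc1.example.com -x -b '' -s base`, which succeeds only if the presented chain validates against the given root.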