23.0 Understanding How Access Manager Uses Certificates

Access Manager allows you to manage centrally stored certificates used for digital signatures and data encryption. eDirectory™, which resides on the Administration Console, is the main certificate store for all of the Access Manager components. If you use Novell® Certificate Server™, you can continue to create certificates there and import them into Access Manager.

By default, all Access Manager components (Identity Server, Access Gateway, SSL VPN, and J2EE agents) trust the local Access Manager CA. However, if the Identity Server is configured to use an SSL certificate signed externally, the trust store of the embedded service provider for each component must be configured to trust this new CA.

Certificate management commands issued from a secondary Administration Console can work only if the primary console is also running properly. Other commands can work independently of the primary console.

You can create and distribute certificates to the following components:

To ensure the validity of X.509 certificates, Access Manager supports both Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) methods of verification.

Process Flow

You can install and distribute certificates to the Access Manager product components and configure how the components use certificates. This includes central storage, distribution, and expired certificate renewal. Figure 23-1 illustrates the primary administrative actions for certificate management in Access Manager:

Figure 23-1 Certificate Management

  1. Create the certificate and generate a certificate signing request (CSR). See Section 24.1, Creating Certificates.

  2. Send the CSR to the external CA for signing.

    A CA is a third-party or network authority that issues and manages security credentials and public keys for message encryption. The CA’s certificate is held in the configuration store of the computers that trust the CA.

  3. Import the signed certificate and CA chain into the configuration store. See Section 24.5, Importing Public Key Certificates (Trusted Roots).

  4. Assign certificates to devices. See Section 25.0, Assigning Certificates to Access Manager Devices.
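The four steps above, and the trust-store point made earlier for externally signed certificates, reproduced with openssl as an added example (this is not Access Manager's own tooling, and every name, CN and file below is a constructed placeholder): a local CA stands in for the Access Manager CA, an external root plus intermediate stand in for the third-party CA, and the verification at the end shows that the externally signed certificate is only trusted once the external CA chain has been imported into the trust store.

```shell
#!/bin/sh
# Added example, not Access Manager's own tooling: reproduce steps 1-4 with openssl and show why
# the trust store must hold the external CA chain once a component's certificate is signed
# externally. Every name below is a constructed placeholder.
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

make_root() {  # $1 = name; self-signed CA certificate (local CA stand-in, external root)
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

make_csr() {  # $1 = name, $2 = CN; step 1: the private key stays here, only the CSR leaves
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

sign_csr() {  # $1 = name of CSR, $2 = issuing CA name, $3 = extensions file; step 2
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -extfile "$3" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Exit 0 when the certificate chains to the given trust store (PEM bundle), non-zero otherwise.
verify_with() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

setup_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
  make_root local-ca        # what all components trust by default
  make_root external-root   # the third-party CA of step 2 ...
  make_csr external-issuing "External Issuing CA"   # ... with an intermediate, so there is a chain
  sign_csr external-issuing external-root "$WORK/ca.ext"
  make_csr idp "idp.example.test"                   # Identity Server SSL certificate
  sign_csr idp external-issuing "$WORK/leaf.ext"
  # Step 3: what must be imported as trusted roots is the signing CA chain, not just the leaf.
  cat "$WORK/external-issuing.crt" "$WORK/external-root.crt" > "$WORK/external-chain.pem"
}

setup_pki
if verify_with "$WORK/local-ca.crt" "$WORK/idp.crt"; then
  echo "unexpected: trust store holding only the local CA accepted idp.crt"
else
  echo "local CA only: idp.crt rejected, the external CA chain has not been imported"
fi
verify_with "$WORK/external-chain.pem" "$WORK/idp.crt" && echo "external chain imported: idp.crt trusted"
```

Step 4 (assigning the certificate to a device) has no openssl equivalent; in Access Manager it is done from the Administration Console.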

If you are unfamiliar with public key cryptography concepts, see “Public Key Cryptography Basics” in the Novell Certificate Server 3.1.1 Guide.

See Section C.0, Certificates Terminology for information about certificate terminology.