30.1 Securing LDAP Synchronization

If your LDAP directory service requires a secure LDAP connection (LDAPS), you must configure Teaming with a root certificate. The root certificate is the self-signed certificate of the root certificate authority (CA) for your eDirectory™ tree. It is the trust anchor that lets the Teaming server verify the certificate presented by the LDAP server when the LDAPS connection is opened; without it, the TLS handshake fails and synchronization does not run.

30.1.1 Understanding How Teaming Uses the Root Certificate for Your eDirectory Tree

You can generate a root certificate file for your eDirectory tree using either ConsoleOne® or iManager, and then import it into the Java keystore file (cacerts) that the JVM on the Teaming server uses as its truststore, which makes the certificate accessible to Teaming. Because cacerts is part of the JDK installation, a JDK upgrade or reinstall replaces it and the import must be repeated afterward. The default location for the Java keystore file is:

Linux:

/usr/java/jdkversion/jre/lib/security

Windows:

c:\Program Files\Java\jdkversion\jre\lib\security

NOTE: For iManager instructions, see TID 3176104: How to Enable SSL for Teaming LDAP Synchronization and Authentication in the Novell Support Knowledgebase. If you are using Active Directory rather than eDirectory, consult your Active Directory documentation for exporting the root certificate of the CA that issued your domain controllers' LDAPS certificates; the procedure is comparable to the one provided in Generating a Root Certificate in ConsoleOne.

30.1.2 Generating a Root Certificate in ConsoleOne

  1. On Linux or Windows, start ConsoleOne and authenticate to your eDirectory tree.

  2. Expand the Security container, right-click the Tree_Name CA object, then click Properties.

  3. Click Certificates > Self Signed Certificate.

  4. Click Validate to update the certificate status, then click OK to close the Certificate Validation dialog box.

  5. Click Export to export your eDirectory root certificate into a file that can be imported into the Java keystore file.

  6. Click Next to accept the default of No for exporting a private key file along with the root certificate. Teaming needs only the CA's public certificate to verify the LDAP server; the CA's private key should never leave the eDirectory server.

  7. Select the output format for the root certificate file.

    Either DER or Base64 format can be imported into the Java keystore file.

  8. In the Filename field, specify the location where you want to create the root certificate file and the filename to use, such as SelfSignedRootCert.der.

    IMPORTANT: You need to be able to access this file from the Teaming server. Specify an accessible location or copy it to the Teaming server after you create it.

  9. Click Next to display a summary of the options you have selected, then click Finish to generate the root certificate file.

  10. Click Cancel to close the Self Signed Certificate properties page of the Tree_Name CA object.

  11. Exit ConsoleOne.

  12. (Conditional) If necessary, copy the root certificate file to a convenient location on the Teaming server.

30.1.3 Importing the Root Certificate into the Java Keystore

  1. On the Teaming server, make sure that you have access to the root certificate file.

  2. Make sure that you can access the keytool tool:

    Linux:

    /usr/java/jdkversion/bin/keytool
    

    Windows:

    c:\Program Files\Java\jdkversion\bin\keytool.exe

    For convenient use, you might need to add its location to the PATH environment variable.

  3. Use the following command to import the root certificate into the Java keystore:

    keytool -import -alias ldap_server_dns_name 
            -keystore path_to_java_keystore_file 
            -file root_certificate_file
    

    For example:

    keytool -import -alias ldapserver.yourcompanyname.com 
            -keystore /usr/java/jdkversion/jre/lib/security/cacerts 
            -file /certs/SelfSignedRootCert.der
    
  4. When prompted, enter the Java keystore password. keytool asks for the password that protects the keystore file, not a password for the certificate. (If the keystore file is being created for the first time, keytool also asks you to confirm the new password.)

    IMPORTANT: The default password for the cacerts keystore, and the one Tomcat expects, is changeit. If you change the keystore password to something else, you must also specify the new password in the server.xml Tomcat configuration file, as described in Changing Your Password for the Keystore File.

    Do not forget the password you specify.

  5. keytool displays the certificate's owner, issuer, validity period and fingerprints, then asks whether to trust it. Check that the owner and fingerprints belong to the root certificate you exported from your eDirectory tree, then enter yes to complete the import.

  6. Use the following command to verify that the root certificate has been imported into the Java keystore:

    keytool -list -keystore path_to_java_keystore_file
    
  7. Enter the keystore password to list the keystore contents. The alias you specified appears in the listing as a trustedCertEntry.

  8. Restart Teaming so that Tomcat rereads the updated Java keystore file.
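The export and import steps above, scripted with the checks a practitioner wants before trusting a certificate: verify that the exported root really validates the chain the LDAP server presents on its LDAPS port, skip the import if the alias already exists (keytool refuses duplicates), and confirm that the stored entry has the same fingerprint as the exported file. This is an added example, not code from the Teaming guide or from Novell; it assumes keytool and openssl on PATH, and the host name, file paths, port and password below are hypothetical placeholders taken from the guide's examples.

```shell
#!/bin/sh
# Added example (not from the Teaming guide): import an eDirectory root
# certificate into the JVM truststore (cacerts) only after checking that it
# is the root of the chain the LDAP server presents, then confirm that the
# stored entry is the file that was exported. Requires keytool and openssl.
# All values below are hypothetical placeholders; override via environment.

LDAP_HOST="${LDAP_HOST:-ldapserver.yourcompanyname.com}"
LDAP_PORT="${LDAP_PORT:-636}"
ROOT_CERT="${ROOT_CERT:-/certs/SelfSignedRootCert.der}"
CACERTS="${CACERTS:-/usr/java/jdkversion/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"     # JDK default password for cacerts

# ConsoleOne can export the root in DER or Base64 (PEM); openssl must be
# told which. Prints "PEM" if the file carries a PEM header, else "DER".
cert_inform() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# SHA-256 fingerprint of a certificate file as bare upper-case hex.
file_fingerprint() {
    openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g'
}

# SHA-256 fingerprint of the certificate stored under an alias in a keystore.
store_fingerprint() {   # alias keystore storepass
    keytool -exportcert -rfc -alias "$1" -keystore "$2" -storepass "$3" \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# Connect to the LDAPS port with the exported root as the CA file and succeed
# only if the chain the server presents verifies against it. A failure here
# means the wrong CA was exported (or the LDAP server's certificate comes
# from another issuer), and importing the file would not fix Teaming's
# LDAPS errors.
verify_root_against_server() {   # host port root_file
    pem=$(mktemp) || return 1
    openssl x509 -in "$3" -inform "$(cert_inform "$3")" -out "$pem" \
        || { rm -f "$pem"; return 1; }
    openssl s_client -connect "$1:$2" -CAfile "$pem" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
    rc=$?
    rm -f "$pem"
    return $rc
}

# keytool refuses to import under an alias that already exists, so check
# first. -noprompt skips the "Trust this certificate?" question because the
# chain was already verified against the live server above.
import_root_cert() {   # alias root_file keystore storepass
    if keytool -list -keystore "$3" -storepass "$4" -alias "$1" >/dev/null 2>&1; then
        echo "alias '$1' already exists in $3; not importing" >&2
        return 0
    fi
    keytool -import -noprompt -alias "$1" -file "$2" -keystore "$3" -storepass "$4"
}

# The full procedure runs only when invoked as:  sh import-root.sh run
if [ "${1-}" = "run" ]; then
    verify_root_against_server "$LDAP_HOST" "$LDAP_PORT" "$ROOT_CERT" \
        || { echo "$ROOT_CERT does not verify the chain from $LDAP_HOST:$LDAP_PORT" >&2; exit 1; }
    import_root_cert "$LDAP_HOST" "$ROOT_CERT" "$CACERTS" "$STOREPASS" || exit 1
    if [ "$(file_fingerprint "$ROOT_CERT")" = "$(store_fingerprint "$LDAP_HOST" "$CACERTS" "$STOREPASS")" ]; then
        echo "entry '$LDAP_HOST' in $CACERTS matches $ROOT_CERT; restart Teaming to load it"
    else
        echo "fingerprint mismatch: the stored entry is not the exported file" >&2
        exit 1
    fi
fi
```

The fingerprint comparison at the end is the scripted form of the check you would otherwise do by eye at keytool's "Trust this certificate?" prompt; the s_client step catches the more common mistake of exporting a CA that did not actually issue the LDAP server's certificate, which an import alone never reveals.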

You are now ready to configure your Teaming site for secure LDAP synchronization, as described in Adding Teaming Users from Your LDAP Directory in Basic Installation in the Novell Teaming 2.1 Installation Guide.