39.1 Securing LDAP Synchronization

If your LDAP directory service requires a secure LDAP connection (LDAPS), you must configure Novell Vibe with a root certificate. The root certificate identifies the root certificate authority (CA) for your Vibe site, which enables you to generate a self-signed root certificate based on your eDirectory tree.

39.1.1 Understanding How Vibe Uses the Root Certificate for Your eDirectory Tree

You can generate a root certificate for your eDirectory tree by using either ConsoleOne or iManager, then import the root certificate into the Java keystore file (cacerts) on the Vibe server to make it accessible to Vibe. The default location for the Java keystore file is:

Linux:

/usr/java/jdkversion/jre/lib/security

Windows:

c:\Program Files\Java\jdkversion\jre/lib/security

NOTE:For iManager instructions, see TID 3176104: How to Enable SSL for Teaming LDAP Synchronization and Authentication in the Novell Support Knowledgebase. If you are using Active Directory rather than eDirectory, consult your Active Directory documentation for a procedure comparable to the one provided in Section 39.1.2, Generating a Root Certificate in ConsoleOne.

39.1.2 Generating a Root Certificate in ConsoleOne

  1. On Linux or Windows, start ConsoleOne and authenticate to your eDirectory tree.

  2. Expand the Security container, right-click the Tree_Name CA object, then click Properties.

  3. Click Certificates > Self Signed Certificate.

  4. Click Validate to update the certificate status, then click OK to close the Certificate Validation dialog box.

  5. Click Export to export your eDirectory root certificate into a file that can be imported into the Java keystore file.

  6. Click Next to accept the default of No for exporting a private key file along with the root certificate.

  7. Select the output format for the root certificate file.

    Either DER or Base64 format can be imported into the Java keystore file.

  8. In the Filename field, specify the location where you want to create the root certificate file and the filename to use, such as SelfSignedRootCert.der.

    IMPORTANT:You need to be able to access this file from the Vibe server. Specify an accessible location or copy it to the Vibe server after you create it.

  9. Click Next to display a summary of the options you have selected, then click Finish to generate the root certificate file.

  10. Click Cancel to close the Self Signed Certificate properties page of the Tree_Name CA object.

  11. Exit ConsoleOne.

  12. (Conditional) If necessary, copy the root certificate file to a convenient location on the Vibe server.

39.1.3 Importing the Root Certificate into the Java Keystore

  1. On the Vibe server, make sure that you have access to the root certificate file.

  2. Make sure that you can access the keytool tool:

    Linux:

    /usr/java/jdkversion/bin/keytool
    

    Windows:

    c:\Program Files\Java\jdkversion\bin\keytool.exe

    For convenient use, you might need to add its location to the PATH environment variable.

  3. Use the following command to import the root certificate into the Java keystore:

    keytool -import -alias ldap_server_dns_name 
            -keystore path_to_java_keystore_file 
            -file root_certificate_file
    

    For example:

    keytool -import -alias ldapserver.yourcompanyname.com 
            -keystore /usr/java/jdkversion/jre/lib/security/cacerts 
            -file /certs/SelfSignedRootCert.der
    
  4. When prompted, enter the password for the Java keystore.

    IMPORTANT:The default password used by Tomcat is changeit. If you want to specify a password other than this, then you must also specify this password in the server.xml Tomcat configuration file, as described in Changing Your Password for the Keystore File.

    Do not forget the password you specify.

  5. Enter yes to accept the certificate import.

  6. Use the following command to verify that the root certificate has been imported into the Java keystore:

    keytool -list -keystore path_to_java_keystore_file
    
  7. Enter the root certificate password to list the root certificate information.

  8. Restart Vibe so that Tomcat rereads the updated Java keystore file.

You are now ready to configure your Vibe site for secure LDAP synchronization, as described in Adding Vibe Users from Your LDAP Directory in Basic Installation in the Novell Vibe 3.4 Installation Guide.