6.1 Updating the Identity Audit Certificate Infrastructure

You can change the internal Identity Audit CA and embedded product certificates to certificates signed by your enterprise CA so you can integrate Identity Audit with your enterprise security infrastructure.

WARNING: Although the process of using certificates signed by external CAs is relatively simple, the consequences of failing to change all required components are serious. Logging applications might fail to communicate with your Secure Logging Server, so events are not recorded.

To update your Identity Audit certificate infrastructure with a custom certificate:

  1. Identify all Secure Logging Servers and Identity Manager servers where certificates are located.

  2. Use AudCGen to generate a CSR for the Secure Logging Server.

    For information on generating a CSR with AudCGen, see Creating Logging Application Certificates.

  3. Have the CSR signed by your enterprise CA.

    If necessary, convert the returned certificate to a Base64-encoded .pem file.

  4. Shut down all Secure Logging Servers and Identity Manager servers.

  5. Delete and purge all application cache (lcache) files.

  6. In iManager, update the Secure Logging Certificate File and Secure Logging Privatekey File properties in the Secure Logging Server configuration to point to the new, signed root certificate key pair:

    1. In iManager select Auditing and Logging > Logging Server Options > Modify Object for Logging Server.

      The Logging Server Options page has Channels, Notifications, and Log Applications options.

    2. Select the Configuration option.

    3. Update the path in the Secure Logging Certificate File field.

    4. Update the path in the Secure Logging Privatekey File field, then click OK to save the changes.

      For more information on the Secure Logging Server configuration, see Logging Server Object Attributes in the Novell Audit 2.0 Administration Guide.

  7. Use AudCGen to generate a new public certificate for Identity Manager.

    IMPORTANT: The certificate signed by your enterprise CA must be used as the authoritative root certificate.

    For information on generating a certificate for Identity Manager, see Creating Logging Application Certificates.

  8. Update the Identity Manager Instrumentation so it uses the public certificate signed by the Secure Logging Server’s root certificate key pair. For more information, see Enabling the Identity Manager Instrumentation to Use a Custom Certificate.

  9. Restart eDirectory™ or the Remote Loader.
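The conversion in step 3 and the hand-off in step 6 are where a subtle mistake (a DER file where PEM is expected, a certificate that does not actually chain to the enterprise CA, or a certificate paired with the wrong private key) produces exactly the silent logging failure the warning above describes. The following shell script is an added example, not part of the Identity Audit documentation or of AudCGen: it normalises a CA-returned certificate to Base64 PEM and runs two pre-flight checks with the standard `openssl` CLI before the file paths are entered in iManager. The CA, key pair and file names it creates under a temporary directory are constructed for the example; in a real run the CSR and key come from AudCGen and the signed certificate from your enterprise CA.

```shell
#!/bin/sh
# Added example (not from the Identity Audit documentation): convert a
# CA-returned certificate to Base64 PEM and sanity-check it before the
# Secure Logging Server is pointed at it. Requires the openssl CLI.
# Every file name below is an assumption made for this example.
set -eu

# Convert a certificate to PEM. Accepts PEM or DER in $1; writes PEM to $2.
to_pem() {
    in="$1"; out="$2"
    if openssl x509 -in "$in" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$in" -inform PEM -out "$out" -outform PEM
    elif openssl x509 -in "$in" -inform DER -noout 2>/dev/null; then
        openssl x509 -in "$in" -inform DER -out "$out" -outform PEM
    else
        echo "to_pem: $in is neither PEM nor DER" >&2
        return 1
    fi
}

# Succeed only if certificate $1 chains to the enterprise CA certificate $2.
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeed only if private key $2 carries the public key inside certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Build a constructed, throw-away PKI in $1: a self-signed "enterprise CA",
# a key pair and CSR standing in for AudCGen's output, a DER certificate the
# CA issued for it, and an unrelated key used to show the mismatch check.
make_sample_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Enterprise CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=sls.example.test" \
        -keyout "$dir/sls.key" -out "$dir/sls.csr" 2>/dev/null
    openssl x509 -req -in "$dir/sls.csr" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/sls.der" -outform DER 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/other.key" 2>/dev/null
}

# Full pre-flight for the files in $1: returns 0 only if sls.pem is usable.
preflight() {
    dir="$1"
    to_pem "$dir/sls.der" "$dir/sls.pem"
    chains_to_ca "$dir/sls.pem" "$dir/ca.pem" \
        || { echo "certificate does not chain to the enterprise CA" >&2; return 1; }
    key_matches_cert "$dir/sls.pem" "$dir/sls.key" \
        || { echo "private key does not match the certificate" >&2; return 1; }
    echo "OK: $dir/sls.pem chains to $dir/ca.pem and matches $dir/sls.key"
}

work=$(mktemp -d)
make_sample_pki "$work"
preflight "$work"
rm -rf "$work"
```

The public-key comparison is deliberately used instead of an RSA modulus comparison so the same check works whichever key type the enterprise CA policy prescribes. Run `preflight` against the real files after step 3 and again after step 7 (with the Identity Manager certificate in place of `sls.pem`), since a certificate that passes both checks is one the Secure Logging Server and the instrumentation can actually use.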

After you update your Identity Audit certificate infrastructure with a custom certificate, the only required maintenance is to update the certificate when it expires.