Replacing default certificates in iManager 2.7 (non-OES install)
This document (3092268) is provided subject to the disclaimer at the end of this document.
Novell eDirectory 8.8 for Linux
SUSE Linux Enterprise Server 10
Novell Certificate Server (PKIS)
When iManager 2.7 is installed on a Linux server (non-OES) Tomcat5 web service is used for HTTP\HTTPs . This service uses two sets of certificates for securing two different types of SSL traffic. This document discusses the second type of certificate (Tomcat certificate) described below.
For more information please see the following:
2. Tomcat certificate.
- is not signed,
- has a CN of "Temporary Certificate", and
- has an expiration date of one year.
There are multiple options for replacing the default temporary certificate initially used in iManager\Tomcat. Among the more popular are:
- generating a public and private key within eDirectory using Novell Certificate Server
- buy a signed server certificate from one of the many certificate vendors.
- create the keypair in eDirectory
- export the Public, Private and Root CA keys via a PKCS#12 file onto the Linux file system
- modify Tomcat's server.xml configuration file in order to use the PKCS12 directive and point to an actual P12 file.
The temporary keypair is held in the /var/opt/novell/novlwww/.keystore file.
The file for configuring Tomcat's use of certificates is /etc/opt/novell/tomcat5/server.xml
Below are the steps to replace the Temporary Certificate with an eDirectory certificate:
1. Create a new Server Certificate.
Login to iManager and select the Novell Certificate Server role | Create Server Certificate - Select server and choose a Nickname | Next | Finish2. Export the Server Certificate to the tomcat home directory (/var/opt/novell/novlwww).
3. Convert the pkcs12 (pfx) file to a PEM file.
- Login to iManager and select the Directory Administration role | Modify Object | Browse to and select the Server Certificate (created in step 1)
- Select the Certificates Tab
- Select the Certificate to use and select Export
- Select the Server Certificate from the drop down menu (select the Certificate created in step 1)
- Also confirm "Export private key" is selected, and enter a password
(For demonstration purposes, we will use the password of "changeit")
- Next | Click "Save the exported certificate" link and save the file to the /var/opt/novell/novlwww/ directory where iManager default keystore is installed.
nts32:/var/opt/novell/novlwww # openssl pkcs12 -in cert.pfx -out cert.pem4. Convert the .pem file to a .p12 file.
Enter Import Password:
Input the password used in step 2. (Step 2 used "changeit")
MAC verified OK
Once the password is verified, you will be prompted to enter a new password to protect the new PEM file. You can use the same password, or a different password, if desired. This new password is used to protect the private key.
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
nts32:/var/opt/novell/novlwww # openssl pkcs12 -export -in cert.pem -out cert.p12 -name "nts32-iManager"5. Stop Tomcat
Enter pass phrase for cert.pem:
Enter Export Password:
Verifying - Enter Export Password:
The "pass phrase" for cert.pem is the password used in Step 3. When prompted to "Enter Export Password"you must use use the password "changeit". Tomcat will use this password by default. The certificate is secure due to its directory location.
/etc/init.d/novell-tomcat5 stop6. Edit the tomcat configuration file (/etc/opt/novell/tomcat5/server.xml), modifying the Connector port="8443" section:
Tomcat5 (iManager 2.7)maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
Tomcat4 (for iManager 2.6)
port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" protocol="TLS" keystoreType="PKCS12"
to add the bold statements regarding keystoreType and keystoreFile while substituting in the applicable .p12 filename.
NOTE: When the keystore type is changed to PKCS12, you must specify the entire path as Tomcat will no longer default to using the Tomcat home path.
7. Change the .p12 file ownership to novlwww and permissions to user=rw, group=rx and others=r.
nts32:/var/opt/novell/novlwww # chown novlwww cert.p128. Restart Tomcat
nts32:/var/opt/novell/novlwww # chmod 654 cert.p12
nts32:/var/opt/novell/novlwww # /etc/init.d/novell-tomcat5 start9. Open a web browser and go to https://ip_address:8443/nps/iManager.html
When connecting to iManager and selecting to view the certificate during the Security Alert dialog, one can see that the subject name is the server's name, the certificate has a two year expiration and there exists a Certification Path up to the tree's Organizational CA.
If there are any problems look for error messages in /var/opt/novell/tomcat5/logs/catalina.out
Change the P12 file ownership to novlwww and permissions to user=rw, group=rx and others=r.
- updated link to point to direct documentation location (of self-signed certs) vs. generic documentation site.
- updated for readability with bullets and font changes for files and iManager mouse clicks.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:3092268
- Creation Date:11-OCT-07
- Modified Date:11-SEP-15
- NovellPKIS (Certificate Server)
- SUSESUSE Linux Enterprise Server
Did this document solve your problem? Provide Feedback