Manually Creating NDS-to-NDS eDirectory Driver Certificates with ConsoleOne

  • 3578820
  • 21-Mar-2007
  • 12-Jan-2018

Environment

Novell Identity Manager 3.5.1
Novell Identity Manager 3.6.1
Novell Identity Manager 4.x

Situation

In an environment where network access between the two environments is restricted to the port on which Novell Identity Manager (IDM) communication takes place, the certificate wizard may not work properly because NCP traffic (port 524 by default) is not allowed through. In that case the certificates used by the eDirectory drivers connecting the systems on the allowed port (8196 by default) must be created manually. The certificates can also be created manually when a problem with the administration tool prevents the wizard from running properly.

Resolution

Taken Directly from the Novell Documentation.
Configuring Secure Data Transfers using ConsoleOne

Note: At this time there is no way to accomplish the same tasks using iManager. The steps will fail if you attempt them in iManager; you must use ConsoleOne.

Configuring secure data transfers using ConsoleOne includes the following tasks:

  • Creating the Key Material Objects
  • Creating a Single KMO for a Tree or

Creating the Key Material Objects

Key Material Objects (KMOs) are used in eDirectory to store certificate and public/private key data. A minimum of two KMOs (one KMO per tree) must be created for use with the DirXML Driver for eDirectory. To use a certificate from one tree in another tree, the Trusted Root certificate from the first tree's Certificate Authority must be exported for use in the second tree.

The key pair name of a KMO is the part of the eDirectory object name that appears before the dash (-). The part of the object name that appears after the dash is the eDirectory server name to which the KMO belongs. When using the name of a KMO in the driver configuration, always use the key pair name. For example, if the name of the eDirectory object is 'Driver Cert - SRV1_TAO', the key pair name is 'Driver Cert'.

Exporting the Trusted Root from a Tree

  1. In ConsoleOne®, click the Security container, then right-click the Certificate Authority object.

  2. Click Properties, then Certificates-Self-Signed Certificate.

  3. Click Export.

  4. Click File in Binary DER Format, then click Export.

Creating a Single KMO for a Tree

Using a single KMO per tree causes both sides of a channel to authenticate using a certificate issued by a common Certificate Authority. This means that one tree will need a certificate issued by the other tree. (It is also possible to use certificates signed by Certificate Authorities other than eDirectory.)

To create the KMOs, authenticate to both eDirectory trees in ConsoleOne, then complete these procedures:

  • Exporting the Trusted Root from a Tree

Export the trust root using the Certificate Authority from the first tree.

  • Creating the KMO for the First Tree

This certificate must be signed by the tree's own Certificate Authority.

  • Creating the KMO for the Second Tree

This certificate must be signed by the first tree's Certificate Authority.

NOTE: The pair of KMOs must use the same RSA key sizes to communicate.

Creating the KMO for the First Tree

  1. In ConsoleOne, right-click the container containing the eDirectory Server object on which the DirXML driver will run.

  2. Click New > Object.

  3. Click NDSPKI:Key Material, then click OK.

  4. Specify a name for the KMO object.

  5. Make sure the Standard radio button is selected in the Creation Method box, then click Next.

  6. Make sure the certificate parameters meet your needs, then click Finish.

Creating the KMO for the Second Tree

  1. In ConsoleOne, right-click the container containing the eDirectory Server object on which the DirXML driver will run.

  2. Click New > Object.

  3. Click NDSPKI:Key Material, then click OK.

  4. Specify a name for the KMO object.

  5. Click Custom, then click Next.

  6. Click External Certificate Authority (to indicate that the certificate will be generated by the first tree), then click Next.

  7. Specify the RSA key size (if applicable), then click Next.

  8. Click Next, then click Finish to generate a Certificate Signing Request (CSR).

  9. Click System Clipboard in Base64 Format, then click Save.

  10. Click the eDirectory Server object for the first tree, click Tools, then click Issue Certificate.

  11. Paste the CSR created in Step 8 into the CSR window, then click Next.

  12. Click Next to generate a certificate signed by the first tree's Certificate Authority.

  13. Click SSL or TLS to indicate that the certificate is to be used for SSL authentication, then click Next.

  14. Specify the validity period you want, then click Next.

  15. Click Finish to create the certificate.

  16. Click System Clipboard in Base64 Format, then click Save.

  17. Right-click the KMO in the second tree, click Properties, then click Certificates-Public Key Certificate.

  18. Click Import.

  19. Click Read from File.

  20. Enter the filename of the Trusted Root certificate you exported from the first tree, then click Next.

  21. Paste the certificate created by the first tree's Certificate Authority into the certificate window.

  22. Click Finish.
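Before importing the trusted root (step 20) and the issued certificate (step 21) into the second tree's KMO, it is worth checking the files on disk: that the certificate really was issued by the first tree's Certificate Authority, that both KMOs use the same RSA key size (the note above), and which part of the KMO object name goes into the driver configuration. The following script is an added example, not part of the Novell TID; it assumes the openssl command-line tool is available, and because it runs offline it constructs its own stand-ins for the exported DER trusted root and the Base64 certificates rather than using real eDirectory exports.

```shell
#!/bin/sh
# Added example, not from the Novell TID: sanity-check the artifacts the
# ConsoleOne procedure produces before they are imported into the KMO.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed stand-ins for the real artifacts: a tree 1 Organizational CA
# exported in binary DER format, a tree 1 KMO signed by its own CA, and a
# tree 2 KMO whose CSR (External Certificate Authority) was signed by tree 1.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout tree1-ca.key \
  -out tree1-ca.pem -subj "/O=TREE1/CN=Organizational CA" 2>/dev/null
openssl x509 -in tree1-ca.pem -outform DER -out TrustedRootCert.der
for kmo in "tree1-kmo:Driver Cert - SRV1" "tree2-kmo:Driver Cert - SRV2"; do
  file=${kmo%%:*}; cn=${kmo#*:}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$file.key" \
    -out "$file.csr" -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -days 365 -in "$file.csr" -CA tree1-ca.pem \
    -CAkey tree1-ca.key -CAcreateserial -out "$file.pem" 2>/dev/null
done

# Key pair name of a KMO object name: the part before the dash (the part
# after it is the server the KMO belongs to); this is the name the driver
# configuration must use.
key_pair_name() { printf '%s\n' "${1%%-*}" | sed 's/[[:space:]]*$//'; }

# RSA key size, in bits, of the certificate in PEM file $1
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
# The pair of KMOs must use the same RSA key size to communicate
same_key_size() { [ "$(key_bits "$1")" = "$(key_bits "$2")" ]; }

# Does the certificate in PEM file $2 verify against the DER trusted root $1?
chains_to_root() {
  openssl x509 -inform DER -in "$1" -out root.pem
  openssl verify -CAfile root.pem "$2" >/dev/null 2>&1
}

echo "key pair name: $(key_pair_name 'Driver Cert - SRV1_TAO')"
for f in tree1-kmo.pem tree2-kmo.pem; do
  if chains_to_root TrustedRootCert.der "$f"; then
    echo "$f: $(key_bits "$f")-bit RSA, issued by the tree 1 CA"
  else
    echo "$f: NOT issued by the tree 1 CA, revisit the CSR and issue steps"
  fi
done
same_key_size tree1-kmo.pem tree2-kmo.pem && echo "KMO key sizes match"
```

With real exports, point chains_to_root at the DER file from step 4 and the certificate saved in step 16 (converted from Base64 to PEM if needed) instead of the constructed files.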

Additional Information