
Using Java SSL (JSSE) with the DirXML eDirectory Driver

This document (7011721) is provided subject to the disclaimer at the end of this document.

Environment


NetIQ Identity Manager Driver - NDS / eDirectory

Situation

The NDS certificate wizard errors out when trying to create the certificates to secure the channel on an eDirectory driver.
Is there another way to secure the channel on an eDirectory driver?

Resolution

Using Java SSL (JSSE) with the DirXML eDirectory Driver.

Setting up the DirXML eDir driver to use JSSE consists of two steps:
1. Create a server certificate in a Java keystore file.
2. Set up the Remote Loader connection parameters string on the DirXML Engine side so that the keystore file is used rather than a KMO.
The tasks are presented in detail below.

Note that task 1 as detailed below assumes that your organizational policy regarding the use of certificates does not require you to use certificates generated by NPKI or some other organizational certificate authority. If this is not the case, see Appendix A for details on how to create a server certificate in a Java keystore file using an NPKI-generated certificate.

The tools used to complete the tasks are the Java keytool program and Novell's iManager. You can obtain keytool either by downloading the Java JRE or by using the JRE that comes with DirXML or NetWare.

For more information on keytool see http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html
 
Tasks
1. Create a server certificate in a Java keystore file
a. Generate a key pair in the keystore:
i. keytool -genkey -alias dirxml_key -keyalg RSA -keysize 2048 -dname "cn=dirxml" -keypass <password> -keystore <filename> -storepass <password>
ii. example: keytool -genkey -alias dirxml_key -keyalg RSA -keysize 2048 -dname "cn=dirxml" -keypass novell -keystore dirxml.keystore -storepass novell
iii. Note that the password for -keypass and the password for -storepass must be the same.
b. Create a self-signed certificate for that key pair:
i. keytool -selfcert -alias dirxml_key -keypass <password> -keystore <filename> -storepass <password>
ii. example: keytool -selfcert -alias dirxml_key -keypass novell -keystore dirxml.keystore -storepass novell
2. Set up the eDirectory Driver Parameters to use the keystore file instead of a KMO
a. For both servers in the eDirectory-to-eDirectory connection, do the following:
i. Copy the keystore file created in task 1 to somewhere relatively secure on the server.
ii. Paste the contents of keystore_options_single.xml to the Driver Parameters XML on the DirXML | Driver Configuration tab of the Property Page for the DirXML driver object.
1. In ConsoleOne this is done on the Driver Parameters Xml subtab.
2. In iManager this is done by pressing the Edit XML button under the Driver Parameters Label.
iii. Exit and re-enter the driver Property page.
iv. Edit the Driver Parameters
1. Set Name of keystore file to the full pathname on the server of the keystore file created in task 1.
2. Set the Name of certificate (key alias) to the alias used in task 1.
3. Set the Certificate password (key password) to the password used in task 1.
4. Leave Subscriber acts as server for SSL handshake ('yes' or 'no') as no.
5. Leave Disable mutual authentication ('yes' or 'no') as no.
v. Clear the Authentication ID field (where the KMO name would normally go).
vi. Save the changes and restart the driver.

Appendix A

Create an NPKI certificate in a Java keystore file
b. Export the self-signed certificate from your tree's Certificate Authority in base-64 format.
i. In iManager, select the eDirectory Administration/Modify Object task.
ii. Browse to your tree’s Certificate Authority. Click OK.
iii. Click on the Certificates tab.
iv. Click on Self Signed Certificate
v. Click on the Export button.
vi. In response to the question Do you want to export the private key with the certificate? select No and click Next.
vii. Select File in Base64 format and click Next.
viii. Click on Save the exported certificate to a file.
ix. Steps are similar if using ConsoleOne instead of iManager.
c. Import your tree’s self signed certificate into a new keystore file:
i. keytool -import -file <name of cert file> -trustcacerts -noprompt -keystore <filename> -storepass <password>
ii. example: keytool -import -file tree_ca_root.b64 -trustcacerts -noprompt -keystore dirxml.keystore -storepass novell
d. Generate a key pair in the keystore:
i. keytool -genkey -alias dirxml_key -keyalg RSA -keysize 2048 -dname "<dn of your server>" -keypass <password> -keystore <filename> -storepass <password>
ii. example: keytool -genkey -alias dirxml_key -keyalg RSA -keysize 2048 -dname "cn=perin_nt1-tao.o=novell.t=perin-tao" -keypass novell -keystore dirxml.keystore -storepass novell
iii. Create a certificate signing request for the key pair just generated:
iv. keytool -certreq -alias dirxml_key -file <name of CSR file> -keypass <password> -keystore <filename> -storepass <password>
v. example: keytool -certreq -alias dirxml_key -file certreq.b64 -keypass novell -keystore dirxml.keystore -storepass novell

Additional Information

---------------- Contents of the keystore_options_single.xml file are below this line.  ----------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<!--  this file contains options information for the eDirectory driver
        these options are only necessary if using JSSE based SSL
        and you are using the same keystore and certificate for both
        Subscriber and Publisher channels
-->
<driver-config name="Nds to Nds Driver">
    <driver-options>
        <keystore-name    display-name="Name of keystore file"></keystore-name>
        <server-key-alias    display-name="Name of certificate (key alias)"></server-key-alias>
        <server-key-password display-name="Certificate password (key password)"></server-key-password>
        <reverse-handshake display-name="Subscriber acts as server for SSL handshake ('yes' or 'no')">no</reverse-handshake>
        <disable-mutual-authentication display-name="Disable mutual authentication ('yes' or 'no') - only used if acting as server">no</disable-mutual-authentication>
    </driver-options>
</driver-config>
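The driver-options fragment above is pasted in by hand, so it is easy to leave a value empty, point keystore-name at a relative path, or turn off mutual authentication without noticing. The following pre-flight check is an added example, not code from the TID or from NetIQ: it parses the fragment with the Python standard library, verifies the three values task 2 tells you to fill in, and reports settings that weaken the TLS channel. The keystore path, alias and password in the embedded sample are constructed values; the file-permission check assumes a POSIX server and is skipped elsewhere.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the TID's keystore_options_single.xml with the values an
# administrator would fill in after task 2 (path, alias and password are made up).
SAMPLE_OPTIONS = """<?xml version="1.0" encoding="UTF-8" ?>
<driver-config name="Nds to Nds Driver">
    <driver-options>
        <keystore-name display-name="Name of keystore file">/var/opt/novell/dirxml/dirxml.keystore</keystore-name>
        <server-key-alias display-name="Name of certificate (key alias)">dirxml_key</server-key-alias>
        <server-key-password display-name="Certificate password (key password)">novell</server-key-password>
        <reverse-handshake display-name="Subscriber acts as server for SSL handshake ('yes' or 'no')">no</reverse-handshake>
        <disable-mutual-authentication display-name="Disable mutual authentication ('yes' or 'no') - only used if acting as server">no</disable-mutual-authentication>
    </driver-options>
</driver-config>
"""

# Constructed weak variant: relative keystore path and mutual authentication disabled.
WEAK_OPTIONS = SAMPLE_OPTIONS.replace(
    "/var/opt/novell/dirxml/dirxml.keystore", "dirxml.keystore"
).replace(">no</disable-mutual-authentication>", ">yes</disable-mutual-authentication>")

REQUIRED = ("keystore-name", "server-key-alias", "server-key-password")
YES_NO = ("reverse-handshake", "disable-mutual-authentication")


def parse_driver_options(xml_text):
    """Return {element tag: text} for every child of <driver-options>."""
    root = ET.fromstring(xml_text)
    opts = root.find("driver-options")
    if opts is None:
        raise ValueError("no <driver-options> element in driver-config")
    return {child.tag: (child.text or "").strip() for child in opts}


def check_driver_options(options, check_file=True):
    """Return a list of findings; an empty list means the options look sane.

    check_file=True additionally verifies that the keystore exists on this
    server and, on POSIX, that it is not readable by group/other (it holds the
    driver's private key).
    """
    findings = []
    for tag in REQUIRED:
        if not options.get(tag):
            findings.append("%s is empty; the driver cannot load its key without it" % tag)
    for tag in YES_NO:
        if options.get(tag, "").lower() not in ("yes", "no"):
            findings.append("%s must be 'yes' or 'no', got %r" % (tag, options.get(tag)))
    if options.get("disable-mutual-authentication", "").lower() == "yes":
        findings.append("mutual authentication is disabled: the remote driver is no longer "
                        "required to present a certificate during the handshake")
    path = options.get("keystore-name", "")
    if path and not os.path.isabs(path):
        findings.append("keystore-name %r is not the full pathname on the server" % path)
    if check_file and path and os.path.isabs(path):
        if not os.path.isfile(path):
            findings.append("keystore file %s does not exist on this server" % path)
        elif os.name == "posix":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("keystore %s is accessible to group/other (mode %04o); "
                                "restrict it to the account running the DirXML engine" % (path, mode))
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_OPTIONS), ("weak", WEAK_OPTIONS)):
        findings = check_driver_options(parse_driver_options(text), check_file=False)
        print("%s: %s" % (label, "OK" if not findings else ""))
        for f in findings:
            print("  - " + f)
```

Run it against the XML you are about to paste into the Driver Parameters (read the file and pass its contents to parse_driver_options) on each of the two servers, with check_file=True once the keystore from task 1 has been copied into place; the "does not exist" and permission findings are exactly the two mistakes that otherwise only show up as a failed driver start.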

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7011721
  • Creation Date: 29-JAN-13
  • Modified Date: 29-JAN-13
  • NetIQ Identity Manager
