Environment
NetIQ Identity Manager Roles Based Provisioning Module 4.0.2 running on a linux server
Situation
How to you secure the connection to the Identity Manager 4.0.2 Role Based Provisioning Module (User Application) main page using your Tree Certificate Authority?
Resolution
1) Export the Certificate Authority from your eDirectory server using iManager
a. Go to: http://[IPAddressOfServer:PORT]/nps For Example: https://1.1.1.1:8443/nps
b. Login with eDirectory admin username, password and the treename or ip address of your IDM server.
c. Go to Directory Administration role > Modify Object task
d. Browse to the CA object in the Security container called CA.Security (Ex: TestIDM-tree CA.Security)
e. Click the Certificates tab > Self Signed Certificate sub tab
f. Check “Self Signed Certificateâ€
g. Click Export
h. Uncheck for "Export private keyâ€
i. Leave the Export format "DER"> Click Next.
j. Click "Save the exported certificate to a file.†> then click the Save File button.
k. Save the file in /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ and save the certificate as treename-CA.der (Example: TestIDM-tree-CA.der) .
l. Click Close.
2) Export idm java to your path temporarily. You should point to the version of java you are using with IDM RBPM. In a new IDM 4.0.2 install it is likely using /opt/novell/idm/jre/bin. However if you are on current patches and have upgraded to Java 1.7 it will be using a different Java version. If you followed the instructions correctly during the upgrade process, you can look in one of several locations to find the java version you are using. One way is in the configupdate.sh file. At the beginning of the big long command it will point to a java version. Or another way may be to look in the /etc/init.d/jboss_init in the JAVAPTH statement. Then execute a path statement in your terminal window so the bin directory in the java version you are using.
Something like this: export PATH=$PATH:/opt/novell/idm/jre/bin/
Or this: export PATH=$PATH:/opt/novell/idm/jre1.7.0_51/bin/
3) Change to your rbpm conf directory
In the same terminal window execute:
cd /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/
4)Create a keystore
A few important Key points:
-When asked for your first and last name you should supply the fully qualified DNS name of server for example... TestIDM.lab.novell.com
-Spelling is very important, if things are incorrectly spelled in these step you will receive errors when generating your signed certificate from the signing authority.
-Always a good idea to save a copy of the information you supplied in a simple text file, this comes in handy when you apply to the signing authority and when importing your certificate, this will ensure you are supplying the same information.
From the terminal window in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory execute:
keytool -genkey -alias [keystore name] -keyalg RSA -keystore [your keystore name.keystore] -validity 3650
Example: keytool -genkey -alias idm -keyalg RSA -keystore idm.keystore -validity 3650
You will be prompted for your password,
Enter keystore password: password
You will be prompted for first and last name. Enter the full DNS server name. For Example:
What is your first and last name?
[Unknown]: TestIDM.lab.novell.com
You will be prompted for your orginzational unit, organization, City, State & Country. Enter values for them. Then confirm your answers. For Example:
What is the name of your organizational unit?
[Unknown]: NTS
What is the name of your organization?
[Unknown]: NetIQ
What is the name of your City or Locality?
[Unknown]: Provo
What is the name of your State or Province?
[Unknown]: Utah
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=TestIDM.lab.novell.com, OU=NTS, O=NetIQ, L=Provo, ST=Utah, C=US correct?
[no]: yes
Enter key password for <idm>
(RETURN if same as keystore password): password
5) In your /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory, create a simple text file to store your keystore .csr file. From the terminal window in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory execute:
touch certreq.csr
6) Next create the certificate request in certreq.csr by executing:
keytool -certreq -v -alias [Keystore name you created when creating your keystore] -file [your.csr] -keypass [password you created in keystore] -keystore [your.keystore] -storepass [your password]
For Example: keytool -certreq -v -alias idm -file certreq.csr -keypass password -keystore idm.keystore -storepass password
You should see the following message:
Certificate request stored in file<certreq.csr>
Submit this to your CA
7) Issue a certificate using iManager
a. Go to (Novell) Certificate Server ---> Issue Certificate
b. Browse the certreq.csr file created on step 6)
c. Leave “Unspecified†selected as the Key type, and the rest of the default settings, Click Next.
d. Leave the defaults on the constraints, Click Next.
e. Change the Validity Period to Maximum, then Click Next.
f. Leave Save to “file in binary DER format†selected, and Click Next
g. Click Finish. Then click Download the issued certificate, and click the Save File button and save in DER format as certreq.der in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory.
8) Import your Root CA
IMPORTANT:
**The treename-CA.der is the cert that you exported on step 1) in .der format
**Make sure you specify "root" as your alias in this step
From the terminal window in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory execute:
keytool -import -trustcacerts -alias root -keystore [your.keystore] -file [treename-CA.der]
For Example: keytool -import -trustcacerts -alias root -keystore idm.keystore -file TestIDM-tree-CA.der
You will be prompted to enter the password.
Enter keystore password: password
You may receive a message:
Certificate already exists in the system-wide CA keystore under alias <o=TestIDM-tree, ou=organizational ca>
Do you still want to add it to your own keystore [no]: yes
If all goes well you should see a "Certificate was added to keystore" message.
9) Import your "Signed" certificate.
From the terminal window in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory execute:
keytool -import -alias [alias you used when creating the .csr] -keystore [your.keystore] -file certreq.der
For Example: keytool -import -alias idm -keystore idm.keystore -file certreq.der
You will be prompted to enter the password.
Enter keystore password: password
If all goes well you should receive "Certificate reply was installed in keystore"
10) To verify the signed certificate was imported correctly from the terminal window in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory execute:
keytool -list -v -alias idm -keystore idm.keystore
You should see your self signed and signed certificates listed in the output.
11) Enable SSL in JBoss
a. Change to /opt/novell/idm/rbpm/jboss/server/IDMProv/deploy/jbossweb.sar
cd /opt/novell/idm/rbpm/jboss/server/IDMProv/deploy/jbossweb.sar
b. Edit the server.xml file in /opt/novell/idm/rbpm/jboss/server/IDMProv/deploy/jbossweb.sar
vi server.xml
c. Enable SSL by adding the following section, or uncommenting and modifying the similar section under the SSL/TLS Connector Configuration section:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
maxThreads="150" strategy="ms"
keystoreFile="${jboss.server.home.dir}/conf/idm.keystore"
keystorePass="password"
sslProtocol="TLS"/>
**Note 1: Remember to point "keystoreFile" to the keystore you created. example: ${jboss.server.home.dir}/conf/server.keystore
**Note 2: Remember to change the keystorePass="password" to your keystore password
9) Restart your JBoss Server and test
/etc/init.d/jboss_init restart
When restarting the JBoss Server you should see the server running on ports 8180 and 8443
16:35:51,062 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8180
16:35:51,343 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8109
16:35:51,359 INFO [JkMain] Jk running ID=0 time=0/156 config=null
16:35:51,375 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-84 43 (or 8543, see Additional notes below)
16:35:51,390 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build: CVSTag=JBoss_4
_0_2 date=200505022023)] Started in 1m:32s:94ms
Additional Notes:
- You can access the secure connection at https://IPAddressOfServer:8443/IDMProv
- If you have iManager running on the same server, which uses 8443 by default in most installs, the secure IDMProv port will be “rolled up†to 8543. You can change this to a different port in the server.xml if you desire so it does not get “rolled upâ€.
a. Go to: http://[IPAddressOfServer:PORT]/nps For Example: https://1.1.1.1:8443/nps
b. Login with eDirectory admin username, password and the treename or ip address of your IDM server.
c. Go to Directory Administration role > Modify Object task
d. Browse to the CA object in the Security container called CA.Security (Ex: TestIDM-tree CA.Security)
e. Click the Certificates tab > Self Signed Certificate sub tab
f. Check “Self Signed Certificateâ€
g. Click Export
h. Uncheck for "Export private keyâ€
i. Leave the Export format "DER"> Click Next.
j. Click "Save the exported certificate to a file.†> then click the Save File button.
k. Save the file in /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ and save the certificate as treename-CA.der (Example: TestIDM-tree-CA.der) .
l. Click Close.
2) Export idm java to your path temporarily. You should point to the version of java you are using with IDM RBPM. In a new IDM 4.0.2 install it is likely using /opt/novell/idm/jre/bin. However if you are on current patches and have upgraded to Java 1.7 it will be using a different Java version. If you followed the instructions correctly during the upgrade process, you can look in one of several locations to find the java version you are using. One way is in the configupdate.sh file. At the beginning of the big long command it will point to a java version. Or another way may be to look in the /etc/init.d/jboss_init in the JAVAPTH statement. Then execute a path statement in your terminal window so the bin directory in the java version you are using.
Something like this: export PATH=$PATH:/opt/novell/idm/jre/bin/
Or this: export PATH=$PATH:/opt/novell/idm/jre1.7.0_51/bin/
3) Change to your rbpm conf directory
In the same terminal window execute:
cd /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/
4)Create a keystore
A few important Key points:
-When asked for your first and last name you should supply the fully qualified DNS name of server for example... TestIDM.lab.novell.com
-Spelling is very important, if things are incorrectly spelled in these step you will receive errors when generating your signed certificate from the signing authority.
-Always a good idea to save a copy of the information you supplied in a simple text file, this comes in handy when you apply to the signing authority and when importing your certificate, this will ensure you are supplying the same information.
From the terminal window in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory execute:
keytool -genkey -alias [keystore name] -keyalg RSA -keystore [your keystore name.keystore] -validity 3650
Example: keytool -genkey -alias idm -keyalg RSA -keystore idm.keystore -validity 3650
You will be prompted for your password,
Enter keystore password: password
You will be prompted for first and last name. Enter the full DNS server name. For Example:
What is your first and last name?
[Unknown]: TestIDM.lab.novell.com
You will be prompted for your orginzational unit, organization, City, State & Country. Enter values for them. Then confirm your answers. For Example:
What is the name of your organizational unit?
[Unknown]: NTS
What is the name of your organization?
[Unknown]: NetIQ
What is the name of your City or Locality?
[Unknown]: Provo
What is the name of your State or Province?
[Unknown]: Utah
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=TestIDM.lab.novell.com, OU=NTS, O=NetIQ, L=Provo, ST=Utah, C=US correct?
[no]: yes
Enter key password for <idm>
(RETURN if same as keystore password): password
5) In your /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory, create a simple text file to store your keystore .csr file. From the terminal window in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory execute:
touch certreq.csr
6) Next create the certificate request in certreq.csr by executing:
keytool -certreq -v -alias [Keystore name you created when creating your keystore] -file [your.csr] -keypass [password you created in keystore] -keystore [your.keystore] -storepass [your password]
For Example: keytool -certreq -v -alias idm -file certreq.csr -keypass password -keystore idm.keystore -storepass password
You should see the following message:
Certificate request stored in file<certreq.csr>
Submit this to your CA
7) Issue a certificate using iManager
a. Go to (Novell) Certificate Server ---> Issue Certificate
b. Browse the certreq.csr file created on step 6)
c. Leave “Unspecified†selected as the Key type, and the rest of the default settings, Click Next.
d. Leave the defaults on the constraints, Click Next.
e. Change the Validity Period to Maximum, then Click Next.
f. Leave Save to “file in binary DER format†selected, and Click Next
g. Click Finish. Then click Download the issued certificate, and click the Save File button and save in DER format as certreq.der in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory.
8) Import your Root CA
IMPORTANT:
**The treename-CA.der is the cert that you exported on step 1) in .der format
**Make sure you specify "root" as your alias in this step
From the terminal window in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory execute:
keytool -import -trustcacerts -alias root -keystore [your.keystore] -file [treename-CA.der]
For Example: keytool -import -trustcacerts -alias root -keystore idm.keystore -file TestIDM-tree-CA.der
You will be prompted to enter the password.
Enter keystore password: password
You may receive a message:
Certificate already exists in the system-wide CA keystore under alias <o=TestIDM-tree, ou=organizational ca>
Do you still want to add it to your own keystore [no]: yes
If all goes well you should see a "Certificate was added to keystore" message.
9) Import your "Signed" certificate.
From the terminal window in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory execute:
keytool -import -alias [alias you used when creating the .csr] -keystore [your.keystore] -file certreq.der
For Example: keytool -import -alias idm -keystore idm.keystore -file certreq.der
You will be prompted to enter the password.
Enter keystore password: password
If all goes well you should receive "Certificate reply was installed in keystore"
10) To verify the signed certificate was imported correctly from the terminal window in the /opt/novell/idm/rbpm/jboss/server/IDMProv/conf/ directory execute:
keytool -list -v -alias idm -keystore idm.keystore
You should see your self signed and signed certificates listed in the output.
11) Enable SSL in JBoss
a. Change to /opt/novell/idm/rbpm/jboss/server/IDMProv/deploy/jbossweb.sar
cd /opt/novell/idm/rbpm/jboss/server/IDMProv/deploy/jbossweb.sar
b. Edit the server.xml file in /opt/novell/idm/rbpm/jboss/server/IDMProv/deploy/jbossweb.sar
vi server.xml
c. Enable SSL by adding the following section, or uncommenting and modifying the similar section under the SSL/TLS Connector Configuration section:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
maxThreads="150" strategy="ms"
keystoreFile="${jboss.server.home.dir}/conf/idm.keystore"
keystorePass="password"
sslProtocol="TLS"/>
**Note 1: Remember to point "keystoreFile" to the keystore you created. example: ${jboss.server.home.dir}/conf/server.keystore
**Note 2: Remember to change the keystorePass="password" to your keystore password
9) Restart your JBoss Server and test
/etc/init.d/jboss_init restart
When restarting the JBoss Server you should see the server running on ports 8180 and 8443
16:35:51,062 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8180
16:35:51,343 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8109
16:35:51,359 INFO [JkMain] Jk running ID=0 time=0/156 config=null
16:35:51,375 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-84 43 (or 8543, see Additional notes below)
16:35:51,390 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build: CVSTag=JBoss_4
_0_2 date=200505022023)] Started in 1m:32s:94ms
Additional Notes:
- You can access the secure connection at https://IPAddressOfServer:8443/IDMProv
- If you have iManager running on the same server, which uses 8443 by default in most installs, the secure IDMProv port will be “rolled up†to 8543. You can change this to a different port in the server.xml if you desire so it does not get “rolled upâ€.