17.4 Setting Up NetIdentity Authentication

Authentication to a Middle Tier Server from a Desktop Management Agent is based on a challenge-response mechanism. When a Middle Tier Server challenges an agent for authentication, it sends an X.509 certificate. The agent verifies the integrity of the certificate and whether it is trusted, and secrets are then exchanged using public-key/private-key and session-key encryption. The trust check is what ties the exchange to the genuine Middle Tier Server: an agent that accepts any certificate cannot tell the real server from another host presenting its own certificate.

During installation, a NetIdentity certificate is installed on the Middle Tier Server. On NetWare, this certificate is signed by the Certificate Authority (CA) of the tree to which the server belongs. On Windows 2000, it is a self-signed dummy certificate. Although these certificates are cryptographically valid, they are not signed by a trusted root authority and should not be trusted outside a controlled environment. By default, the Desktop Management Agent installation accepts such self-signed certificates; this is a configurable installation parameter. When deployed outside a controlled network, Middle Tier Servers must be configured with a certificate signed by a trusted root Certificate Authority, and the agents must be configured to enforce strict trust checking.

17.4.1 Configuring Middle Tier Servers with a Valid NetIdentity Certificate

If a valid SSL certificate (that is, one signed by a trusted root authority) already exists for the server, the NetIdentity authentication process can use the same certificate.

  1. If the server is a NetWare server, make a note of the key-pair name for the SSL certificate (this is the name of the certificate object as visible in ConsoleOne). For a Windows 2000 server, make a note of the friendly name of the certificate.

  2. Using a browser, bring up the NSAdmin page for the Middle Tier Server (http://ip-address/oneNet/nsadmin).

  3. In the General configuration page, set the value for the Certificate Name to the name from Step 1.

  4. Submit the change.

  5. Restart the Middle Tier Server.

If a valid SSL certificate is not present for the server, a valid X.509 certificate (that is, a certificate signed by a trusted root CA) needs to be configured for the server.

  1. Obtain a certificate signed by a trusted root CA. Follow the steps outlined in Generating a Certificate Signing Request and Installing the Root CA on the Middle Tier Server for the appropriate platform.

  2. If the key-pair name or friendly name (depending on the platform) is different from “NetIdentity”, configure the Middle Tier Server with the appropriate name. See Step 1 through Step 4 in the procedure above.

  3. Restart the Middle Tier Server.

NOTE: In either case, if the certificate was signed by a CA that is not in the workstation's list of trusted root CAs, the CA's self-signed root certificate must be imported on each workstation. For more information, see Importing a Certificate on the Windows Workstation.

17.4.2 Configuring the Desktop Management Agents to Enforce Strict Trust Verification

After the Middle Tier Server has been configured with a certificate that is signed by a trusted root CA, Desktop Management Agents can be configured to enforce strict trust verification for NetIdentity certificates. Modify the following registry key setting:

HKEY_LOCAL_MACHINE\Software\Novell\Client\Policies\NetIdentity
"Strict Trust"= dword:0x00000001

By default, the Strict Trust value is 0 (zero). If the value is absent or set to 0x0 (zero), all certificates are accepted. Setting it to 0x1 configures the Desktop Management Agents to reject certificates whose trust cannot be fully verified. Enable it only after every Middle Tier Server the agents contact presents a certificate that chains to a root the workstation trusts; otherwise the agents reject the server's challenge and authentication fails.
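The following PowerShell script is an added example and is not part of the Novell documentation or the Desktop Management product. It ties Sections 17.4.1 and 17.4.2 together: before turning on Strict Trust, it checks that the Middle Tier Server's certificate actually chains to a root in the workstation's trusted store, and only then writes the registry value from this section and reads it back. It assumes the server certificate has already been exported to a file (the path in $CertPath is an assumed placeholder), that PowerShell is available on the workstation, and that the script runs with rights to write under HKEY_LOCAL_MACHINE.

```powershell
# Added example, not Novell code. Verify the Middle Tier Server's NetIdentity
# certificate against the workstation's trusted roots, then enable Strict Trust.
#
# Assumptions: $CertPath points at an exported copy of the server certificate
# (DER or Base64 .cer); the script runs elevated so it can write to HKLM.

param(
    [string]$CertPath = 'C:\temp\middletier.cer'   # assumed path, adjust as needed
)

$RegPath = 'HKLM:\Software\Novell\Client\Policies\NetIdentity'   # key named in 17.4.2

function Test-ChainsToTrustedRoot {
    param([string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Strict Trust is about the trust anchor, so this check deliberately skips
    # revocation and stays offline-safe; add revocation checking if your policy requires it.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $ok = $chain.Build($cert)

    Write-Host ("Subject     : {0}" -f $cert.Subject)
    Write-Host ("Issuer      : {0}" -f $cert.Issuer)
    Write-Host ("Self-signed : {0}" -f ($cert.Subject -eq $cert.Issuer))

    # The default self-signed dummy certificate (Windows 2000) shows up here as
    # UntrustedRoot unless its CA was imported into Trusted Root Certification Authorities.
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("Chain status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }

    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host ("Anchor      : {0}" -f $root.Subject)
    }

    return $ok
}

function Set-NetIdentityStrictTrust {
    param([int]$Value)

    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    # REG_DWORD "Strict Trust": 1 = reject certificates whose trust cannot be fully
    # verified; 0 or absent = accept any certificate (the documented default).
    New-ItemProperty -Path $RegPath -Name 'Strict Trust' -Value $Value `
        -PropertyType DWord -Force | Out-Null

    return (Get-ItemProperty -Path $RegPath -Name 'Strict Trust').'Strict Trust'
}

if (Test-ChainsToTrustedRoot -Path $CertPath) {
    $current = Set-NetIdentityStrictTrust -Value 1
    Write-Host "Strict Trust is now set to $current."
} else {
    Write-Warning 'Certificate does not chain to a trusted root on this workstation.'
    Write-Warning 'Fix the server certificate (17.4.1) or import the issuing CA first; Strict Trust left unchanged.'
}
```

Run it once per workstation image, or against a representative workstation, for each Middle Tier Server the agents will contact. If the chain check fails on any of them, enabling Strict Trust would cause those agents to reject the server's challenge, which is why the script refuses to write the value in that case.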