G.3 Install Inter‑Server Communications Security

  1. Make sure you have fulfilled the prerequisites (see Section G.1, Fulfill the Installation Prerequisites) and gathered the information you need during installation (see Section G.2, Gather Information for Installation).

  2. On the server running iManager, start Tomcat if it is not running by entering tomcat4 at the server’s main console prompt.

  3. Run the following executable from the Novell ZENworks 7 Server Management with Support Pack 1 Program CD:

    \zfs\tedpol\sfiles\securityinstall\setup.exe
    

    This starts the Inter-Server Communications Security Installation Wizard.

    Software License Agreement page.
  4. If you agree with the Software License Agreement, click Accept, then click Next to display the Certificate Authority Information page.

    Certificate Authority Information page.
  5. Fill in the fields from the information you previously gathered:

    DNS/IP address: Enter the TCP/IP address or DNS name of the server running the ZENworks Certificate Authority (where iManager is running).

    IMPORTANT: For NetWare servers, DNS names cannot have underscores. We recommend that you use dashes instead of underscores as word separators.

    Port: This is the port number to use when communicating with iManager. It is most likely 443 if SSL is used. It can be 80 if Tomcat is integrated with a Web server, or 8080 if not.

    Use SSL: By default, this check box is selected. Deselect it only if iManager is not listening on SSL. Without SSL, the iManager username and password entered below, and the certificate-signing traffic that follows, are sent to the Certificate Authority server over plain HTTP, where anyone on the network path can read them.

    iManager username: Enter the iManager name (excluding context) of a user with rights to iManager. Installation halts if the username cannot authenticate. This username/password combination grants access to the Certificate Authority server’s signing functionality, so use an account that has only the rights needed for that.

    iManager password: Specify the iManager password of the user with rights to iManager.

  6. When finished with the Certificate Authority Information page, click Next to display the Target Server Identification page.

    If the wizard cannot validate the Certificate Authority server’s SSL certificate (for example, because that certificate is not yet trusted on the workstation running the wizard), the following dialog box is displayed:

    Accept Certificate dialog box.

    Before clicking Yes, confirm that the certificate shown belongs to the server you entered in Step 5: accepting it sends the iManager username and password to whichever host presented that certificate. Click Yes to continue with the Target Server Identification page.
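The following pre-flight check is an added example and is not part of the ZENworks wizard or of iManager. It applies the rules on the Certificate Authority Information page to the values you intend to enter (underscores in a DNS name, a port that does not match the Use SSL choice, credentials that would travel in cleartext) and, for an SSL connection, retrieves the server certificate's SHA-1 fingerprint so that you can compare it with the certificate details the Accept Certificate dialog box presents (the page does not describe exactly what that dialog shows). The function names, the warning texts and the sample PEM are assumptions made for this example; the network function assumes a modern Python ssl module, which may refuse the older protocol versions a Tomcat 4 server offers.

```python
"""Added example, not ZENworks code: pre-flight check for the Certificate
Authority Information page of the Inter-Server Communications Security wizard."""
import base64
import hashlib
import socket
import ssl


def check_ca_settings(address, port, use_ssl):
    """Return a list of warnings for the DNS/IP address, port and Use SSL
    values entered in Step 5 (warning texts are this example's own)."""
    warnings = []
    if "_" in address:
        warnings.append("DNS name contains an underscore; NetWare servers "
                        "cannot use it, use dashes as word separators")
    if use_ssl and port in (80, 8080):
        warnings.append(f"port {port} is a plain-HTTP port for Tomcat but "
                        "Use SSL is selected; expected 443")
    if not use_ssl:
        if port == 443:
            warnings.append("port 443 is the SSL port but Use SSL is deselected")
        warnings.append("Use SSL deselected: the iManager username and "
                        "password will be sent to the CA server in cleartext")
    return warnings


def pem_to_der(pem):
    """Decode the base64 body of a single PEM certificate into DER bytes."""
    body = "".join(line for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def sha1_fingerprint(der):
    """Colon-separated SHA-1 fingerprint of a DER certificate."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_fingerprint(address, port, timeout=5.0):
    """Connect with verification disabled (we only want to see the certificate,
    not trust it yet) and return the peer certificate's SHA-1 fingerprint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=address) as tls:
            return sha1_fingerprint(tls.getpeercert(binary_form=True))


# Constructed sample: these bytes stand in for a DER certificate so the
# PEM/fingerprint helpers can be exercised offline.
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    for w in check_ca_settings("zen_ca.example.com", 8080, True):
        print("WARNING:", w)
    print("sample fingerprint:", sha1_fingerprint(pem_to_der(SAMPLE_PEM)))
    # Against a live server you would run, for example:
    # print(fetch_fingerprint("zen-ca.example.com", 443))
```

Run the script against the values you plan to type into the wizard before starting it; if it reports a fingerprint, write it down and compare it with what the Accept Certificate dialog box shows before you click Yes.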

    Target Server Identification page.
  7. Click a radio button to use one of the following methods for selecting server IP addresses or DNS names:

    • List  

      You can make three types of entries in this field:

      • IP addresses of servers

      • DNS names of servers

      • Delimited ASCII file of server IP addresses and/or DNS names

        For this option, you can access the following dialog box to fill in the field:

        Import Server List dialog box.
        1. Browse for and select the delimited ASCII text file containing the list of IP addresses and/or DNS names that you previously created (see Section G.2, Gather Information for Installation).

        2. Click the down arrow button for the File Delimiter field.

          You can use only one of the following delimiter characters in the text file that lists your servers’ addresses:

             • semicolon (;)
             • colon (:)
             • comma (,)
             • forward slash (/)
             • backslash (\)
             • pipe (|)
             • carriage return
             • carriage return line feed
             • tab

        3. Select the character (which must be valid for the whole file).

        4. Click OK.

        All of the addresses contained in the text file are available to add into the Target servers list box.

        IMPORTANT: For NetWare servers, DNS names cannot have underscores. We recommend that you use dashes instead of underscores as word separators.

        In the Target servers list box, you can remove unwanted IP addresses and DNS names from those that you import from the file.

    • Wildcard  

      You can use the multiple-character (*) or single-character (?) wildcards in any IP address field. Any numbers you enter are exactly matched.

      The * wildcard character can only be used by itself in a field, meaning any number from 0 to 255 is matched. You cannot use the * and ? wildcard characters in the same field.

      The ? wildcard character can be used in place of a number, and any number found between 0 and 9 is considered a match. However, the ? character cannot be used consecutively. For example, ?3, 3?, 3?3, ?3?, ?33, and 33? are all valid; but, ??3 and 3?? are not valid.

      For example:

      10.1?.10.*
      

      could return the following IP addresses:

      • 10.10.10.0 through 10.10.10.255
      • 10.11.10.0 through 10.11.10.255
      • 10.12.10.0 through 10.12.10.255
      • 10.13.10.0 through 10.13.10.255

      and so on, where the two uses of 10 are exactly matched, 1? matches any numbers from 10 through 19, and * matches any numbers from 0 through 255.

      In the Target servers list box you can remove unwanted IP addresses from the list that you create using wildcard characters.

    • Range  

      Specify an IP address range. Wildcards cannot be used with this method.

      All servers having IP addresses within the given range are available for adding to the list.

      In the Target servers list box you can remove unwanted IP addresses from the list that you create using a range.

    Any server having an IP address matching the patterns you provide is available for adding to the list.

  8. Click Add servers to add your selected servers to the Target servers list box.

    If you see IP addresses in the list that you do not want to include, select the IP addresses, then click Remove. You can use the Ctrl and Shift keys to select multiple addresses for removal.

  9. Repeat Step 7 and Step 8 as necessary for each method you use to add servers to the list.

    You can use all three methods, one at a time, to fill in the Target servers list box.
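The checker below is an added example, not code from the ZENworks wizard. It reproduces the three Target Server Identification methods described in Step 7 (a delimited ASCII file, wildcard patterns with the rules for * and ?, and an address range) so that a server list can be validated and expanded offline before it is imported, and it flags NetWare DNS names that contain underscores. The function names, the delimiter table and the sample file contents are assumptions made for this example; it expands a wildcard pattern to every address it could return, whereas the wizard only offers the servers that actually exist.

```python
"""Added example, not ZENworks code: validate and expand the List, Wildcard and
Range entries of the Target Server Identification page before importing them."""
import ipaddress
import itertools
import re

# The wizard accepts exactly one of these delimiters per imported file.
FILE_DELIMITERS = {
    "semicolon": ";", "colon": ":", "comma": ",", "forward slash": "/",
    "backslash": "\\", "pipe": "|", "carriage return": "\r",
    "carriage return line feed": "\r\n", "tab": "\t",
}

# Constructed sample of an imported, semicolon-delimited server list.
SAMPLE_FILE = "10.1.1.5;zen-srv1.example.com;zen_srv2.example.com;;10.1.1.9"


def parse_server_file(text, delimiter):
    """Split an imported ASCII list on its single delimiter; drop empty entries."""
    if delimiter not in FILE_DELIMITERS.values():
        raise ValueError(f"unsupported delimiter: {delimiter!r}")
    return [e.strip() for e in text.split(delimiter) if e.strip()]


def netware_name_ok(name):
    """NetWare servers cannot use DNS names that contain underscores."""
    return "_" not in name


def validate_field(field):
    """One dotted field of a wildcard pattern, following the wizard's rules:
    '*' only by itself, never '*' and '?' together, never consecutive '?',
    and a plain number must be 0-255."""
    if field == "*":
        return True
    if "*" in field or "??" in field:
        return False
    if not re.fullmatch(r"[0-9?]{1,3}", field):
        return False
    return "?" in field or int(field) <= 255


def field_values(field):
    """Octet values matched by one field ('?' stands for exactly one digit)."""
    if field == "*":
        return list(range(256))
    if "?" not in field:
        return [int(field)]
    return [n for n in range(256)
            if len(str(n)) == len(field)
            and all(f in ("?", c) for f, c in zip(field, str(n)))]


def expand_wildcard(pattern):
    """Every address a validated wildcard pattern could return."""
    fields = pattern.split(".")
    if len(fields) != 4 or not all(validate_field(f) for f in fields):
        raise ValueError(f"invalid wildcard pattern: {pattern}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*(field_values(f) for f in fields))]


def expand_range(start, end):
    """Range method: every address from start to end inclusive. Wildcards
    are rejected because ipaddress refuses to parse them."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if b < a:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(a), int(b) + 1)]


def build_target_list(file_text, delimiter, wildcards=(), ranges=()):
    """Combine the three methods into one de-duplicated list, as the Target
    servers list box does, and return the NetWare-unfriendly names with it."""
    targets = parse_server_file(file_text, delimiter)
    for pattern in wildcards:
        targets += expand_wildcard(pattern)
    for start, end in ranges:
        targets += expand_range(start, end)
    bad_names = [t for t in targets if not netware_name_ok(t)]
    return list(dict.fromkeys(targets)), bad_names


if __name__ == "__main__":
    targets, bad = build_target_list(
        SAMPLE_FILE, ";", wildcards=["10.1?.10.*"],
        ranges=[("192.168.1.250", "192.168.2.3")])
    print(f"{len(targets)} candidate targets; names to fix: {bad}")
```

The pattern from the Wildcard description, 10.1?.10.*, expands to the 2,560 addresses 10.10.10.0 through 10.19.10.255; anything the wizard's rules forbid (for example ??3 or *3 in a field) raises ValueError instead of silently matching.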

  10. Click Next when finished adding your servers’ IP addresses to the list box to view the Summary page.

    Summary page.
  11. Select the Pause signing when necessary to display messages and report errors check box if you want to view detailed messages as signing errors are encountered.

    This causes the process to pause on an error. You can then click the View Log button to review the error information. The log also lists information for each success. It is stored as \zfs\security.txt in the user’s home directory (such as c:\documents and settings\administrator) on the workstation being used to install the security.

  12. On the Summary page, review the IP addresses and DNS names listed for correctness.

    To make changes, click Back.

    If you click Cancel here, the information you gathered on the Target Server Identification page is not saved.

    For servers where an error is encountered, the information is listed in a log file so that you can rerun the wizard for those servers. To view the log file, click View log on the Certificate Signing page.

  13. To begin signing the certificates on each listed server, click Finish.

    Signing is done sequentially, one server at a time. The signing progress is displayed for each server, as shown in the following examples:

    Certificate Signing Process dialog box, showing first certificate being signed.
    Certificate Signing Process dialog box, showing next certificate being signed.
  14. If you receive a general I/O error for an instance of iManager running on a Linux or Solaris server, that instance of iManager cannot use XMLRPC until the permissions on its JRE security directory are corrected. To set the correct permissions so that the installation program can continue, do the following on the server where iManager is running:

    1. To set the group on the /opt/novell/java/jre/lib/security directory to novlwww, enter the following shell command:

      chown root:novlwww /opt/novell/java/jre/lib/security
      
    2. To give that group write access to the directory, enter:

      chmod 775 /opt/novell/java/jre/lib/security
      

      Confirm the result by listing the directory’s owner, group and mode (for example with ls -ld on that path). Note that this makes the JRE’s security directory, which holds the Java trust store and security policy files, writable by every member of the novlwww group; do not widen the mode beyond 775.

      Certificate signing continues.

  15. One of two dialog boxes is displayed during or at the conclusion of certificate signing:

    • Continue: This dialog box is displayed if the Pause signing when necessary to display messages and report errors option is selected and an error is encountered. The following buttons are available:

      Back: Lets you make corrections on previous wizard pages or visit the server to fix the problem, then click Finish to continue.

      No: Returns you to the Certificate Signing page, where you can view the error information for the offending server by clicking the View log button.

      Yes: Logs the error and continues with signing the rest of the certificates.

    • Certificate signing progress: This dialog box indicates that the signing session has completed and whether any errors occurred. The following buttons are available:

      No: Exits both the dialog box and the wizard.

      Yes: Opens the Log window, where you can do the following:

      • Click Save to save the log file for future use. It lists all machines that were processed, including information for both successes and failures in signing certificates.

      • Click Close to exit both the dialog box and the wizard.

    IMPORTANT: If you click Cancel before all servers have had their certificates signed, the signing process stops and does not finish. However, the certificates for all servers processed so far remain signed.

  16. If you selected to view the installation error log, it is displayed in your default text file viewer:

    Log file (named security.txt) displayed in Notepad.

    After all certificates have been signed, servers whose certificates were signed by this Certificate Authority can communicate securely with each other across otherwise unsecured connections, but only after you enable the security.

  17. To enable the security, continue with Section G.4, Enable Inter‑Server Communications Security.