How to clear the Security Alert window when browsing to iManager

  • 7000444
  • 21-May-2008
  • 18-Feb-2015

Environment

Novell iManager 2.7
Novell iManager 2.6
Novell Apache on NetWare 2.0.48
Novell SUSE Linux Enterprise Server 10
Novell Open Enterprise Server (Linux based)
Novell Open Enterprise Server (NetWare based)
Novell Certificate Server (PKIS)

Situation

When browsing to iManager 2.x a Security Alert window appears.

Resolution

The Security Alert window may warn on any of the following:

1. The security certificate was issued by a company you have not chosen to trust.
2. The security certificate has expired or is not yet valid.
3. The name on the security certificate is invalid or does not match the name of the site.



iManager uses Apache to help serve the page, and Apache uses a certificate for security. A server certificate is signed by a Certificate Authority, which is also known as the Root Certificate Authority. A web browser contains a certificate store where it keeps all of the certificates it trusts, such as Root Certificate Authorities, Intermediate Certificate Authorities and Personal certificates. To browse to a secure site without the security warning window, the browser's certificate store must contain (trust) the Root Certificate Authority, the certificate must be valid (not expired), and the certificate's subject name must match the domain name (or IP address) of the URL (i.e. https:///nps).



Novell Open Enterprise Server (NetWare based)


Using the default eDirectory certificate

1. By default Apache uses the SSL CertificateDNS certificate, which is created in eDirectory (Apache conf file - sys:\Apache2\conf\httpd.conf by default). In the httpd.conf file the line that points to the certificate is: SecureListen :443 "SSL CertificateDNS". The SSL CertificateDNS certificate uses the domain name as the subject name. To avoid receiving the security warning "The name on the security certificate is invalid or does not match the name of the site" on the Security Alert, the certificate's subject name must match the domain name in the URL.

To view the subject name on a server certificate, open iManager | Novell Certificate Access | Server Certificates, select the host server of the certificate and click on the certificate; the subject name should be displayed (i.e. Subject name: CN=server1.novell.com.O=novell). Use the CN value from the subject name (i.e. server1.novell.com) for the domain name in the URL (i.e. https://server1.novell.com/nps). If the correct information was entered, the subject name should now match.



2. The next step is to get the browser to trust the Certificate Authority (Organizational CA) that signed the SSL CertificateDNS. To get the browser to trust the Certificate Authority (CA), export the CA from the eDirectory tree and import that certificate into the browser's certificate store. The Organizational CA is found in the Security container in the eDirectory tree. Using iManager, browse to the Certificate Authority object and modify the object, then click on the Certificates tab. Check the Self Signed Certificate box and click Export.

Uncheck the Export private key box and click Next. Click Save the exported certificate and save the cert.der file to the file system.

To import the CA using a Linux desktop, open the certificate store in the web browser and import the CA (Firefox - Tools | Options | Advanced | Encryption tab | View Certificate | Authorities | Import | browse to the cert.der, check all the boxes and click OK).

To import the CA using a Windows desktop, double-click on the cert.der and click Install Certificate, keep all of the defaults and click Yes when prompted to install this certificate.



3. Open up iManager in a browser (using the same URL as in step 1). If everything worked correctly, the Security Alert window will no longer pop up and iManager will go directly to the login page.

How to use a Third-Party or Custom eDirectory certificate

If iManager is configured to use a Third-Party certificate or a custom created eDirectory certificate, follow these steps:

1. Generate a Certificate Signing Request (CSR) by creating a new server certificate. In iManager go to Novell Certificate Server | Create Server Certificate, browse to the server running iManager, give the certificate a name (it is suggested to keep this simple, i.e. iManagerCert, because later we will configure Apache to use this certificate), click Custom and click Next. If generating a CSR for a Third-Party certificate, click External certificate authority; otherwise, click Organizational certificate authority and click Next. Keep the defaults for Step 3 of the wizard and click Next. Edit the Subject name, click on the Reverse the DN order button and set the CN value to the same domain value that will be used when browsing to iManager (i.e. .CN=.O=novell). This is an important step because it determines whether the subject name will match the URL. The validity period can be extended; otherwise the certificate will expire after the default 2 years (Third-Party certificates will not have this option). Keep the defaults for Step 5 of the wizard and click Next (Third-Party certificates will not have this option). Click Finish.

Note: Third-Party CSRs will need to be sent to the Third-Party company to get signed, then imported into eDirectory, before following the steps below.

2. Unload Apache from the system console (ap2webdn).

3. Edit the Apache conf file found in sys:\Apache2\conf\httpd.conf. Change the SecureListen :443 "SSL CertificateDNS" line to SecureListen :443 "iManagerCert".

4. Load Apache from the system console (ap2webup); the Apache console should then show it listening on ports 443 and 80.

5. The next step is to get the browser to trust the Certificate Authority (Organizational CA) that signed the certificate. To get the browser to trust the Certificate Authority (CA), export the CA from the eDirectory tree and import that certificate into the browser's certificate store. The Organizational CA is found in the Security container in the eDirectory tree. Using iManager, browse to the Certificate Authority object and modify the object, then click on the Certificates tab. Check the Self Signed Certificate box and click Export.

Uncheck the Export private key box and click Next. Click Save the exported certificate and save the cert.der file to the file system.

To import the CA using a Linux desktop, open the certificate store in the web browser and import the CA (Firefox - Tools | Options | Advanced | Encryption tab | View Certificate | Authorities | Import | browse to the cert.der, check all the boxes and click OK).

To import the CA using a Windows desktop, double-click on the cert.der and click Install Certificate, keep all of the defaults and click Yes when prompted to install this certificate.



6. Open up iManager in a browser (using the CN value from the previously created certificate's subject name as the domain name, i.e. https://server1.novell.com/nps). If everything worked correctly, the Security Alert window should not appear and iManager will go directly to the login page.

Novell Open Enterprise Server (Linux based)

Using the default eDirectory certificate in Linux

1. By default Apache uses the SSL CertificateDNS certificate, which is created in eDirectory. The certificate and its key are stored as servercert.pem and serverkey.pem in the /etc/ssl/servercerts directory. To continue using this certificate, follow the steps under the section Using the default eDirectory certificate.

2. The next step is to get the browser to trust the Certificate Authority (Organizational CA) that signed the SSL CertificateDNS. To get the browser to trust the Certificate Authority (CA), export the CA from the eDirectory tree and import that certificate into the browser's certificate store. The Organizational CA is found in the Security container in the eDirectory tree. Using iManager, browse to the Certificate Authority object and modify the object, then click on the Certificates tab. Check the Self Signed Certificate box and click Export.

Uncheck the Export private key box and click Next. Click Save the exported certificate and save the cert.der file to the file system.

To import the CA using a Linux desktop, open the certificate store in the web browser and import the CA (Firefox - Tools | Options | Advanced | Encryption tab | View Certificate | Authorities | Import | browse to the cert.der, check all the boxes and click OK).

To import the CA using a Windows desktop, double-click on the cert.der and click Install Certificate, keep all of the defaults and click Yes when prompted to install this certificate.



3. Open up iManager in a browser (using the CN value from the previously created certificate's subject name as the domain name, i.e. https://server1.novell.com/nps). If everything worked correctly, the Security Alert window should not appear and iManager will go directly to the login page.
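
The three conditions listed under Resolution (trusted issuer, validity, matching name) can be checked from a shell before opening the browser. The script below is an added example, not part of the original TID; it assumes the openssl command-line tool is installed, and the function names, the throwaway demo CA and the test address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the TID). Reports which of the three Security Alert
# conditions a server certificate would trigger for a given URL host name.
# Usage: check_cert <exported cert.der> <server cert PEM> <host name in URL>
check_cert() {
    ca_der=$1; srv=$2; host=$3; warn=""
    ca_pem=$(mktemp) || return 2
    # iManager exports the Organizational CA as DER; openssl verify reads PEM.
    openssl x509 -inform der -in "$ca_der" -out "$ca_pem" || { rm -f "$ca_pem"; return 2; }
    # Warning 1: issuer not trusted. -CAfile adds the exported CA as a trust
    # anchor; -no_check_time keeps date problems out of this check.
    openssl verify -no_check_time -CAfile "$ca_pem" "$srv" >/dev/null 2>&1 \
        || warn="$warn untrusted-issuer"
    # Warning 2: expired (-checkend tests notAfter only, not notBefore).
    openssl x509 -in "$srv" -noout -checkend 0 >/dev/null 2>&1 \
        || warn="$warn expired"
    # Warning 3: name mismatch. -checkhost tests subjectAltName DNS entries
    # and falls back to the subject CN when the certificate has none.
    openssl x509 -in "$srv" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match' || warn="$warn name-mismatch"
    rm -f "$ca_pem"
    [ -n "$warn" ] && echo "${warn# }" || echo ok
}

# Constructed sample input: a throwaway CA (exported as cert.der) and a server
# certificate whose CN is the example name used in the article.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=novell/CN=Demo Organizational CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl x509 -in "$d/ca.pem" -outform der -out "$d/cert.der"
    openssl req -newkey rsa:2048 -nodes -subj "/O=novell/CN=server1.novell.com" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/srv.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
check_cert "$demo/cert.der" "$demo/srv.pem" server1.novell.com   # matching name
check_cert "$demo/cert.der" "$demo/srv.pem" 192.0.2.10           # URL by IP address
```

On OES Linux the certificate to test is the servercert.pem in /etc/ssl/servercerts. Current browsers match the URL name against subjectAltName rather than the CN, so a certificate that passes here only through the CN fallback can still be rejected.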

How to use a Third-Party or Custom eDirectory certificate in Linux


1. To create a custom certificate, refer to step 1 of the section How to use a Third-Party or Custom eDirectory certificate.

2. Configure Apache in Linux to use this certificate by following TID # 7009962.

3. The next step is to get the browser to trust the Certificate Authority (Organizational CA) that signed the certificate. To get the browser to trust the Certificate Authority (CA), export the CA from the eDirectory tree and import that certificate into the browser's certificate store. The Organizational CA is found in the Security container in the eDirectory tree. Using iManager, browse to the Certificate Authority object and modify the object, then click on the Certificates tab. Check the Self Signed Certificate box and click Export.

Uncheck the Export private key box and click Next. Click Save the exported certificate and save the cert.der file to the file system.

To import the CA using a Linux desktop, open the certificate store in the web browser and import the CA (Firefox - Tools | Options | Advanced | Encryption tab | View Certificate | Authorities | Import | browse to the cert.der, check all the boxes and click OK).

To import the CA using a Windows desktop, double-click on the cert.der and click Install Certificate, keep all of the defaults and click Yes when prompted to install this certificate.



4. Open up iManager in a browser (using the CN value from the previously created certificate's subject name as the domain name i.e. https://server1.novell.com/nps) and if everything worked correctly the Security Alert window should not appear and iManager will go directly to the login page.

Novell SUSE Linux Enterprise Server 10

1. When iManager is installed, Tomcat will by default use a temporary certificate that is valid for one year. To replace this certificate, follow TID # 3092268 Replacing default certificates in iManager 2.7 (non-OES install). Note that step 1 of TID # 3092268 leads through the generation of a new default certificate in eDirectory, in which the certificate's subject name will be the server's domain name by default. To avoid receiving the security warning "The name on the security certificate is invalid or does not match the name of the site" on the Security Alert, the certificate's subject name must match the domain name in the URL. To create a custom certificate with a different subject name, refer to step 1 of the section How to use a Third-Party or Custom eDirectory certificate.



2. To get the browser to trust the Certificate Authority (CA) we must export the CA from the eDirectory tree and import that certificate into the browser's certificate store. The Organizational CA is found in the Security container in the eDirectory tree. Using iManager browse to the Certificate Authority object and modify the object then click on the Certificates tab. Check the Self Signed Certificate box and click Export.



Uncheck the Export private key box and click Next. Click Save the exported certificate and save the cert.der file to the file system.

To import the CA using a Linux desktop, open the certificate store in the web browser and import the CA (Firefox - Tools | Options | Advanced | Encryption tab | View Certificate | Authorities | Import | browse to the cert.der, check all the boxes and click OK).

To import the CA using a Windows desktop, double-click on the cert.der and click Install Certificate, keep all of the defaults and click Yes when prompted to install this certificate.



3. Open up iManager in a browser (using the CN value from the previously created certificate's subject name as the domain name i.e. https://server1.novell.com/nps) and if everything worked correctly the Security Alert window should not appear and iManager will go directly to the login page.