1) Export the new CA certificate as a DER file. First cd to /opt/novell/devman/bin, then run the following, replacing <password> with the admin password:
source /opt/novell/eDirectory/bin/ndspath && /opt/novell/java/bin/java -cp certtool.jar:/opt/novell/lib64/npki.jar com.novell.nids.certmgr.DirCertTool -edirIP 127.0.0.1 -edirUser cn=admin.o=novell -edirPwd <password> -exportCACert -file ca.der
Note that passing -edirPwd on the command line leaves the admin password in the shell history.
You can also export it from the Admin Console (AC) GUI: Roles and Tasks -> NetIQ Certificate Server role -> Configure Certificate Authority -> Certificates -> Export the Self Signed certificate, without the private key, in DER format.
*If you can't get to iManager on the primary AC, you can download and use iManager Workstation, which is extracted and run on Linux or Windows. See iManager on the NetIQ download site.
2) Add the exported CA certificate to the NAM keystores.
The CA DER file needs to be added manually with keytool in the following locations:
- AC: devman.cacerts
- IDP and AG: /opt/novell/devman/jcc/conf/jcc_devman.keystore
A) For the AC devman.cacerts, the keystore password is devman.
Here is an example of importing ca.der into devman.cacerts:
/opt/novell/java/bin/keytool -import -alias configca_2 -keystore devman.cacerts -trustcacerts -file ca.der -storepass devman
*Do the same on any secondary ACs.
B) For jcc_devman you first need to get the keystore password.
On each IDP and AG, cd /opt/novell/devman/jcc and run: ./conf/ksinfo.sh dump
Example of importing the cert into jcc_devman.keystore (run from /opt/novell/devman/jcc/conf, or give the full path to the keystore):
/opt/novell/java/bin/keytool -import -alias edir_2 -keystore jcc_devman.keystore -trustcacerts -file ca.der -storepass U01eXoV6iyPLVA7
If you omit -storepass, keytool prompts for the password instead, which keeps it out of the shell history.
C) For the remaining keystores, ca.der can be added via the Admin Console GUI.
First go to Security -> Trusted Roots and import it.
The original one will be called configca. There is really no need to remove that one; you can just import the new one as configca_2, for example.
Next add it to:
- the IDP cluster's trust store
- the AG ESP trust store
- the Proxy trust store
3) Replace the existing certificates already in use by NAM that were signed by the original CA.
A) Recreate the default certificates. These are not NAM certificates, but they are still used for the config store LDAP etc.
In the Admin Console GUI -> Roles and Tasks -> NetIQ Certificate Server -> Create Default Certificates.
- Step 1 -> Browse to the Admin Console server name and select it (likewise for any secondary Admin Consoles).
- Step 2 -> Click the "Yes" radio button under Force the generation of new default certificates.
Ensure the IP addresses are correct for "SSL CertificateIP" and "SSL CertificateDNS"; if not, specify them in the available field.
- Step 3 -> Click Finish and, once done, ensure the status of each completes properly.
There is also a command line alternative; when running it, enter the admin user with syntax like "admin.novell" and the password when prompted.
B) Recreate the Admin Console certificate used by the Tomcat instance that runs iManager.
- Go to AC GUI -> Security -> Certificates -> New -> create a new certificate called admin-console_2.
Ensure the subject name matches the FQDN of the Admin Console; I'd recommend setting the months valid to something like 60.
- Once created, click on the new certificate and add it to the keystore.
This adds the new cert to the keystore on the Admin Console filesystem at /var/opt/novell/novlwww/.keystore.
- Click the browse button, then, once all the keystores are presented, click on the Admin-Console keystore.
- Click the "Replace" button and browse to the newly created admin-console_2 cert. Ensure the alias remains "tomcat".
C) Update/replace the Admin Console's devman.keystore.
This keystore is used by the device manager, which listens on port 8444; NAM devices talk to the Admin Console on this port when sending health information etc.
- Export the admin-console_2 cert you just created.
Before exporting, check which keystore password the existing devman.keystore uses. To find this out, open server.xml on the Admin Console and search for "devman.keystore"; it appears in the devman connector section. Take note of the value of keystorePass.
- Go to AC GUI -> Security -> Certificates -> export the public/private key in JKS format, using the password from server.xml.
- Copy this file to the Admin Console filesystem as /var/opt/novell/novlwww/devman.keystore.
You probably want to rename the existing one first, and ensure the new file has the same permissions and ownership as the original.
- After the default certificates have been created and the keystore replaced, restart eDirectory and novell-ac on the Admin Console. Execute the following at the terminal:
ndsmanage stopall && rcnovell-ac restart
Note: when novell-ac is started it also starts eDirectory.
D) Replace the test-* certificates. These certificates are meant to be replaced.
If they are currently in use, they need to be replaced with either externally signed certificates or certificates minted by the new Certificate Authority, so verify whether they are in use.
Check Security -> Certificates, note the test-* certificates that have a device associated with them, and replace them.
E) Take note of any other certificates whose issuer is the original Certificate Authority and replace them as well.
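Two checks the GUI does not give you directly after steps 2 and 3: that the new CA really landed in each keystore, and which entries are still issued by the old CA (step E). The script below is an added example, not part of this article or of NAM. It parses `keytool -list -v` output rather than trusting the issuer name alone, because a recreated Organizational CA that kept its name has the same DN as the old one; the Authority Key Identifier is what tells them apart. The CA DN "CN=Organizational CA, O=novell", the key identifiers and the sample dump are constructed for illustration, and new_ca_ski assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the article or from NAM itself: audit a
# `keytool -list -v` dump for entries still signed by the OLD Organizational
# CA (step E) and confirm the NEW CA cert is present (step 2). If the
# recreated CA kept its name, its DN equals the old one, so "Issuer:" alone
# cannot tell old from new; a cert's Authority Key Identifier (AKI) equals
# the Subject Key Identifier (SKI) of the key that signed it, so AKI is
# compared with the new CA's SKI. Assumption: the certs carry AKI/SKI.

# stdin: keytool -list -v output. Prints one line per entry:
#   alias<TAB>entry type<TAB>owner<TAB>issuer<TAB>AKI (uppercase hex, no ':')
# In a PrivateKeyEntry only Certificate[1] (the leaf) is inspected.
parse_keytool_dump() {
    awk '
    function emit() {
        if (alias != "") printf "%s\t%s\t%s\t%s\t%s\n", alias, etype, owner, issuer, aki
        alias = ""; etype = ""; owner = ""; issuer = ""; aki = ""; certidx = 0; inaki = 0
    }
    /^Alias name: /  { emit(); alias = substr($0, 13); next }
    /^Entry type: /  { etype = substr($0, 13); next }
    /^Certificate\[/ { certidx++; inaki = 0; next }
    /^Owner: /       { if (certidx <= 1) owner = substr($0, 8); next }
    /^Issuer: /      { if (certidx <= 1) issuer = substr($0, 9); next }
    /^AuthorityKeyIdentifier \[/ { if (certidx <= 1) inaki = 1; next }
    /^#[0-9]*: ObjectId/ { inaki = 0; next }
    inaki && /^[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]: / {
        # hex-dump line: offset, up to 16 "XX" bytes, then an ASCII column
        for (i = 2; i <= NF && i <= 17; i++) {
            if ($i !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) break
            aki = aki toupper($i)
        }
        next
    }
    END { emit() }'
}

# "AA:BB:..." (openssl) or "AA BB ..." (keytool) -> compact uppercase hex.
norm_kid() { printf '%s' "$1" | tr -d ': ' | tr 'a-z' 'A-Z'; }

# SKI of the CA in a DER file, e.g. the ca.der exported in step 1.
# Assumes OpenSSL 1.1.1+ (-ext); the value is on the second output line.
new_ca_ski() {
    openssl x509 -inform der -in "$1" -noout -ext subjectKeyIdentifier | sed -n '2p'
}

# Aliases whose leaf cert names the CA DN as issuer but was not signed by the
# new CA key: still to be replaced. The old CA cert itself (self-signed, e.g.
# "configca") is listed too; the article keeps that entry on purpose.
stale_entries() {  # stale_entries "<CA DN>" "<new CA SKI>" < dump
    parse_keytool_dump | awk -F '\t' -v dn="$1" -v ski="$(norm_kid "$2")" '
        $4 == dn && $5 != ski { print $1 }'
}

# Aliases holding the new CA cert itself (self-signed, AKI == new SKI).
new_ca_entries() {  # new_ca_entries "<CA DN>" "<new CA SKI>" < dump
    parse_keytool_dump | awk -F '\t' -v dn="$1" -v ski="$(norm_kid "$2")" '
        $3 == dn && $4 == dn && $5 == ski { print $1 }'
}

# Real use (needs keytool and openssl), e.g. on the AC after step 2A:
#   /opt/novell/java/bin/keytool -list -v -keystore devman.cacerts -storepass devman \
#     | stale_entries "CN=Organizational CA, O=novell" "$(new_ca_ski ca.der)"

# Constructed, abridged keytool -list -v output for a self-test: made-up DNs
# and key identifiers (0A1B... = old CA key, F0E1... = new CA key).
sample_dump() {
cat <<'EOF'
Alias name: configca
Entry type: trustedCertEntry
Owner: CN=Organizational CA, O=novell
Issuer: CN=Organizational CA, O=novell
AuthorityKeyIdentifier [
0000: 0A 1B 2C 3D 4E 5F 60 71   82 93 A4 B5 C6 D7 E8 F9  ................
Alias name: configca_2
Entry type: trustedCertEntry
Owner: CN=Organizational CA, O=novell
Issuer: CN=Organizational CA, O=novell
AuthorityKeyIdentifier [
0000: F0 E1 D2 C3 B4 A5 96 87   78 69 5A 4B 3C 2D 1E 0F  ................
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=ac.lab.example, O=novell
Issuer: CN=Organizational CA, O=novell
AuthorityKeyIdentifier [
0000: 0A 1B 2C 3D 4E 5F 60 71   82 93 A4 B5 C6 D7 E8 F9  ................
Certificate[2]:
Owner: CN=Organizational CA, O=novell
Issuer: CN=Organizational CA, O=novell
Alias name: admin-console_2
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=ac.lab.example, O=novell
Issuer: CN=Organizational CA, O=novell
AuthorityKeyIdentifier [
0000: F0 E1 D2 C3 B4 A5 96 87   78 69 5A 4B 3C 2D 1E 0F  ................
EOF
}
```

Run it against each real keystore as in the comment near the end of the block (jcc_devman.keystore with the password from ksinfo.sh, the Tomcat .keystore and devman.keystore with their own passwords). Every alias stale_entries prints is one still chained to the old CA; configca itself will appear because it is self-signed with the old key, and the article deliberately leaves it in place. Parsing the dump with a script is safer than eyeballing `keytool -list -v` because it applies the same test to every entry, including the leaf of each private-key chain.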