iManager / iMonitor certificate errors



By: bishopg

July 31, 2008 10:53 am


Do you use iMonitor and iManager on the same server? Are you tired of the Security Alert dialog every time you switch between the 2? If so, then fix it!

This is iManager 2.7 on Windows, with eDirectory 8.7.3.9.

After a fresh installation of iManager, when you connect you will get this Security Alert.

Of the 3 items checked, there are 2 problems: there is no trust chain for the certificate, and the name in the certificate is different to the server you connected to. If you view the certificate…

… you can see that the certificate was issued by Temporary Certificate, for Temporary Certificate, which is clearly not the name of your server.

If you have iMonitor and iManager open on the same server, when you switch between them, you will get the security alert each time you change / refresh a page, as a different certificate is presented by each service.

This is how we set our Windows server to use the same certificate for iMonitor and iManager. The assumption is made that you have the trusted root installed into your browser, so that the certificate chain can be verified. I have created the certificate in ConsoleOne, but the concept should be similar using iManager.

Step 1: Create new KMO (certificate)

  1. Right click on the OU containing your server, click New, Object….
  2. In the New Object dialog, select NDSPKI:Key Material + click OK.
  3. In the Create Server Certificate (Key Material) dialog, select the appropriate server in the Server: dropdown.
  4. Enter Certificate name (e.g. KMO_HTTPS_76)
  5. Select the Custom radio button.
  6. Click Next.
  7. Select appropriate Certificate Authority (typically Organizational certificate authority.)
  8. Click Next.
  9. Select appropriate Key size (2048).
  10. Ensure that the SSL or TLS radio button is selected.
  11. Ensure that Set the Key Usage Extension to Critical is unchecked.
  12. Ensure that Allow Private Key to be Exported is checked.
  13. Click Next.
  14. Edit Subject name to show .CN=<name you use to connect> (e.g. .CN=server76; note the leading period!)
  15. Set Validity period as appropriate.
  16. Click Next.
  17. Select appropriate trusted root certificate (typically Your organization’s certificate.)
  18. Click Next.
  19. Check that the parameters are correct, then click Finish.

The certificate is created in the OU holding the server (you might need to refresh to see it.)

Step 2: Set Http server to use new certificate

  1. Double-click Http Server – <server name>.
  2. Select the Other tab.
  3. Expand the httpKeyMaterialObject attribute.
  4. Double-click value (probably set to IP AG…..)
  5. Click the Browse button.
  6. Select the newly created certificate.
  7. Click OK.
  8. Restart NDS to pick up new certificate.

Connect to iMonitor + you should NOT get the Security Alert (assuming that you have the trusted root cert installed.)

Step 3: Export the new certificate

  1. Connect to iManager (you will get the Security Alert, as iManager was installed with a 'Temporary Certificate'.)
  2. Click Yes to proceed.
  3. Login as an administrator.
  4. Click the Directory Administration role.
  5. Click the Modify Object role.
  6. Click the magnifying glass to open the browse box.
  7. Browse to, and select the new certificate.
  8. Click OK.
  9. Click the Certificates tab.
  10. Tick the box next to the new certificate.
  11. Click Export.
  12. In the Certificates drop down, select the new certificate (e.g. KMO_HTTPS_76.)
  13. Ensure that Export private key is selected.
  14. Enter an appropriate password.
  15. Confirm the password.
  16. Click Next.
  17. Click Save the Exported Certificate.
  18. In the File Download dialog, click Save.
  19. Browse to a suitable location and enter an appropriate name (e.g. KMO_HTTPS_76); a .pfx extension will be added.

Step 4: Convert new certificate to appropriate format

For this you will need OpenSSL (or similar). You can download OpenSSL for Windows from http://www.openssl.org/related/binaries.html. (We have a previous version of iManager which runs on Apache, containing OpenSSL in \novell\apache\bin\.)

Convert .pfx file to a .pem file.

  1. Open a cmd prompt and navigate to the location of the new certificate file.
  2. Enter \novell\Apache\bin\openssl.exe pkcs12 -in KMO_HTTPS_76.pfx -out KMO_HTTPS_76.pem.
  3. Enter the password used to export the certificate.
  4. Enter a password for the .pem file that you are creating. (This can be the same as when exporting with iManager.)
  5. Confirm the password for the .pem file. (If you mistype the password a file will be generated, but you will get an error, so delete the file and run the command again.)

Convert the .pem file to a .p12 file.

  1. Enter \novell\Apache\bin\openssl.exe pkcs12 -export -in KMO_HTTPS_76.pem -out KMO_HTTPS_76.p12 -name "iManager" (You can enter whatever name you want.)
  2. Enter the password used to convert the .pfx file to a .pem file.
  3. Enter a password for the .p12 file that you are creating. (Again, this can be the same.)
  4. Confirm the password for the .p12 file. (If you mistype the password a file will be generated, but you will get an error, so delete the file and run the command again.)

Step 5: Configure iManager to use the new certificate.

  1. Copy the .p12 file to the tomcat certificate location on the iManager server. (C:\Program Files\Novell\Tomcat\conf\ssl\)
  2. Stop the Tomcat5 service.
  3. Edit the C:\Program Files\Novell\Tomcat\conf\server.xml file.
  4. Locate the section relating to the SSL Connector for the port you access iManager on (e.g. <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->.)
  5. You need to add a parameter for keystoreType, and amend the keystoreFile & keystorePass parameters.
    • Add: keystoreType=PKCS12
    • Amend: keystoreFile=C:\Program Files\Novell\Tomcat\conf\ssl\KMO_HTTPS_76.p12
    • Amend: keystorePass=<password entered when generating the .p12 file> (e.g. keystorePass=password123)

    Original entry

        <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
        <Connector acceptCount="100" clientAuth="false" debug="0" disableUploadTimeout="true" enableLookups="false" keystoreFile="conf/ssl/.keystore" keystorePass="changeit" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>

    Amended entry (keystoreType added; keystoreFile and keystorePass changed to the .p12 file and password from Step 4)

        <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
        <Connector acceptCount="100" clientAuth="false" debug="0" disableUploadTimeout="true" enableLookups="false" keystoreType="PKCS12" keystoreFile="C:\Program Files\Novell\Tomcat\conf\ssl\KMO_HTTPS_76.p12" keystorePass="NEWPASSWORD" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>

  6. Start the Tomcat5 service.
  7. Connect to iManager.
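To check that an edited server.xml actually carries the changes this step calls for, here is an added Python example (not from the original article) that parses the HTTPS connector and reports settings Tomcat would not load or that still reflect the installation defaults. The two connector entries are constructed from the ones shown above, trimmed to the relevant attributes, and the keystore path and password are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed samples, wrapped in a <Service> so they parse as a document.
# The keystore path and password are placeholders, not real values.
ORIGINAL = r"""<Service name="Catalina">
<Connector acceptCount="100" clientAuth="false" keystoreFile="conf/ssl/.keystore"
  keystorePass="changeit" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
</Service>"""

AMENDED = r"""<Service name="Catalina">
<Connector acceptCount="100" clientAuth="false" keystoreType="PKCS12"
  keystoreFile="C:\Program Files\Novell\Tomcat\conf\ssl\KMO_HTTPS_76.p12"
  keystorePass="NEWPASSWORD" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
</Service>"""

def ssl_connectors(server_xml, port="8443"):
    """Return the <Connector> elements that serve HTTPS on the given port."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("secure") == "true" and c.get("port") == port]

def check_connector(conn):
    """Return findings for one connector; an empty list means it looks right."""
    findings = []
    ks_file = conn.get("keystoreFile", "")
    # Tomcat falls back to a JKS keystore and the password "changeit" when
    # these attributes are absent, which is why keystoreType must be added
    # for a .p12 file.
    ks_type = conn.get("keystoreType", "JKS")
    ks_pass = conn.get("keystorePass", "changeit")
    is_p12 = ks_file.lower().endswith((".p12", ".pfx"))
    if is_p12 and ks_type.upper() != "PKCS12":
        findings.append("keystoreFile is PKCS#12 but keystoreType is %s" % ks_type)
    if ks_type.upper() == "PKCS12" and not is_p12:
        findings.append("keystoreType is PKCS12 but keystoreFile is %s" % ks_file)
    if ks_file.endswith("/ssl/.keystore"):
        findings.append("keystoreFile still points at the install-time .keystore")
    if ks_pass == "changeit":
        findings.append("keystorePass is still Tomcat's default 'changeit'")
    # keystorePass sits in clear text here, so server.xml should be readable
    # only by the account that runs the Tomcat service.
    return findings

def check_server_xml(server_xml, port="8443"):
    """Findings for the first HTTPS connector on the port, or an error entry."""
    conns = ssl_connectors(server_xml, port)
    if not conns:
        return ["no HTTPS connector found on port %s" % port]
    return check_connector(conns[0])
```

Run check_server_xml on the contents of your own server.xml after editing; an empty list means the connector points at the PKCS#12 keystore with a non-default password.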

You should NOT get the Security Alert now, and double clicking on the padlock will show the certificate you created, where the Issued to: name is that of the server.

You can now happily alternate between iMonitor and iManager and not get the annoying Security Alert each time you update a screen!



1 Comment

  1. By: clovercne

    Excellent! This has been annoying me for ages, great to know how to fix it now.
