Replacing Open Enterprise Server 2 Linux Server Certificates



By: mfaris01

September 20, 2008 7:56 am


Using eDirectory for LDAP authentication for various other systems saves administrators time and effort. Using SSL/TLS for LDAP authentication against eDirectory increases security and gives the administrators of those systems peace of mind. The problem is that, although Novell provides a 10-year Certificate Authority (CA) for the eDirectory tree as a whole, individual server certificates are, by default, set to expire in 2 years. This can create a big mess for you and your connecting systems when they do.

In this article, we will replace our existing server certificates with newly created ones that are virtually the same but last until the CA itself expires. I’d attempted this several times using different avenues and had a lot of problems. Apache wouldn’t load or the cert wasn’t valid to the client using LDAPS. Just various run-of-the-mill, hair-pulling frustrations.

The method I present here is sound and a lot simpler than what I’d tried in the past. All of it is done through iManager 2.7 and this is on OES 2 Linux.

Create New Certificate

First of all, we need to create a new server certificate with the new expiration date.

Login to iManager and expand Novell Certificate Access. Click on Server Certificates. You will see a list of server certificates. At the top of the frame, click on New.

Ensure that the appropriate server appears in the field. Enter a name for the new certificate.

Select Custom and click Next.

The next screen defaults to Organizational Authority. If we were creating this certificate with an external CA then we would select External. For this article, we are using our own internal CA. Click Next.

I’ve left the next screen default since we want a server certificate and don’t want to change the encryption.

If you look in the middle, you will see the default Validity Period is 2 years. If you select Maximum, it will set the certificate to expire when the CA expires, in our case, 10 years.
Click Next.

I left the next screen to default.

The last screen gives you a summary of the selections you made. Notice the expiration date. If you need to make changes, click Back until you reach the option screen you need to change. When you are satisfied with your choices, click Finish and the certificate will be created.

Export Certificate

Go back to the Novell Certificate Access option and select Server Certificates. You will see your new certificate in the list. Place a check mark next to it and at the top of the frame select Export.

In the drop-down list at the top, select the certificate we just created. Ensure that the private key box is checked along with the “Include” box. Enter a password for the certificate and click Next.

Click the Save the exported certificate link and save the file to your Desktop. (We’ll need it again in a moment.)
The file is saved as “cert.pfx”. If a file with that name already exists, it is not overwritten; the new file is saved with the file name incremented, e.g., cert(2).pfx.

SAS Service Object

By default, LDAP and Apache use “SSL CertificateDNS” as their certificate and by examining the properties of the SAS Service Object we’ll verify this. The SAS Service Object allows you to define what certificates in eDirectory are synchronized with the certificate files in the file system.

Under Novell Certificate Access click on SAS Service Object.

Select the SAS Service Object for the server we’re targeting.

Here, we see the eDirectory certificate and the paths to synchronize for the certificate and key files.

If you click on the certificate name, you can modify the parameters. Changing these will adversely affect Apache, and /etc/apache2/vhosts/vhost-ssl.conf will need to be modified to reflect the new paths.

Leave the current settings.

We just wanted to verify the name of the synchronized certificate.
Click Cancel.

Replace Existing Certificate

By default, LDAP and Apache use “SSL CertificateDNS” as their certificate. This is the one we’ll be replacing. Now, iManager throws up some pretty intimidating messages with this process. Not to worry: when the certificate was originally created during the install process, a backup of it was created in /etc/ssl/servercerts/backup/, so we’re safe.

Once again, select the Novell Certificate Access option and Server Certificates. This time, check the certificate “SSL CertificateDNS” and at the top of the frame select Replace.

This is the message I was speaking of earlier. Click OK.

Browse to the file cert.pfx you saved on your Desktop. Enter the password you set for the certificate.
Click OK.

Since we’re adding only one certificate, click Next.
Click Finish on the next frame.

The next screen will tell you of your success.

Verifying LDAP Certificate

Now let’s ensure that LDAP is pointing to the “SSL CertificateDNS” certificate.

Click LDAP Options under LDAP.

Click the LDAP Server tab and then select the LDAP server.

Click Connections at the top and verify the proper certificate is chosen. If not, then select the proper certificate and click Apply.

Click OK to close.

Let’s look in the certificate directory to see if the new certificates are there.

Wait, those are the old files from April. The server itself will need to be rebooted. Upon reboot, eDirectory will synchronize the files from eDirectory. Let’s check them now.

There they are. And backups were made of the previous files in the backup directory.

Testing

Open a browser and attempt HTTPS to the server. View the Certificate.

Notice the expiration date is now 2018.

We’re done.
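
The same check can be made from the server's shell, covering LDAPS (port 636) as well as HTTPS and confirming that both serve the file eDirectory synchronized to disk. This is an added example, not part of the original article; the file name /etc/ssl/servercerts/servercert.pem and the host oes2.example.com are assumptions, so confirm the actual path in the SAS Service Object.

```bash
#!/bin/bash
# Added example, not from the original article. Assumptions: the synchronized
# certificate file is /etc/ssl/servercerts/servercert.pem (confirm the path in
# the SAS Service Object) and oes2.example.com is a placeholder host name.

# SHA-256 fingerprint of a PEM certificate file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed if the certificate in file $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if two PEM files hold the same certificate.
same_cert() {
    local a b
    a=$(fingerprint "$1" 2>/dev/null)
    b=$(fingerprint "$2" 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Save the leaf certificate a TLS service presents (443 = HTTPS, 636 = LDAPS).
fetch_served_cert() {   # host port outfile
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -out "$3" 2>/dev/null
}

# Report whether the file on disk is long-lived and is what each service serves.
check_server() {        # host [certfile]
    local host=$1 file=${2:-/etc/ssl/servercerts/servercert.pem} tmp port rc=0
    tmp=$(mktemp) || return 2
    echo "on disk: $(openssl x509 -in "$file" -noout -enddate)"
    # 1000 days is well beyond the 2-year default validity period.
    valid_for_days "$file" 1000 || { echo "WARN: file still has a short-lived cert"; rc=1; }
    for port in 443 636; do
        if fetch_served_cert "$host" "$port" "$tmp" && same_cert "$file" "$tmp"; then
            echo "port $port: serving the certificate on disk"
        else
            echo "port $port: NOT serving the certificate on disk"; rc=1
        fi
    done
    rm -f "$tmp"
    return $rc
}

# Usage: ./check_cert.sh oes2.example.com
if [ $# -gt 0 ]; then check_server "$@"; fi
```

A mismatch on either port after the reboot means that service is still presenting the old certificate even though iManager reported success.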

Conclusion

There are many parts of OES 2 and Linux in general that require configuration from the command line. This is a significant change to your OES 2 server that can be performed entirely from iManager. All we used the CLI for was file listing.

Enjoy.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

3 Comments

  1. By:rdseepaul

    Is it possible to do this for eDir on Netware 6.5 ?

  2. By:uwelabs

    That is, in iManager I get a success, but the new certificates are not copied to /etc/ssl/servercerts.
    (Everything else did work fine.)
    Any idea?
    Kind regards, Uwe.
