Utilizing eDirectory for LDAP authentication for various other systems saves administrators time and effort. Using SSL/TLS for LDAP authentication against eDirectory increases security and adds peace of mind for the administrators of those systems. The problem with this method is that, although Novell provides a 10-year Certificate Authority (CA) for the eDirectory tree as a whole, individual server certificates are, by default, set to expire in 2 years. This can create a big mess for you and your connecting systems when they do.
In this article, we will replace our existing server certificates with newly created ones that are virtually the same; they just last until the CA itself expires. I had attempted this several times using different avenues and had a lot of problems: Apache wouldn't load, or the certificate wasn't valid to the client using LDAPS. Just various run-of-the-mill, hair-pulling frustrations.
The method I present here is sound and a lot simpler than what I had tried in the past. All of it is done through iManager 2.7, and this is on OES 2 Linux.
First of all, we need to create a new server certificate with the new expiration date.
Log in to iManager and expand Novell Certificate Access. Click on Server Certificates. You will see a list of server certificates. At the top of the frame, click on New.
Ensure that the appropriate server appears in the field. Enter a name for the new certificate.
Select Custom and click Next.
The next screen defaults to Organizational Authority. If we were creating this certificate with an external CA then we would select External. For this article, we are using our own internal CA. Click Next.
I’ve left the next screen default since we want a server certificate and don’t want to change the encryption.
If you look in the middle, you will see the default Validity Period is 2 years. If you select Maximum, it will set the certificate to expire when the CA expires, in our case, 10 years.
I left the next screen at its default.
The last screen gives you a summary of the selections you made. Notice the expiration date. If you need to make changes, click Back until you get to the option screen you need to change. When you are satisfied with your choices, click Finish and the certificate will be created.
Go back to the Novell Certificate Access option and select Server Certificates. You will see your new certificate in the list. Place a check mark next to it and at the top of the frame select Export.
In the drop-down list at the top, select the certificate we just created. Ensure that the private key box is checked along with the “Include” box. Enter a password for the certificate and click Next.
Click the Save the exported certificate link and save the file to your Desktop. (We'll need it again in a moment.)
The file is saved as "cert.pfx". If a file with that name already exists, it is not overwritten; the new file is saved with an incremented name, e.g., cert(2).pfx.
By default, LDAP and Apache use “SSL CertificateDNS” as their certificate and by examining the properties of the SAS Service Object we’ll verify this. The SAS Service Object allows you to define what certificates in eDirectory are synchronized with the certificate files in the file system.
Under Novell Certificate Access click on SAS Service Object.
Select the SAS Service Object for the server we’re targeting.
Here, we see the eDirectory certificate and the paths to synchronize for the certificate and key files.
If you click on the certificate name you can modify the parameters. Changing these will adversely affect Apache, and /etc/apache2/vhosts/vhost-ssl.conf will need to be modified to reflect the new paths.
Leave the current settings.
We just wanted to verify the name of the synchronized certificate.
By default, LDAP and Apache use "SSL CertificateDNS" as their certificate. This is the one we'll be replacing. Now, iManager throws up some pretty intimidating messages with this process. Not to worry. When the certificate was originally created during the install process, a backup of it was created in /etc/ssl/servercerts/backup/, so we're safe.
Once again, select the Novell Certificate Access option and Server Certificates. This time, check the certificate "SSL CertificateDNS" and at the top of the frame select Replace.
This is the message I was speaking of earlier. Click OK.
Browse to the file Cert.pfx you saved on your Desktop. Enter the password you set on the certificate.
Since we’re adding only one certificate, click Next.
Click Finish on the next frame.
The next screen will tell you of your success.
Now let's ensure that LDAP is pointing to the "SSL CertificateDNS" certificate.
Click LDAP Options under LDAP.
Click the LDAP Server Tab and then select the LDAP server.
Click Connections, at the top and verify the proper certificate is chosen. If not, then select the proper certificate and click Apply.
Click OK to close.
Let’s look in the certificate directory to see if the new certificates are there.
Wait, those are the old files from April. The server itself will need to be rebooted; upon reboot, the certificate files in the file system are synchronized from eDirectory again. Let's check them now.
There they are. And backups were made of the previous files in the backup directory.
Open a browser and attempt HTTPS to the server. View the Certificate.
Notice the expiration date is now 2018.
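The browser check above only covers HTTPS. The following script is an added example (not part of the original article) that does the same verification from the command line for both LDAPS and HTTPS: it reads the certificate file eDirectory synchronizes to disk, compares its fingerprint with the certificate each port actually presents, and reports the expiry of each. It assumes the default sync directory /etc/ssl/servercerts named in the article, the default file name servercert.pem, and a host name supplied in the LDAP_HOST variable (a placeholder; no server is contacted unless it is set).

```shell
#!/bin/sh
# Added example, not from the article: after the Replace and reboot,
# confirm the certificate file synchronized to disk is the one LDAPS (636)
# and HTTPS (443) actually present, and report how long it remains valid.
# Assumed defaults: /etc/ssl/servercerts/servercert.pem (file name assumed),
# a 90-day warning threshold, and a host name in LDAP_HOST (placeholder).

CERT_FILE=${CERT_FILE:-/etc/ssl/servercerts/servercert.pem}
WARN_DAYS=${WARN_DAYS:-90}

# cert_valid_for_days FILE DAYS: true only if FILE is still valid DAYS
# from now (openssl -checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_fingerprint FILE: SHA-1 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# cert_end_date FILE: the notAfter field, e.g. "Apr 10 12:00:00 2018 GMT".
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# served_cert HOST PORT OUTFILE: save the leaf certificate presented on a
# TLS port as PEM; fails if no certificate could be fetched.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3" 2>/dev/null
}

# check_server HOST: compare the on-disk file with each live certificate.
check_server() {
    file_fp=$(cert_fingerprint "$CERT_FILE")
    echo "file: $CERT_FILE expires $(cert_end_date "$CERT_FILE") fp $file_fp"
    cert_valid_for_days "$CERT_FILE" "$WARN_DAYS" ||
        echo "WARNING: file certificate expires within $WARN_DAYS days"
    tmp=$(mktemp)
    for port in 636 443; do
        if served_cert "$1" "$port" "$tmp"; then
            [ "$(cert_fingerprint "$tmp")" = "$file_fp" ] && state=matches || state=DIFFERS
            echo "port $port: expires $(cert_end_date "$tmp"), $state the file"
        else
            echo "port $port: no certificate presented"
        fi
    done
    rm -f "$tmp"
}

# Usage: LDAP_HOST=oes2.example.com sh check_cert.sh (host is a placeholder)
if [ -n "${LDAP_HOST:-}" ]; then check_server "$LDAP_HOST"; fi
```

A port reporting DIFFERS after the reboot means the service is still holding the old certificate (or reading a different path than the SAS Service Object synchronizes), which is exactly the mismatch that produced the LDAPS and Apache failures described earlier.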
There are many parts of OES 2, and Linux in general, that require configuration from the command line. This is a significant change to your OES 2 server that can be performed entirely from iManager. All we used the command line for was listing files.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.