2.7 Understanding the NetIQ Certificate Server

NetIQ Certificate Server allows you to mint, issue, and manage digital certificates by creating a Security container object and an Organizational Certificate Authority (CA) object. The Organizational CA object enables secure data transmissions and is required for Web-related products. The first eDirectory SP4 server will automatically create and physically store the Security container object and Organizational CA object for the entire eDirectory tree. Both objects are created and must remain at the top of the eDirectory tree.

Only one Organizational CA object can exist in an eDirectory tree. After the Organizational CA object is created on a server, it cannot be moved to another server. Deleting and re-creating an Organizational CA object invalidates any certificates associated with the Organizational CA.

IMPORTANT: Make sure that the first eDirectory server is the server that you intend to permanently host the Organizational CA object and that the server will be a reliable, accessible, and continuing part of your network.

If this is not the first eDirectory server on the network, the installation program finds and references the eDirectory server that holds the Organizational CA object. The installation program accesses the Security container and creates a Server Certificate object.

If an Organizational CA object is not available on the network, Web-related products will not function.

2.7.1 Rights Required to Perform Tasks on NetIQ Certificate Server

To complete the tasks associated with setting up NetIQ Certificate Server, the administrator needs to have rights as described in the following table.

NetIQ Certificate Server Task: Rights Required

Base security setup for installing the first server into a new tree or upgrading the first server in a tree where there is no base security previously installed:

  • Supervisor right at the root of the tree

  • Supervisor right on the Security container

Base security setup for installing subsequent servers:

  • Supervisor right on the server’s container

  • Supervisor right on the W0 object (located inside the Security container)

Creating the Organizational CA:

  • Supervisor right on the Security container

Creating Server Certificate objects:

  • Supervisor right on the server’s container

  • Read right to the NDSPKI:Private Key attribute on the Organizational CA’s object

The root administrator can also delegate authority to use the Organizational CA by assigning rights to subcontainer administrators. Subcontainer administrators require the following rights to install NetIQ eDirectory with SSL security:

  • Read right to the NDSPKI:Private Key attribute on the Organizational CA’s object, located in the Security container.

  • Supervisor right to the W0 object located in the Security container, inside the KAP object.

Assign these rights to a group or a role in which all the administrative users are defined. For a complete list of the rights required to perform specific tasks associated with NetIQ Certificate Server, see Section 25.0, Understanding the Certificate Server.

2.7.2 Ensuring Secure eDirectory Operations on Linux Computers

eDirectory includes Public Key Cryptography Services (PKCS), which contains the NetIQ Certificate Server (the provider of Public Key Infrastructure (PKI) services), Novell International Cryptographic Infrastructure (NICI), and the SAS-SSL server.

The following sections provide information about performing secure eDirectory operations:

For information about using an external certificate authority, see Section 25.0, Understanding the Certificate Server.

Verifying Whether NICI Is Installed and Initialized on the Server

Verify the following conditions, which indicate that the NICI module has been properly installed and initialized:

  • The file /etc/nici.cfg exists

  • The directory /var/novell/nici exists

  • The file /var/novell/nici/primenici exists

If these conditions are not met, follow the procedure in the next section, Initializing the NICI Module on the Server.

Initializing the NICI Module on the Server

  1. Stop the eDirectory server.

    • On Linux systems, enter

      /etc/init.d/ndsd stop

    IMPORTANT: We recommend that you use ndsmanage to start and stop ndsd.

  2. Verify whether the NICI package is installed.

    • On Linux systems, enter

      rpm -qa | grep nici

  3. (Conditional) If the NICI package is not installed, install it now.

    You will not be able to proceed if the NICI package is not installed.

  4. Start the eDirectory server.

    • On Linux systems, enter:

      /etc/init.d/ndsd start

    IMPORTANT: We recommend that you use ndsmanage to start and stop ndsd.
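The three NICI conditions listed above and the stop / verify / start procedure can be scripted so the check is repeatable across servers. The following script is an added example, not part of the NetIQ guide: the file and directory paths are the ones the page names, `ndsmanage stopall` and `ndsmanage startall` are taken to be the ndsmanage subcommands for stopping and starting all instances (an assumption; the page only says to prefer ndsmanage over the init script), and `NICI_ROOT` is a hypothetical prefix added so the file checks can be exercised against a test tree.

```shell
#!/bin/sh
# Added example (not from the NetIQ guide): check the three NICI conditions the
# guide lists and, on request, run its stop / verify / start procedure with
# ndsmanage. NICI_ROOT is an assumed prefix for testing; leave it empty on a host.
NICI_ROOT="${NICI_ROOT:-}"

# nici_check [ROOT]: print each condition; return 0 only when all three hold.
nici_check() {
    root="${1:-$NICI_ROOT}"
    missing=0
    # Condition 1: the file /etc/nici.cfg exists
    if [ -f "$root/etc/nici.cfg" ]; then
        echo "ok      file $root/etc/nici.cfg"
    else
        echo "MISSING file $root/etc/nici.cfg"; missing=$((missing + 1))
    fi
    # Condition 2: the directory /var/novell/nici exists
    if [ -d "$root/var/novell/nici" ]; then
        echo "ok      dir  $root/var/novell/nici"
    else
        echo "MISSING dir  $root/var/novell/nici"; missing=$((missing + 1))
    fi
    # Condition 3: the file /var/novell/nici/primenici exists
    if [ -f "$root/var/novell/nici/primenici" ]; then
        echo "ok      file $root/var/novell/nici/primenici"
    else
        echo "MISSING file $root/var/novell/nici/primenici"; missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# nici_package_installed: the guide's "rpm -qa | grep nici" check, quiet form.
nici_package_installed() {
    rpm -qa 2>/dev/null | grep -qi nici
}

# nici_initialize: steps 1 to 4 of the guide's procedure. ndsd is stopped,
# the package is confirmed, and ndsd is started again. If NICI is absent the
# function stops and leaves ndsd down, because the guide says you cannot
# proceed until the package is installed (subcommand names are assumed).
nici_initialize() {
    ndsmanage stopall || { echo "could not stop ndsd" >&2; return 1; }
    if ! nici_package_installed; then
        echo "NICI package not installed; install it, then rerun" >&2
        return 2
    fi
    ndsmanage startall
}

# Invoke as "sh nici-check.sh check" or "sh nici-check.sh init"; no argument does nothing.
case "${1:-}" in
    check) nici_check ;;
    init)  nici_initialize ;;
esac
```

Run `check` first; only if it reports a MISSING entry is the `init` path needed, and its exit code (2 when the package is absent) lets a configuration-management run fail loudly instead of starting ndsd without NICI.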

Starting the Certificate Server (PKI Services)

To start PKI services, enter:

npki -l

Stopping the Certificate Server (PKI Services)

To stop PKI services, enter:

npki -u

Creating an Organizational Certificate Authority Object

  1. Launch NetIQ iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see “Creating an Organizational Certificate Authority Object” in the NetIQ Certificate Server 3.3 Administration Guide.

  3. Click the Roles and Tasks button.

  4. Click NetIQ Certificate Server > Configure Certificate Authority.

    If no Organizational Certificate Authority object exists, this opens the Create an Organizational Certificate Authority Object dialog box and the corresponding wizard that creates the object. Follow the prompts to create the object. For specific information on the dialog box or any of the wizard pages, click Help.

NOTE: You can have only one Organizational CA for your eDirectory tree. For more information about creating an Organizational CA, see Create an Organizational Certificate Authority for Your Organization.

Creating a Server Certificate Object

Server Certificate objects are created in the container that holds the eDirectory Server object. Depending on your needs, you might create a separate Server Certificate object for each cryptography-enabled application on the server. Or you might create one Server Certificate object for all applications used on that server.

NOTE: The terms Server Certificate Object and Key Material Object (KMO) are synonymous. The schema name of the eDirectory object is NDSPKI:Key Material.

  1. Launch NetIQ iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Creating a Server Certificate Object.

  3. Click the Roles and Tasks button.

  4. Click NetIQ Certificate Server > Create Server Certificate.

    This opens the Create Server Certificate Wizard. Follow the prompts to create the object. For specific information on any of the wizard pages, click Help.

Exporting an Organizational CA's Self-Signed Certificate

A self-signed certificate can be used for verifying the identity of the Organizational CA and the validity of a certificate signed by the Organizational CA.

From the Organizational CA’s property page, you can view the certificates and properties associated with this object. From the Self-Signed Certificate property page, you can export the self-signed certificate to a file for use in cryptography-enabled applications.

The self-signed certificate that resides in the Organizational CA is the same as the Trusted Root certificate in a Server Certificate object that has a certificate signed by the Organizational CA. Any service that recognizes the Organizational CA’s self-signed certificate as a trusted root will accept a valid user or server certificate signed by the Organizational CA.

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click Directory Administration > Modify Object.

  3. Specify the name and context of an Organizational Certificate Authority object, then click OK.

    Organizational Certificate Authority objects are located in the Security container.

  4. Click the Certificates tab, then click Self-Signed Certificate.

  5. Click Export.

    This opens the Export Certificate Wizard. Follow the prompts to export the certificate. For specific information on any of the wizard pages, click Help.

  6. On the Export Certificate Summary page, click Save the Exported Certificate to a File.

    The certificate is saved to a file and is available to be imported into a cryptography-enabled application as the trusted root.

  7. Click Close.

Include this file in all command line operations that establish secure connections to eDirectory.
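How the exported self-signed certificate is used as the trusted root from the command line, as an added example that is not part of the NetIQ guide: the helpers below inspect the exported file, verify that an eDirectory LDAPS listener presents a certificate chaining to that root, and run ldapsearch with the root as the only trusted CA. The path `/etc/ssl/certs/edir-org-ca.pem`, the host `edir.example.com`, and the assumption that the wizard's output was saved in PEM form are placeholders; `LDAPTLS_CACERT` and `LDAPTLS_REQCERT` are the OpenLDAP client settings, and the openssl options are standard ones, none of which the guide itself names.

```shell
#!/bin/sh
# Added example (not from the NetIQ guide): use the exported Organizational CA
# self-signed certificate as the trusted root for command-line connections.
# Placeholders: EDIR_CA_FILE (where the export was saved, assumed PEM) and
# EDIR_HOST (an eDirectory server with an LDAPS listener on 636).
EDIR_CA_FILE="${EDIR_CA_FILE:-/etc/ssl/certs/edir-org-ca.pem}"
EDIR_HOST="${EDIR_HOST:-edir.example.com}"

# is_pem_certificate FILE: sanity check that the exported file is a PEM
# certificate (a DER export would need "openssl x509 -inform DER" first).
is_pem_certificate() {
    [ -f "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
                && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# show_trusted_root FILE: print subject, validity window and SHA-256
# fingerprint so the file can be compared with the CA's property page in
# iManager before any client is told to trust it.
show_trusted_root() {
    is_pem_certificate "$1" || { echo "$1 is not a PEM certificate" >&2; return 1; }
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# verify_edir_server [HOST]: succeed only if the server certificate presented
# on port 636 chains to the exported root (no other CA store is consulted).
verify_edir_server() {
    openssl s_client -connect "${1:-$EDIR_HOST}:636" -CAfile "$EDIR_CA_FILE" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# edir_ldapsearch ARGS...: ldapsearch over LDAPS, demanding a server
# certificate that validates against the exported root and nothing else.
edir_ldapsearch() {
    LDAPTLS_CACERT="$EDIR_CA_FILE" LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$EDIR_HOST:636" -x "$@"
}

# Usage: "sh edir-tls.sh show", "sh edir-tls.sh verify",
#        "sh edir-tls.sh search -b '' -s base" (reads the root DSE).
case "${1:-}" in
    show)   show_trusted_root "$EDIR_CA_FILE" ;;
    verify) if verify_edir_server; then echo "chain OK"; else echo "chain FAILED"; fi ;;
    search) shift; edir_ldapsearch "$@" ;;
esac
```

Setting `LDAPTLS_REQCERT=demand` matters as much as supplying the file: without it a client may fall back to a warning and still connect, which silently defeats the point of distributing the Organizational CA's certificate as the trusted root.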