5.3 Enabling SSL for User Access

The identity applications use HTML forms for authentication. As a result, user credentials are exposed during log in. We strongly recommend that you enable SSL to protect sensitive information.

NOTE: When enabling SSL between the Identity Manager engine and the Remote Loader, only the Java keystore method is supported on the Remote Loader.

The procedure for enabling SSL varies depending on whether you are working in a test or a production environment, as described in the following sections:

5.3.1 Enabling SSL in a Test Environment

If you are in a test environment, you might want to use a self-signed certificate. The procedure below explains how to do this.

To enable SSL in a test environment:

  1. Export the Certificate Authority from your eDirectory server using iManager:

    1. Go to iManager.

    2. Login with the eDirectory administrator’s username and password.

    3. Go to Administration > Modify Object.

    4. Browse to the CA object in the Security container called TreeName CA.Security. For example, IDMTESTTREE CA.Security.

    5. Click OK.

    6. Click Certificates > Self Signed Certificate.

    7. Select the self-signed certificate you want to use.

    8. Click the Export button.

    9. Clear Export private key.

    10. Click Export format and select DER.

    11. Click Next.

    12. Click Save the exported certificate.

    13. Click Save File. iManager saves the file as cert.der.

    14. Click Close.

    15. Move the saved file to a location where you want to store the exported certificate.

  2. Create a keystore:

    In a command prompt, cd to your .../tomcat/conf directory and create the keystore.

    NOTE: The tomcat/conf path is the default path for a User Application installed on Tomcat. The path can vary, depending on how you installed the User Application and Tomcat.

    To create the keystore, use the following command:

    keytool -genkey -alias [keystore name] -keyalg RSA -keystore [your keystore name.keystore] -validity 3650

    You will be prompted for your password, first and last name, and possibly other pieces of information.

    Here are a few important points to keep in mind as you answer the prompts:

    • When asked for your first and last name, you should supply the fully qualified name of the server. For example:

      MyTomcatServer.NetIQ.com

    • Be sure your spelling is correct. If you spell any words incorrectly, you will see errors when you generate your signed certificate from the signing authority.

    • Save a copy of the information you provided in a simple text file. This will help to ensure that you supply the same information when you apply to the signing authority and when you import your certificate.

  3. In your Tomcat conf directory, create a simple text file to store your keystore .csr file. Once this file is created, return to a command prompt and create the .csr with the following command:

    keytool -certreq -v -alias [Keystore name you used when you created your keystore] -file [your.csr] -keypass [password you created in keystore] -keystore [your.keystore] -storepass [your password]

  4. Issue a certificate using iManager:

    1. Go to Certificate Server > Issue Certificate.

    2. Browse to the .csr file created earlier.

      Click Next. Then click Next again.

    3. Select Unspecified as the certificate type.

      Click Next. Then click Next again.

5.3.2 Enabling SSL in a Production Environment

To install a signed certificate into the Tomcat application server with the identity applications:

  1. Create a keystore using the keytool utility included in the JRE.

    In a command prompt, cd to your .../tomcat/conf directory and create the keystore.

    NOTE: The tomcat/conf path is the default path for a User Application installed on Tomcat. The path can vary, depending on how you installed the User Application and Tomcat.

    keytool -genkey -alias [keystore name] -keyalg RSA -keystore [your keystore name.keystore] -validity 3650

    You will be prompted for your password, first and last name, and possibly other pieces of information.

    Here are a few important points to keep in mind as you answer the prompts:

    • When asked for your first and last name, you should supply the fully qualified name of the server (for example, MyTomcatServer.NetIQ.com).

    • Be sure your spelling is correct. If you spell any words incorrectly, you will see errors when you generate your signed certificate from the signing authority.

    • Save a copy of the information you provided in a simple text file. This will help to ensure that you supply the same information when you apply to the signing authority and when you import your certificate.

  2. In your Tomcat conf directory, create a simple text file to store your keystore .csr file. Once this file is created, return to a command prompt and create the .csr with the following command:

    keytool -certreq -v -alias [Keystore name you used when you created your keystore] -file [your.csr] -keypass [password you created in keystore] -keystore [your.keystore] -storepass [your password]

  3. Submit your .csr file to your Certificate Authority (CA), such as VeriSign or Entrust.

Once you have received your signed certificate from your CA, you need to import it into your Tomcat Server.

To import your signed certificate:

  1. Place a copy of your certificate in your Tomcat conf directory.

    Be sure to create a backup copy of this certificate and store it in a safe location.

  2. Convert the root CA to DER format:

    1. Double-click on your certificate stored in the Tomcat conf directory.

      This will open a pop-up Certificate dialog screen.

    2. Click on the Certificate Path tab.

    3. Highlight the root certificate (the certificate issued by the signing authority, such as Entrust or VeriSign).

    4. Click on View Certificate. This will open a new Certificate dialog for the root certificate.

    5. Click on the Details tab.

    6. Click Copy to File. This will open the Export Certificate Wizard.

    7. Click Next when the Export Certificate Wizard opens.

    8. Select DER encoded binary X.509 (.CER) and click Next.

    9. Create a new file to store the newly formatted certificate and store it in your Tomcat conf directory.

      Then click Finish.

  3. Convert the signed certificate into DER format:

    1. Double click on your certificate, which should be stored in the Tomcat conf directory.

      This will open a pop-up Certificate dialog screen.

    2. Click on the Details tab.

    3. Click Copy to File. This will open the Export Certificate Wizard.

    4. Click Next when the Export Certificate Wizard opens.

    5. Select DER encoded binary X.509 (.CER) and click Next.

    6. Create a new file to store the newly formatted certificate and store it in your Tomcat conf directory.

      Then click Finish.

  4. Open a command prompt and cd to your Tomcat conf directory.

  5. Import your Root CA:

    keytool -import -trustcacerts -alias root -keystore your.keystore -file yourRootCA.cer

    Be sure to specify root as your alias in this step.

    If all goes well, you should see a Certificate was added to keystore message.

  6. Import your signed certificate.

    keytool -import -alias [alias you used when creating the .csr] -keystore [your.keystore] -file [your DER converted Signed Cert.cer]

    If all goes well, you should see a Certificate reply was installed in keystore message.

  7. To verify that the signed certificate was imported correctly, run the following command in a command prompt from your Tomcat conf directory, substituting the alias and keystore name you used (idm and idm.keystore in this example):

    keytool -list -v -alias idm -keystore idm.keystore

    You should see your self-signed and signed certificates listed in the output.

  8. Enable SSL in Tomcat.

    Locate server.xml under the .../tomcat/conf directory and open that file in a text editor. Enable SSL by uncommenting or adding the following Connector section:

    <Connector port="8443" maxThreads="150" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${tomcat.server.home.dir}/conf/tomcat.jks"
    keystorePass="changeit" sslProtocol="TLS" />

    NOTE: Remember to point keystoreFile to the keystore you created. For example: ${tomcat.server.home.dir}/conf/server.keystore. Also, remember to change keystorePass="changeit" to your keystore password.

    You may also need to add SSLEnabled="true" protocol="HTTP/1.1", as shown below:

      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" 
           keystoreFile="/opt/certs/chap8.keystore"
           keystorePass="changeit" />

  9. Restart your Tomcat server and test.
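As an added example (not from the NetIQ documentation), a small Python checker that parses server.xml and reports the mistakes the previous steps warn about: a connector marked scheme="https" but lacking SSLEnabled="true" (on Tomcat 6 and later such a connector still serves plaintext HTTP on its port, so the form credentials cross in the clear), the default keystorePass="changeit", and a keystoreFile still pointing at the default tomcat.jks. The sample XML, keystore paths and password are constructed for the example.

```python
"""Lint a Tomcat server.xml for the HTTPS connector settings described above."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not from a real deployment: the first snippet on this page,
# with no SSLEnabled, the default keystore password and the default keystoreFile.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" maxThreads="150" maxHttpHeaderSize="8192"
  scheme="https" secure="true" clientAuth="false"
  keystoreFile="${tomcat.server.home.dir}/conf/tomcat.jks"
  keystorePass="changeit" sslProtocol="TLS" />
</Service></Server>"""

# Constructed sample of the corrected form: SSLEnabled set, your own keystore and password.
FIXED_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true" clientAuth="false"
  sslProtocol="TLS" keystoreFile="${tomcat.server.home.dir}/conf/server.keystore"
  keystorePass="example-keystore-password" />
</Service></Server>"""

def lint_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for every Connector that is meant to serve HTTPS."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        ssl_enabled = a.get("SSLEnabled", "false").lower() == "true"
        if a.get("scheme") != "https" and not ssl_enabled:
            continue  # plain HTTP or AJP connector; not in scope
        findings = []
        # scheme/secure only tell the webapp the request is secure; without
        # SSLEnabled="true" Tomcat 6+ still speaks plaintext HTTP on this port.
        if not ssl_enabled:
            findings.append('SSLEnabled="true" missing: connector will not terminate TLS')
        if a.get("scheme") != "https" or a.get("secure", "false").lower() != "true":
            findings.append('scheme="https" secure="true" expected on the TLS connector')
        if a.get("keystorePass", "changeit") == "changeit":  # Tomcat's built-in default
            findings.append("keystorePass is the default 'changeit'")
        if a.get("keystoreFile", "").endswith("tomcat.jks"):
            findings.append("keystoreFile still points at the default tomcat.jks")
        report[int(a.get("port", "0"))] = findings
    return report

if __name__ == "__main__":  # usage: python lint_server_xml.py [server.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SERVER_XML
    for port, findings in lint_connectors(text).items():
        print(f"port {port}:", findings or "OK")
```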