24.1 Replacing the Temporary Self-Signed Certificates for iManager

Standalone iManager installations include a temporary, self-signed certificate for use by Tomcat. It expires one year after installation. NetIQ provides this certificate so that you can use iManager over HTTPS immediately after installing the product. Because clients have no way to validate a self-signed certificate, NetIQ and OpenSSL do not recommend using one except for testing. Replace the temporary certificate with one issued by a certificate authority that your clients trust.

Tomcat stores the self-signed certificate in a keystore file in Java KeyStore (JKS) format. Normally, you would replace the certificate by importing the new private key and certificate into that keystore. However, keytool, the tool used to manage the Tomcat keystore, cannot import a bare private key; it only works with key pairs it generated itself. This procedure therefore bypasses the JKS keystore: the key pair is exported from eDirectory as a PKCS#12 file, and Tomcat is configured to read that file directly.

This section explains how to generate a public/private key pair in eDirectory using NetIQ Certificate Server and to replace the temporary certificate. If you are using eDirectory, you can use NetIQ Certificate Server to securely generate, track, store, and revoke certificates with no further investment.

NOTE: The information in this section does not apply to OES Linux, which installs both Tomcat and Apache. The OES Linux documentation includes information about replacing the self-signed Apache/Tomcat certificate.

24.1.1 Replacing the iManager Self-Signed Certificates on Linux

This section describes how to create a key pair in eDirectory and export the private key, the server certificate, and the root Certificate Authority (CA) certificate as a PKCS#12 file on the Linux platform. It also covers modifying Tomcat's server.xml configuration file to set the keystore type to PKCS12 and point the connector at that .p12 file instead of the default JKS keystore.

This process uses the following files:

  • /var/opt/novell/novlwww/.keystore, which holds the temporary keypair

  • /opt/novell/jdk1.7.0_25/jre/lib/security/cacerts, which holds the trusted root certificates

  • /etc/opt/novell/tomcat8/server.xml, which is used for configuring Tomcat's use of certificates

To replace the self-signed certificates on Linux:

  1. To create a new certificate, complete the following steps:

    1. Log in to iManager.

    2. Click NetIQ Certificate Server > Create Server Certificate.

    3. Select the appropriate server.

    4. Specify a nickname for the server.

    5. Accept the rest of the certificate defaults.

  2. To export the server certificate to the Tomcat home directory, complete the following steps:

    1. In iManager, select Directory Administration > Modify Object.

    2. Browse to and select the Key Material Object (KMO) object.

    3. Click Certificates > Export.

    4. Specify a password.

    5. Save the server certificate as a PKCS#12 (.pfx) in the /var/opt/novell/novlwww directory.

  3. To convert the .pfx file to a .pem file, complete the following steps:

    1. Enter a command, such as openssl pkcs12 -in newtomcert.pfx -out newtomcert.pem.

    2. When prompted for the import password, enter the password you specified in Step 2.

    3. When prompted for a PEM pass phrase, specify a password for the new .pem file. It encrypts the private key inside the file.

      You can use the same password, if desired. Do not add -nodes to the command: the .pem file contains the private key, and with -nodes it would be written in clear text. Delete the .pem file after Step 4.

  4. To convert the .pem file to a .p12 file, complete the following steps:

    1. Enter a command, such as openssl pkcs12 -export -in newtomcert.pem -out newtomcert.p12 -name "New Tomcat".

    2. When prompted for the PEM pass phrase, enter the password you specified in Step 3.

    3. When prompted for an export password, specify a password for the new .p12 file. This is the password you will later put in keystorePass in server.xml.

      You can use the same password, if desired.

  5. To stop Tomcat, enter the following command:

    /etc/init.d/novell-tomcat8 stop

  6. To make Tomcat use the newly created .p12 file, set the keystoreType, keystoreFile, and keystorePass attributes on the HTTPS connector in the Tomcat configuration file, by default /etc/opt/novell/tomcat8/server.xml. In Tomcat 8 these are attributes of the <Connector> element itself; the <Factory> child element used by older Tomcat releases is no longer supported. For example:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
     maxThreads="150" acceptCount="100" SSLEnabled="true"
     scheme="https" secure="true" disableUploadTimeout="true"
     clientAuth="false" sslProtocol="TLS"
     keystoreType="PKCS12" keystoreFile="/var/opt/novell/novlwww/newtomcert.p12"
     keystorePass="password" />

    NOTE: Specify the full path to the .p12 file in keystoreFile rather than a path relative to the Tomcat home directory. The keystore attributes apply to the JSSE-based NIO connector shown above. The APR/native connector (protocol="org.apache.coyote.http11.Http11AprProtocol") in Tomcat 8.0 does not read keystoreFile; it expects PEM files through the SSLCertificateFile and SSLCertificateKeyFile attributes, so if your server.xml uses it, either switch the connector to NIO as shown or configure those attributes instead. Because keystorePass is stored in clear text, server.xml must be readable only by root and the Tomcat user.

  7. To ensure that Tomcat can read the .p12 file and that nobody else can, complete the following steps:

    1. Change the file's owner and group to the account Tomcat runs as, by default novlwww. For example, chown novlwww:novlwww newtomcert.p12.

    2. Restrict the permissions so that only that account (and, if needed, its group) can read the file. It contains the private key, so it must not be world-readable. For example, chmod 640 newtomcert.p12 (user=rw, group=r, others=none).

  8. To restart Tomcat, enter the following command:

    /etc/init.d/novell-tomcat8 start

24.1.2 Replacing the iManager Self-Signed Certificates on Windows

This section describes how to create a key pair in eDirectory and export the private key, the server certificate, and the root Certificate Authority (CA) certificate as a PKCS#12 file on the Windows platform. It also covers modifying Tomcat's server.xml configuration file to set the keystore type to PKCS12 and point the connector at that .p12 file instead of the default JKS keystore.

This process uses the following files:

  • C:\Program Files\Novell\Tomcat\conf\ssl\.keystore, which holds the temporary keypair

  • C:\Program Files\Novell\jre\lib\security\cacerts, which holds the trusted root certificates

  • C:\Program Files\Novell\Tomcat\conf\server.xml, which is used for configuring Tomcat's use of certificates

To replace the self-signed certificates on Windows:

  1. To create a new certificate, complete the following steps:

    1. Log in to iManager.

    2. Click NetIQ Certificate Server > Create Server Certificate.

    3. Select the appropriate server.

    4. Specify a nickname for the server.

    5. Accept the rest of the certificate defaults.

  2. To export the server certificate, complete the following steps:

    1. In iManager, select Directory Administration > Modify Object.

    2. Browse to and select the Key Material Object (KMO) object.

    3. Click Certificates > Export.

    4. Specify a password.

    5. Save the server certificate as a PKCS#12 (.pfx).

  3. To convert the .pfx file to a .pem file, complete the following steps:

    NOTE: OpenSSL is not installed on Windows by default. However, you can download a build for the Windows platform from the OpenSSL website. Alternatively, you can convert the certificate on a Linux platform, where OpenSSL is installed by default. For more information about using Linux to convert the file, see Replacing the iManager Self-Signed Certificates on Linux.

    1. Enter a command, such as openssl pkcs12 -in newtomcert.pfx -out newtomcert.pem.

    2. When prompted for the import password, enter the password you specified in Step 2.

    3. When prompted for a PEM pass phrase, specify a password for the new .pem file. It encrypts the private key inside the file.

      You can use the same password, if desired. Do not add -nodes to the command: the .pem file contains the private key, and with -nodes it would be written in clear text. Delete the .pem file after Step 4.

  4. To convert the .pem file to a .p12 file, complete the following steps:

    1. Enter a command, such as openssl pkcs12 -export -in newtomcert.pem -out newtomcert.p12 -name "New Tomcat".

    2. When prompted for the PEM pass phrase, enter the password you specified in Step 3.

    3. When prompted for an export password, specify a password for the new .p12 file. This is the password you will later put in keystorePass in server.xml.

      You can use the same password, if desired.

  5. Copy the .p12 file to the Tomcat certificate location, by default C:\Program Files\Novell\Tomcat\conf\ssl\. Because the file contains the private key, restrict its NTFS permissions to Administrators and the account the Tomcat service runs as.

  6. Stop the Tomcat service, either from the Windows Services console (services.msc) or with net stop followed by the name of the Tomcat service shown there.

  7. To make Tomcat use the newly created .p12 file, set the keystoreType, keystoreFile, and keystorePass attributes on the HTTPS connector in the Tomcat server.xml file. In Tomcat 8 these are attributes of the <Connector> element itself; the <Factory> child element used by older Tomcat releases is no longer supported. For example:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
     maxThreads="150" acceptCount="100" SSLEnabled="true"
     scheme="https" secure="true" disableUploadTimeout="true"
     clientAuth="false" sslProtocol="TLS"
     keystoreType="PKCS12"
     keystoreFile="C:\Program Files\Novell\Tomcat\conf\ssl\newtomcert.p12"
     keystorePass="password" />

    Specify the full path to the .p12 file in keystoreFile rather than a path relative to the Tomcat home directory. The keystore attributes apply to the JSSE-based NIO connector shown above; the APR/native connector (protocol="org.apache.coyote.http11.Http11AprProtocol") in Tomcat 8.0 does not read keystoreFile and expects PEM files through the SSLCertificateFile and SSLCertificateKeyFile attributes instead. Because keystorePass is stored in clear text, restrict the NTFS permissions on server.xml to Administrators and the account the Tomcat service runs as.

  8. Start the Tomcat service.