15.4 Enabling SSL for User Application

  1. Navigate to the /opt directory.

  2. Create a new directory called cacerts.

    mkdir -p /opt/cacerts

  3. Navigate to the /opt/netiq/jdk <version>/bin directory.

  4. Run the following command:

    ./keytool -genkey -alias mycerts -keyalg RSA -keystore /opt/certs/tomcat.ks -validity 3650 -keysize 1024 -dname "CN=<ip-address>,OU=<organizational unit>,O=<object>,L=<location>,S=<state>,C=<country>" -keypass <password> -storepass <password>

    For example,

    ./keytool -genkey -alias mycerts -keyalg RSA -keystore /opt/certs/tomcat.ks -validity 3650 -keysize 1024 -dname "CN=,OU=employee,O=department,L=bengaluru,S=karnataka,C=india" -keypass changeit -storepass changeit

  5. Create a file called tomcat.csr:

    touch /opt/certs/tomcat.csr

  6. Create a keystore and generate the *.csr file to be issued to eDirectory for converting *.csr to *.der format.

    ./keytool -certreq -v -alias mycerts -file /opt/certs/tomcat.csr -keypass changeit -keystore /opt/certs/tomcat.keystore -storepass changeit

  7. Generate the eDirectory self-signed certificate.

    1. Log in to iManager.

    2. Click Administration > Modify Object.

    3. Browse to the <tree name> ca.security, where <tree name> is the Identity Vault tree name.

    4. Click OK.

    5. Click Certificates.

    6. Select the self-signed certificate you want to use.

    7. Click Validate.

    8. Click Export.

    9. Clear the Export private key check box.

    10. Select DER from the Export format field.

    11. Click Next.

    12. Click Save the exported certificate.

    13. Click Close.

  8. Import the self-signed certificate that you created in step 7.

    ./keytool -import -trustcacerts -alias root -keystore /opt/certs/tomcat.ks -file /opt/certs/cert.der

  9. Create a certificate for the tomcat.csr certificate that you created in step 6.

    1. In iManager, click Roles and Tasks > NetIQ Certificate Server > Issue Certificate.

    2. Browse to the tomcat.csr file created in step 6.

    3. Click Next.

    4. Select the Certificate Type as Unspecified.

    5. Click Next.

    The tomcat.der file is now generated.

  10. Import the tomcat.der certificate to the keystore.

    ./keytool -import -alias mycerts -keystore /opt/certs/tomcat.keystore -file /opt/certs/tomcat.der

  11. Import the root and self-signed certificates to the Java cacerts location.

    ./keytool -import -trustcacerts -alias root -keystore /opt/netiq/jdk <version>/jre/lib/security/cacerts -file /opt/certs/cert.der

    ./keytool -import -alias mycerts -keystore /opt/netiq/jdk <version>/jre/lib/security/cacerts -file /opt/certs/tomcat.der