After you install iManager, you can modify the configuration settings, such as enabling IPv6 addressing or changing the authorized user for an eDirectory tree. Also, NetIQ recommends that you replace the self-signed certificates that the installation process created.
Standalone iManager installations include a temporary, self-signed certificate for use by Tomcat. It has an expiration date of one year. NetIQ provides this certificate to help you get your system up and running so you can securely use iManager immediately after you install the product. NetIQ and OpenSSL do not recommend using self-signed certificates except for testing purposes. Instead, you should replace the temporary certificate with a secure one.
Tomcat stores the self-signed certificate in a keystore that uses Tomcat (JKS) format file. Normally, you would import a private key to replace the certificate. However, the keytool that you use to modify the Tomcat keystore cannot import a private key. The tool only uses a self-generated key.
This section explains how to generate a public/private key pair in eDirectory using NetIQ Certificate Server and to replace the temporary certificate. If you are using eDirectory, you can use NetIQ Certificate Server to securely generate, track, store, and revoke certificates with no further investment.
This section describes how to create a keypair in eDirectory and export the Public, Private, and Root Certificate Authority (CA) keys with a PKCS#12 file. This includes modifying Tomcat's server.xml configuration file to use the PKCS12 directive and point the configuration to an actual P12 file rather than use the default JKS keystore.
This process uses the following files:
C:\Program Files\Novell\Tomcat\conf\ssl\.keystore, which holds the temporary keypair
C:\Program Files\Novell\jre\lib\security\cacerts, which holds the trusted root certificates
C:\Program Files\Novell\Tomcat\conf\server.xml, which is used for configuring Tomcat's use of certificates
To replace the self-signed certificates:
To create a new certificate, complete the following steps:
Log in to iManager.
Click NetIQ Certificate Server > Create Server Certificate.
Select the appropriate server.
Specify a nickname for the server.
Accept the rest of the certificate defaults.
To export the server certificate, complete the following steps:
In iManager, select Directory Administration > Modify Object.
Browse to and select the Key Material Object (KMO) object.
Click Certificates > Export.
Specify a password.
Save the server certificate as a PKCS#12 (.pfx).
To convert the .pfx file to a .pem file, complete the following steps:
NOTE:OpenSSL is not installed by default. However, you can download a version from the OpenSSL website.
Enter a command, such as openssl pkcs12 -in newtomcert.pfx -out newtomcert.pem.
Specify the same password for the certificate that you specified in Step 2.
Specify a password for the new .pem file.
You can use the same password, if desired.
To convert the .pem file to a .p12 file, complete the following steps:
Enter a command, such as openssl pkcs12 -export -in newtomcert.pem -out newtomcert.p12 -name "New Tomcat".
Specify the same password for the certificate that you specified in Step 3.
Specify a password for the new .p12 file.
You can use the same password, if desired.
Copy the .p12 file to the Tomcat certificate location, by default C:\Program Files\Novell\Tomcat\conf\ssl\.
Stop the Tomcat Service by using the services.msc startup script.
To ensure that Tomcat uses the newly created .p12 certificate file, add keystoreType, keystoreFile, and keystorePass variables to the Tomcat server.xml file. For example:
<Connector className="org.apache.coyote.http11.Http11AprProtocol"
port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
acceptCount="100" debug="0" scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true">
<Factory className="org.apache.coyote.tomcat7.CoyoteServerSocketFactory"
clientAuth="false" protocol="TLS" keystoreType="PKCS12"
keystoreFile="C:\Program Files\Novell\Tomcat\conf\ssl\newtomcert.p12" keystorePass="password" />
Or,
<Connector className="org.apache.coyote.http11.Http11NioProtocol"
port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
acceptCount="100" debug="0" scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true">
<Factory className="org.apache.coyote.tomcat7.CoyoteServerSocketFactory"
clientAuth="false" protocol="TLS" keystoreType="PKCS12"
keystoreFile="C:\Program Files\Novell\Tomcat\conf\ssl\newtomcert.p12" keystorePass="password" />
When setting the keystore type to PKCS12, you must specify the entire path to the certificate file, as Tomcat will no longer default to using the Tomcat home path.
Start the Tomcat service by using the services.msc startup script.
After installing iManager, you can enable iManager to use IPv6 addresses.
Open the catalina.properties file in the installation directory, located by default installation_directory\Tomcat\conf.
Set the following configuration entries in the properties file:
java.net.preferIPv4Stack=false
java.net.preferIPv4Addresses=true
Restart Tomcat.
After installing iManager, you can modify the credentials for the authorized user and the appropriate eDirectory tree name that this user manages. For more information, see “iManager Authorized Users and Groups” in the NetIQ iManager Administration Guide.
Log in to iManager.
In the Configure view, select iManager Server > Configure iManager > Security.
Update the user credentials and tree name.