42.3 Enabling SSL with an External CA Signed Certificate

For a production environment, use a signed certificate issued by a valid Certificate Authority. This section explains how to import a signed certificate into the default Tomcat application server for the identity applications.

This procedure assumes that you have a signed certificate from a valid Certificate Authority. For more information, see Creating a Keystore and Certificate Signing Request.

To use a signed certificate and SSL:

  1. Copy the certificate to the configuration directory of your application server.

    Linux: /opt/netiq/idm/apps/tomcat/conf

    Windows: C:\NetIQ\idm\apps\tomcat\conf

  2. To convert the root certificate to DER format, complete the following steps:

    1. Double-click on your certificate stored in the conf directory.

    2. In the Certificate dialog, click Certificate Path.

    3. Select the root certificate that you received from the signing authority.

    4. Click View Certificate.

    5. Click Details > Copy to File.

    6. In the Export Certificate Wizard, click Next.

    7. Select DER encoded binary X.509 (.CER) and then click Next.

    8. Create a new file to store the newly formatted certificate and store it in the conf directory for your application server.

    9. Click Finish.

  3. To import the converted certificate, complete the following steps:

    1. In a command prompt, navigate to the conf directory for your application server. For example, /opt/netiq/idm/apps/tomcat/conf or C:\NetIQ\idm\apps\tomcat\conf.

    2. Enter the following command:

      keytool -import -trustcacerts -alias root -keystore keystore_name -file yourRootCA.der

      For example:

      keytool -import -trustcacerts -alias root -keystore tomcat.ks -file IDMTESTREE.der

      NOTE: You must specify root as your alias.

      After importing the certificate, the server displays Certificate was added to keystore.

    3. Verify that the signed certificate was imported correctly into the keystore in the conf directory using the following command:

      keytool -list -v -alias root -keystore keystore_name

      For example:

      keytool -list -v -alias root -keystore tomcat.ks

      The server lists your certificates.

  4. NetIQ recommends that you import the signed certificates into idm.jks. This is a centralized keystore that stores all the certificates used by the identity applications and Identity Reporting. For example:

    Linux: keytool -import -trustcacerts -alias root -keystore /opt/netiq/idm/apps/tomcat/conf/idm.jks -file IDMTESTREE.der

    Windows: keytool -import -trustcacerts -alias root -keystore C:\NetIQ\idm\jre\lib\security\cacerts -file IDMTESTREE.der

  5. Update the SSL settings for the application server. For more information, see Updating the SSL Settings for the Application Server.

  6. Update the SSL settings in the Configuration utility. For more information, see Updating the SSL Settings in the Configuration Utility.

  7. Update the SSL settings for Self Service Password Reset. For more information, see Updating the SSL Settings for Self Service Password Reset.

  8. Restart Tomcat.
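The following is an added example and is not part of the NetIQ documentation or product. It shows, on any platform, what steps 2 and 3 rely on: converting a PEM (Base64) root certificate to DER, checking that the result really is a single DER SEQUENCE rather than a PEM file that was merely renamed to .der, and printing a SHA-256 fingerprint in the same colon-separated form that keytool -list -v shows, so you can confirm the entry imported under the root alias is the file you intended. The certificate bytes below are a constructed placeholder (a minimal DER SEQUENCE), not a real certificate, so the script runs offline; the output file name yourRootCA.der mirrors the placeholder used in the keytool command above. On Linux the same conversion is done with openssl x509 -inform PEM -outform DER.

```python
import base64
import hashlib
import re

# Constructed sample: NOT a real certificate, only a minimal valid DER
# SEQUENCE (tag 0x30, length 5) wrapped in PEM markers so the conversion
# can be demonstrated without network access or a real CA.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in pem_text.

    This is what 'DER encoded binary X.509 (.CER)' in the Windows export
    wizard produces, or 'openssl x509 -inform PEM -outform DER' on Linux.
    """
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    body = "".join(match.group(1).split())  # strip line breaks and spaces
    return base64.b64decode(body, validate=True)


def is_der_sequence(data: bytes) -> bool:
    """Sanity check before importing: an X.509 certificate is one DER
    SEQUENCE whose encoded length matches the file size. This catches a
    PEM file renamed to .der, a truncated copy, or trailing junk."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Fingerprint in the colon-separated uppercase form printed by
    'keytool -list -v', for comparison with the imported 'root' entry."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def convert_and_check(pem_text: str):
    """Convert PEM to DER, refuse malformed output, return (der, sha256)."""
    der = pem_to_der(pem_text)
    if not is_der_sequence(der):
        raise ValueError("converted data is not a well-formed DER SEQUENCE")
    return der, fingerprint(der)


if __name__ == "__main__":
    der, fp = convert_and_check(SAMPLE_PEM)
    # Placeholder file name matching the keytool example in this section.
    with open("yourRootCA.der", "wb") as out:
        out.write(der)
    print(f"wrote {len(der)} bytes to yourRootCA.der")
    print(f"SHA256 fingerprint: {fp}")
```

After running keytool -import with the resulting file, compare the SHA256 line that keytool -list -v -alias root prints against the fingerprint this script reports; a mismatch means a different certificate is in the keystore than the one you converted.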