3.5 Creating a Secure Connection

If you plan to use the Remote Loader, the first step is to provide secure data transfer between the Remote Loader and the Metadirectory engine. This requires you to use the Secure Socket Layer (SSL) to setup a connection between the Remote Loader and the Metadirectory engine.

To accomplish this, complete the following tasks:

3.5.1 Creating a Server Certificate

If you are unfamiliar with certificates, it is easy to create a new one.

  1. In Novell iManager, click Novell Certificate Server > Create Server Certificate.

  2. Select the server to own the certificate, and give the certificate a nickname (for example, remotecert).

    IMPORTANT:We recommend that you don’t use spaces in the certificate nickname. For example, use remotecert instead of remote cert.

    Also, make a note of the certificate nickname. This nickname is used for the KMO name in the driver’s remote connection parameters.

    Creating a server certificate with a nickname
  3. Leave the Creation method set to Standard, then click Next.

  4. Review the Summary, click Finish, then click Close.

    You have created a server certificate. Continue with Section 3.5.2, Exporting a Self-Signed Certificate.

3.5.2 Exporting a Self-Signed Certificate

You can export a newly created certificate. Or, if an SSL server certificate already exists and you have experience with SSL certificates, you can use the existing certificate instead of creating and using a new one.

When a server joins a tree, eDirectory creates the following default certificates:

  • SSL CertificateIP

  • SSL CertificateDNS

  1. In iManager, click eDirectory Administration > Modify Object.

  2. Browse to and select the Certificate Authority in the Security container, then click OK.

    The Certificate Authority (CA) is named after the tree name (Treename-CA.Security).

  3. Click the Certificates tab, select the Self-Signed Certificate, then click Export.

    Exporting a self-signed certificate
  4. In the Export Certificate Wizard, deselect Export private key.

    Deselecting export private key option

    You don’t want to export the private key with the certificate.

  5. Set the export format to BASE64, then click Next.

    Export format of BASE64

    IMPORTANT:When the Remote Loader is running on a Windows 2003 R2 SP1 32-bit server, the certificate must be in Base64 format. If you use the DER format, the Remote Loader fails to connect to the Identity Manager engine.

  6. Click the link to Save the exported certificate, specify a location in the local file system, then click Save.

  7. Click Close.

3.5.3 Creating a Keystore

A keystore is a Java file that contains encryption keys and, optionally, certificates. If you want to use SSL between the Remote Loader and the Metadirectory engine, and you are using a Java shim, you need to create a keystore file.

Keystore on Windows

On Windows, run the Keytool utility, typically found in the c:\novell\remoteloader\jre\bin directory.

Keystore on Solaris, Linux, or AIX

On Solaris, Linux, or AIX environments, use the create_keystore file. Create_keystore is installed with rdxml. It is located in the install_directory/dirxml/bin directory. The create_keystore file is also included in the dirxml_jremote.tar.gz file, found in the \dirxml\java_remoteloader directory. The create_keystore file is a shell script that calls the Keytool utility.

On UNIX, when the self-signed certificate is used to create the keystore, the certificate can be exported in Base64 or binary DER format.

Enter the following at the command line:

create_keystore self-signed_certificate_name keystorename

For example, type one of the following

create_keystore tree-root.b64 mystore
create_keystore tree-root.der mystore

The create_keystore script specifies a hard-coded password of “dirxml” for the keystore password. This is not a security risk because only a public certificate and public key are stored in the keystore.

Keystore on All Platforms

To create a keystore on any platform, you can enter the following at the command line:

keytool -import -alias trustedroot -file self-signed_certificate_name -keystore filename -storepass keystorepass

The filename can be any name (for example, rdev_keystore).