48.7 Enabling SSL with a Signed Certificate

For a production environment, use a signed certificate issued by a valid Certificate Authority. This section explains how to import a signed certificate into the default Tomcat application server for the identity applications. Many of the steps also apply to JBoss and WebSphere. However, NetIQ recommends reviewing the documentation for your application server to ensure that you correctly import the certificate.

This procedure assumes that you have a signed certificate from a valid Certificate Authority. For more information, see Section 48.5, Creating a Keystore and Certificate Signing Request.

To use a signed certificate and SSL:

  1. Place a copy of the certificate in the configuration directory of your application server. For example, /opt/netiq/idm/apps/tomcat/conf.

    NOTE:

    • If you deploy the identity applications, Identity Reporting, OSP, and SSPR on multiple instances of your application server, ensure that each instance has a copy of the certificate.

    • You should also store a backup copy of this certificate in a safe location.

  2. To convert the root certificate to DER format, complete the following steps:

    1. Double-click on your certificate stored in the conf directory.

    2. In the Certificate dialog, click Certificate Path.

    3. Select the root certificate that you received from the signing authority.

    4. Click View Certificate.

    5. Click Details > Copy to File.

    6. In the Export Certificate Wizard, click Next.

    7. Select DER encoded binary for X.509 (.CER) and then click Next.

    8. Create a new file to store the newly formatted certificate and store it in the conf directory for your application server.

    9. Click Finish.

  3. To import the converted certificate, complete the following steps:

    1. In a command prompt, navigate to the conf directory for your application server.

    2. Enter the following command:

      keytool -import -trustcacerts -alias root -keystore your.keystore -file yourRootCA.cer

      For example:

      keytool -import -trustcacerts -alias root -keystore IDMkey.keystore -file IDMTESTREE.cer

      NOTE: You must specify root as your alias.

      If the import is successful, the server displays Certificate was added to keystore.

    3. To verify that the signed certificate is imported correctly, run the following command from the conf directory.

      keytool -list -v -alias root -keystore your.keystore

      For example:

      keytool -list -v -alias root -keystore IDMkey.keystore

      The server should list your self-signed and signed certificates.

  4. Stop the application server.

  5. (Conditional) To enable SSL for Tomcat, complete the following steps:

    1. In a text editor, open server.xml, located by default in the netiq/idm/apps/tomcat/conf directory.

    2. In the file, uncomment or add the following section:

      <Connector port="8543" protocol="org.apache.coyote.http11.Http11Protocol"
                 maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS"
                 keystoreFile="path_to_keystore_file"
                 keystorePass="keystore_password" />

      where

      keystoreFile

      Specifies the path to the userapp.keystore file, located by default at /netiq/idm/apps/tomcat/conf/userapp.keystore.

      keystorePass

      Specifies the password for the userapp.keystore file.

      Ensure that you specify the appropriate values for keystoreFile and keystorePass. For example, .

      For more information about enabling SSL for Tomcat, see SSL Configuration HOW-TO.

  6. (Conditional) To enable SSL for JBoss or WebSphere, see the appropriate documentation. For example:

  7. Update the SSL settings for the identity applications, reporting, and SSPR. For more information, see Section 48.2, Updating the SSL Settings in the Configuration Utility.

  8. Restart the application server.
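The Connector block in Step 5 is a template, and a common failure is restarting Tomcat with its placeholders or one of the SSL attributes still unsubstituted. As an added example (not part of the NetIQ documentation), this Python check parses a server.xml and reports such gaps before Step 8; the sample server.xml, its port numbers and the keystore path it uses are constructed.

```python
"""Audit the HTTPS <Connector> in a Tomcat server.xml before restarting the server."""
import os
import xml.etree.ElementTree as ET

# Placeholder values from the documented Connector template; leaving them in is a copy-paste mistake.
PLACEHOLDERS = {"path_to_keystore_file", "keystore_password"}
# Attribute values the section requires on the SSL connector.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}

# Constructed sample server.xml (not from a real deployment): the documented
# connector with both placeholders left unsubstituted.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8180" protocol="HTTP/1.1" redirectPort="8543" />
    <Connector port="8543" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="path_to_keystore_file"
               keystorePass="keystore_password" />
  </Service>
</Server>
"""


def audit_ssl_connectors(server_xml: str, check_paths: bool = False) -> list:
    """Return a list of findings; an empty list means the SSL connector looks complete.

    With check_paths=True the keystoreFile must also exist on this host."""
    findings = []
    root = ET.fromstring(server_xml)
    ssl = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return ['no <Connector> has SSLEnabled="true": HTTPS is not enabled']
    for conn in ssl:
        port = conn.get("port", "?")
        for attr, want in REQUIRED.items():  # scheme/secure must match SSLEnabled
            if conn.get(attr, "").lower() != want:
                findings.append(f'port {port}: {attr} must be "{want}"')
        for attr in ("keystoreFile", "keystorePass"):
            value = conn.get(attr)
            if not value:
                findings.append(f"port {port}: {attr} is missing")
            elif value in PLACEHOLDERS:
                findings.append(f"port {port}: {attr} still holds the template placeholder {value!r}")
            elif attr == "keystoreFile" and check_paths and not os.path.isfile(value):
                findings.append(f"port {port}: keystoreFile {value!r} does not exist on this host")
    return findings


if __name__ == "__main__":
    for line in audit_ssl_connectors(SAMPLE_SERVER_XML) or ["SSL connector OK"]:
        print(line)
```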