A.1 Secure LDAP Certificates

iManager can create secure LDAP connections in the background without any user intervention. If the LDAP server’s SSL certificate changes for any reason (for example, a new Organizational CA), iManager should automatically retrieve the new certificate over its authenticated connection and import it into its own keystore database.

If this does not happen, delete the keystore that iManager uses, which forces iManager and Tomcat to re-create the database and reacquire the certificate:

  1. Shut down Tomcat.

  2. Delete the TOMCAT_HOME\webapps\nps\WEB-INF\iMKS file.

  3. Restart Tomcat.

    For information about restarting Tomcat, see Starting and Stopping Tomcat.

  4. Open iManager in a browser and log back in to the tree, to automatically reacquire the new certificate and re-create the database store.

Alternatively, you can manually import the required certificate into the JVM’s default keystore (cacerts) with the keytool certificate management utility that ships with the JDK. When creating a secure SSL connection, iManager first consults the JVM default keystore and then the iManager-specific keystore database.

After you have saved the eDirectory trusted root certificate in DER format, import it into the keystore that iManager uses (the JVM’s cacerts file). To do this, you need a JDK so that you can run keytool. If only a JRE was installed with iManager, download a JDK to obtain keytool.

NOTE: For information about creating a .der certificate file, see “Exporting a Trusted Root or Public Key Certificate” in the NetIQ Certificate Server Administration Guide. Export the trusted root certificate, not the LDAP server’s own certificate.

  1. Open a command window.

  2. Change to the \bin directory of the JDK installation.

    For example, on a Windows system, you would enter the following command:

    cd j2sdk1.5.0_11\bin

  3. Import the certificate into the keystore with the keytool, executing the following keytool commands (platform specific):

    • Linux

      keytool -import -alias [alias_name] -file [full_path]/trustedrootcert.der -keystore [full_path]/jre/lib/security/cacerts
    • Windows

      keytool -import -alias [alias_name] -file [full_path]\trustedrootcert.der -keystore [full_path]\jre\lib\security\cacerts

    Replace alias_name with a unique name for this certificate (keytool refuses to import if the alias already exists), and make sure you include the full path to trustedrootcert.der and to cacerts.

    The last path in the command specifies the keystore location. This varies from system to system because it depends on where iManager and its JVM are installed. The following are examples of default locations for iManager on Windows and Linux:

    • On Windows: C:\Program Files\Novell\jre\lib\security\cacerts
    • On Linux: <JAVA_HOME>/jre/lib/security/cacerts

  4. Enter the keystore password. The JDK ships cacerts with the default password changeit; if the password has been changed on this system, use the current one.

  5. keytool displays the certificate’s owner, issuer, validity period, and fingerprints and asks whether to trust it. Compare the fingerprint with the one shown for the trusted root in Certificate Server (or obtained from the CA by another trustworthy channel) before answering yes; importing an unverified root into cacerts makes every TLS connection from that JVM trust whoever holds its key.
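The following program does what the keytool steps above do, but refuses to write to the keystore unless the certificate’s SHA-256 fingerprint matches a value you supply from an out-of-band source, and it rejects a certificate that is not a CA certificate (for example, the LDAP server certificate exported by mistake). It is an added example, not part of iManager or the NetIQ documentation; the class name ImportTrustedRoot, the command-line arguments and the .bak backup name are assumptions made here. It needs Java 7 or later for try-with-resources, and should be run with the same JDK that Tomcat uses so that it writes the keystore Tomcat reads.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/*
 * ImportTrustedRoot: hypothetical helper (not iManager code) that imports a
 * DER trusted root into a JKS keystore such as the JVM's cacerts, after
 * checking that it is a CA certificate and that its SHA-256 fingerprint
 * matches a value obtained out of band.
 *
 * Usage:
 *   java ImportTrustedRoot <cacerts> <storepass> <alias> <trustedrootcert.der> <expected SHA-256 fingerprint>
 */
public class ImportTrustedRoot {

    // Fingerprint in the colon-separated upper-case form keytool prints (AB:CD:...).
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    static X509Certificate loadDer(Path derFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(derFile)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: ImportTrustedRoot <keystore> <storepass> <alias> <cert.der> <sha256-fingerprint>");
            System.exit(2);
        }
        Path keystorePath = Paths.get(args[0]);
        char[] storePass = args[1].toCharArray();
        String alias = args[2];
        X509Certificate cert = loadDer(Paths.get(args[3]));
        String expected = args[4].replace(":", "").toUpperCase();

        // Sanity checks: a trusted root is a currently valid CA certificate, normally self-signed.
        cert.checkValidity();
        if (cert.getBasicConstraints() < 0) {
            System.err.println("Not a CA certificate; export the trusted root, not the LDAP server certificate.");
            System.exit(1);
        }
        if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            cert.verify(cert.getPublicKey()); // throws if the self-signature does not verify
        } else {
            System.err.println("Warning: certificate is not self-signed (an intermediate CA?)");
        }

        // Verify the fingerprint before trusting anything.
        String actual = fingerprint(cert, "SHA-256");
        if (!actual.replace(":", "").equals(expected)) {
            System.err.println("SHA-256 fingerprint mismatch, refusing to import");
            System.err.println("  expected: " + args[4]);
            System.err.println("  actual:   " + actual);
            System.exit(1);
        }

        // cacerts is a JKS file on the JDK versions this page targets; newer JDKs
        // load a PKCS12 cacerts through the "JKS" type as well (compatibility mode).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        if (ks.containsAlias(alias)) {
            System.err.println("Alias '" + alias + "' already exists; choose a unique alias or delete the old entry first.");
            System.exit(1);
        }

        // Keep a backup, then write the updated keystore in place.
        Files.copy(keystorePath, keystorePath.resolveSibling(keystorePath.getFileName() + ".bak"),
                   StandardCopyOption.REPLACE_EXISTING);
        ks.setCertificateEntry(alias, cert);
        try (OutputStream out = Files.newOutputStream(keystorePath)) {
            ks.store(out, storePass);
        }
        System.out.println("Imported " + cert.getSubjectX500Principal().getName()
                           + " as '" + alias + "' (SHA-256 " + actual + ")");
    }
}
```

Run it with the account that owns the JDK files, for example `java ImportTrustedRoot /opt/jdk/jre/lib/security/cacerts changeit treeCA /tmp/trustedrootcert.der 3F:0A:...`, and restart Tomcat afterwards so that the running JVM picks up the modified trust store. Because the program compares the fingerprint itself, it can be scripted for several trees without the interactive yes/no prompt while still refusing an unexpected certificate.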

NOTE: This process must be repeated for each eDirectory tree you will be accessing with iManager. If LDAP has been configured to use a certificate not signed by the tree’s Organizational CA, you must import that certificate’s trusted root instead. This is necessary, for example, if LDAP is configured to use a VeriSign-signed certificate.