You can change the internal Identity Audit CA and embedded product certificates to certificates signed by your enterprise CA so you can integrate Identity Audit with your enterprise security infrastructure.
WARNING: Although the process of using certificates signed by external CAs is relatively simple, the consequences of failing to change all required components are serious. Logging applications might fail to communicate with your Secure Logging Server, so events are not recorded.
To update your Identity Audit certificate infrastructure with a custom certificate:
Identify all Secure Logging Servers and Identity Manager servers where certificates are located.
Use AudCGen to generate a CSR for the Secure Logging Server.
For information on generating a CSR with AudCGen, see Creating Logging Application Certificates.
Have the CSR signed by your enterprise CA.
If necessary, convert the returned certificate to a Base64-encoded .pem file.
Shut down all Secure Logging Servers and Identity Manager servers.
Delete and purge all application cache (lcache) files.
In iManager, update the and properties in the Secure Logging Server configuration to point to the new, signed root certificate key pair:
In iManager, select .
The has , and options. Select the option.
Update the path in the field.
Update the path in the field, then click to save the changes.
For more information on the Secure Logging Server configuration, see Logging Server Object Attributes in the Novell Audit 2.0 Administration Guide.
Use AudCGen to generate a new public certificate for Identity Manager.
IMPORTANT: The certificate signed by your enterprise CA must be used as the authoritative root certificate.
For information on generating a certificate for Identity Manager, see Creating Logging Application Certificates.
Update the Identity Manager Instrumentation so it uses the public certificate signed by the Secure Logging Server’s root certificate key pair. For more information, see Enabling the Identity Manager Instrumentation to Use a Custom Certificate.
Restart eDirectory™ or the Remote Loader.
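The following script is an added example and is not part of the Identity Audit documentation or the AudCGen tool. It covers the conversion of the certificate returned by the enterprise CA to a Base64-encoded .pem file and adds the check a practitioner would run before shutting any server down: that the returned certificate actually chains to the enterprise CA and carries the same public key as the CSR AudCGen produced (a certificate issued for the wrong key is exactly the kind of mistake that leaves the logging applications unable to talk to the Secure Logging Server). It assumes OpenSSL is installed; all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Identity Audit documentation.
# Inputs (constructed names): the signed certificate returned by the
# enterprise CA (PEM or DER), the enterprise CA certificate (PEM), and
# the CSR generated with AudCGen for the Secure Logging Server.
set -eu

# to_pem SIGNED_CERT OUT_PEM
# Writes a Base64-encoded .pem copy of SIGNED_CERT whatever its encoding.
to_pem() {
    in="$1"; out="$2"
    if grep -q 'BEGIN CERTIFICATE' "$in" 2>/dev/null; then
        cp "$in" "$out"                                  # already PEM
    else
        openssl x509 -inform DER -in "$in" -out "$out"   # DER -> PEM
    fi
}

# check_cert PEM CA_PEM CSR
# Returns 0 only if PEM chains to CA_PEM and its public key is the one in
# CSR, i.e. the CA signed the key pair AudCGen generated and nothing else.
check_cert() {
    pem="$1"; ca="$2"; csr="$3"
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 || return 1
    cert_key=$(openssl x509 -in "$pem" -noout -pubkey | openssl dgst -sha256)
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl dgst -sha256)
    [ "$cert_key" = "$csr_key" ]
}

# Usage: sh check_signed_cert.sh returned-cert enterprise-ca.pem sls.csr
if [ "$#" -eq 3 ]; then
    to_pem "$1" signed.pem
    if check_cert signed.pem "$2" "$3"; then
        echo "signed.pem chains to the enterprise CA and matches the CSR"
    else
        echo "signed.pem does NOT match the CSR or the CA; do not deploy it" >&2
        exit 1
    fi
fi
```

Run it once per Secure Logging Server CSR before the shutdown step; only a certificate that passes both checks should be referenced from the Secure Logging Server configuration.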
After you update your Identity Audit certificate infrastructure with a custom certificate, the only required maintenance is to update the certificate when it expires.