Environment
Situation
Resolution
Step 1: Exporting Certificates from eDirectory
Only one certificate needs to be exported from eDirectory: the self-signed certificate of your tree's Certificate Authority (the “<Tree Name> CA” object in the Security container). Teaming will trust this CA, and with it the LDAP server certificate the CA issued. Only the public certificate is needed; the CA's private key is never exported.
There are two tools for exporting certificates out of eDirectory: the older ConsoleOne and the newer iManager. ConsoleOne has the advantage of being familiar but uses older certificate management snap-ins; iManager has the newer certificate management plug-ins but is less familiar.
Method 1: ConsoleOne
Launch ConsoleOne and authenticate to your eDirectory Tree.
Click on the Security container in your eDirectory Tree
Right click on the object labeled “<your Tree name>CA” and select Properties
Click on the Certificates tab | Self Signed Certificate
If you have the option to validate the certificate, do so just to verify that it is good
Click Export
Select either "File in binary DER format" or “File in Base64 format” (keytool accepts both)
Change the filename to something that will identify the file later (example: SelfSignedCert.der)
Click Export
Click Cancel to exit out of the Properties of the Certificate Authority object
Now close ConsoleOne if desired, as the certificate needed to add SSL to Teaming's LDAP communication has been exported. Transport/move the certificate file to a location on the Teaming server, then move on to Step Two.
Method 2: iManager
For this to work, iManager must have the latest plug-ins for Novell Certificate Server and Novell Certificate Access. If it does not, update the plug-ins first.
Launch and log into iManager for your Tree
Select Directory Administration
Select Modify object
Click on the magnifying glass to browse to the “<Tree Name> CA” object in the Security container of the eDirectory Tree and click on it
Click on OK
Click on the Certificates tab
Check the box for the Self Signed Certificate and click on Validate
Check the box for the Self Signed Certificate and click on Export
Uncheck “Export private key”. Teaming only needs the public CA certificate; the CA's private key must stay in eDirectory.
Click on Next
Click on “Save the exported certificate”. Select either "File in binary DER format" or “File in Base64 format” (either should work).
Save the file somewhere it can be accessed later, with a filename that identifies what it is (example: SelfSignedCert.der)
Click on Close
Click on OK
Now close iManager if desired, as the certificate needed to add SSL to Teaming's LDAP communication has been exported. Transport/move the certificate file from where it was saved to a location on the Teaming server, then move on to Step Two.
Step Two: Importing the certificate into Teaming
This section is performed on the Linux server where the Teaming server software is running. The certificate file that was just exported needs to be visible on this server, either by drive mapping/mounting or by copying the file locally. Last, open a terminal prompt and switch to the root user (hint: su command).
At the terminal prompt type keytool and press Enter
This should display a list of commands and options; it tests whether the keytool application is in the path. If it is not, add the Java bin directory to the path, or change to the Java bin directory and launch keytool from there.
Import the SelfSignedCert.der into the Java CA keystore.
The Java CA keystore is found in the <java sdk/jdk>/jre/lib/security directory and is usually named cacerts. Note: a Java update can back up this file (cacerts) and replace it with a new version that no longer contains the manually imported certificate. LDAP authentication/synchronization in Teaming then stops working, so keep the exported certificate file and re-check the keystore after every Java update. The command is:
keytool -import -alias <ldap server dns name> -keystore <path to Java CA keystore> -file <certificate file>
The alias is only a label for the keystore entry; the LDAP server's DNS name is simply a convenient one. Importing the tree CA is sufficient because eDirectory's LDAP server certificate is, by default, issued by the tree CA; if your LDAP server has been given a certificate from some other CA, that CA's certificate is the one to import instead.
Example:
keytool -import -alias ldap.allnet.com -keystore /etc/alternatives/java_sdk/jre/lib/security/cacerts -file /home/admin/SelfSignedCert.der
When prompted for a password, enter changeit (the default password of the Java cacerts keystore).
Accept the certificate import by answering yes.
Close the terminal window
The certificate has now been imported into the keystore so that Teaming can use SSL for its LDAP communication. The keytool application with the -list command can be used to confirm that the certificate was imported.
Example: keytool -list -keystore <keystore filename>
When prompted for the password, enter changeit.
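The whole of Step Two as one script, added here as an example; it is not part of the original TID and not Novell's own tooling. It assumes the certificate file exported in Step 1, a JAVA_HOME (or third argument) that points at the Java running Teaming, the default changeit keystore password, and that openssl is installed; the host name, alias and paths are the article's placeholders. It adds what the manual steps leave implicit: it refuses to import anything other than a self-signed CA certificate, backs up cacerts before touching it, replaces a stale entry under the same alias instead of failing on it, and finishes with a TLS handshake to port 636 that trusts only the exported CA, which is the quickest check that the LDAP server's certificate really chains to the CA just imported.

```shell
#!/bin/sh
# Added example (not from the original TID): Step Two as a script with the
# checks the article leaves implicit. Assumptions (not in the original):
# the certificate file is the tree CA export from Step 1, JAVA_HOME (or the
# third argument) is the Java that runs Teaming, openssl is installed, and
# the keystore password is still Java's default, changeit.
set -eu

STOREPASS=${STOREPASS:-changeit}   # default cacerts password; keytool would prompt otherwise

# Locate cacerts under a Java home. The article's JDK layout keeps it under
# jre/lib/security; JDK 9 and later moved it to lib/security (assumed here).
cacerts_path() {
    if [ -f "$1/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$1/jre/lib/security/cacerts"
    elif [ -f "$1/lib/security/cacerts" ]; then
        printf '%s\n' "$1/lib/security/cacerts"
    else
        return 1
    fi
}

# keytool accepts DER and Base64 exports alike; openssl must be told which,
# so detect the encoding from the PEM header line.
cert_inform() {
    if head -n 1 "$1" | grep -q '^-----BEGIN'; then echo PEM; else echo DER; fi
}

# Show what is about to be trusted and refuse anything that is not a
# self-signed CA (subject equals issuer, CA:TRUE): trusting a leaf or some
# other CA here would silently widen what Teaming accepts over LDAPS.
check_ca_cert() {
    _inform=$(cert_inform "$1")
    openssl x509 -in "$1" -inform "$_inform" -noout -subject -issuer -dates
    _subject=$(openssl x509 -in "$1" -inform "$_inform" -noout -subject)
    _issuer=$(openssl x509 -in "$1" -inform "$_inform" -noout -issuer)
    [ "${_subject#subject=}" = "${_issuer#issuer=}" ] ||
        { echo "refusing: $1 is not self-signed" >&2; return 1; }
    openssl x509 -in "$1" -inform "$_inform" -noout -text | grep -q 'CA:TRUE' ||
        { echo "refusing: $1 is not a CA certificate" >&2; return 1; }
}

alias_present() {   # keytool -list exits non-zero when the alias is absent
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Back up cacerts first (a Java update can replace it later, as the article
# notes), replace a stale entry under the same alias, then import and list
# the entry so the import can be confirmed.
import_ca_cert() {
    _keystore=$1 _alias=$2 _cert=$3
    check_ca_cert "$_cert"
    cp -p "$_keystore" "$_keystore.$(date +%Y%m%d%H%M%S).bak"
    if alias_present "$_keystore" "$_alias"; then
        keytool -delete -keystore "$_keystore" -storepass "$STOREPASS" -alias "$_alias"
    fi
    keytool -import -noprompt -trustcacerts -keystore "$_keystore" \
        -storepass "$STOREPASS" -alias "$_alias" -file "$_cert"
    keytool -list -keystore "$_keystore" -storepass "$STOREPASS" -alias "$_alias"
}

# End-to-end check from the Teaming server: a TLS handshake to port 636,
# trusting only the exported CA. "Verify return code: 0 (ok)" means the LDAP
# server's certificate chains to the CA that was just imported.
check_ldaps() {
    _pem=$(mktemp)
    if [ "$(cert_inform "$2")" = DER ]; then
        openssl x509 -in "$2" -inform DER -out "$_pem"
    else
        cp "$2" "$_pem"
    fi
    echo | openssl s_client -connect "$1:636" -CAfile "$_pem" 2>/dev/null |
        grep 'Verify return code'
    rm -f "$_pem"
}

# usage (as root): sh import-tree-ca.sh /home/admin/SelfSignedCert.der ldap.allnet.com [java home]
main() {
    _java=${3:-${JAVA_HOME:?set JAVA_HOME or pass the Java home as the third argument}}
    _keystore=$(cacerts_path "$_java") || { echo "no cacerts under $_java" >&2; exit 1; }
    import_ca_cert "$_keystore" "$2" "$1"
    check_ldaps "$2" "$1"
}
[ $# -eq 0 ] || main "$@"
```

Run it as root, since cacerts is normally only writable by root. The openssl s_client check confirms the chain but not the hostname; make sure the host in the ldaps URL used in Step Three is the name the LDAP server's certificate was issued for.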
Step Three: Modify the Teaming LDAP Configuration
First, modify the LDAP configuration under the Enterprise Administration portlet. This LDAP configuration handles the LDAP authentication portion of Teaming.
Click on the Users tab
Click on the Settings tab
Under the Settings tab click on the Authentication tab
Under the Authentication tab click on the LDAP tab
Change the url from ldap to ldaps and the port from 389 to 636
Example:
From – ldap://ldap.allnet.com:389
To – ldaps://ldap.allnet.com:636
Click on Save
After a moment a green bar across the top telling you the configuration was successful should appear.
Click on the word Portal in the top right corner to close the portlet
Click on Configure LDAP in the Teaming Administration portlet
Expand the Connection option
Change the url from ldap to ldaps and the port from 389 to 636
Example:
From – ldap://ldap.allnet.com:389/o=allnet
To – ldaps://ldap.allnet.com:636/o=allnet
Do not change the search base DN at the end of the line.
Check Run Immediately, this will cause Teaming to do a synchronization and test the new configuration
Click on Apply
There will be a pause before the page starts responding again. If it comes back without any errors, the synchronization worked.
Click on the word Portal in the top right corner to close the portlet
Modify the LDAP configuration under the "Manage" menu option in the "Site Administration" section.
Click on Configure LDAP
Change the LDAP Server URL from ldap to ldaps and the port from 389 to 636
Example:
From – ldap://ldap.allnet.com:389
To – ldaps://ldap.allnet.com:636
Do not change any other fields.
Check Run Immediately, this will cause Teaming to do a synchronization and test the new configuration
Click on Apply
An LDAP dialog will appear showing whether the synchronization is working or not.
Click on Close to close the LDAP configuration menu.
Additional Information
The Teaming server has now been configured to use SSL/TLS for its LDAP communication, both for synchronization and for authentication against eDirectory. DSTRACE on the eDirectory server, with the LDAP trace option enabled, can be used to verify that the connection is using TLS during a Teaming login.