Enable HTTPS connections in the Identity Manager User Application

  • 3359580
  • 31-Mar-2008
  • 26-Apr-2012

Environment

Novell Identity Manager 3
Novell Identity Manager 3.5
Novell Identity Manager 3.5.1

Situation

Enable HTTPS connections in the Identity Manager User Application

Resolution

To enable SSL for JBoss we must first create an SSL certificate. This is done easily with the `keytool` command shipped with the UserApp: the IDM UserApp install directory contains a 'jre' directory with a 'bin' directory inside it, and the keytool program is under that 'bin' directory. On Linux the following command would create a keystore file for JBoss to use:

./keytool -genkey -alias userAppKey -keyalg RSA -keystore userapp.keystore -validity 3650

The command listed above should be enough to create a fairly default certificate keystore, written to the file named by -keystore in your current directory (userapp.keystore here; the rest of this document refers to the file as userapp10.keystore, so use whichever name you chose consistently). The certificate is self-signed, so browsers will warn about it unless it is replaced by one signed by a CA the clients trust. When this command is run a few options are prompted for. For example:

Enter keystore password: password
What is your first and last name?
[Unknown]: UserApp User
What is the name of your organizational unit?
[Unknown]: idm
What is the name of your organization?
[Unknown]: Novell
What is the name of your City or Locality?
[Unknown]: Provo
What is the name of your State or Province?
[Unknown]: Utah
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=UserApp User, OU=idm, O=Novell, L=Provo, ST=Utah, C=US correct?
[no]: yes
Enter key password for < certificate >
(RETURN if same as keystore password):

Using the values above a keystore was created with the CN shown. Using the same password for the keystore and for the key is fine and worked well. If you use different passwords be sure you know which was used for which, because the keystore password is needed later in the configuration.

With the keystore file created, copy it to the conf directory for this instance of JBoss. For the IDM instance of JBoss and my base path of /opt/novell/userapp10/idm the keystore file is copied to /opt/novell/userapp10/idm/jboss/server/IDM/conf. Be sure the user running the UserApp has rights to this file, and it is safest to deny access to all other users. With the UserApp run by 'userappuser' in the default group of 'userappgroup', the following three commands would move the keystore file and then lock it down (this all assumes the keystore was created as root; if it was created as the user running the UserApp then skip the middle command):

mv /opt/novell/userapp10/idm/jre/bin/userapp10.keystore /opt/novell/userapp10/idm/jboss/server/IDM/conf/userapp10.keystore
chown userappuser:userappgroup /opt/novell/userapp10/idm/jboss/server/IDM/conf/userapp10.keystore
chmod 700 /opt/novell/userapp10/idm/jboss/server/IDM/conf/userapp10.keystore

The next step is to configure JBoss to use the keystore we have created on the desired port for HTTPS connections. The configuration file for the IDM 3.0 instance is located, in this example, under /opt/novell/userapp10/idm/jboss/server/IDM/deploy/jbossweb-tomcat55.sar in the server.xml file. For IDM 3.5.1 the path changes slightly to ./IDM/deploy/jboss-web.deployer/server.xml. There is a section in there, commented out by default, to enable HTTPS over port 8443. If there are no other applications on the UserApp-hosting server this port could be changed to port 443 so that URLs do not need the port appended to the server's address. This is not required but may be a convenience for some.

Copy the current "SSL/TLS Connector" section, from the start of its comment (<!--) through the closing "/>", and paste the duplicate directly below it. This way, if you ever want to revert to the default or see the default configuration, there is still a commented-out copy to refer to. Create a new comment above the second copy with today's date and a short note about what you are doing. Move the close-comment tag (-->) from the new copy of the configuration section to the end of its SSL/TLS Connector line, so that only the Connector element itself is uncommented. You should end up with something like the following:

<!-- SSL/TLS Connector configuration -->
<Connector port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
    keystorePass="rmi+ssl" sslProtocol = "TLS" />

By default the name of the keystore file referenced is chap8.keystore. Because the one we created was userapp10.keystore we will change the configuration setting to reflect that name:

<!-- SSL/TLS Connector configuration -->
<Connector port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/userapp10.keystore"
    keystorePass="rmi+ssl" sslProtocol = "TLS" />

The last change to be made is to replace the default string "rmi+ssl" with the keystore password you entered when creating the keystore file. Be sure to leave the double quotes around the password you enter. Note that this password is stored in clear text in server.xml, so that file deserves the same access restrictions as the keystore itself. Save the server.xml file and restart the JBoss server; the connection will not work until JBoss is restarted, because it does not pick up the new values until then. Once it has completely loaded, a web browser should be able to access the User Application via a URL similar to the following:

https://ipAddressOfServer:8443/IDM/

For IDM 3.5.1 and later the version of JBoss has changed, and the HTTPS block above must be changed slightly for that reason. Adding two attributes is all that changes with this newer version of JBoss:

SSLEnabled="true" protocol="HTTP/1.1"

For the newer versions of the UserApp add these to the block above so that the new block resembles the following, with your own configuration values where appropriate:

<!-- SSL/TLS Connector configuration -->
<Connector port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true" SSLEnabled="true" protocol="HTTP/1.1"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/userapp10.keystore"
    keystorePass="rmi+ssl" sslProtocol = "TLS" />

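To check a finished server.xml against the points above, here is an added example (not part of this TID or of Novell's product) that reads the file, ignores the commented-out default copy, and reports the mistakes this procedure is prone to: the chap8.keystore name or "rmi+ssl" password left in place, a keystore that is missing or readable by other users, and, for the JBoss shipped with IDM 3.5.1+, a connector without SSLEnabled="true". It assumes keystoreFile uses ${jboss.server.home.dir} as shown and takes the JBoss server directory as its second argument.

```python
"""Audit a JBoss server.xml for the HTTPS connector settings described above.
Added example, not Novell's code. Commented-out copies of the connector are
dropped by the XML parser, so only the active Connector elements are checked."""
import os
import stat
import sys
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE = "chap8.keystore"  # placeholder name in the shipped server.xml
DEFAULT_PASSWORD = "rmi+ssl"         # placeholder password in the shipped server.xml


def audit_https_connector(server_xml_text, jboss_home, require_ssl_enabled):
    """Return a list of findings; an empty list means the HTTPS connector looks right.

    jboss_home replaces ${jboss.server.home.dir} (e.g. .../jboss/server/IDM);
    require_ssl_enabled is True for the newer JBoss shipped with IDM 3.5.1+.
    """
    findings = []
    root = ET.fromstring(server_xml_text)  # XML comments are dropped by the parser
    active = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not active:
        return ["no active (uncommented) HTTPS Connector found"]
    for conn in active:
        port = conn.get("port", "?")
        if conn.get("secure") != "true":
            findings.append(f"port {port}: secure is not \"true\"")
        if conn.get("keystorePass", "") in ("", DEFAULT_PASSWORD):
            findings.append(f"port {port}: keystorePass is missing or still the default")
        ks = conn.get("keystoreFile", "")
        if not ks or ks.endswith(DEFAULT_KEYSTORE):
            findings.append(f"port {port}: keystoreFile is missing or still {DEFAULT_KEYSTORE}")
        if require_ssl_enabled and conn.get("SSLEnabled") != "true":
            findings.append(f"port {port}: SSLEnabled=\"true\" is required for this JBoss version")
        if ks:
            path = ks.replace("${jboss.server.home.dir}", jboss_home)
            if not os.path.isfile(path):
                findings.append(f"port {port}: keystore {path} does not exist")
            elif stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"port {port}: keystore {path} is readable by group/others")
    return findings


if __name__ == "__main__":
    # usage: audit_server_xml.py <server.xml> <jboss server dir> [new]  ("new" = IDM 3.5.1+ JBoss)
    text = open(sys.argv[1], encoding="utf-8").read()
    for finding in audit_https_connector(text, sys.argv[2], len(sys.argv) > 3):
        print(finding)
```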

Additional Information

The Novell Identity Manager (IDM) User Application is built on JBoss and, by default, does not have HTTPS (SSL-encrypted web traffic) enabled. This is a concern because the UserApp handles password management, including passwords and challenge/response information, as well as potentially private information that passes through the UserApp itself, including workflows.

Formerly known as TID# 10100226
