Environment
Novell Identity Manager 3.5
Novell Identity Manager 3.5.1
Situation
Resolution
./keytool -genkey -alias userAppKey -keyalg RSA -keystore userapp.keystore -validity 3650
The command listed above is enough to create a fairly default certificate keystore, written to the userapp.keystore file in the directory you run it from (the later steps in this TID refer to the file as userapp10.keystore; whatever name you pass to -keystore, use it consistently). When this command is run, a few values are prompted for. For example:
Enter keystore password: password
What is your first and last name?
[Unknown]: UserApp User
What is the name of your organizational unit?
[Unknown]: idm
What is the name of your organization?
[Unknown]: Novell
What is the name of your City or Locality?
[Unknown]: Provo
What is the name of your State or Province?
[Unknown]: Utah
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=UserApp User, OU=idm, O=Novell, L=Provo, ST=Utah, C=US correct?
[no]: yes
Enter key password for < certificate >
(RETURN if same as keystore password):
Using the values above, a keystore was created with the CN shown. Using the same password for the keystore (the first prompt) and for the key (the last prompt) is fine and worked well. If you use different passwords, be sure you know which was which, because the keystore password is needed later in the configuration.
With the keystore file created, copy it to the conf directory for this instance of JBoss. For the IDM instance of JBoss and my base path of /opt/novell/userapp10/idm, the keystore file is copied to /opt/novell/userapp10/idm/jboss/server/IDM/conf. Be sure the user running the UserApp has rights to this file; it is safest to block rights to all other users. With the UserApp run by 'userappuser' in the default group of 'userappgroup', the following three commands would move the keystore file and then lock it down (this all assumes the keystore was created as root; if it was created as the user running the UserApp, ignore the middle command):
mv /opt/novell/userapp10/idm/jre/bin/userapp10.keystore /opt/novell/userapp10/idm/jboss/server/IDM/conf/userapp10.keystore
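Only the mv command of the three survives on this page, so as an added example (not Novell's code and not part of the original TID) here is the same move-and-lock-down step done from Python, together with a check that a practitioner can run afterwards to confirm the keystore is readable only by the UserApp user. The helper names, the temp-directory layout and the dummy keystore bytes are all constructed for the example; the owner and group names are the ones used in the text and are applied only when given, since changing ownership needs root.

```python
import os
import pwd
import shutil
import stat
import tempfile

# Hypothetical helpers written for this TID; not Novell's code.


def install_keystore(src, conf_dir, owner=None, group=None):
    """Move a freshly generated keystore into the JBoss conf directory and lock it down.

    Mirrors the mv / chown / chmod sequence described above. chown needs root, so it
    is skipped when no owner or group is given (the keystore was generated as the
    UserApp user already). The mode is forced to 0600 regardless of umask.
    """
    dest = os.path.join(conf_dir, os.path.basename(src))
    shutil.move(src, dest)
    if owner is not None or group is not None:
        shutil.chown(dest, user=owner, group=group)   # e.g. userappuser / userappgroup
    os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)        # 0600: owner read/write only
    return dest


def check_keystore_permissions(path, expected_owner=None):
    """Return a list of problems with the keystore file; an empty list means it is locked down."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s: not a regular file" % path)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s: mode %s grants access to group or other" % (path, oct(mode)))
    if expected_owner is not None:
        actual = pwd.getpwuid(st.st_uid).pw_name
        if actual != expected_owner:
            problems.append("%s: owned by %s, expected %s" % (path, actual, expected_owner))
    return problems


def demo_in_tempdir():
    """Run the install and the check against a constructed dummy keystore in a temp dir.

    Returns (problems_before, problems_after, final_mode). No chown is attempted, so
    the demo works as an unprivileged user.
    """
    with tempfile.TemporaryDirectory() as tmp:
        jre_bin = os.path.join(tmp, "jre", "bin")                    # where keytool left the file
        conf = os.path.join(tmp, "jboss", "server", "IDM", "conf")   # JBoss instance conf dir
        os.makedirs(jre_bin)
        os.makedirs(conf)
        src = os.path.join(jre_bin, "userapp10.keystore")
        with open(src, "wb") as f:
            f.write(b"constructed dummy keystore bytes")  # not a real JKS file
        os.chmod(src, 0o644)                              # the usual umask result: world-readable
        before = check_keystore_permissions(src)
        dest = install_keystore(src, conf)
        after = check_keystore_permissions(dest)
        final_mode = stat.S_IMODE(os.stat(dest).st_mode)
        return before, after, final_mode


if __name__ == "__main__":
    b, a, m = demo_in_tempdir()
    print("before:", b)
    print("after:", a, "mode", oct(m))
```

On a real server you would call install_keystore with the paths from this TID and owner="userappuser", group="userappgroup" as root, then run check_keystore_permissions(dest, expected_owner="userappuser") as part of a post-install check.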
The next step is to configure JBoss to use the keystore we have created, on the desired port, for HTTPS connections. The configuration file for the IDM 3.0 instance is located, in this example, under /opt/novell/userapp10/idm/jboss/server/IDM/deploy/jbossweb-tomcat55.sar in the server.xml file. For IDM 3.5.1 the path changes slightly to ./IDM/deploy/jboss-web.deployer/server.xml. There is a section in there, commented out by default, that enables HTTPS on port 8443. If there are no other applications on the UserApp-hosting server, this port could be changed to 443 so that URLs do not need the port appended to the server's address. This is not required but may be a convenience for some.
Copy the current "SSL/TLS Connector" section, from the start of its XML comment (the line beginning with <!--) through its end, and paste the duplicate directly below it. This way, if you ever want to revert to the default or see the default configuration, there is still a commented-out copy to refer to. Above the second copy, create a new comment with today's date and a note about what you are doing. In the new copy, move the close-comment tag (-->) from the end of the section to the end of the SSL/TLS Connector comment line, so that only that heading line stays commented out and the Connector element itself becomes active. You should end up with something like the following:
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
By default the name of the keystore file referenced is chap8.keystore. Because the one we created was userapp10.keystore we will change the configuration setting to reflect that name:
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/userapp10.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
The last change to be made is to enter the keystore password used when the keystore file was created, in place of the default string "rmi+ssl". Be sure you leave the double-quotes around the password you enter. Save the server.xml file and restart the JBoss server; the connection will not work until JBoss is restarted, because it does not pick up the new values until then. Once JBoss has completely loaded, a web browser should be able to access the User Application via a URL similar to the following:
https://ipAddressOfServer:8443/IDM/
For IDM 3.5.1+ the version of JBoss has changed and the HTTPS block above should be changed slightly for that reason. Adding two parameters is all that changes with this newer version of JBoss:
SSLEnabled="true" protocol="HTTP/1.1"
For the newer versions of the UserApp, add these to the block mentioned above so that the new block resembles the following, with your own configuration parameters where appropriate:
emptySessionPath="true" SSLEnabled="true" protocol="HTTP/1.1"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/userapp10.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
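Because the server.xml edit is the step most often got wrong (default password left in, keystoreFile still pointing at chap8.keystore, or the two IDM 3.5.1+ attributes forgotten), here is an added example, not Novell's code and not part of this TID, that performs the edit with Python's xml.etree and then audits the active SSL/TLS Connector for exactly those defaults. It covers both the 3.5 block and the 3.5.1+ block above. The server.xml sample is constructed for the example and contains only the Connector attributes shown in this TID plus port, address and maxThreads; a real server.xml is much larger. The parser is set to keep XML comments, so the commented-out reference copy this TID tells you to leave in place survives the rewrite.

```python
import xml.etree.ElementTree as ET

JBOSS_DEFAULT_KEYSTORE = "chap8.keystore"   # sample keystore name shipped in server.xml
JBOSS_DEFAULT_PASSWORD = "rmi+ssl"          # sample password shipped in server.xml

# Constructed, cut-down server.xml for this example: only the Connector attributes
# from the TID plus port/address/maxThreads. A real server.xml has much more.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" address="${jboss.bind.address}" maxThreads="250" />
    <!-- SSL/TLS Connector (default, kept commented out for reference)
    <Connector port="8443" address="${jboss.bind.address}" maxThreads="100"
         emptySessionPath="true"
         scheme="https" secure="true" clientAuth="false"
         keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
         keystorePass="rmi+ssl" sslProtocol = "TLS" />
    -->
    <!-- SSL/TLS Connector, enabled per TID (date goes here) -->
    <Connector port="8443" address="${jboss.bind.address}" maxThreads="100"
         emptySessionPath="true"
         scheme="https" secure="true" clientAuth="false"
         keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
         keystorePass="rmi+ssl" sslProtocol = "TLS" />
  </Service>
</Server>
"""


def _parse(xml_text):
    """Parse server.xml while keeping comments, so the reference copy is not lost on write."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def find_https_connector(root, port="8443"):
    """Return the active (uncommented) HTTPS Connector on the given port, or None."""
    for conn in root.iter("Connector"):
        if conn.get("port") == port and conn.get("scheme") == "https":
            return conn
    return None


def audit_https_connector(xml_text, port="8443", newer_jboss=True):
    """List the leftovers this TID says to replace; an empty list means the block is done."""
    findings = []
    conn = find_https_connector(_parse(xml_text), port)
    if conn is None:
        return ["no active HTTPS Connector on port %s (still commented out?)" % port]
    if conn.get("keystorePass") == JBOSS_DEFAULT_PASSWORD:
        findings.append("keystorePass is still the JBoss default 'rmi+ssl'")
    if conn.get("keystoreFile", "").endswith(JBOSS_DEFAULT_KEYSTORE):
        findings.append("keystoreFile still points at the sample chap8.keystore")
    if newer_jboss:  # IDM 3.5.1+ JBoss needs the two extra attributes
        if conn.get("SSLEnabled") != "true":
            findings.append('SSLEnabled="true" is missing')
        if conn.get("protocol") != "HTTP/1.1":
            findings.append('protocol="HTTP/1.1" is missing')
    return findings


def configure_https_connector(xml_text, keystore_file, keystore_pass, port="8443", newer_jboss=True):
    """Point the active HTTPS Connector at our keystore and password; return the new server.xml text.

    keystore_file is the bare file name in the JBoss conf directory (e.g. userapp10.keystore);
    keystore_pass is the password given at the first keytool prompt.
    """
    root = _parse(xml_text)
    conn = find_https_connector(root, port)
    if conn is None:
        raise ValueError("no active HTTPS Connector on port %s; uncomment it first" % port)
    conn.set("keystoreFile", "${jboss.server.home.dir}/conf/" + keystore_file)
    conn.set("keystorePass", keystore_pass)
    if newer_jboss:
        conn.set("SSLEnabled", "true")
        conn.set("protocol", "HTTP/1.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_https_connector(SAMPLE_SERVER_XML))
    fixed = configure_https_connector(SAMPLE_SERVER_XML, "userapp10.keystore", "password")
    print("after:", audit_https_connector(fixed))
    print(fixed)
```

Pass newer_jboss=False for the IDM 3.5 (jbossweb-tomcat55.sar) instance, where SSLEnabled and protocol are not part of the block. After writing the result back over server.xml, restart JBoss as described above; the audit only checks the file, not the running server.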
Additional Information
Formerly known as TID# 10100226