Environment
Novell Identity Manager 3.5
Situation
Resolution
Enable HTTPS connections in the Identity Manager User Application
- Follow the steps detailed on KB 10100226 to enable HTTPS connections to the Identity Manager User Application.
Confirm that the previous step actually added a certificate to the keystore file
- You can perform this by issuing the following command:
test@lab:~/IDM35/idm//jre/bin> ./keytool -list -v -keystore userapp.keystore
Enter keystore password: [password entered during keystore generation]
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: userapp35
Creation date: Nov 27, 2007
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=lab.company.com, OU=Org, O=Comp, L=Locat, ST=State, C=Country
Issuer: CN=lab.company.com, OU=Org, O=Comp, L=Locat, ST=State, C=Country
Serial number: 4931cng7
Valid from: Tue Nov 27 13:00:09 EST 2007 until: Mon Nov 27 13:00:00 EST 2017
Certificate fingerprints:
MD5: BC:75:9F:71:2E:7E:F8:6D:4E:05:08:98:B8:01:78:1A
SHA1: EB:A7:2A:AD:41:35:2A:D8:16:69:C0:F4:34:79:D0:CA:E7:5F:9B:F8
*******************************************
*******************************************
Import the certificate used by the Identity Manager User Application
1) Using Internet Explorer browser from a Windows machine, access the User Application on https.
2) When prompted about the certificate in the Security Alert pop-up window, click on the "View Certificate" button.
3) When presented with the Certificate details window, click on the "Install Certificate..." button.
4) Go through the following menus: Tools > Internet Options > Content > Certificates > Trusted Root Certificate Authorities
5) Select the certificate installed on step #2 and click on the "Export" button.
6) Select "DER encoded binary X.509 (.CER)" format and save it as userapp.cer
Installation of the certificate so that it can be used by eDirectory
1) Copy the userapp.cer file from the Windows machine to the server running the IDM UserApp driver. The file should be copied to the following path: /opt/novell/eDirectory/lib/nds-modules/jre/lib/security
2) Stop the eDirectory and iManager services where the IDM UserApp driver is running.
3) Stop the JBoss instance where the Identity Manager User Application is running.
4) Logged into the server console of the server running the IDM UserApp driver, change to the following path: /opt/novell/eDirectory/lib/nds-modules/jre/bin
5) In order to confirm that we are running JRE 1.5, issue the command ./java -version.
6) To copy the certificate into the trusted certificates file used by eDirectory, execute the following command:
./keytool -import -trustcacerts -alias userapp35 -file ../../jre/lib/security/userapp.cer -keystore ../../jre/lib/security/cacerts
Enter keystore password: [enter keystore password]**
Owner: CN=lab.company.com, OU=Org, O=Comp, L=Locat, ST=State, C=Country
Issuer: CN=lab.company.com, OU=Org, O=Comp, L=Locat, ST=State, C=Country
Serial number: 4931cng7
Valid from: Tue Nov 27 13:00:09 EST 2007 until: Mon Nov 27 13:00:00 EST 2017
Certificate fingerprints:
MD5: BC:75:9F:71:2E:7E:F8:6D:4E:05:08:98:B8:01:78:1A
SHA1: EB:A7:2A:AD:41:35:2A:D8:16:69:C0:F4:34:79:D0:CA:E7:5F:9B:F8
Trust this certificate? [no]: yes
Certificate was added to keystore
** If you haven’t changed the default password of the keystore, the password is changeit
7) Confirm that the certificate was installed on the keystore by executing the following command:
./keytool -list -v -alias userapp35 -keystore ../lib/security/cacerts
Enter keystore password: [enter keystore password]**
Alias name: userapp35
Creation date: Nov 20, 2007
Entry type: trustedCertEntry
Owner: CN=lab.company.com, OU=Org, O=Comp, L=Locat, ST=State, C=Country
Issuer: CN=lab.company.com, OU=Org, O=Comp, L=Locat, ST=State, C=Country
Serial number: 4931cng7
Valid from: Tue Nov 27 13:00:09 EST 2007 until: Mon Nov 27 13:00:00 EST 2017
Certificate fingerprints:
MD5: BC:75:9F:71:2E:7E:F8:6D:4E:05:08:98:B8:01:78:1A
SHA1: EB:A7:2A:AD:41:35:2A:D8:16:69:C0:F4:34:79:D0:CA:E7:5F:9B:F8
** If you haven’t changed the default password of the keystore, the password is changeit
8) Start eDirectory and iManager services
9) Log into iManager and stop the UserApp driver (if you have it configured to auto start).
10) Change the IDM UserApp driver authentication parameters so that it communicates through HTTPS with the Identity Manager User Application:
Composer Context: com.novell.prov.srvprv
Host: https://ipaddressOfJBoss
Port: Secure Port (8443)
ApplicationContext: ApplicationContext (IDM)
11) Change the policies where you want to auto-start workflows through a secure connection (https) to reflect the new connection.
12) Start the JBoss instance where the Identity Manager User Application is running.
13) Restart the IDM UserApp driver.
14) Test the workflow.
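Steps 6 and 7 rely on reading the keytool listings by eye. As an added check that is not part of the original article, the POSIX shell functions below parse `keytool -list -v` output and confirm that the imported alias in cacerts is a trustedCertEntry whose SHA1 fingerprint equals the one reported from userapp.keystore; a mismatch means the truststore holds a different certificate than the one the User Application serves. The embedded listing is a constructed sample copying the values shown above, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -v` output (values copied from the
# listing above); in real use pipe the live keytool output into the functions.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: userapp35
Creation date: Nov 20, 2007
Entry type: trustedCertEntry

Owner: CN=lab.company.com, OU=Org, O=Comp, L=Locat, ST=State, C=Country
Issuer: CN=lab.company.com, OU=Org, O=Comp, L=Locat, ST=State, C=Country
Serial number: 4931cng7
Valid from: Tue Nov 27 13:00:09 EST 2007 until: Mon Nov 27 13:00:00 EST 2017
Certificate fingerprints:
         MD5:  BC:75:9F:71:2E:7E:F8:6D:4E:05:08:98:B8:01:78:1A
         SHA1: EB:A7:2A:AD:41:35:2A:D8:16:69:C0:F4:34:79:D0:CA:E7:5F:9B:F8'

# Read a keytool -v listing on stdin and print the SHA1 fingerprint of the
# entry whose alias is $1. Prints nothing when the alias is absent.
sha1_for_alias() {
    awk -v want="$1" '
        /^Alias name:/               { cur = $3 }
        /^ *SHA1:/ && cur == want    { print $2; exit }
    '
}

# Read a keytool -v listing on stdin and print the entry type of alias $1
# (expected: trustedCertEntry for a certificate imported into cacerts).
entry_type_for_alias() {
    awk -v want="$1" '
        /^Alias name:/                  { cur = $3 }
        /^Entry type:/ && cur == want   { print $3; exit }
    '
}

# Return 0 when alias $1 in listing $3 is a trustedCertEntry whose SHA1
# fingerprint equals $2 (the fingerprint shown by userapp.keystore);
# return 1 on a missing alias, wrong entry type or fingerprint mismatch.
trusted_cert_matches() {
    actual=$(printf '%s\n' "$3" | sha1_for_alias "$1")
    etype=$(printf '%s\n' "$3" | entry_type_for_alias "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ] && [ "$etype" = "trustedCertEntry" ]
}
```

To check a live truststore, capture `./keytool -list -v -keystore ../lib/security/cacerts` into a variable and pass it as the third argument together with the alias and the SHA1 value printed for userapp.keystore.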