Using Java SSL (JSSE) with the DirXML Remote Loader

  • 7000194
  • 23-Apr-2008
  • 26-Apr-2012

Environment

Identity Manager with Remote Loader SSL connection

Situation

This document describes how to use Java SSL (JSSE) on the DirXML Engine side as an alternative to the KMO method described in the Identity Manager documentation.

Resolution

Using Java SSL (JSSE) with the DirXML Remote Loader

This document assumes you are already familiar with setting up SSL between the DirXML Engine and the DirXML Remote Loader using Key Material Objects (KMOs).

Setting up the Remote Loader side is the same as setting up SSL using KMOs. Simply export your tree’s self-signed certificate and use the Remote Loader wizard.

Setting up the DirXML Engine side to use JSSE consists of two steps:

  1. Create a server certificate in a Java keystore file.
  2. Set up the Remote Loader connection parameters string on the DirXML Engine side so that the keystore file is used rather than a KMO.

The tasks are presented in detail below.

The tools used to complete the tasks are the Java keytool program and Novell’s iManager. You can obtain keytool either by downloading the Java JRE or by using the JRE that comes with the DirXML Remote Loader (c:\novell\RemoteLoader\jre\bin\keytool.exe).

For more information on keytool see http://java.sun.com/products/jdk/1.2/docs/tooldocs/solaris/keytool.html

Tasks

1. Create a server certificate in a Java keystore file

a. If you have already exported your tree’s Certificate Authority self-signed certificate (and can remember where you saved it), skip to step c. Otherwise complete step b.

b. Export the self-signed certificate from your tree’s Certificate Authority in base-64 format.

i. In iManager, select the eDirectory Administration/Modify Object task.

ii. Browse to your tree’s Certificate Authority. Click OK.

iii. Click on the Certificates tab.

iv. Click on Self Signed Certificate.

v. Click on the Export button.

vi. In response to the question Do you want to export the private key with the certificate? select No and click Next.

vii. Select File in Base64 format and click Next.

viii. Click on Save the exported certificate to a file.

c. Import your tree's self-signed certificate into a new keystore file (keytool creates the file if it does not exist; because no -alias is given, the certificate is stored under keytool's default alias, mykey):

i. keytool -import -file <CA certificate file> -trustcacerts -noprompt -keystore <keystore file> -storepass <keystore password>

ii. example: keytool -import -file tree_ca_root.b64 -trustcacerts -noprompt -keystore dirxml.keystore -storepass novell

Note: -noprompt suppresses the prompt that would otherwise display the certificate's fingerprint and ask whether to trust it. This certificate is the trust anchor for the engine side of the connection, so check it first: run keytool -printcert -file tree_ca_root.b64 and compare the fingerprint with the one iManager shows for the tree's Certificate Authority.

d. Generate a key pair in the keystore:

i. keytool -genkey -alias dirxml_key -keyalg RSA -keysize 2048 -dname "<distinguished name>" -keypass <key password> -keystore <keystore file> -storepass <keystore password>

ii. example: keytool -genkey -alias dirxml_key -keyalg RSA -keysize 2048 -dname "cn=perin_nt1-tao,o=novell,t=perin-tao" -keypass novell -keystore dirxml.keystore -storepass novell

Note: keytool expects the distinguished name as comma-separated components (cn=...,o=...), not eDirectory dot notation. The key password (-keypass) protects the private key inside the keystore and is what you later enter as keypass= in the connection parameters; the keystore password (-storepass) protects the file's integrity and becomes storepass=.

iii. Create a certificate signing request for the key pair just generated:

iv. keytool -certreq -alias dirxml_key -file <request file> -keypass <key password> -keystore <keystore file> -storepass <keystore password>

v. example: keytool -certreq -alias dirxml_key -file certreq.b64 -keypass novell -keystore dirxml.keystore -storepass novell

e. Issue a certificate using your tree’s Certificate Authority:

i. In iManager, select the Novell Certificate Server/Issue Certificate task.

ii. In the Filename field enter the name of the output file specified in the previous step (certreq.b64 in the example). Click Next.

iii. Select the button labeled SSL or TLS and click Next.

iv. On the Certificate Parameters Page click Next.

v. On the Save Certificate page leave the File in binary DER format button checked and click Next.

vi. Click on Download the issued certificate.

vii. Save the certificate file.

f. Import the issued certificate into the keystore file. Because the alias already holds a key pair, keytool treats the file as a certificate reply: it verifies the reply against the tree CA imported in step c and replaces the self-signed certificate created by -genkey with the chain that ends at the CA. If this step is skipped, the engine will present the self-signed certificate, which the Remote Loader does not trust.

i. keytool -import -file <issued certificate file> -alias dirxml_key -keypass <key password> -keystore <keystore file> -storepass <keystore password>

ii. example: keytool -import -file server_cert.der -alias dirxml_key -keypass novell -keystore dirxml.keystore -storepass novell

g. Copy the keystore file either into the dib directory on the server or to another convenient location on the server hosting the DirXML engine. The file contains the engine's private key, so restrict read access to the account eDirectory runs as, and delete the working copy on the machine where you ran keytool once the file is deployed. The dib directory is located in the following locations on the various DirXML-supported platforms:

i. Win32 – c:\novell\nds\dibfiles

ii. NetWare – SYS:\_NETWARE

iii. Solaris/Linux - /var/nds/dib

2. Set up the remote loader connection parameter string

a. In iManager select the driver you wish to configure.

b. In the Remote loader connection parameters field enter the following (each parameter is a name=value pair, separated by spaces):

c. hostname=<remote loader host> port=<remote loader port> keystore=<keystore file> key=<key alias> keypass=<key password> storepass=<keystore password>

d. example: hostname=192.168.0.1 port=8090 keystore=dirxml.keystore key=dirxml_key keypass=novell storepass=novell

The values of key, keypass and storepass must match the -alias, -keypass and -storepass used with keytool in task 1. Both passwords become part of the driver's configuration, so give the keystore its own passwords rather than reusing one that protects anything else.

e. Note: If you copied the keystore file to a location other than the dib directory then you must specify the complete path to the keystore file (e.g., keystore=SYS:\keystore\dirxml.keystore if you copied it to the directory SYS:\keystore on NetWare).
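The following script is an added example for this document; it is not Novell, keytool or Identity Manager code. It checks, without a JRE, the keystore produced by the keytool steps in task 1 against what the connection parameters in task 2 expect: it parses the JKS file layout keytool writes, verifies the storepass integrity digest, and confirms that the key= alias names a key pair whose certificate chain ends at the tree CA imported in step 1c (which is what step 1f produces). The build_jks writer and the sample_keystore function exist only so the check can be exercised offline; the byte strings they use are constructed placeholders, not real certificates or keys, and the store password "novell" is the one from the examples above.

```python
"""Offline sanity check for a dirxml.keystore built with keytool (steps 1c-1f).
Added example for this TID, not Novell or keytool code: it parses the JKS layout
keytool writes (magic, entries, trailing SHA-1 integrity digest), checks the store
password and confirms that key=dirxml_key names a key pair whose chain ends at the
tree CA from step 1c.  build_jks and sample_keystore are constructed test data."""
import hashlib
import struct
import time

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2  # keytool -list: PrivateKeyEntry / trustedCertEntry
WHITENER = b"Mighty Aphrodite"            # fixed salt keytool mixes into the digest

def _jutf(s: str) -> bytes:               # Java writeUTF: 2-byte big-endian length + UTF-8
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _digest(store_pass: str, body: bytes) -> bytes:  # SHA-1(pass as UTF-16BE || whitener || body)
    return hashlib.sha1(store_pass.encode("utf-16be") + WHITENER + body).digest()

def build_jks(entries: list, store_pass: str) -> bytes:
    """Serialise [{"alias", "tag", "key" (tag 1 only), "chain": [der, ...]}] as JKS."""
    out = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    stamp = struct.pack(">Q", int(time.time() * 1000))
    for e in entries:
        out += struct.pack(">I", e["tag"]) + _jutf(e["alias"].lower()) + stamp
        certs = e["chain"][:1]                # a trusted entry holds exactly one cert
        if e["tag"] == TAG_PRIVATE_KEY:
            out += struct.pack(">I", len(e["key"])) + e["key"]
            out += struct.pack(">I", len(e["chain"]))
            certs = e["chain"]
        for der in certs:
            out += _jutf("X.509") + struct.pack(">I", len(der)) + der
    return out + _digest(store_pass, out)

def read_jks(data: bytes, store_pass: str) -> dict:
    """Verify storepass, then return {alias: {"tag": int, "chain": [der, ...]}}.  The
    private key stays opaque: it is encrypted under -keypass, not -storepass."""
    if len(data) < 20 or _digest(store_pass, data[:-20]) != data[-20:]:
        raise ValueError("wrong storepass, or keystore truncated or tampered with")
    body, pos = data[:-20], 0
    def take(n: int) -> bytes:                # bounds-checked read of n bytes
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated keystore")
        pos += n
        return body[pos - n:pos]
    u32 = lambda: struct.unpack(">I", take(4))[0]
    utf = lambda: take(struct.unpack(">H", take(2))[0]).decode("utf-8")
    if u32() != JKS_MAGIC or u32() != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    entries = {}
    for _ in range(u32()):
        tag, alias = u32(), utf()
        take(8)                               # creation timestamp, not needed
        n_certs = 1
        if tag == TAG_PRIVATE_KEY:
            take(u32())                       # encrypted PKCS#8 blob
            n_certs = u32()
        elif tag != TAG_TRUSTED_CERT:
            raise ValueError(f"unknown entry tag {tag}")
        chain = []
        for _ in range(n_certs):
            utf()                             # certificate type, always "X.509"
            chain.append(take(u32()))
        entries[alias] = {"tag": tag, "chain": chain}
    return entries

def store_pass_ok(data: bytes, store_pass: str) -> bool:
    try:                                      # True iff keytool would open the file
        read_jks(data, store_pass)
        return True
    except ValueError:
        return False

def check_dirxml_keystore(data: bytes, store_pass: str, key_alias: str = "dirxml_key") -> list:
    """Problems the engine would hit with keystore=<file> key=<key_alias>; [] means OK."""
    entries, problems = read_jks(data, store_pass), []
    cas = [e["chain"][0] for e in entries.values() if e["tag"] == TAG_TRUSTED_CERT]
    if not cas:
        problems.append("no trusted CA certificate: step 1c (import of the tree CA) is missing")
    entry = entries.get(key_alias.lower())    # keytool lowercases aliases
    if entry is None:
        problems.append(f"no entry {key_alias!r}: key= in the connection parameters will not match")
    elif entry["tag"] != TAG_PRIVATE_KEY:
        problems.append(f"{key_alias!r} is a trusted-certificate entry, not a key pair")
    elif not entry["chain"] or entry["chain"][-1] not in cas:
        problems.append(f"{key_alias!r} still holds only the -genkey self-signed certificate: "
                        "the issued certificate from step 1f was never imported")
    return problems

def sample_keystore(step_1f_done: bool = True) -> bytes:
    """Constructed store after steps 1c-1f, or after 1c-1d only; bytes are placeholders."""
    ca, issued = b"\x30\x82 tree CA (constructed)", b"\x30\x82 issued server cert (constructed)"
    chain = [issued, ca] if step_1f_done else [b"\x30\x82 -genkey self-signed (constructed)"]
    return build_jks([
        {"alias": "mykey", "tag": TAG_TRUSTED_CERT, "chain": [ca]},      # 1c: no -alias given
        {"alias": "dirxml_key", "tag": TAG_PRIVATE_KEY,
         "key": b"\x30\x82 encrypted PKCS#8 key (constructed)", "chain": chain},
    ], "novell")
```

To check a real file before copying it in step 1g, call check_dirxml_keystore(open("dirxml.keystore", "rb").read(), "novell") with your own file name and store password; an empty list means the store has a trusted CA and a dirxml_key key pair whose chain ends at that CA. With a JRE at hand, keytool -list -v -keystore dirxml.keystore -storepass novell shows the same entries and chain. The script only verifies the storepass digest and never decrypts the private key, so a wrong keypass= in the connection parameters is not something it can detect.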