Securing iManager 3.x with a certificate key size of 4K

  • 7021213
  • 21-Aug-2017

Environment

iManager 3.0.3
eDirectory 9.0.3

Situation

By default, a new standalone installation of eDirectory and iManager on Linux uses an RSA 2K certificate to secure HTTPS traffic. Further, the one used by iManager is a temporary certificate.

Some users of iManager would like to secure its traffic with a certificate containing a 4K key. If something more secure than a 2K RSA certificate is required, the recommendation is to use an EC certificate instead: it is as secure, but with much better performance. Nevertheless, the steps below cover what is required to replace the temporary trust store with a 4K RSA certificate.

Resolution

Since the default key size for the RootCA is also 2K, it must be upgraded as well.

Below are the steps involved:
1. Backup current RootCA's certificates
2. Create Trusted Roots container and objects
3. Delete and recreate the Organizational CA as 4K
4. Create new 4K server certificate (turn off self-provisioning if on)
5. Export certificate to the file system for novlwww user and convert the pfx to a p12 file.
6. Stop Tomcat and make the following changes to Tomcat's server.xml file
- change from using its own keystore to that of a PKCS12 file.
- specify path and file name
- specify file used to wrap it
7. Change p12 file ownership and file permissions so it is accessible to the group and user of novlwww.



The following awk script and openssl command print the subject and key size of each certificate presented on a port, followed by the OpenSSL verification result.

bits.awk
#!/usr/bin/awk -f
# Collect each PEM certificate block from the s_client -showcerts output
/^-----BEGIN CERTIFICATE-----$/ { in_cert=1; }
in_cert { cert = cert $0 "\n"; }
/^-----END CERTIFICATE-----$/ { in_cert = 0; }
# Once a certificate is complete, hand it to openssl and keep only the
# subject and key-size lines
!in_cert && cert {
    infocmd="openssl x509 -text -noout | grep -E 'Public-Key:|Subject:'";
    print cert | infocmd;
    close(infocmd);
    cert="";
}
# Print the verification result reported by s_client
/Verify return code/

echo | openssl s_client -CApath /etc/ssl/certs -connect 192.168.211.35:8030 -showcerts 2>/dev/null | ./bits.awk

Original Certificate:
Subject: C=US, O=Novell, OU=iManager, CN=Temporary Certificate
                Public-Key: (2084 bit)
    Verify return code: 18 (self signed certificate)

New Certificate:
Subject: O=HVTREE9B, CN=hvsles12sp2
                Public-Key: (4096 bit)
        Subject: O=HVTREE9B, OU=Organizational CA
                Public-Key: (4096 bit)
    Verify return code: 19 (self signed certificate in certificate chain)


Additional Information

1. Backup current RootCA's certificates

Using iManager navigate to NetIQ Certificate Server - Configure Certificate Authority - Certificates
a. Export the Organizational CA, selecting to export the private key and include all certificates. Enter a password to protect it.
b. Export the RSA public key as a der file.
c. Export the EC public key as a der file.

2. Create Trusted Roots container and objects
To ensure user certificates continue to work after the RootCA is deleted, the public keys exported above need to be imported into a Trusted Roots container.

Using iManager navigate to NetIQ Certificate Server - Create Trusted Root Container.  Give it a name of Trusted Roots and put the container under o=Security.

Using iManager navigate to NetIQ Certificate Server - Create Trusted Root. Give it a name that indicates an RSA certificate (e.g., oldrsarootca), select the Trusted Roots container, then point the plugin to the previously saved RSA public key certificate der file. Do the same for the EC public certificate.

3. Delete and recreate the Organizational CA with a 4K certificate.
a. Delete the TREENAME CA.Security object using the Directory Administration task.
b. Navigate to NetIQ Certificate Server - Configure Certificate Authority, which starts the Create Organizational CA task. Select Custom and accept all defaults except for the key size, which should be 4K.

4. Create new 4K server certificate.
Navigate to NetIQ Certificate Access - Server Certificates.  Create a new custom RSA certificate specifying a key size of 4K.
(Turn off Certificate Server's self-provisioning if it is on.  Self-provisioning can only mint 2K certificates for now.)

5. Export certificate to the file system for novlwww user and convert the pfx to a p12 file.
a. Navigate to NetIQ Certificate Access - Server Certificates, select the new certificate and export it to the file system along with its private key. Secure it with a password and save it on the file system.
b. Convert the pfx to a pem file: openssl pkcs12 -in cert.pfx -out newcert.pem
c. Convert the pem to a p12 file: openssl pkcs12 -export -in newcert.pem -out newcert.p12 -name "new cert"

6. Stop Tomcat and make the following changes to Tomcat's server.xml file
- change from using its own keystore to that of a PKCS12 file.
- specify path and file name.  (NOTE: make sure the novlwww user and group have access.)
- specify the password used to wrap it

Example:
   <!-- Define a SSL HTTP/1.1 Connector on port -->
   <Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
              disableUploadTimeout="true" enableLookups="false"
              maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
              port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
              sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"
              keystoreFile="/var/opt/novell/novlwww/newcert.p12"
              keystorePass="novell" keystoreType="PKCS12"/>

7. Change p12 file ownership and file permissions so it is accessible to the group and user of novlwww. The file contains the server's private key, so no other user should be able to read it.

chown novlwww:novlwww newcert.p12
chmod 640 newcert.p12

8. Restart Tomcat
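Steps 5b, 5c and 7 above, as an added shell example that is not part of this TID: it converts the exported pfx non-interactively, sets the file mode, and runs the same Public-Key size check as bits.awk against the finished p12 instead of a live port. The 4K self-signed certificate it builds as input is a constructed stand-in for the iManager export; the passwords, the "demo" argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the TID: steps 5b, 5c and 7 as non-interactive
# shell functions, plus the "Public-Key: (N bit)" check that bits.awk does,
# run against the finished p12 instead of a live port.
set -eu

# Steps 5b and 5c: pfx (iManager export) -> PEM bundle -> PKCS12 for Tomcat.
# Arguments: source pfx, its export password, output p12, keystorePass value.
pfx_to_p12() {
    tmp_pem=$(mktemp)
    # The PEM bundle keeps the key encrypted under the same export password.
    openssl pkcs12 -in "$1" -passin "pass:$2" -out "$tmp_pem" -passout "pass:$2"
    openssl pkcs12 -export -in "$tmp_pem" -passin "pass:$2" -name "new cert" \
        -out "$3" -passout "pass:$4"
    rm -f "$tmp_pem"
}
# Step 7: owner rw, group r, nothing for others; the p12 holds the private key.
# chown is skipped where the novlwww account does not exist (e.g. a test box).
install_p12() {
    chmod 640 "$1"
    if id novlwww >/dev/null 2>&1; then chown novlwww:novlwww "$1"; fi
}

# RSA modulus size of the server certificate inside a p12 (4096 is the goal).
p12_key_bits() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
      | openssl x509 -noout -text \
      | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
# Octal mode of a file, used to confirm the chmod above took effect.
file_mode() { stat -c '%a' "$1"; }

# Constructed fixture standing in for the iManager export: a throwaway 4K
# self-signed certificate with the subject from the TID, packed into a pfx.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:4096 -nodes -days 1 \
        -subj "/O=HVTREE9B/CN=hvsles12sp2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -name "exported" -out "$1/cert.pfx" -passout "pass:$2"
}
# Stand-alone run (sh this_script.sh demo): build, convert, install, report.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_pfx "$d" exportpw
    pfx_to_p12 "$d/cert.pfx" exportpw "$d/newcert.p12" novell
    install_p12 "$d/newcert.p12"
    echo "key bits: $(p12_key_bits "$d/newcert.p12" novell) mode: $(file_mode "$d/newcert.p12")"
    rm -rf "$d"
fi
```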