Environment
Access Manager 4.3
Access Manager 4.2
Access Manager 4.1
Situation
- The CA has reached the end of its validity (the CA is expiring).
- The CA has been compromised.
- You want to replace the CA certificate for some other reason (a stronger key is desired, a new security policy has made it necessary, you want to have an externally signed CA, etc.).
Resolution
1) Export the new CA certificate as a DER file. First cd to /opt/novell/devman/bin, then run the following, replacing <password> with the admin password:
source /opt/novell/eDirectory/bin/ndspath && /opt/novell/java/bin/java -cp certtool.jar:/opt/novell/lib64/npki.jar com.novell.nids.certmgr.DirCertTool -edirIP 127.0.0.1 -edirUser cn=admin.o=novell -edirPwd <password> -exportCACert -file ca.der
You can also export it from the Admin Console GUI: Roles and Tasks -> NetIQ Certificate Server -> Configure Certificate Authority -> Certificates -> Export the self-signed certificate without the private key, in DER format.
* If you cannot reach iManager on the primary Admin Console, you can download and use iManager Workstation, which can be extracted on Linux or Windows. See iManager on the NetIQ download site.
2) Add the exported CA certificate to the NAM keystores.
The CA DER file needs to be added manually with keytool in the following locations:
AC: /var/opt/novell/novlwww/devman.cacerts
IDP and AG: /opt/novell/devman/jcc/conf/jcc_devman.keystore
A) For the Admin Console's devman.cacerts, the keystore password is devman.
Here is an example of importing ca.der into devman.cacerts:
/opt/novell/java/bin/keytool -import -alias configca_2 -keystore devman.cacerts -trustcacerts -file ca.der -storepass devman
* Do the same on any secondary Admin Consoles.
B) For jcc_devman.keystore you first need to get the keystore password.
On each IDP and AG, cd /opt/novell/devman/jcc and run: ./conf/ksinfo.sh dump
Example of importing the certificate into jcc_devman.keystore (the -storepass value is the keystore password that ksinfo.sh dump reported on that device):
/opt/novell/java/bin/keytool -import -alias edir_2 -keystore jcc_devman.keystore -trustcacerts -file ca.der -storepass U01eXoV6iyPLVA7
C) For the remaining keystores the ca.der can be added via the Admin Console GUI.
First go to Security -> Trusted Roots and import it. The original one is called configca. There is no need to remove it; you can simply import the new one as configca_2, for example.
Next add it to:
- the IDP cluster's truststore
- the AG ESP truststore
- the Proxy trust store
3) Replace the existing certificates in use by NAM that were signed by the original CA.
A) Recreate the default certificates (not NAM-specific, but still used for the config store LDAP, etc.).
In the Admin Console GUI go to Roles and Tasks -> NetIQ Certificate Server -> Create Default Certificates.
- Step 1 -> Browse to the Admin Console server name and select it. (If secondary Admin Consoles.)
- Step 2 -> Click the "Yes" radio button under "Force the generation of new default certificates". Ensure the IP addresses are correct for "SSL CertificateIP" and "SSL CertificateDNS"; if not, specify them in the available field.
- Step 3 -> Click Finish and, once done, ensure the status of each completes properly.
An alternative command line option is to run:
ndsconfig upgrade
Enter the admin user with syntax like "admin.novell" and the password when prompted.
B) Recreate the Admin-Console certificate used by the Tomcat instance that runs iManager.
- Go to AC GUI -> Security -> Certificates -> New -> Create a new certificate called admin-console_2. Ensure the subject name matches the FQDN of the Admin Console; I'd recommend setting months valid to something like 60.
- Once created, click on the new certificate and add it to a keystore. This will add the new certificate to the keystore on the Admin Console filesystem at /var/opt/novell/novlwww/.keystore.
- Click the Browse button, then once all the keystores are presented, click on the Admin-Console keystore.
- Click the "Replace" button and browse to the newly created admin-console_2 certificate. Ensure the alias remains "tomcat".
C) Update/replace the Admin Console's devman.keystore.
This keystore is used by the device manager, which listens on port 8444. NAM devices communicate on this port when sending health information etc. to the Admin Console.
- Export the admin-console_2 certificate you just created. Before exporting, find out which keystore password the existing devman.keystore uses: check the server.xml on the Admin Console at /opt/novell/nam/adminconsole/conf/server. Search for "devman.keystore"; it appears in the devman connector section. Take note of the value of keystorePass.
- Go to AC GUI -> Security -> Certificates -> export the public/private key pair in JKS format, using the password from server.xml.
- Copy this file to the Admin Console filesystem at /var/opt/novell/novlwww/devman.keystore. You probably want to rename the existing one first, and ensure the new file has the same permissions and ownership as the original.
- After the default certificates are created, restart eDirectory and novell-ac on the Admin Console. Execute the following at the terminal to do this:
ndsmanage stopall && rcnovell-ac restart
Note: When novell-ac is started it will also start eDirectory.
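The following script is an added example for step C and is not part of the NetIQ article or product. It pulls the keystorePass of the devman connector out of server.xml, optionally confirms the exported JKS opens with that password, and then installs the new file over devman.keystore while keeping a timestamped backup and copying the old file's owner, group and mode onto the new one. It assumes GNU coreutils (chown/chmod --reference) as found on the SLES/RHEL hosts NAM runs on; the server.xml fragment and the passwords in it are constructed sample data, and the demo works in a temporary directory rather than on the live paths.

```shell
#!/bin/sh
# Added example, not from the NetIQ article: swap in the new devman.keystore (step 3 C).
# Assumes GNU coreutils (chown/chmod --reference), as on the SLES/RHEL hosts NAM runs on;
# the paths in the comments are the ones the article names.
set -u

# Print the keystorePass of the <Connector> whose keystoreFile names devman.keystore.
# Records are split on "<", so a Connector element spread over several lines is one record.
devman_keystore_pass() {
    awk 'BEGIN { RS = "<" }
         /^Connector/ && /devman\.keystore/ && match($0, /keystorePass="[^"]*"/) {
             print substr($0, RSTART + 14, RLENGTH - 15); exit
         }' "$1"
}

# Optional sanity check before touching the live file: does the exported JKS open
# with the password from server.xml?  (Needs keytool; not exercised by the demo.)
keystore_opens() {
    keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Install NEW_JKS as TARGET: keep a timestamped copy of the old keystore, give the new
# file the old one's owner, group and mode, then swap it in with an atomic rename.
# Prints the backup path on success.
install_keystore() {
    new="$1"; target="$2"
    [ -f "$target" ] || { echo "no existing $target to replace" >&2; return 1; }
    bak="$target.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$target" "$bak"                     || return 1
    cp "$new" "$target.tmp"                    || return 1
    chown --reference="$target" "$target.tmp"  || return 1
    chmod --reference="$target" "$target.tmp"  || return 1
    mv "$target.tmp" "$target"                 || return 1
    echo "$bak"
}

# Permission string of a file ("-rw-r-----"), portable across stat flavours.
file_mode() { ls -ld "$1" | cut -c1-10; }

# Constructed server.xml fragment (made-up passwords, not the real Admin Console file).
SAMPLE_XML='<Server port="8005">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               keystoreFile="/var/opt/novell/novlwww/.keystore" keystorePass="sampleTomcatPass" />
    <Connector port="8444" scheme="https" secure="true"
               keystoreFile="/var/opt/novell/novlwww/devman.keystore"
               keystorePass="sampleDevmanPass" />
  </Service>
</Server>'

# Demo against throw-away files in a temp dir; on a real Admin Console you would call
# devman_keystore_pass /opt/novell/nam/adminconsole/conf/server.xml and
# install_keystore <exported.jks> /var/opt/novell/novlwww/devman.keystore instead.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_XML" > "$dir/server.xml"
    printf 'old-keystore' > "$dir/devman.keystore";     chmod 640 "$dir/devman.keystore"
    printf 'new-keystore' > "$dir/admin-console_2.jks"; chmod 600 "$dir/admin-console_2.jks"
    echo "keystorePass from server.xml: $(devman_keystore_pass "$dir/server.xml")"
    bak=$(install_keystore "$dir/admin-console_2.jks" "$dir/devman.keystore")
    echo "backup: $bak  new file mode: $(file_mode "$dir/devman.keystore")"
    rm -rf "$dir"
}
demo
```

The backup is made with cp -p and the replacement via a temp file plus mv, so a failed copy never leaves devman.keystore half-written, and the old keystore can be moved back if the device manager on port 8444 does not come up after the novell-ac restart.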
D) Test-* certificates.
These certificates are meant to be replaced. If they are currently in use, they need to be replaced with either externally signed certificates or certificates minted with the new Certificate Authority, so first verify whether they are in use: go to Security -> Certificates and note the test-* certificates that have a device associated with them, then replace them.
E) Take note of any other certificates whose issuer is the original Certificate Authority and replace them as well.
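The following POSIX shell script is an added example, not part of the NetIQ article, that covers the checks behind step 2 (was the new CA really imported under configca_2 / edir_2, and does the fingerprint in the keystore match the exported ca.der?) and steps 3 D/E (which entries in a keystore are still issued by the original CA?). It parses the output of keytool -list -v, assuming the usual OpenJDK/Oracle layout of "Alias name:", "Owner:", "Issuer:" and "SHA256:" lines, and uses openssl for the DER fingerprint; the listing embedded in the script is constructed sample data with made-up DNs and fingerprints.

```shell
#!/bin/sh
# Added example, not from the NetIQ article: audit NAM keystores after a CA swap.
# Assumes the "keytool -list -v" output format of OpenJDK/Oracle keytool and openssl on PATH.
set -u

# Parse a verbose keytool listing (stdin) into one tab-separated record per entry:
#   alias TAB owner TAB issuer TAB sha256-fingerprint
# For PrivateKeyEntry chains only the leaf certificate (Certificate[1]) is recorded.
ks_records() {
    awk '
        function flush() {
            if (alias != "") printf "%s\t%s\t%s\t%s\n", alias, owner, issuer, fp
            alias = ""; owner = ""; issuer = ""; fp = ""
        }
        /^Alias name: /             { flush(); alias = substr($0, 13) }
        /^Owner: /  && owner == ""  { owner = substr($0, 8) }
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        /SHA256: /  && fp == ""     { sub(/.*SHA256: */, ""); fp = toupper($0) }
        END { flush() }
    '
}

# Step 2 check: "yes" if ALIAS (configca_2, edir_2, ...) exists in the listing, else "no".
ks_has_alias() {
    ks_records | awk -F'\t' -v a="$1" '$1 == a { found = 1 } END { print (found ? "yes" : "no") }'
}

# SHA-256 fingerprint keytool recorded for ALIAS (empty if the alias is absent).
ks_fingerprint() {
    ks_records | awk -F'\t' -v a="$1" '$1 == a { print $4 }'
}

# Steps 3 D/E: aliases whose leaf certificate was issued by ISSUER_DN.  Self-signed
# entries (the CA roots themselves) are skipped; those are handled in step 2.
ks_issued_by() {
    ks_records | awk -F'\t' -v iss="$1" '$3 == iss && $2 != $3 { print $1 }'
}

# SHA-256 fingerprint of a DER file, normalised to keytool's AA:BB:... form.
der_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# Live check, e.g.: verify_import /var/opt/novell/novlwww/devman.cacerts devman configca_2 ca.der
verify_import() {
    got=$(keytool -list -v -keystore "$1" -storepass "$2" | ks_fingerprint "$3")
    want=$(der_fingerprint "$4")
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "OK: $3 in $1 matches $4"
    else
        echo "MISMATCH: $3 in $1 is '$got', $4 is '$want'" >&2
        return 1
    fi
}

# Constructed sample listing (made-up DNs and fingerprints, not output from a real system).
SAMPLE_LISTING=$(cat <<'EOF'
Your keystore contains 4 entries

Alias name: configca
Entry type: trustedCertEntry
Owner: OU=Organizational CA, O=novell
Issuer: OU=Organizational CA, O=novell
Certificate fingerprints:
     SHA1: 10:10:10:10
     SHA256: AA:AA:AA:AA

Alias name: configca_2
Entry type: trustedCertEntry
Owner: OU=Organizational CA 2, O=novell
Issuer: OU=Organizational CA 2, O=novell
Certificate fingerprints:
     SHA256: BB:BB:BB:BB

Alias name: test-signing
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=idp.example.com, O=novell
Issuer: OU=Organizational CA, O=novell
Certificate fingerprints:
     SHA256: CC:CC:CC:CC
Certificate[2]:
Owner: OU=Organizational CA, O=novell
Issuer: OU=Organizational CA, O=novell
Certificate fingerprints:
     SHA256: AA:AA:AA:AA

Alias name: admin-console_2
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ac.example.com, O=novell
Issuer: OU=Organizational CA 2, O=novell
Certificate fingerprints:
     SHA256: DD:DD:DD:DD
EOF
)

OLD_CA='OU=Organizational CA, O=novell'
printf '%s\n' "$SAMPLE_LISTING" | ks_records
echo "configca_2 present: $(printf '%s\n' "$SAMPLE_LISTING" | ks_has_alias configca_2)"
echo "still issued by the old CA: $(printf '%s\n' "$SAMPLE_LISTING" | ks_issued_by "$OLD_CA" | tr '\n' ' ')"
```

ks_issued_by matches the issuer DN exactly, so if the replacement CA was minted with the same DN as the original, distinguish the two by fingerprint (ks_records prints it) rather than by name; and because the GUI-managed keystores (IDP cluster, ESP and proxy trust stores) are not plain files on the Admin Console, run the listing on each device's own keystore, such as /opt/novell/devman/jcc/conf/jcc_devman.keystore with the password from ksinfo.sh dump.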