Thursday, 6 September 2012

NetIQ Access Manager Admin Console custom certificates

When you offer any type of web service over https, the first thing that should cross your mind is "did I install verified certificates for this?". I will not go into the many reasons why you should do this... just do it!

NetIQ are continuing Novell's work on Access Manager, and even though they have awesome documentation for 99% of the product... they missed this one (thank the gods there were some useful hints for it in the iManager support documentation though [link at the end]).

So here it is:

  • cd /etc/opt/novell/tomcat7/ ; mkdir certs ; cd certs
  • /opt/novell/java/bin/keytool -genkey -keysize 2048 -alias <> -keyalg RSA -keystore <hostname>.keystore
  • /opt/novell/java/bin/keytool -certreq -keyalg RSA -alias <> -file certreq.csr -keystore <hostname>.keystore
  • Send the csr to your Certification Authority (in this case COMODO)
  • Make sure that everything is where it should be
    /opt/novell/java/bin/keytool -list -keystore /etc/opt/novell/tomcat7/certs/<hostname>.keystore -v
  • Get the signed certificate and CA chain back from COMODO
  • cd /etc/opt/novell/tomcat7/certs/ ; unzip /root/
  • chown novlwww.novlwww *
  • /opt/novell/java/bin/keytool -import -alias root -keystore <hostname>.keystore -trustcacerts -file TERENASSLCA.crt
  • /opt/novell/java/bin/keytool -import -alias caroot -keystore <hostname>.keystore -trustcacerts -file UTNAddTrustServer_CA.crt
  • /opt/novell/java/bin/keytool -import -alias <> -keystore <hostname>.keystore -trustcacerts -file whatever.crt
  • /opt/novell/java/bin/keytool -import -alias tomcat -keystore <hostname>.keystore -trustcacerts -file whatever.crt
  • Double check that all certs are in the keystore
    /opt/novell/java/bin/keytool -list -keystore /etc/opt/novell/tomcat7/certs/<hostname>.keystore -v 
You would think at this point that following the normal Tomcat process would be good enough and we could just add to our server.xml, at the 8443 connector, an option like keystoreFile="/etc/opt/novell/tomcat7/certs/<hostname>.keystore" and that would be it... but NO. I tried it and it did NOT work for some reason... so here is the fix:

  • cp -p /var/opt/novell/novlwww/.keystore /var/opt/novell/novlwww/.keystore-default
  • mv /etc/opt/novell/tomcat7/certs/<hostname>.keystore /var/opt/novell/novlwww/.keystore
  • service novell-ac restart
  • And done!
more here: Replacing default certificates in iManager 2.7 (non-OES install)
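Added example, not from the original post: a small shell check that reads the output of the `keytool -list -v` step above and confirms that the expected aliases are present and that the private-key entry actually carries its CA chain (a chain length of 1 means the CA-signed certificate was never imported into the key entry, so the server would still present the self-signed one). The alias names root, caroot and tomcat and the Java 7 keytool output wording are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): checks the alias/chain layout of a
# `keytool -list -v` listing so the "double check" step can be scripted.
# Assumes Java 7 keytool wording ("Entry type: PrivateKeyEntry",
# "Certificate chain length: N"); the alias names are assumptions too.

# Constructed listing (not real output): both CA certs imported and the key entry
# carrying its full CA-signed chain. Only the lines the checker reads are kept.
GOOD_LISTING='Your keystore contains 3 entries

Alias name: root
Entry type: trustedCertEntry

Alias name: caroot
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3'
# Constructed listing where the signed cert never reached the key entry, so the
# private key still carries only its original self-signed certificate.
BAD_LISTING='Your keystore contains 3 entries

Alias name: root
Entry type: trustedCertEntry

Alias name: caroot
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1'
# check_keystore_listing REQUIRED_ALIASES   (comma-separated; listing on stdin)
# Returns 0 only if every required alias is present and the PrivateKeyEntry's
# chain holds more than one certificate (the CA-signed cert plus its issuers).
check_keystore_listing() {
    awk -v required="$1" '
        /^Alias name:/                 { alias = $3; seen[alias] = 1 }
        /^Entry type: PrivateKeyEntry/ { keyalias = alias }
        /^Certificate chain length:/   { chain[alias] = $4 }
        END {
            n = split(required, want, ",")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "missing alias: " want[i]; bad = 1 }
            if (keyalias == "") { print "no PrivateKeyEntry found"; bad = 1 }
            else if (chain[keyalias] + 0 < 2) { print "key " keyalias " has no CA chain"; bad = 1 }
            exit bad
        }'
}
# Real use: /opt/novell/java/bin/keytool -list -v -keystore <hostname>.keystore | check_keystore_listing root,caroot,tomcat
```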

Wednesday, 5 September 2012

CISSP Training

CISSP Training was completed a bit over a week ago and revision is continuing still...

The course was delivered by Geraint Williams of IT Governance through the University's KnowledgeHub program (enough with the ads though!!).

Awesome course to say the least, plus GeraintW was kind enough to add some very nice posts to his blog detailing some of the material covered in the course (brilliant for revision).

And here we go:

Domain 1 - Access Control
Domain 2 - Telecommunications and Network Security
Domain 3 - Information Governance & Risk Management
Domain 4 - Software Development Security
Domain 5 - Cryptography
Domain 6 - System Architecture and Design
Domain 7 - Operation Security
Domain 8 - Business Continuity & Disaster Recovery
Domain 9 - Legal, Regulations & Investigations

One more to come; I will add them when they are done, I guess :)

Many thanks need to go to GeraintW for providing us with a great course :)


F5 BigIP - NetIQ Access Manager monitors

Vacations have ended and it's back to work...

Let's create some monitors for the master proxies of the Access Manager we have set up, so we don't leave it to the default icmp_gateway health check.

Assuming that:

  • You have configured your Admin consoles, Identity servers, Access Gateways
  • You have added one http and one https reverse proxy in the Gateways (so the parent proxies exist at least..)
  • You have created two vIPs on the F5s pointing to each Pool of the IPs of each proxy

  • Go to your F5 Admin GUI login and go to Local Traffic -> Monitors -> Create
  • Name: Access_Gateway_HTTPS_Monitor 
  • Select type: HTTPS
  • Leave defaults for all fields except the following
  • Send String should be:   GET /nesp/app/heartbeat HTTP/1.1\r\nHost: <hostname-of-your-https-proxy-parent>\r\nConnection: Keepalive\r\n\r\n
  • Receive String should be:  Success
  • Click Finished
  • Go to the http pool and add it as a Monitor
  • Follow the same steps for http, only changing the type and the hostname of the parent proxy

Done :)