Thursday, 6 September 2012

NetIQ Access Manager Admin Console custom certificates

When you offer any kind of web service over HTTPS, the first thing that should cross your mind is: "is this endpoint presenting a certificate issued by a CA my users already trust, rather than the default one it shipped with?". I will not go into the many reasons why you should do this... just do it!

NetIQ has continued Novell's work on Access Manager, and although the documentation is awesome for 99% of the product... it misses this part (thank the gods there are some useful hints for it in the iManager support documentation; link at the end).

So here it is:

  • cd /etc/opt/novell/tomcat7/ ; mkdir certs ; cd certs
  • /opt/novell/java/bin/keytool -genkey -keysize 2048 -alias <hostname.domain.com> -keyalg RSA -keystore <hostname>.keystore
    (answer the prompts so that the CN is exactly the name users type into the browser, <hostname.domain.com>)
  • /opt/novell/java/bin/keytool -certreq -keyalg RSA -alias <hostname.domain.com> -file certreq.csr -keystore <hostname>.keystore
  • Send the CSR (certreq.csr) to your Certification Authority (in this case COMODO)
  • Make sure that everything is where it should be; you should see one private-key entry under the <hostname.domain.com> alias:
    /opt/novell/java/bin/keytool -list -keystore /etc/opt/novell/tomcat7/certs/<hostname>.keystore -v
  • Get whatever.zip from comodo
  • cd /etc/opt/novell/tomcat7/certs/ ; unzip /root/whatever.zip
  • chown novlwww.novlwww *
  • Import the CA certificates from the bundle (the aliases are only labels; "root" and "caroot" are the ones used here). If keytool cannot chain a CA certificate to anything already in the keystore or in the JVM's cacerts it asks whether to trust it; say yes only for certificates that came from the CA's bundle.
    /opt/novell/java/bin/keytool -import -alias root -keystore <hostname>.keystore -trustcacerts -file TERENASSLCA.crt
    /opt/novell/java/bin/keytool -import -alias caroot -keystore <hostname>.keystore -trustcacerts -file UTNAddTrustServer_CA.crt
  • Import the CA reply under the same alias as the key pair. This is the import that matters: because the alias already holds the private key, keytool attaches the issued certificate and its chain to that key.
    /opt/novell/java/bin/keytool -import -alias <hostname.domain.com> -keystore <hostname>.keystore -trustcacerts -file whatever.crt
  • The same certificate imported again under the alias tomcat only creates a trusted-certificate entry; it does not attach anything to the private key.
    /opt/novell/java/bin/keytool -import -alias tomcat -keystore <hostname>.keystore -trustcacerts -file whatever.crt
  • Double check that all certs are in the keystore. The <hostname.domain.com> entry should now be a private-key entry whose certificate chain length is greater than 1: the issued certificate followed by the CA certificates.
    /opt/novell/java/bin/keytool -list -keystore /etc/opt/novell/tomcat7/certs/<hostname>.keystore -v
You would think at this point that following the normal Tomcat procedure would be enough: add keystoreFile="/etc/opt/novell/tomcat7/certs/<hostname>.keystore" to the 8443 connector in server.xml and be done with it... but NO. I tried it and it did NOT work for some reason... so here is the fix:

  • cp -p /var/opt/novell/novlwww/.keystore /var/opt/novell/novlwww/.keystore-default
  • mv /etc/opt/novell/tomcat7/certs/<hostname>.keystore /var/opt/novell/novlwww/.keystore
  • Tomcat opens this file with the password from the connector's keystorePass attribute (or Tomcat's default of "changeit" if none is set), so the password you chose at -genkey must be that one, and the file must stay readable by novlwww; otherwise the HTTPS connector will not come up after the restart.
  • service novell-ac restart
  • And done!
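The whole procedure above as one script, with a check that the keystore really holds a private-key entry carrying the full chain before it is moved over the stock one. This is an added example, not code from the post or from NetIQ. Assumed and not from the post: the NAM_HOST placeholder hostname, the ca1/ca2 alias names, the use of -dname instead of the interactive prompts, and that the CA's zip has already been unpacked into the certs directory. The sample keytool listing embedded at the end is constructed for testing the check offline.

```shell
#!/bin/sh
# Added example (not from the post): the keytool procedure as a script,
# plus a check on "keytool -list -v" output before installing the keystore.
set -eu

KEYTOOL=/opt/novell/java/bin/keytool
CERTDIR=/etc/opt/novell/tomcat7/certs
LIVE_KS=/var/opt/novell/novlwww/.keystore
HOST=${NAM_HOST:-console.example.com}   # assumed placeholder; export NAM_HOST=<fqdn>
KS=$CERTDIR/$HOST.keystore

# Key pair and CSR. -dname (assumed, the post answers prompts instead) pins
# the CN to the name users type. Use the keystore password server.xml expects.
gen_keypair() {
    mkdir -p "$CERTDIR"
    "$KEYTOOL" -genkey -keyalg RSA -keysize 2048 -alias "$HOST" \
        -dname "CN=$HOST" -keystore "$KS"
}
make_csr() {
    "$KEYTOOL" -certreq -keyalg RSA -alias "$HOST" -keystore "$KS" \
        -file "$CERTDIR/certreq.csr"
}

# CA certificates first (given issuer before subject), then the CA reply under
# the SAME alias as the key pair, which is what attaches the chain to the key.
# usage: import_chain reply.crt root-side.crt intermediate.crt ...
import_chain() {
    reply=$1; shift
    n=0
    for ca in "$@"; do
        n=$((n + 1))
        "$KEYTOOL" -import -trustcacerts -alias "ca$n" -file "$ca" -keystore "$KS"
    done
    "$KEYTOOL" -import -trustcacerts -alias "$HOST" -file "$reply" -keystore "$KS"
}

# verify_listing ALIAS MIN_CHAIN [CN]   < output of "keytool -list -v"
# Exit 0 only if ALIAS is a PrivateKeyEntry, its chain holds at least
# MIN_CHAIN certificates, and the leaf certificate's subject has CN=<CN>.
verify_listing() {
    awk -v want="$1" -v min="$2" -v cn="${3:-$1}" '
        /^Alias name: / { sub(/^Alias name: /, ""); cur = $0; next }
        cur != want { next }
        /^Entry type: /               { type = $3 }
        /^Certificate chain length: / { len = $4 }
        /^Owner: / && owner == ""     { owner = $0 }
        END {
            ok = (type == "PrivateKeyEntry") && (len + 0 >= min + 0) &&
                 (index(owner ",", "CN=" cn ",") > 0)
            exit !ok
        }'
}

# Verify, back up the stock keystore once, move ours in, fix ownership, restart.
install_keystore() {
    "$KEYTOOL" -list -v -keystore "$KS" | verify_listing "$HOST" 3
    [ -e "$LIVE_KS-default" ] || cp -p "$LIVE_KS" "$LIVE_KS-default"
    mv "$KS" "$LIVE_KS"
    chown novlwww:novlwww "$LIVE_KS"
    service novell-ac restart
}

# Constructed, trimmed keytool output for testing verify_listing offline:
# a key pair with a 3-deep chain, and a CA imported as a trusted-cert entry.
SAMPLE_LISTING='Alias name: console.example.com
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=console.example.com, O=Example, C=GR
Issuer: CN=TERENA SSL CA, O=TERENA, L=Amsterdam, ST=Noord-Holland, C=NL
Certificate[2]:
Owner: CN=TERENA SSL CA, O=TERENA, L=Amsterdam, ST=Noord-Holland, C=NL
Alias name: ca1
Entry type: trustedCertEntry

Owner: CN=UTN-USERFirst-Hardware, O=The USERTRUST Network, C=US'

selftest() {
    printf '%s\n' "$SAMPLE_LISTING" | verify_listing console.example.com 3 || return 1
    # a trusted-cert entry must never pass as the server key
    if printf '%s\n' "$SAMPLE_LISTING" | verify_listing ca1 1; then return 1; fi
    # chain length 1 means the CA reply was never imported onto the key
    if printf 'Alias name: x\nEntry type: PrivateKeyEntry\nCertificate chain length: 1\nOwner: CN=x\n' |
        verify_listing x 3; then return 1; fi
}

case "${1:-}" in
    keypair)  gen_keypair ;;
    csr)      make_csr ;;
    import)   shift; import_chain "$@" ;;
    verify)   "$KEYTOOL" -list -v -keystore "$KS" | verify_listing "$HOST" 3 ;;
    install)  install_keystore ;;
    selftest) selftest ;;
    "")       ;;   # no sub-command: only define the functions
esac
```

Run it step by step: `keypair`, then `csr`, send the CSR off, unpack the bundle into the certs directory, then `import whatever.crt UTNAddTrustServer_CA.crt TERENASSLCA.crt` (root side first), `verify`, and finally `install`. The verify step is the one that catches the usual mistake, importing the CA reply under an alias other than the key pair's: the listing then shows a trusted-cert entry instead of a key entry with a chain, and the script stops before it touches the live keystore.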
more here: Replacing default certificates in iManager 2.7 (non-OES install)

