3.3 Using Externally Signed Certificates

When the Identity Server is configured to use an SSL certificate that is signed externally, the trusted store of the embedded service provider for each component must be configured to trust this new CA. The browsers that are used to authenticate to the Identity Server must be configured to trust the CA that created the certificate for the Identity Server. If you obtain a certificate from a well-known external CA, most browsers are already configured to trust certificates from well-known CAs.

The following procedures explain how to use certificates signed by an external Certificate Authority.

3.3.1 Obtaining Externally Signed Certificates

The following sections explain how to create certificate signing requests for the Identity Server and Access Gateway, how to use the requests to obtain a signed certificates, then how to import the signed certificates and the root certificate of the Certificate Authority into Access Manager.

Creating the Certificate Signing Request

You need to create two certificate signing requests: one for the Identity Server and one for the Access Gateway. The Certificate name and the Common name need to be different, but the other values can be the same.

What you need to know or create

Example

Your Value

Certificate name

ipda_test or lag_test

________________________ ________________________

Certificate Subject Fields:

 

 

 

Common name

ipda.test.novell.com or lag.test.novell.com

________________________ ________________________

 

Organizational unit

o=novell

________________________

 

Organization

test

_______________________

 

City or town

Provo

________________________

 

State or province

UT

_______________________

 

Country

US

 

To create a signing request for the Identity Server:

  1. In the Administration Console, click Access Manager > Certificates > New.

  2. Select the Use External certificate authority option.

  3. Fill the following fields:

    Certificate name: idpa_test

    Signature algorithm: Accept the default.

    Valid from: Accept the default.

    Months valid: Accept the default.

    Key size: Accept the default.

  4. Click the Edit icon on the Subject line.

  5. Fill in the following fields:

    Common name: idpa.test.novell.com

    Organizational unit: o=novell

    Organization: test

    City or town: Provo

    State or province: UT

    Country: US

  6. Click OK twice, then click the name of the certificate.

  7. Click Export CSR.

    The signing request is saved to a file.

  8. Repeat Step 1 through Step 7 to create a signing request for the Access Gateway. Use lag_test for the Certificate name and lag.test.novell.com for the Common name.

Getting a Signed Certificate

You can send the certificate signing request to a Certificate Authority and wait for the CA to return a signed certificate or you can use a trial certificate while you wait for the official certificate. Companies such as Thawte* and VeriSign* offer trial signed certificates.

Modify the following instructions for the CA you have selected to sign your certificates:

  1. Set up an account with a Certificate Authority and select the free trial option.

  2. Open your certificate signing request for the Identity Server in a text editor.

  3. Copy and paste the text of the certificate request into the appropriate box for a trial certificate.

  4. Click Next, then copy the signed certificate and paste it into a new text file or at the bottom of the signing request file.

  5. Click Back, and repeat Step 2 through Step 4 for the Access Gateway.

  6. Follow the instructions on the Web site to download the root certificate of the Certificate Authority.

Importing the Signed Certificates and Root Certificate

The following steps explain how to imported the signed certificates and the trust root into the Administration Console so that they are available to be assigned to key stores and trusted root stores.

  1. In the Administration Console, click Access Manager > Certificates > Trusted Roots.

  2. Click Import, then specify a name for the root certificate.

  3. Click Browse, and locate the root certificate file.

  4. Click OK.

    The trusted root is added and is now available to add to trusted root stores.

  5. In a text editor, open the signed certificate for the Identity Server.

  6. In the Administration Console, click Access Manager > Certificates, then click the name of certificate signing request for the Identity Server.

  7. Click Import Signed Certificate, then select Certificate data text (PEM/Based64).

  8. Paste the text for the signed certificate into the data text box. Copy everything from

    -----BEGIN CERTIFICATE-----

    through

    -----END CERTIFICATE-----

  9. Click Add trusted root, then click the Browse icon and locate the root certificate file.

  10. Click OK.

    The certificate is now available to be assigned to the keystore of a device.

    If the certificate fails to import and you receive an error, it is probably missing a trusted root certificate in a chain of trusted roots. To determine whether this is the problem, see Resolving a -1226 PKI Error and Importing an External Certificate Key Pair in the Novell Access Manager 3.0 SP4 Administration Guide.

  11. Repeat Step 5 through Step 10 for the Access Gateway certificate.

3.3.2 Configuring the Identity Server to Use an Externally Signed Certificate

This section explains how to enable SSL between the Identity Servers and the browsers.

  1. In the Administration Console, click Access Manager > Identity Servers > Edit.

  2. For the protocol in the Base URL option, select https.

  3. In the SSL Certificate line, click the Browse icon.

  4. In the Certificates section, click Replace, then click the Browse icon.

  5. Select the Identity Server certificate, then click OK twice.

  6. At the prompt to restart Tomcat, select to restart Tomcat now.

  7. Click Close > OK.

  8. Wait for the Identity Server health to turn green.

  9. Click Access Gateway > Edit > Service Provider Certificates > Trusted Roots.

  10. In the Trusted Roots section, click Add, then click the Browse icon.

  11. Select the trusted root certificate of the Certificate Authority that signed the Identity Server certificate.

  12. Click OK until you return the Service Provider Certificates page.

    IMPORTANT:If the external Certificate Authority writes the DN in reverse order (the cn element comes first rather than last), you receive an error message that the certificate names do not match. You can ignore this warning, if the order of the DN elements is the cause.

  13. Click Close, then click the Access Gateways task.

  14. Click Update.

  15. Test the SSL connection between the browser and the Identity Server:

    1. Enter the Base URL of the Identity Server in a browser. 

      https://idpa.test.novell.com:8443/nidp

    2. If the URL returns a login page, log in using the credentials of a user in the LDAP server.

      The user portal appears.

      If the URL returns an error rather than displaying a login page, verify the following:

      • The browser trusts the CA that created the certificate.

      • The browser can resolve the DNS name of the Identity Server

      • The browser can access port 8443.

  16. Verify that the trusted relationship between the Identity Server and the Access Gateway has been reestablished:

    1. Enter the URL to a protected resource on the Access Gateway.

    2. Complete one of the following:

3.3.3 Configuring the Access Gateway to Use an Externally Signed Certificate

This section explains how to enable SSL communication between the Access Gateway and the Identity Server (channel 3 in Figure 3-1) and between the Access Gateway and the browsers (channel 4 in Figure 3-1).

  1. In the Administration Console, click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy].

  2. Select Enable SSL with Embedded Service Provider.

  3. Select Enable SSL between Browser and Access Gateway.

  4. In the Server Certificate line, click the Browse icon.

  5. Select the Access Gateway certificate, then click OK.

    IMPORTANT:If the external Certificate Authority writes the DN in reverse order (the cn element comes first rather than last), you receive an error message that the subject name does not contain the cn of the device. You can ignore this warning, if the order of the DN elements is the cause.

  6. Click Auto-Import Embedded Service Provider Trusted Root, then click OK.

    This adds the trusted root of the Access Gateway certificate to the trusted root store of the Identity Server.

  7. Specify an Alias for the certificate, then click OK > Close.

  8. On the Reverse Proxy page, click OK.

  9. On the Server Configuration page, click Reverse Proxy / Authentication.

  10. In the Embedded Service Provider section, click Auto-Import Identity Server Configuration Trusted Root, and follow the prompts.

    This imports the trusted root certificate of the Identity Server into the trusted root store of the embedded service provider.

  11. Click OK twice to return to the Access Gateways page.

  12. On the Access Gateways page, click Update.

  13. Click Identity Servers > Update.

  14. Verify that the trusted relationship between the Identity Server and the Access Gateway has been reestablished:

    1. Enter the URL to a protected resource on the Access Gateway.

    2. Complete one of the following: