20.1 Securing LDAP Synchronization

20.1.1 Understanding How Teaming Handles Public-Key Certificates

Java uses a keystore file to store public-key certificates. The default keystore that is installed along with Novell® Teaming is:

Linux:

/opt/novell/teaming/apache-tomcat-version/conf/.keystore

Windows:

c:\Program Files\Novell\Teaming\apache-tomcat-version\conf\.keystore

The self-signed public-key certificate in the default keystore is sufficient for you to set up secure connections during initial installation. Soon after installation, you should obtain a signed certificate. You can store your signed certificate in the default keystore, or in a location of your own choosing. Teaming reads the location of its keystore from the following file:

Linux:

/opt/novell/teaming/apache-tomcat-version/conf/server.xml

Windows:

c:\Program Files\Novell\Teaming\apache-tomcat-version\conf\server.xml

If you do not want to use the default keystore location, you must update the server.xml file to match the location you choose for your keystore.
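The following added example (not part of the Teaming documentation or product) checks that the server.xml Teaming reads is consistent with the keystore you chose: it parses the SSL-enabled Tomcat Connector, verifies the keystoreFile attribute points at an existing file, and flags the Tomcat default keystore password. The sample server.xml and the keystore path in it are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample of the Tomcat server.xml Connector that Teaming reads its
# keystore location from; the keystoreFile path is made up for this example.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/novell/teaming/certs/teaming.keystore"
               keystorePass="changeit"/>
  </Service>
</Server>
"""


def ssl_connectors(server_xml_text):
    """Return the attribute dict of every Connector with SSLEnabled="true"."""
    root = ET.fromstring(server_xml_text)
    return [c.attrib for c in root.iter("Connector")
            if c.attrib.get("SSLEnabled", "").lower() == "true"]


def check_keystore_config(server_xml_text, path_exists=os.path.isfile):
    """Return a list of findings; an empty list means the config is consistent.

    path_exists is injectable so the check can run against a sample document
    without touching the local file system.
    """
    findings = []
    connectors = ssl_connectors(server_xml_text)
    if not connectors:
        findings.append("no SSL-enabled Connector: HTTPS is not configured")
    for c in connectors:
        port = c.get("port", "?")
        keystore = c.get("keystoreFile")
        if not keystore:
            # Without keystoreFile, Tomcat silently falls back to ~/.keystore.
            findings.append(f"port {port}: keystoreFile not set (Tomcat uses ~/.keystore)")
        elif not path_exists(keystore):
            findings.append(f"port {port}: keystoreFile {keystore} does not exist")
        # Tomcat assumes the password "changeit" when keystorePass is absent.
        if c.get("keystorePass", "changeit") == "changeit":
            findings.append(f"port {port}: keystore uses the default password 'changeit'")
    return findings
```

Run it against the real server.xml with `check_keystore_config(open(path).read())` after moving the keystore, and treat any finding as a configuration to fix before Teaming is restarted.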

20.1.2 Obtaining a Signed Public-Key Certificate

  1. Obtain a signed certificate through a commercial Certificate Authority (CA).

    You can find a CA on the Internet by searching for “Certificate Authority”. The process of obtaining a signed certificate varies from company to company. Each company provides instructions to assist you.

    or

    Generate your own self-signed certificate by using the Keytool utility.

    Linux:

    /usr/java/jdk1.5.0_17/bin/keytool

    Windows:

    c:\Program Files\Java\jdk1.5.0_17\bin\keytool.exe

    The Apache Tomcat 6.0 SSL Configuration HOW-TO provides guidance if you want to use this approach.

  2. Place the signed certificate in a convenient location on the Teaming server (for example, in a certs directory).

    If you obtained the signed certificate from a CA, you also received a CA certificate that validates the public-key certificate.

20.1.3 Importing Certificates

After you have obtained a signed public-key certificate, you must import it into the keystore for your Novell Teaming system. If you also received a CA certificate, you must import it into the Java CA certificate store.

  1. To import the public-key certificate, use the following command:

    Linux:

    keytool -import -alias ldap_svr_alias -keystore /path/.keystore -file /certs/certname.b64

    Windows:

    "c:\Program Files\Java\jdk1.5.0_17\bin\keytool.exe" -import -alias ldap_svr_alias -keystore c:\path\.keystore -file c:\certs\certname.b64

    For background information, see keytool - Key and Certificate Management Tool.

  2. To import the CA certificate, import it into the Java CA certificate store, which is the cacerts keystore file in your JDK installation:

    java_jdk_installation/jre/lib/security/cacerts