If your LDAP directory service requires a secure LDAP connection (LDAPS), you must configure Teaming with a root certificate. The root certificate identifies the root certificate authority (CA) for your Teaming site, which enables you to generate a self-signed root certificate based on your eDirectory™ tree.
You can generate a root certificate for your eDirectory tree using either ConsoleOne® or iManager, then you import the root certificate into the Java keystore file (cacerts) on the Teaming server to make it accessible to Teaming. The default location for the Java keystore file is:
|
Linux: |
/usr/java/jdkversion/jre/lib/security |
|
Windows: |
c:\Program Files\Java\jdkversion\jre/lib/security |
NOTE:For iManager instructions, see TID 3176104: How to Enable SSL for Teaming LDAP Synchronization and Authentication
in the Novell Support Knowledgebase. If you are using Active Directory* rather than eDirectory, consult your Active Directory documentation for a procedure comparable to the one provided in Generating a Root Certificate in ConsoleOne.
On Linux or Windows, start ConsoleOne and authenticate to your eDirectory tree.
Expand the Security container, right-click the Tree_Name CA object, then click .
Click .
Click to update the certificate status, then click to close the Certificate Validation dialog box.
Click to export your eDirectory root certificate into a file that can be imported into the Java keystore file.
Click to accept the default of No for exporting a private key file along with the root certificate.
Select the output format for the root certificate file.
Either DER or Base64 format can be imported into the Java keystore file.
In the field, specify the location where you want to create the root certificate file and the filename to use, such as SelfSignedRootCert.der.
IMPORTANT:You need to be able to access this file from the Teaming server. Specify an accessible location or copy it to the Teaming server after you create it.
Click to display a summary of the options you have selected, then click to generate the root certificate file.
Click to close the Self Signed Certificate properties page of the Tree_Name CA object.
Exit ConsoleOne.
(Conditional) If necessary, copy the root certificate file to a convenient location on the Teaming server.
On the Teaming server, make sure that you have access to the root certificate file.
Make sure that you can access the keytool tool:
For convenient use, you might need to add its location to the PATH environment variable.
Use the following command to import the root certificate into the Java keystore:
keytool -import -alias ldap_server_dns_name -keystore path_to_java_keystore_file -file root_certificate_file
For example:
keytool -import -alias ldapserver.yourcompanyname.com
-keystore /usr/java/jdkversion/jre/lib/security/cacerts
-file /certs/SelfSignedRootCert.der
When prompted, specify a password for the root certificate, then confirm the password.
IMPORTANT:The default password used by Tomcat is changeit. If you want to specify a password other than this, then you must also specify this password in the server.xml Tomcat configuration file, as described in Changing Your Password for the Keystore File.
Do not forget the password you specify.
Enter yes to accept the certificate import.
Use the following command to verify that the root certificate has been imported into the Java keystore:
keytool -list -keystore path_to_java_keystore_file
Enter the root certificate password to list the root certificate information.
Restart Teaming so that Tomcat rereads the updated Java keystore file.
You are now ready to configure your Teaming site for secure LDAP synchronization, as described in Adding Teaming Users from Your LDAP Directory
in Basic Installation
in the Novell Teaming 2.1 Installation Guide.