Understanding the Novell Certificate Server

Novell Certificate Server™ allows you to mint, issue, and manage digital certificates by creating a Security container object and an Organizational Certificate Authority (CA) object. The Organizational CA object enables secure data transmissions and is required for Web-related products such as NetWare Web Manager and NetWare Enterprise Web Server. The first eDirectory server will automatically create and physically store the Security container object and Organizational CA object for the entire eDirectory tree. Both objects are created and must remain at the top of the eDirectory tree.

Only one Organizational CA object can exist in an eDirectory tree. Once the Organizational CA object is created on a server, it cannot be moved to another server. Deleting and re-creating an Organizational CA object invalidates any certificates associated with the Organizational CA.

IMPORTANT:  Make sure that the first eDirectory server is the server on which you intend to permanently host the Organizational CA object, and that the server will be a reliable, accessible, and continuing part of your network.

If this is not the first eDirectory server on the network, the installation program finds and references the eDirectory server that holds the Organizational CA object. The installation program accesses the Security container and creates a Server Certificate object.

If an Organizational CA object is not available on the network, Web-related products will not function.

On Linux or Solaris, the administrator must manually create an Organizational CA object and the Server Certificate object.


Rights Required to Perform Tasks on Novell Certificate Server

To complete the tasks associated with setting up Novell Certificate Server, the administrator needs to have rights as described in the following table.


Table 19. Rights Required to Perform Tasks on Novell Certificate Server

Task: Base security setup for installing the first server into a new tree, or upgrading the first server in a tree where there is no base security previously installed.
Rights required:
    • Create rights at the root of the eDirectory tree
    • Supervisor rights at the root of the tree
    • Supervisor rights on the Security container

Task: Base security setup for installing subsequent servers.
Rights required:
    • Supervisor rights on the server's container
    • Supervisor rights on the W0 object (located inside the Security container)

Task: Creating the Organizational CA
Rights required:
    • Supervisor rights on the Security container

Task: Creating Server Certificate objects
Rights required:
    • Supervisor rights on the server's container
    • Read rights to the NDSPKI:Private Key attribute on the Organizational CA's object

The root administrator can also delegate the authority to use the Organizational CA by assigning the following rights to subcontainer administrators. Subcontainer administrators require the following rights to install Novell eDirectory with SSL security:

  1. Read rights to the NDSPKI:Private Key attribute on the Organizational CA's object, located in the Security container.
  2. Supervisor rights to the W0 object located in the Security container, inside the KAP object.

These rights are assigned to a group or a role. All the administrative users are defined in a Group or Role. For a complete list of the rights required to perform specific tasks associated with Novell Certificate Server, refer to the online documentation for Novell Certificate Server.


Ensuring Secure eDirectory Operations on Linux and Solaris Systems

eDirectory includes Public Key Cryptography Services (PKCS), which contains the Novell Certificate Server™ that provides Public Key Infrastructure (PKI) services, Novell International Cryptographic Infrastructure (NICI), and the SAS-SSL server.

The following sections provide information about performing secure eDirectory operations:

For information about using external certificate authority, refer to Novell Certificate Server Administration Guide.


Verifying Whether NICI Is Installed and Initialized on the Server

Verify the following conditions, which indicate that the NICI module has been properly installed and initialized:

If these conditions are not met, you must initialize the NICI module on the server as explained in Initializing the NICI Module on the Server.


Initializing the NICI Module on the Server

  1. Stop the eDirectory server.

    • On Linux systems, type /etc/rc.d/init.d/ndsd stop
    • On Solaris systems, type /etc/init.d/ndsd stop

  2. Verify whether the NICI package is installed.

    • On Linux systems, type rpm -qa | grep nici
    • On Solaris systems, type pkginfo | grep NOVLniu0

    If the NICI package is not installed, install it now.

    NOTE:  You will not be able to proceed if the NICI package is not installed.

  3. Copy the .nfk file provided with the package to the /var/novell/nici directory.

    Then execute the program /var/novell/nici/primenici.

  4. Start the eDirectory server.

    • On Linux systems, type /etc/rc.d/init.d/ndsd start
    • On Solaris systems, type /etc/init.d/ndsd start


Starting the Certificate Server (PKI Services)

To start PKI services, enter npki -l.


Stopping the Certificate Server (PKI Services)

To stop PKI services, enter npki -u.


Creating a Certificate Authority

  1. From ConsoleOne, right-click the security object at the Tree object level > click New > click Object.

  2. Select NDSPKI: Certificate Authority > click OK > follow the online instructions.

  3. Select the target server > enter an eDirectory object name.

  4. In Creation Method, select Custom > click Next.

  5. Select the key size > use the default values for other options > click Next.

  6. In the Select Certificate Basic Constraints option, use the default values > click Next.

  7. In Specify the Certificate Parameters, for Validity Period select Specify Dates.

  8. For Effective Date, select a few days (3-5) before the system date > use the default values for all other options.

NOTE:  The pkiconfig utility can also be utilized to create a Certificate Authority. For more information on using the pkiconfig utility, refer to the manpage pkiconfig.1m.


Creating a Key Material Object

  1. From ConsoleOne, right-click the container the LDAP Server object is in > click New > click Object.

  2. Select NDSPKI: Key Material > OK.

  3. Select the target server > enter a name > in Creation Method, select Custom > click Next.

  4. Use the default values for Specify the Certificate Authority option, which will sign the certificate > click Next.

  5. In Specify an RSA Key Size and How the Key Is to Be Used, select an appropriate key size > use the default values for all other options > click Next.

  6. In Specify the Certificate Parameters, for Validity Period select Specify Dates.

  7. For Effective Date, select a few days (3-5) before the system date > use the default values for all other options > click Next.

  8. In Specify the Trusted Root Certificate to Be Associated with Server Certificate, use the default values > click Next.

  9. Click Finish to create the Key Material Object.

  10. In the General Property page, select the SSL certificate (KMO) > click Refresh NLDAP Server Now > click Close.

NOTE:  The pkiconfig utility can also be used to create a Key Material Object. For more information on using the pkiconfig utility, refer to the manpage pkiconfig.1m.


Exporting a Self-Assigned CA Out of eDirectory in DER Format

  1. Double-click the KMO object > go to the Certificates Property page > select Trusted Root Certificate > click Export > select File in Binary DER format > click OK.

  2. Include this file in all command line operations that establish secure connections to eDirectory.
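The following shell script is an added example, not part of the Novell documentation, showing the checks an administrator would run on the exported DER file before handing it to the command line operations of step 2: that the certificate carries the CA basic constraint left at its default when the CA was created, that its validity period (including the backdated Effective Date) has already started, and that the RSA key size selected is large enough; it ends with a probe of the eDirectory LDAPS port that trusts only this CA. It assumes the openssl command-line tool is installed; host names and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not Novell's code): sanity checks on an Organizational CA
# exported from eDirectory in binary DER format. Assumes the openssl CLI.

# der_to_pem DER_FILE PEM_FILE: most command-line TLS clients expect PEM input.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# ca_key_bits DER_FILE: print the RSA key size (bits) chosen when the CA was created.
ca_key_bits() {
    openssl x509 -inform DER -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_ca DER_FILE [MIN_BITS]: succeed only if the certificate carries the CA
# basic constraint, its validity period has started and not ended, and its RSA
# key has at least MIN_BITS (default 2048) bits.
check_ca() {
    der=$1; min_bits=${2:-2048}
    pem=$(mktemp) || return 1
    if ! der_to_pem "$der" "$pem" 2>/dev/null; then
        echo "$der: not a DER certificate" >&2; rm -f "$pem"; return 1
    fi
    if ! openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "$der: Basic Constraints do not mark this certificate as a CA" >&2
        rm -f "$pem"; return 1
    fi
    # Verifying the self-signed CA against itself fails if the Effective Date is
    # still in the future (clock skew) or the certificate has already expired.
    if ! openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1; then
        echo "$der: certificate is not yet valid or has expired" >&2
        rm -f "$pem"; return 1
    fi
    rm -f "$pem"
    bits=$(ca_key_bits "$der")
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "$der: RSA key is ${bits:-unknown} bits, want at least $min_bits" >&2
        return 1
    fi
}

# ldaps_probe HOST DER_FILE: TLS handshake to the eDirectory LDAPS port (636)
# trusting only the exported Organizational CA; any other issuer is rejected.
ldaps_probe() {
    pem=$(mktemp) || return 1
    der_to_pem "$2" "$pem" || { rm -f "$pem"; return 1; }
    openssl s_client -connect "$1:636" -CAfile "$pem" -verify_return_error </dev/null && rc=0 || rc=$?
    rm -f "$pem"; return $rc
}
```

Run `check_ca /path/to/exported-ca.der` before distributing the file, and `ldaps_probe ldap-server.example.com /path/to/exported-ca.der` to confirm that a server's certificate chains to the Organizational CA.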


