
Thread: Where to make changes for using 3rd party cert with OES11.


  1. #1

    Where to make changes for using 3rd party cert with OES11.

    Just because it takes a while to track all these down individually, here's a list of what to change in order to use a 3rd party security cert to prevent your browsers from complaining with iManager, iMonitor NRM and the server's basic website.

    This assumes you already know how to get a 3rd party cert for your server using iManager and exporting that same cert as a PFX file to the server in question.

    Once that's done, open a terminal session in the directory where the PFX file is located and run two OpenSSL commands:

    openssl pkcs12 -in keyStore.pfx -out <whatever name you want>cert.pem -nodes -nokeys
    openssl pkcs12 -in keyStore.pfx -out <whatever name you want>key.pem -nodes -nocerts

    In both commands, you will be asked for the password you used in exporting the PFX file.

    Copy both files to the /etc/ssl/servercerts/ folder.
    For the server itself (https://whatever_your_server_is), edit two lines in "/etc/apache2/vhosts.d/vhost-ssl-conf":

    SSLCertificateFile /etc/ssl/servercerts/<your servercert file name>.pem
    SSLCertificateKeyFile /etc/ssl/servercerts/<your serverkey file name>.pem

    With thanks to Peter Hine's response in the 02-Jul-2012 Novell forum thread, "OES11: Custom certificate for Apache"

    Edit the edir file in /etc/sysconfig/novell/
    The file name varies from version to version. In OES11SP1 it's "edir_oes11_sp1"
    In pre-SP1, it appears to be "edir2_oes11"

    Change the value of the line CONFIG_EDIR_OVERWRITE_CERT_FILES="yes" to "no".

    Novell Remote Manager:
    Edit "/etc/opt/novell/httpstkd.conf".
    Look for the line: addr keyfile=/etc/opt/novell/httpstkd/server.key certfile=/etc/opt/novell/httpstkd/server.pem
    Edit the line to reflect the new cert file locations:
    addr keyfile=/etc/ssl/servercerts/<your serverkey file name>.pem certfile=/etc/ssl/servercerts/<your servercert file name>.pem

    Use Console1 or iManager to locate the object in the server's context labeled "Http Server - <your server name>" and examine the properties of that item.
    If using C1, select the "Other" tab, find the attribute in the left column labeled "httpKeyMaterialObject", expand the attribute to show its target and navigate to the certificate you imported.
    In iManager, you'll see the same attribute in the left-side column. Double-click on the attribute and navigate to your imported cert.

    Restart apache2 (apache2ctl restart) and tomcat6 (service novell-tomcat6 restart) to activate the changes for the main web page and iManager.
    You'll need to restart eDirectory (rcndsd restart) to activate the changes for iMonitor, so understand the disruption that could cause if you've only got one server running eDirectory.

    Restarting the server will, of course, take care of all 3.
    Last edited by gathagan; 18-May-2013 at 04:59 AM.
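
An added example, not part of the original post: a check to run on the two PEM files produced by the `openssl pkcs12` commands before Apache and httpstkd are pointed at them. It confirms the key matches the certificate, that the unencrypted key is not readable by group or other, and that the certificate has not expired. The function names and the `make_sample` helper (which builds a constructed throwaway pair) are hypothetical, and the check assumes the server certificate is the first one in the cert file.

```shell
#!/bin/sh
# Added example: sanity checks for the cert/key PEM pair extracted from the PFX.

# Public key of the first certificate in the file (assumed to be the server cert).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the private key file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_pair CERT KEY: returns 0 only if every check passes.
check_pair() {
    cert=$1; key=$2; rc=0
    cpub=$(cert_pubkey "$cert"); kpub=$(key_pubkey "$key")
    if [ -z "$cpub" ] || [ -z "$kpub" ]; then
        echo "FAIL: cannot parse $cert or $key" >&2; return 2
    fi
    if [ "$cpub" != "$kpub" ]; then
        echo "FAIL: private key does not match certificate" >&2; rc=1
    fi
    # -nodes wrote the key unencrypted, so group/other must have no access.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other; chmod 600 it" >&2; rc=1
    fi
    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert and $key match"
    return "$rc"
}

# make_sample DIR: constructed throwaway self-signed pair for trying the check.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$1/samplekey.pem" -out "$1/samplecert.pem" 2>/dev/null
    chmod 600 "$1/samplekey.pem"
}

# Usage: sh check_pair.sh <cert>.pem <key>.pem
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

Run it against the files in /etc/ssl/servercerts/ before restarting any service; a mismatch or a loose key mode is easier to fix at this point than after apache2 or httpstkd refuses to start.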
