In an OES environment, you can make all communications secure by implementing a verified secure digital certificate. These certificates should be issued and signed by a Certificate Authority (CA). The CA can be a trusted third-party vendor or your own organizational CA.
This section describes the procedures to implement digital certificates in an OES environment.
In an eDirectory environment, create a subordinate certificate authority that allows the organization CA to be subordinate to a trusted third-party CA or a CA in another eDirectory tree. For more information on why you should create a subordinate certificate authority, see Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.
To configure the digital certificate:
1. Create the Certificate Signing Request (CSR) file from your OES environment. For detailed instructions, see Step 1 in Creating a Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.
2. Get the CSR signed by a trusted third-party CA or another eDirectory tree. For detailed instructions, see Step 2 in Creating a Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.
3. Acquire the signed CA certificate from the third-party CA or another eDirectory tree. For detailed instructions, see Step 3 in Creating a Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.
4. Import the signed CA certificates into your OES environment. For detailed instructions, see Step 4 in Creating a Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.
5. Export the public/private key pair to a PKCS#12 file in your OES environment. For detailed instructions, see Step 5 in Creating a Subordinate Certificate Authority in the Novell Certificate Server 3.3.8 Administration Guide.
For more information on creating and importing certificates using third-party vendors such as VeriSign or RapidSSL, see the TID on How to import a Production VeriSign External Certificate into eDirectory using iManager (3033173).
The following services must be reconfigured so that they use the latest verified certificate: LDAP, Apache, and LUM.
To point the LDAP server object to the verified certificate:
1. Log in to iManager with administrative privileges.
2. Click LDAP > LDAP Options > View LDAP Groups, click the LDAP group, then select the Require TLS for Simple Binds with Password check box.
3. Click Apply and OK.
4. Click the LDAP Options > View LDAP Servers tab, then click the LDAP server > Connections. In the Server Certificate text box, search for and select the certificate that you created.
5. Click Apply and OK.
6. Repeat Step 4 and Step 5 for all the LDAP servers in the LDAP group.
If you have used an eDirectory SSL certificate, see the TID on How to use eDirectory SSL certificates for Apache2 on SLES OES (7014029) to reconfigure Apache.
If you have used a third-party SSL certificate, see the TID on Using Apache SSL default certificates or third party certificates on SLES (7004384) to reconfigure Apache.
For LUM to use the latest signed certificate:
1. Import an SSL certificate to the local machine using the namconfig -k command.
2. Refresh the nam settings using the namconfig cache_refresh command.
For example, to view the details of the imported certificate, execute the openssl x509 -in /var/lib/novell-lum/.198.162.1.1.der -noout -inform der -text command.
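After the LDAP, Apache, and LUM steps above, the practical question is whether the certificate each service now holds is really the one signed by the new subordinate CA and whether it is inside its validity window. The script below is an added example, not part of this guide or of OES; it reads a DER-encoded certificate such as the LUM file shown above with a small built-in ASN.1 reader (no external libraries), prints the issuer, subject, and validity dates, and exits non-zero if the issuer CN is not the expected CA name or the certificate is expired. The certificate path, the CA name "Subordinate CA", and the built-in sample certificate are constructed for illustration; the sample carries a zero-filled signature because it only exercises the parser.

```python
"""Post-rollover check for a DER certificate (added example, not OES code)."""
import sys
from datetime import datetime, timezone


def der(tag, body):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next k bytes hold the length
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def parse_name(body):
    """Flatten an X.501 Name (SEQUENCE of SET of SEQUENCE{OID, value}) into a dict."""
    attrs = {}
    for _set_tag, rdn in children(body):
        for _seq_tag, atv in children(rdn):
            (_, oid), (_, value) = children(atv)[:2]
            attrs[OID_NAMES.get(oid, oid.hex())] = value.decode("utf-8", "replace")
    return attrs


def parse_time(tag, value):
    """UTCTime (0x17) uses a two-digit year, GeneralizedTime (0x18) four digits."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_certificate(cert_der):
    """Return serial, issuer, subject and validity window of a DER certificate."""
    _tag, cert_body = children(cert_der)[0]
    _tag, tbs_body = children(cert_body)[0]          # tbsCertificate
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    (nb_tag, nb), (na_tag, na) = children(validity[1])
    return {
        "serial": int.from_bytes(serial[1], "big"),
        "issuer": parse_name(issuer[1]),
        "subject": parse_name(subject[1]),
        "not_before": parse_time(nb_tag, nb),
        "not_after": parse_time(na_tag, na),
    }


def check_certificate(cert_der, expected_issuer_cn, now=None):
    """Return (info, problems): wrong issuer CN, not yet valid, or expired.
    `now` may be a datetime, an ISO date string, or None for the current time."""
    info = parse_certificate(cert_der)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    problems = []
    if info["issuer"].get("CN") != expected_issuer_cn:
        problems.append(f"issuer CN is {info['issuer'].get('CN')!r}, expected {expected_issuer_cn!r}")
    if now < info["not_before"]:
        problems.append("certificate is not yet valid")
    if now >= info["not_after"]:
        problems.append(f"certificate expired on {info['not_after']:%Y-%m-%d}")
    return info, problems


def _name(cn, org):
    return der(0x30,
               der(0x31, der(0x30, der(0x06, b"\x55\x04\x0a") + der(0x13, org.encode())))
               + der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))


def build_sample_certificate():
    """Constructed sample: sha256WithRSA OIDs, zero-filled key and signature."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x10\x01") + sha256_rsa
              + _name("Subordinate CA", "Example Org")
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
              + _name("oes-server.example.com", "Example Org")
              + der(0x30, rsa + der(0x03, b"\x00" * 9)))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 17))


if __name__ == "__main__":
    if len(sys.argv) == 3:                 # usage: check_cert.py <file.der> "<issuer CN>"
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        issuer_cn = sys.argv[2]
    else:
        data, issuer_cn = build_sample_certificate(), "Subordinate CA"
    info, problems = check_certificate(data, issuer_cn)
    print(f"subject={info['subject']}  issuer={info['issuer']}  serial={info['serial']}")
    print(f"valid {info['not_before']:%Y-%m-%d} .. {info['not_after']:%Y-%m-%d}")
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it against the LUM file from the step above, for example `python check_cert.py /var/lib/novell-lum/.198.162.1.1.der "Your Subordinate CA"`, and against the certificate exported for Apache; a non-zero exit means the service still holds the old certificate or one outside its validity window. The reader deliberately stops at the top-level fields and does not verify the signature chain; use `openssl verify -CAfile <chain>` for that, as the chain check needs the CA certificates imported in Step 4.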