eDirectory Server Certificates; Server Certificate Changes in OES 2 Linux - Novell Open Enterprise Server Conversion Guide (12-2010)

Cluster services conversion guide
8 eDirectory Server Certificates
Novell Certificate Server provides two categories of services: Certificate Authority (CA) and Server Certificates. The Certificate Authority services include the Enterprise CA and CRL (Certificate Revocation List). Only one server can host the CA, and normally that same server hosts the CRLs if they are enabled (although if you move the CA to a different server, the CRLs usually stay on the old server). The CA and CRL services are not cluster-enabled in either NetWare or OES 2 Linux, and therefore there are no cluster-specific tasks for them.

Novell Certificate Server provides a Server Certificates service for NetWare and Linux. The service is not clustered. However, clustered applications that use the server certificates must be able to use the same server certificates on whichever cluster node they happen to be running. Use the instructions in the following sections to set up Server Certificate objects in a clustered environment to ensure that your cryptography-enabled applications that use Server Certificate objects always have access to them.

The eDirectory Server Certificate objects are created differently in OES 2 Linux and cannot be directly reused from the NetWare server. The differences and alternatives for setting up certificates on Linux are described in the following sections:

Section 8.1, "Server Certificate Changes in OES 2 Linux," on page 43
Section 8.2, "Using Internal Certificates in a Cluster," on page 44
Section 8.3, "Using External Certificates in a Cluster," on page 44

8.1 Server Certificate Changes in OES 2 Linux

When you install NetWare or OES 2 Linux in an eDirectory environment, the Server Certificate service can create certificates for eDirectory services to use. In addition, custom certificates can be created after the install by using iManager or command line commands.

For NetWare, all applications are integrated with eDirectory. This allows applications to automatically use the server certificates created by Novell Certificate Server directly from eDirectory. In a NetWare cluster, you might have copied the Server Certificate objects to all nodes in the cluster using backup and restore functions as described in "Server Certificate Objects and Clustering" (http://www.novell.com/documentation/crt33/crtadmin/data/a2ebopb.html#acebe5n) in the Novell Certificate Server 3.3.2 Administration Guide (http://www.novell.com/documentation/crt33/crtadmin/data/a2ebomw.html).

For OES 2 Linux, many applications (such as Apache and Tomcat) are not integrated with eDirectory and therefore cannot automatically use the certificates created by Novell Certificate Server directly from eDirectory. By default, these services use self-signed certificates, which are not in compliance with the X.509 requirements as specified in RFC 2459 and RFC 3280.

To address the difference, Novell Certificate Server offers an install option for OES 2 Linux called Use eDirectory Certificates that automatically exports the default eDirectory certificate SSL Certificate DNS and its key pair to the local file system in the following files:

/etc/ssl/servercerts/servercert.pem
/etc/ssl/servercerts/serverkey.pem
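As an added check that is not part of the guide, the following POSIX shell script inspects an exported pair such as the one above: it confirms that the private key belongs to the certificate, that the certificate is not about to expire, which DNS names it carries, and prints a fingerprint you can compare across cluster nodes so that a clustered service presents the same certificate wherever it runs. It assumes the openssl command-line tool is installed; the file paths are passed as arguments (the guide's default paths appear in the usage comment).

```shell
#!/bin/sh
# Added example (not Novell's code): sanity checks for the certificate and
# key exported by the "Use eDirectory Certificates" install option.
set -u

# SHA-256 fingerprint of the certificate. Run this on every cluster node and
# compare the values: a clustered application must see the same certificate
# on whichever node it happens to be running.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 when the public half of the private key equals the public key in
# the certificate, i.e. servercert.pem and serverkey.pem really belong together.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Prints the DNS names from the subjectAltName extension, one per line.
# Clients only accept the certificate for a name listed here (or the CN).
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Human-readable summary for one certificate/key pair.
report() {
    printf 'certificate : %s\n' "$1"
    printf 'fingerprint : %s\n' "$(cert_fingerprint "$1")"
    printf 'DNS names   : %s\n' "$(cert_dns_names "$1" | tr '\n' ' ')"
    if key_matches_cert "$1" "$2"; then echo 'key/cert    : match'; else echo 'key/cert    : MISMATCH'; fi
    if cert_valid_for_days "$1" 30; then echo 'expiry      : more than 30 days left'; else echo 'expiry      : expires within 30 days'; fi
}

# Usage on an OES 2 Linux node with the exported default files:
#   sh check_servercert.sh /etc/ssl/servercerts/servercert.pem /etc/ssl/servercerts/serverkey.pem
if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```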