Using Internal Certificates In A Cluster; Using External Certificates In A Cluster - Novell OPEN ENTERPRISE SERVER - CONVERSION GUIDE 12-2010 Manual

Cluster services conversion guide

8.2 Using Internal Certificates in a Cluster

Recent versions of Novell Certificate Server create default certificates that allow you to specify an
alternative IP address or DNS address by adding it in the Subject Alternative Name extension. This
requires that your DNS service be configured to reflect the cluster IP/DNS address as the default (or
first) address. If the DNS service is set up correctly, the cluster applications can use the default
certificates without needing any administration.

IMPORTANT: If the DNS service is not set up correctly, then you must use the process described for
external certificates in "Using External Certificates in a Cluster" on page 44.

For OES 2 Linux clusters using the internal certificate method, make sure the DNS service is
configured to use the cluster IP/DNS address. During the OES 2 Linux install, select the Use
eDirectory Certificates option so that Novell Certificate Server automatically creates the SSL
Certificate DNS certificate with the correct IP/DNS address. By selecting the Use eDirectory
Certificates option during the install and using the cluster IP/DNS address, clustered applications
should be able to access the certificates without needing further configuration for the Server
Certificate object.

8.3 Using External Certificates in a Cluster

External (third-party) certificates create a Server Certificate object that includes the cluster's IP
and/or DNS address. Create a backup of this certificate. For each server in the cluster, create a Server
Certificate object with the same name by importing the previously created backup certificate and
key pair to a location on that server. This allows all of the servers in the cluster to use and share the
same certificate and key pair. After all cluster nodes have the certificate, configure the cluster
applications to use the server certificate.

IMPORTANT: This cluster task can also be used for sharing internal certificates on the cluster
nodes. In early versions of Novell Certificate Server, this was the only option available.

For information about exporting and using eDirectory Server Certificates for External Services, see
"Using eDirectory Certificates with External Applications"
(http://www.novell.com/documentation/crt33/crtadmin/data/bh9x78f.html) in the Novell Certificate
Server 3.3.2 Administration Guide (http://www.novell.com/documentation/crt33/crtadmin/data/a2ebomw.html).

For OES 2 Linux clusters using the external certificate method, the solution is more complicated
than for internal certificates. You must create the certificate for each server in the cluster just as you
did for NetWare. You must also create a configuration on the SAS:Service object for each server so
that the common certificate is automatically exported to the file system where the non-eDirectory
enabled applications can use it.
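
The checks that sections 8.2 and 8.3 imply, as an added example that is not part of the Novell guide: it confirms that a node's certificate lists the cluster IP/DNS address in its Subject Alternative Name and that every node holds the same certificate. It assumes OpenSSL 1.1.1 or later and PEM copies of the certificates; the function names, file names, host names and address are constructed.

```shell
# Added example, not from the Novell guide. Assumes OpenSSL 1.1.1+ and PEM copies
# of each node's server certificate; all names and addresses below are constructed.

# Print the Subject Alternative Name entries of a certificate, one per line.
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# san_has CERT ADDR: succeed only on an exact DNS or IPv4 SAN entry (section 8.2).
san_has() {
    san_entries "$1" | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# SHA-256 fingerprint, to confirm that nodes share one certificate (section 8.3).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_node CERT REFERENCE ADDR...: pass if CERT is readable, identical to
# REFERENCE, and its SAN lists every cluster address given.
check_node() {
    local cert=$1 ref=$2 fp addr
    shift 2
    fp=$(fingerprint "$cert")
    [ -n "$fp" ] && [ "$fp" = "$(fingerprint "$ref")" ] ||
        { echo "$cert: not the shared certificate"; return 1; }
    for addr in "$@"; do
        san_has "$cert" "$addr" || { echo "$cert: SAN lacks $addr"; return 1; }
    done
    echo "$cert: OK"
}

# Constructed sample data: a self-signed certificate with the given SAN string.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample" \
        -addext "subjectAltName=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp/node1.pem" "DNS:cluster.example.com,IP:10.10.10.44"
cp "$tmp/node1.pem" "$tmp/node2.pem"                       # imported copy of the backup
make_sample_cert "$tmp/node3.pem" "DNS:node3.example.com"  # node-only certificate
for n in node1 node2 node3; do
    check_node "$tmp/$n.pem" "$tmp/node1.pem" cluster.example.com 10.10.10.44 || true
done
```
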
OES 2 SP3: Novell Cluster Services Conversion Guide
