Novell OPEN ENTERPRISE SERVER 2 SP 2 - CLUSTER SERVICES 1.8.7 FOR LINUX Manual page 73


For NetWare, all applications are integrated with eDirectory. This allows applications to
automatically use the server certificates created by Novell Certificate Server directly from
eDirectory. In a NetWare cluster, you might have copied the Server Certificate objects to all nodes in
the cluster using backup and restore functions as described in "Server Certificate Objects and
Clustering" in the Novell Certificate Server 3.3.2 Administration Guide.

For OES 2 Linux, many applications (such as Apache and Tomcat) are not integrated with
eDirectory and therefore, cannot automatically use the certificates created by Novell Certificate
Server directly from eDirectory. By default, these services use self-signed certificates, which are not
in compliance with the X.509 requirements as specified in RFC 2459 and RFC 3280.

To address the difference, Novell Certificate Server offers an install option for OES 2 Linux called
Use eDirectory Certificates that automatically exports the default eDirectory certificate SSL
Certificate DNS and its key pair to the local file system in the following files:

/etc/ssl/servercerts/servercert.pem
/etc/ssl/servercerts/serverkey.pem

Using Internal Certificates in a Cluster

Recent versions of Novell Certificate Server create default certificates that allow you to specify an
alternative IP address or DNS address by adding it in the Subject Alternative Name extension. This
requires that your DNS service be configured to reflect the cluster IP/DNS address as the default (or
first) address. If the DNS service is set up correctly, the cluster applications can use the default
certificates without needing any administration.

IMPORTANT: If the DNS service is not set up correctly, then you must use the process described
for external certificates in "Using External Certificates in a Cluster" on page 73.

For OES 2 Linux clusters using the internal certificate method, make sure the DNS service is
configured to use the cluster IP/DNS address. During the OES 2 Linux install, select the Use
eDirectory Certificates option so that Novell Certificate Server automatically creates the SSL
Certificate DNS certificate with the correct IP/DNS address. By selecting the Use eDirectory
Certificates option during the install and using the cluster IP/DNS address, clustered applications
should be able to access the certificates without needing further configuration for the Server
Certificate object.

Using External Certificates in a Cluster

External (third-party) certificates create a Server Certificate object that includes the cluster's IP and/
or DNS address. Create a backup of this certificate. For each server in the cluster, create a Server
Certificate object with the same name by importing the previously created backup certificate and
key pair to a location on that server. This allows all of the servers in the cluster to use and share the
same certificate and key pair. After all cluster nodes have the certificate, configure the cluster
applications to use the server certificate.

IMPORTANT: This cluster task can also be used for sharing internal certificates on the cluster
nodes. In early versions of Novell Certificate Server, this was the only option available.

For information about exporting and using eDirectory Server Certificates for External Services, see
"Using eDirectory Certificates with External Applications" in the Novell Certificate Server 3.3.2
Administration Guide.
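
The two conditions described above (the cluster IP/DNS address is listed in the Subject Alternative Name, and every node holds the same certificate and key pair) can be checked on each node with OpenSSL. This is an added example, not part of the Novell documentation; it assumes the openssl command is installed and the key file is unencrypted, and the function names and the cluster address argument are illustrative.

```shell
#!/bin/sh
# Added example: verify a node's exported certificate before clustered services use it.
# Default paths are the ones named on this page; the key is assumed to be unencrypted.
CERT=${CERT:-/etc/ssl/servercerts/servercert.pem}
KEY=${KEY:-/etc/ssl/servercerts/serverkey.pem}

# Print the Subject Alternative Name entries of a certificate, one per line,
# in openssl's text form ("DNS:name" or "IP Address:addr").
san_entries() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^ *//'
}

# Succeed only if the cluster DNS name or IP address ($2) is listed in the SAN.
# Exact match only: wildcard entries are not expanded.
san_has() {
    san_entries "$1" | grep -qxiF -e "DNS:$2" -e "IP Address:$2"
}

# Succeed only if the private key ($2) belongs to the certificate ($1),
# by comparing the public key derived from each.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# SHA-256 fingerprint; identical on every node that imported the same certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_node_cert CERT KEY CLUSTER_ADDRESS
check_node_cert() {
    san_has "$1" "$3" || { echo "FAIL: $3 is not in the SAN of $1"; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; return 2; }
    echo "OK $(cert_fingerprint "$1")"
}

# Run as: sh check.sh <cluster-ip-or-dns>   (the script name is arbitrary)
if [ "$#" -eq 1 ]; then
    check_node_cert "$CERT" "$KEY" "$1"
fi
```

Run it on every cluster node with the cluster address as the argument; nodes that share one certificate and key pair print the same fingerprint after OK.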
Converting NetWare 6.5 Clusters to OES 2 Linux