A Imanager Security Issues; Secure Ldap Certificates - Novell IMANAGER 2.7.3 - ADMINISTRATION Administration Manual

A iManager Security Issues
This section provides information about potential security issues related to iManager, and includes
information about the following topics:
Section A.1, "Secure LDAP Certificates"
Section A.2, "Self-Signed Certificates"
Section A.3, "iManager Authorized Users and Groups"
Section A.4, "Preventing Username Discovery"
Section A.5, "Tomcat Settings"
Section A.6, "Encrypted Attributes"
Section A.7, "Secure Connections"
A.1 Secure LDAP Certificates
iManager can create secure LDAP connections behind the scenes without any user intervention. If
the LDAP server's SSL certificate is updated for any reason (for example, new Organizational CA),
iManager should automatically retrieve the new certificate using the authenticated connection and
import it into its own keystore database.
If this does not happen correctly, you must delete the private key store that iManager uses, in order
to force iManager and Tomcat to re-create the database and reacquire the certificate:
1 Shut down Tomcat.
2 Delete the TOMCAT_HOME\webapps\nps\WEB-INF\iMKS file.
3 Restart Tomcat.
For information about restarting Tomcat, see "Starting and Stopping Tomcat".
4 Open iManager in a browser and log back in to the tree, to automatically reacquire the new
certificate and re-create the database store.
Alternately, you can also manually import the required certificate into Tomcat's JVM default
keystore using the keytool certificate management utility available in the JDK*. When creating
secure SSL connections, iManager first tries the JVM default keystore, then uses the iManager
specific keystore database.
After you have an eDirectory™ certificate saved in DER format, you must import the trusted root
certificate into the iManager keystore. To do this, you need a JDK to use keytool. If a JRE was
installed with iManager, you must download a JDK to use the keytool.
NOTE: For information about creating a .der certificate file, see Exporting a Trusted Root or
Public Key Certificate (http://www.novell.com/documentation/crt32/crtadmin/data/a2ebopb.html)
in the Novell Certificate Server Admin Guide. You will want to export the trusted root certificate.
1 Open a command window.
2 Change to the \bin directory where you have installed the JDK.
For example, on a Windows system, you would enter the following command:
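As an added example (not taken from the Novell manual), the manual import into the JVM default keystore described above can be scripted so that the DER file's SHA-256 fingerprint is checked against a value obtained out of band before keytool trusts it. This POSIX shell version assumes sha256sum is available and that the last argument is the home of the JVM Tomcat runs on; the function names and the KEYTOOL and STOREPASS variables are hypothetical, and the keytool arguments are the same on Windows.

```shell
#!/bin/sh
# Added example: import a DER trusted root into the JVM default keystore
# only after its SHA-256 fingerprint matches a value obtained out of band.
# Function names are hypothetical; sha256sum (GNU coreutils) is assumed.
# Usage: sh import-root.sh ROOT.der ALIAS EXPECTED_SHA256 JVM_HOME

# A certificate fingerprint is the hash of its DER encoding, so hashing
# the .der file directly yields the SHA-256 fingerprint (lowercase hex).
der_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Compare against an expected fingerprint given as plain hex or AA:BB:...
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ -n "$want" ] && [ "$(der_sha256 "$1")" = "$want" ]
}

# Locate the default truststore: jre/lib/security (JDK 8 and earlier)
# or lib/security (a JRE home, or JDK 9 and later).
jvm_cacerts() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# import_root DER_FILE ALIAS EXPECTED_SHA256 JVM_HOME
import_root() {
    ks=$(jvm_cacerts "$4") || { echo "no cacerts under $4" >&2; return 1; }
    fingerprint_matches "$1" "$3" || {
        echo "fingerprint mismatch, not importing $1" >&2; return 1; }
    # KEYTOOL may point at a separately downloaded JDK when Tomcat runs
    # on a JRE. "changeit" is the JDK's default truststore password.
    kt=${KEYTOOL:-$4/bin/keytool}
    # JDK 5 and earlier name this subcommand -import.
    "$kt" -importcert -trustcacerts -noprompt -alias "$2" -file "$1" \
        -keystore "$ks" -storepass "${STOREPASS:-changeit}" || return 1
    # Show the stored entry so the fingerprint can be re-checked by eye.
    "$kt" -list -v -alias "$2" -keystore "$ks" \
        -storepass "${STOREPASS:-changeit}"
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then import_root "$@"; fi
```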
