Novell iManager 2.7.5 Administration Guide - NetIQ
A iManager Security Issues
This section provides information about potential security issues related to iManager, and includes information about the following topics:
• Section A.1, "Secure LDAP Certificates," on page 111
• Section A.2, "Self-Signed Certificates," on page 112
• Section A.3, "iManager Authorized Users and Groups," on page 113
• Section A.4, "Preventing User Name Discovery," on page 113
• Section A.5, "Tomcat Settings," on page 113
• Section A.6, "Encrypted Attributes," on page 114
• Section A.7, "Secure Connections," on page 114
A.1 Secure LDAP Certificates
iManager can create secure LDAP connections behind the scenes without any user intervention. If the LDAP server's SSL certificate is updated for any reason (for example, a new Organizational CA), iManager should automatically retrieve the new certificate using the authenticated connection and import it into its own keystore database.
If this does not happen correctly, you must delete the private key store that iManager uses, in order to force iManager and Tomcat to re-create the database and reacquire the certificate:
1 Shut down Tomcat.
2 Delete the TOMCAT_HOME\webapps\nps\WEB-INF\iMKS file.
3 Restart Tomcat.
For information about restarting Tomcat, see "Starting and Stopping Tomcat" on page 94.
4 Open iManager in a browser and log back in to the tree, to automatically reacquire the new certificate and re-create the database store.
Alternatively, you can manually import the required certificate into Tomcat's JVM default keystore using the keytool certificate management utility available in the JDK. When creating secure SSL connections, iManager first tries the JVM default keystore, then uses the iManager-specific keystore database.
After you have an eDirectory certificate saved in DER format, you must import the trusted root certificate into the iManager keystore. To do this, you need a JDK to use keytool. If only a JRE was installed with iManager, you must download a JDK to use keytool.
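The following script is an added example, not part of the guide or of NetIQ's own tooling. It implements both procedures above: the keystore reset (stop Tomcat, remove iMKS, start Tomcat) and the alternative keytool import of a DER trusted root. It takes a backup of iMKS before deleting it so the previous trust state can be restored, and it prints the certificate's fingerprint before importing it so the operator can compare it against the value published by the CA. Assumed, and not stated in the guide: a Linux Tomcat layout controlled through $TOMCAT_HOME/bin/shutdown.sh and startup.sh, the JDK's default keystore password "changeit", and a DRY_RUN switch that only prints the keytool command.

```shell
#!/bin/sh
# Added example (not from the guide): reset the iManager keystore (iMKS) so that
# Tomcat re-creates it and iManager reacquires the LDAP certificate on the next
# login, or import a DER trusted root into the JVM default keystore with keytool.
# Assumptions: Linux Tomcat layout with bin/shutdown.sh and bin/startup.sh;
# the guide itself names only TOMCAT_HOME\webapps\nps\WEB-INF\iMKS and keytool.
set -u

# Steps 1-3 of the guide. Takes a timestamped backup of iMKS before removing it
# and prints the backup path. Tomcat start/stop is skipped if the scripts are
# absent, which lets the file handling run on a non-Tomcat host.
reset_imanager_keystore() {
  tomcat_home="$1"
  ks="$tomcat_home/webapps/nps/WEB-INF/iMKS"
  [ -f "$ks" ] || { echo "no iMKS keystore at $ks" >&2; return 1; }
  backup="$ks.bak.$(date +%Y%m%d%H%M%S)"
  if [ -x "$tomcat_home/bin/shutdown.sh" ]; then
    "$tomcat_home/bin/shutdown.sh" >/dev/null 2>&1 || return 1
  fi
  cp -p "$ks" "$backup" || return 1
  rm -f "$ks" || return 1
  if [ -x "$tomcat_home/bin/startup.sh" ]; then
    "$tomcat_home/bin/startup.sh" >/dev/null 2>&1 || return 1
  fi
  echo "$backup"
}

# Alternative path: import a DER trusted root into a JVM keystore (for example
# the JDK's cacerts file). The fingerprint is shown first so it can be checked
# against the CA's published value before the certificate becomes trusted.
# With DRY_RUN=1 the keytool command line is printed instead of executed.
import_trusted_root() {
  der_file="$1"
  alias_name="$2"
  keystore="$3"
  storepass="${4:-changeit}"   # "changeit" is the JDK default, assumed here
  [ -f "$der_file" ] || { echo "certificate $der_file not found" >&2; return 1; }
  cmd="keytool -importcert -noprompt -trustcacerts -alias $alias_name -file $der_file -keystore $keystore -storepass $storepass"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$cmd"
    return 0
  fi
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found: install a JDK" >&2; return 1; }
  # Print only the fingerprint lines of the certificate for the operator to verify.
  keytool -printcert -file "$der_file" | grep -E 'SHA(1|256):' || return 1
  $cmd
}

# Typical use on the iManager host (TOMCAT_HOME set in the environment):
#   reset_imanager_keystore "$TOMCAT_HOME"
#   import_trusted_root /path/to/orgca.der orgca "$JAVA_HOME/lib/security/cacerts"
```

Run the reset while no administrator is logged in, then log back in to the tree as step 4 describes; keep the printed backup path until the new certificate has been confirmed working.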
iManager Security Issues 111