Installing iManager
novdocx (en) 22 June 2009
The trusted roots are contained in the /etc/opt/novell/java/security/cacerts file. The file for configuring Tomcat's use of certificates is /etc/opt/novell/tomcat5/server.xml.
1. Create a new server certificate with iManager.
In iManager, select Novell Certificate Server > Create Server Certificate. Select the appropriate
server, specify a nickname and accept the rest of the certificate defaults.
2. Export the server certificate to the Tomcat home directory (/var/opt/novell/novlwww).
In iManager, select Directory Administration > Modify Object. Browse to and select the KMO object. In the Certificates tab, select Export. Specify a password and save the server certificate as a PKCS12 file (.pfx).
3. Convert the .pfx file to a .pem file.
To do this, use a command similar to the following:
openssl pkcs12 -in newtomcert.pfx -out newtomcert.pem
Specify the certificate password specified in step 2, and specify a password for the new .pem file. You can use the same password, if desired.
4. Convert the .pem file to a .p12 file.
To do this, use a command similar to the following:
openssl pkcs12 -export -in newtomcert.pem -out newtomcert.p12 -name "New Tomcat"
Specify the certificate password specified in step 3, and specify a password for the new .p12 file. You can use the same password, if desired.
5. Stop Tomcat.
/etc/init.d/novell-tomcat5 stop
6. Edit the Tomcat configuration file (/etc/opt/novell/tomcat5/server.xml) and add keystoreType, keystoreFile, and keystorePass variables to let Tomcat use the newly created .p12 certificate file. For example:
    <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
        port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
        acceptCount="100" debug="0" scheme="https" secure="true"
        useURIValidationHack="false" disableUploadTimeout="true">
        <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
            clientAuth="false" protocol="TLS"
            keystoreType="PKCS12"
            keystoreFile="/var/opt/novell/novlwww/newtomcert.p12"
            keystorePass="password" />
    </Connector>
When setting the keystore type to PKCS12 you must specify the entire path to the certificate
file, as Tomcat will no longer default to using the Tomcat home path.
7. Change the .p12 file's ownership to the appropriate Tomcat user and group (normally novlwww), and set the file permissions to user=rw, group=rw, and others=r. For example:
chown novlwww:novlwww newtomcert.p12
chmod 654 newtomcert.p12
8. Restart Tomcat. For example:
/etc/init.d/novell-tomcat5 start
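Steps 3 and 4 as a non-interactive script, followed by a check that the resulting .p12 opens with its password and holds exactly one private key before Tomcat is pointed at it. This is an added example, not from the Novell guide; it assumes openssl is on PATH and substitutes a throwaway self-signed certificate for the iManager KMO export.

```shell
#!/bin/sh
# Round-trips an exported .pfx through steps 3 and 4 non-interactively and then
# verifies the resulting .p12 before Tomcat is pointed at it. Added example, not
# from the Novell guide; assumes openssl is on PATH. File names are constructed.
set -eu

# convert_for_tomcat IN.pfx PFX_PASSWORD OUT.p12 P12_PASSWORD FRIENDLY_NAME
convert_for_tomcat() {
    pfx=$1; pfx_pass=$2; p12=$3; p12_pass=$4; name=$5
    pem="${p12%.p12}.pem"
    # Step 3: .pfx -> .pem; the key is re-encrypted under the same password
    openssl pkcs12 -in "$pfx" -out "$pem" -passin "pass:$pfx_pass" -passout "pass:$pfx_pass"
    # Step 4: .pem -> .p12 with the friendly name Tomcat shows for the entry.
    # Note: OpenSSL 3 defaults to PBES2/AES here; very old JVMs need -legacy.
    openssl pkcs12 -export -in "$pem" -out "$p12" -name "$name" \
        -passin "pass:$pfx_pass" -passout "pass:$p12_pass"
    rm -f "$pem"   # the intermediate PEM carries the private key; do not leave it behind
}

# verify_p12 FILE.p12 PASSWORD: prints the certificate subject and succeeds only if
# the keystore opens with that password and holds exactly one private key.
verify_p12() {
    p12=$1; p12_pass=$2
    openssl pkcs12 -in "$p12" -passin "pass:$p12_pass" -nokeys -clcerts \
        | openssl x509 -noout -subject
    keys=$(openssl pkcs12 -in "$p12" -passin "pass:$p12_pass" -nocerts -nodes \
        | grep -c 'BEGIN.*PRIVATE KEY')
    [ "$keys" -eq 1 ]
}

# demo: a throwaway self-signed certificate stands in for the iManager KMO export.
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=imanager.example" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/cert.pem" \
        -out "$work/newtomcert.pfx" -passout pass:exportpw
    convert_for_tomcat "$work/newtomcert.pfx" exportpw "$work/newtomcert.p12" tomcatpw "New Tomcat"
    verify_p12 "$work/newtomcert.p12" tomcatpw
    rm -rf "$work"
}

demo
```

Run verify_p12 against the real newtomcert.p12 and its password before step 8; a wrong password or a keystore without a key fails here instead of at Tomcat startup.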