Configuring HTTP Server Object: unable to use custom certifi

By default iMonitor uses the (default) SSL CertificateDNS certificate. I'd like
to use a custom certificate for HTTP instead. This should be configurable by
modifying the HTTP Server Object (with iManager or directly with LDAP), by
putting the cn of the desired certificate into the httpKeyMaterialObject attribute.

See: eDirectory administration guide:
https://www.netiq.com/documentation/edirectory-9/edir_admin/data/b1gkpdzf.html#b1h7wnjx

Unfortunately it is ignored by eDirectory.

If I delete 'cn=SSL CertificateDNS - <myserver>' altogether I can no longer connect
to the server, even though the HTTP object specifies another certificate.

The release notes of eDirectory 9.0.4 say:

'..
SSL CertificateDNS Is Not Always Used for httpkeymaterialobject Attribute of the HTTP Server Object

Issue: SSL Certificate DNS is used as a default certificate for the httpkeymaterialobject attribute of the HTTP server object. However, this certificate is not always selected for the httpkeymaterialobject attribute of the HTTP server object during eDirectory installation.

Fix: This release resolves this issue. This certificate is automatically selected for the httpkeymaterialobject attribute during eDirectory installation.
..'


See: https://www.netiq.com/documentation/edirectory-9/edirectory90_releasenotes/data/edirectory90_releasenotes.html#b1jh5zfz

Might this be related?

Does anyone know of such an issue pre-9.0.4, or how to get it working?


Thanks in advance, Florian
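The procedure in the post (point the HTTP Server object at a different Key Material Object via LDAP, then check whether the server honours it) can be split into three verifiable steps. The helpers below are an added example, not code from this thread or from NetIQ: they build the LDIF for the attribute change, extract the stored value from ldapsearch output, and compare the certificate actually served on the HTTPS port with the custom certificate by SHA-256 fingerprint, which separates "the change was never stored" from "it was stored but eDirectory ignores it". All DNs, host names, port numbers and fingerprints are placeholders or constructed sample data; the attribute is assumed to hold the KMO's DN, so check your own schema with ldapsearch first.

```shell
#!/bin/sh
# Added example, not code from the thread or from NetIQ: helpers for the
# procedure discussed above. (1) build the LDIF that points the HTTP Server
# object at a custom Key Material Object (KMO); (2) confirm from ldapsearch
# output that the attribute was actually stored; (3) confirm from openssl
# output that the HTTPS port serves the custom certificate, not the default.
# All DNs, host names, ports and fingerprints below are placeholders/constructed.

HTTP_OBJ_DN='cn=http server - MYSERVER,o=example'   # placeholder
KMO_DN='cn=Custom HTTPS Cert - MYSERVER,o=example'  # placeholder
HTTPS_PORT=8030                                     # assumed HTTPS port; adjust to your install

# (1) LDIF for: ldapmodify -H ldaps://host:636 -D "cn=admin,o=example" -W -f http.ldif
# Assumes httpKeyMaterialObject holds the KMO DN (verify with ldapsearch if unsure).
make_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: httpKeyMaterialObject\nhttpKeyMaterialObject: %s\n' "$1" "$2"
}

# (2) Pull httpKeyMaterialObject out of LDIF as printed by
#   ldapsearch -LLL -H ldaps://host:636 -D ... -W -b "$HTTP_OBJ_DN" -s base httpKeyMaterialObject
# An empty result means the change never reached the directory, which is a
# different problem from "stored but ignored".
stored_kmo() {
    printf '%s\n' "$1" | sed -n 's/^httpKeyMaterialObject: *//p'
}

# (3) Normalise a fingerprint line such as
#   "sha256 Fingerprint=AB:CD:..." (from: openssl x509 -noout -fingerprint -sha256)
# to lower-case hex without separators so two outputs can be compared safely.
fp_norm() {
    printf '%s\n' "$1" | sed -n 's/.*[Ff]ingerprint=//p' | tr -d ':' | tr 'A-F' 'a-f'
}

# Compare the certificate served on the HTTPS port with the custom one:
#   served:   openssl s_client -connect host:$HTTPS_PORT </dev/null 2>/dev/null \
#             | openssl x509 -noout -fingerprint -sha256
#   expected: openssl x509 -in custom.pem -noout -fingerprint -sha256
# Prints "custom" and returns 0 on a match, "default/other" and 1 otherwise.
served_is_custom() {
    served=$(fp_norm "$1")
    expected=$(fp_norm "$2")
    if [ -n "$served" ] && [ "$served" = "$expected" ]; then
        echo custom; return 0
    fi
    echo default/other; return 1
}
```

Run the three checks in order after each change (and again after restarting eDirectory, since the reply below notes an older bug where a certificate change only took effect after a restart): if `stored_kmo` is empty the LDAP write failed; if it shows the custom KMO but `served_is_custom` still reports `default/other`, the attribute is stored but not honoured, which is the behaviour described in this thread.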

  • On 05/16/2019 05:34 AM, florianz wrote:
    >
    > By default imonitor uses the (default) SSL CertificateDNS certificate.
    > I'd like
    > to use a custom certificate for HTTP instead. This should be
    > configurable by
    > modifying the HTTP Server Object (with iManager or directly with ldap),
    > by
    > putting the cn of the desired certificate into the httpKeyMaterialObject
    > attribute.
    >
    > see: edirectory administration guide:
    > https://www.netiq.com/documentation/edirectory-9/edir_admin/data/b1gkpdzf.html#b1h7wnjx
    >
    > unfortunately it is ignored by edirectory.
    >
    > if i delete 'cn=SSL CertificateDNS - <myserver>' altogether i can no
    > longer connect
    > to the server, regardless that the http-object is specifying another
    > certificate.


    Please include exact steps; e.g. did you restart eDirectory at any point
    in there? I know it should not matter, but a (likely unrelated) bug from
    a few years ago prevented changing the LDAPS certificate within eDirectory
    unless eDirectory was restarted. Also, it may be useful to see what the
    HTTP server logs/traces during its startup.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • - I did restart.
    - Regarding traces: how would I do that? Activating DSTrace in the NDS console (on the Win2012 server itself, which I'm on via RDP) displays no trace.

    Thanks. Florian