SSL certificate installation eDir1 to eDir2

Hi 

I am using IDM 4.8 on SLES. I have created a replica of eDir1 to eDir2 using the option Existing server/tree.

Therefore I am able to see all user information and drivers from iManager.

Now I have configured a VIP and load balancing on port 636 for my eDirectory.

But now when I configure the VIP inside User Application or Secure Login,

it is showing unable to connect. For that to work, what do I need to do? Do I need to install the SSL cert from master to slave eDirectory using iManager? Or is there any configuration?


Please guys help me out here.

  • In one tree, the various servers get certificates all signed by the same certificate authority: the tree CA (Organizational CA in the Security container at the root of the tree).

    So both servers have different certificates (Private Keys) but signed by the same CA.

    Export the Tree CA and import it into IDM Apps.  Now as it happens, if you use the configupdate.sh tool in GUI mode, and after configuring the LDAP host (your VIP) you then click one of the object browsers to, say, select the User container or Group, or Driver DN, or whatever, then the built-in LDAP browser it uses to show you the OU structure to select from will auto-import the tree CA, or at least the CA that signed the LDAP server cert.

    So two approaches.

    1) Get the VIP to use a cert signed by the CA in the eDir tree.  (Then if you fail over to a single node, it should still work, with the same CA for the VIP and the two nodes.)

    2) Get the signer of the VIP's cert into the ID Apps truststore.

  • Thanks geoffc,

    I will be needing one last bit of help, because I'm going wrong somewhere while exporting the CA cert from iManager.

    Can you tell me the steps to export the CA cert from iManager and import it into userapp? And also, will the CA cert created using iManager have the VIP IP address inside it?


  • The easiest way to get the right cert out of iManager is slightly less obvious but makes sense once you do it.

    iManager, Server Certificates, tick any cert on any server (they are all signed by the same CA) and select Export.  There is a drop-down with the actual cert's public key (and private key if you tick the box; don't), but the second cert in that drop-down is the CA cert. Export that one as base64.

    Then you need to use keytool to import it.

    Now as I said, easiest way is to use configupdate.sh in GUI mode on Linux or Winders, and browse the tree to select an OU or Driver DN.  That auto imports the correct cert.

    Failing that:

    /opt/netiq/common/jre/bin/keytool -keystore /opt/netiq/idm/apps/tomcat/conf/idm.jks -storepass changeit -import -alias TreeCA -trustcacerts -file /path/to/base64.file

    I would also run it again with the keystore path and password changed to cover /opt/netiq/idm/apps/osp/osp.jks as well.
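The checks behind the two approaches in the answers above (does the VIP's cert chain to the tree CA, and is that CA in the IDM Apps truststore), as an added example that is not part of the original thread. It builds a throwaway "tree CA", a VIP certificate signed by it, and an unrelated CA locally with openssl (a constructed fixture, so it runs offline), shows that the VIP cert verifies against the tree CA and not against the other CA (the "unable to connect" case), shows that the VIP name and address live in the server certificate's SAN and not in the CA certificate, and imports the CA into a JKS truststore with keytool. The hostname vip.example.test, the address 192.0.2.10, the fetch_chain helper and the temporary keystore are assumptions; the two keystore paths from the answer appear only in a comment. The base64 CA file exported from iManager is exactly what would go in the -CAfile / -file arguments.

```shell
#!/bin/sh
# Added example (not from the thread): check which CA signed the certificate a
# VIP presents on 636, confirm it chains to the eDirectory tree CA, see where the
# VIP's name/address actually live, and import the CA into a JKS truststore.
# Everything below runs offline on a constructed fixture (a throwaway "tree CA",
# a VIP cert it signed, and an unrelated CA); names and addresses are assumptions.
set -u

# Live use only (not run offline): save the chain a VIP presents on LDAPS.
# Usage: fetch_chain vip.example.test 636 /tmp/vip-chain.pem
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$3"
}

# Constructed fixture in directory $1: tree-ca.pem signs vip.pem; other-ca.pem
# signs nothing (stands in for a VIP cert issued outside the tree).
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=EXAMPLE-TREE/OU=Security/CN=Organizational CA" \
        -keyout "$d/tree-ca.key" -out "$d/tree-ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=OTHER/CN=Other CA" \
        -keyout "$d/other-ca.key" -out "$d/other-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vip.example.test" \
        -keyout "$d/vip.key" -out "$d/vip.csr" 2>/dev/null
    # The VIP name and address go into the server cert's SAN, never into the CA cert.
    printf 'subjectAltName=DNS:vip.example.test,IP:192.0.2.10\n' > "$d/san.cnf"
    openssl x509 -req -days 2 -in "$d/vip.csr" -CA "$d/tree-ca.pem" -CAkey "$d/tree-ca.key" \
        -CAcreateserial -extfile "$d/san.cnf" -out "$d/vip.pem" 2>/dev/null
}

# chain_ok ca.pem cert.pem : 0 if cert verifies against ca. This is the decision
# a truststore-backed client (the IDM Apps LDAPS connection) makes; if it fails
# here it fails there too.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Who signed a cert, and a CA's own name, printed the same way so they compare.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }

# Subject Alternative Name line of a cert (empty for a cert that has none).
san_of() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# import_ca keystore storepass alias ca.pem : add a trusted CA to a JKS store
# (creates it if missing). Returns 2 when keytool is not on PATH.
import_ca() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -importcert -noprompt -trustcacerts -keystore "$1" -storepass "$2" \
        -alias "$3" -file "$4" >/dev/null 2>&1
}
has_alias() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Demo run when invoked with no arguments. In production the import would target
# both stores named in the thread: /opt/netiq/idm/apps/tomcat/conf/idm.jks and
# /opt/netiq/idm/apps/osp/osp.jks (followed by a Tomcat restart).
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    make_fixture "$tmp"
    echo "VIP cert issuer : $(issuer_of "$tmp/vip.pem")"
    echo "Tree CA subject : $(subject_of "$tmp/tree-ca.pem")"
    echo "VIP cert SAN    : $(san_of "$tmp/vip.pem")"
    echo "Tree CA SAN     : '$(san_of "$tmp/tree-ca.pem")'"
    chain_ok "$tmp/tree-ca.pem" "$tmp/vip.pem" && echo "chains to tree CA : yes"
    chain_ok "$tmp/other-ca.pem" "$tmp/vip.pem" || echo "chains to other CA: no (the 'unable to connect' case)"
    if import_ca "$tmp/demo.jks" changeit TreeCA "$tmp/tree-ca.pem"; then
        has_alias "$tmp/demo.jks" changeit TreeCA && echo "TreeCA imported into $tmp/demo.jks"
    else
        echo "keytool not found; skipped the JKS import"
    fi
fi
```

Against a real VIP, run fetch_chain first and then chain_ok with the base64 tree CA exported from iManager; if the load balancer presents an intermediate in front of the VIP cert, pass that file to openssl verify with -untrusted as well, since verify only judges the first certificate in the file. When chain_ok fails there, the VIP is presenting a cert the tree CA did not sign, so either re-issue it from the tree CA (approach 1) or import whatever CA did sign it into both keystores (approach 2).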