florianz1

Configuring HTTP Server Object: unable to use custom certificate

By default iMonitor uses the (default) SSL CertificateDNS certificate. I'd like
to use a custom certificate for HTTP instead. This should be configurable by
modifying the HTTP Server Object (with iManager or directly with LDAP), by
putting the cn of the desired certificate into the httpKeyMaterialObject attribute.

See the eDirectory administration guide:
https://www.netiq.com/documentation/edirectory-9/edir_admin/data/b1gkpdzf.html#b1h7wnjx

Unfortunately it is ignored by eDirectory.

If I delete 'cn=SSL CertificateDNS - <myserver>' altogether I can no longer connect
to the server, even though the HTTP object specifies another certificate.

The release notes of eDirectory 9.0.4 say:

> SSL CertificateDNS Is Not Always Used for httpkeymaterialobject Attribute of the HTTP Server Object
>
> Issue: SSL Certificate DNS is used as a default certificate for the httpkeymaterialobject attribute of the HTTP server object. However, this certificate is not always selected for the httpkeymaterialobject attribute of the HTTP server object during eDirectory installation.
>
> Fix: This release resolves this issue. This certificate is automatically selected for the httpkeymaterialobject attribute during eDirectory installation.


see: https://www.netiq.com/documentation/edirectory-9/edirectory90_releasenotes/data/edirectory90_releasenotes.html#b1jh5zfz

Might this be related?

Does anyone know of such an issue pre 9.0.4, or how to get it working?


Thanks in advance, Florian

Knowledge Partner

Re: Configuring HTTP Server Object: unable to use custom certificate

On 05/16/2019 05:34 AM, florianz wrote:
>
> By default iMonitor uses the (default) SSL CertificateDNS certificate. I'd like
> to use a custom certificate for HTTP instead. This should be configurable by
> modifying the HTTP Server Object (with iManager or directly with LDAP), by
> putting the cn of the desired certificate into the httpKeyMaterialObject
> attribute.
>
> See the eDirectory administration guide:
> https://www.netiq.com/documentation/edirectory-9/edir_admin/data/b1gkpdzf.html#b1h7wnjx
>
> Unfortunately it is ignored by eDirectory.
>
> If I delete 'cn=SSL CertificateDNS - <myserver>' altogether I can no longer
> connect to the server, even though the HTTP object specifies another
> certificate.

Please include exact steps; e.g. did you restart eDirectory at any point
in there? I know it should not matter, but a (likely unrelated) bug from
a few years ago prevented changing the LDAPS certificate within eDirectory
unless eDirectory was restarted. Also, it may be useful to see what the
HTTP server logs/traces during its startup.

--
Good luck.
florianz1

Re: Configuring HTTP Server Object: unable to use custom certificate

- I did restart.
- Regarding traces: how would I do that? Activating DSTrace in the NDS console (on the Win2012 server itself, which I'm on via RDP) displays no trace.

Thanks. Florian

florianz1

Re: Configuring HTTP Server Object: unable to use custom certificate

Got it: uncheck 'Enable extended key usage'.

What a diva.

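As an added example (not from this thread or from NetIQ), a shell check for the property the final reply turns on: whether a PEM certificate carries an Extended Key Usage extension at all, so a candidate certificate can be compared with the working one before its cn is put into httpKeyMaterialObject. It assumes the openssl command line tool is installed and builds its own throw-away test certificates.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a PEM certificate for the
# X.509 Extended Key Usage (EKU) extension. The thread's fix was to issue the
# HTTP certificate with "Enable extended key usage" unchecked, i.e. without an
# EKU extension, so this is the property to compare between a working and a
# rejected certificate before its cn goes into httpKeyMaterialObject.
# Assumes the openssl CLI (1.1.1 or newer, for 'req -addext') is installed.

# Print the EKU purposes of a PEM certificate (one line, comma separated),
# or nothing when the certificate has no EKU extension.
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 \
        | sed 's/^[[:space:]]*//'
}

# Exit status 0 when the certificate carries an EKU extension, 1 otherwise.
cert_has_eku() {
    [ -n "$(cert_eku "$1")" ]
}

# One-line verdict per certificate, in the form you would paste into a ticket.
cert_report() {
    if cert_has_eku "$1"; then
        echo "$1: EKU present ($(cert_eku "$1"))"
    else
        echo "$1: no EKU extension"
    fi
}

# Constructed test data: two throw-away self-signed certificates, one with an
# EKU of serverAuth and one without any EKU extension, written into "$1".
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=with-eku" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$1/with-eku.key" -out "$1/with-eku.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=no-eku" \
        -keyout "$1/no-eku.key" -out "$1/no-eku.pem" 2>/dev/null
}

# Stand-alone run: build the two test certificates and report on each.
workdir=$(mktemp -d)
make_test_certs "$workdir"
cert_report "$workdir/with-eku.pem"
cert_report "$workdir/no-eku.pem"
```

Point `cert_report` at the certificate exported from the object named in httpKeyMaterialObject to see which of the two cases it falls into.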