Demaximis

Settings for user to download a User Certificate

OK, I've tried about all I can but now I'm totally confused!

I am running eDirectory 8.8, SP8, with iManager 2.7.7, on SLES 11 SP4 server.
This server has a Read/Write replica (only 3 servers in this tree, which are on the same LAN) and I am logged in with administrator (full) rights.

I can go through and create a User Certificate without any problems.
I can configure iManager, under RBS Configuration, so that when the user logs in to retrieve the certificate they ONLY get the NetIQ Certificate Access option under Roles and Tasks.

However, when they click on User Certificate, it is empty.
I've played around with RIGHTS and SOMETIMES (just a couple of times) I have gotten the User Certificate to show up for the User.
OK, so what's the problem?
Documenting one that is working for a User, I applied the same settings to the newest user's Certificate, but when I log in as the user it's not there, and the more confused I've gotten!

I'm sure that I'm missing documentation or I'm making it harder for myself than it should be, but your assistance would be greatly appreciated!

Thanks,

Stan
Anonymous_User

Re: Settings for user to download a User Certificate

On 2/12/2016 11:06 AM, Demaximis wrote:
>
> OK, I've tried about all I can but now I'm totally confused!
>
> I am running eDirectory 8.8, SP8, with iManager 2.7.7, on SLES 11 SP4
> server.
> This server has a Read/Write replica (only 3 servers in this tree, which
> are on the same LAN) and I am logged in with administrator (full)
> rights.
>
> I can go through and create a User Certificate without any problems.
> I can configure iManager, under RBS Configuration, so that when the user logs
> in to retrieve the certificate they ONLY get the NetIQ Certificate
> Access option under Roles and Tasks.
>
> However, when they click on User Certificate, it is empty.
> I've played around with RIGHTS and SOMETIMES (just a couple of times) I
> have gotten the User Certificate to show up for the User.
> OK, so what's the problem?
> Documenting one that is working for a User, I applied the same settings to the newest
> user's Certificate, but when I log in as the user it's not there, and the
> more confused I've gotten!
>
> I'm sure that I'm missing documentation or I'm making it harder for
> myself than it should be, but your assistance would be greatly
> appreciated!
>
> Thanks,
>
> Stan
>
>

It sounds like you need the user to be able to export their private key. To do that the user needs to be logged in, and they
need browse rights to themselves (it would be really strange if they didn't have that). Other than that they should by default
have the needed permissions.

This is the doc on the process:
https://www.netiq.com/documentation/crt33/crtadmin/data/a2ebopg.html#acst9uv
Notably: The private keys in a user’s object belong to that user. Only someone logged in as that user can export the private
key. No other user, not even the network administrator, has rights to export another user’s private key.

It has a sublink to the rights needed here:
https://www.netiq.com/documentation/crt33/crtadmin/data/a2zibyo.html

Also, my assumption is you may be using this for encrypted emails. If so, there is an Outlook configuration to point to your
eDirectory as a source so that other users don't have to first have the users' public keys. If you need that I can dig it out.


--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com

Demaximis

Re: Settings for user to download a User Certificate

Hey Will,

Thanks for the reply.

I'm surely missing something, but I do appreciate the information.
As far as I can tell the users all have the Browse right to their own object, but I still have one user that doesn't see their key.
I'll keep playing with it, and when I get it working I'll let you know what I was doing wrong/incorrectly/backwards (whatever the case may be).

When you get a chance to dig out the Outlook configuration to point to the eDirectory... that would be GREAT!

Thanks!

Stan
Anonymous_User

Re: Settings for user to download a User Certificate

On 2/16/2016 2:36 PM, Demaximis wrote:
> When you get a chance to dig out the Outlook configuration to point to
> the eDirectory... that would be GREAT!

Here are a couple of guides:
https://uit.stanford.edu/service/emailcalendar/desktop/outlook/ldap
This one is pretty complete:
https://www.ejbca.org/sensornet/LDAPHowTo/SecureEmailO/SecureEmailUsingOutlook.html

Essentially you set up eDirectory as an LDAP address book. Then when you want to send an encrypted email to the user you
search for them in THAT address book as opposed to the GAL. That will retrieve their certificate from eDirectory. The
downside is that you don't get completion as easily as with the GAL, but it works well otherwise.

After you have sent a person one encrypted email (or if you reply to a message they have signed), newer versions of Outlook
will cache that user's public key, reducing the future need to search for them.

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com

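Both of Will's replies come down to the same question: is there actually a certificate on the user object that the user can read? iManager's empty "User Certificate" page (first reply) and an Outlook LDAP address-book lookup that finds no key (second reply) both look the same from the outside. The script below is an added example for this thread, not code from either poster, NetIQ or Micro Focus. It assumes the certificate is published in the standard `userCertificate` attribute, which ldapsearch prints as `userCertificate;binary` in base64, and that the LDIF came from a command along the lines of the one in the docstring (OpenLDAP `ldapsearch` flags; the host, DNs and `mail` values are made up). Binding as the user rather than as admin is deliberate: it shows what that user's effective rights return, which is what iManager will show them. The sample LDIF is constructed inline, with a placeholder DER SEQUENCE standing in for a real certificate, so the script runs offline.

```python
"""Check whether an eDirectory user object carries a complete certificate,
reading LDIF as produced by ldapsearch (added example, not NetIQ code).

Assumed command that produces such LDIF, bound AS THE USER, not as admin:

  ldapsearch -H ldaps://edir.example.org -D 'cn=stan,ou=users,o=org' -W \
      -b 'o=org' '(mail=stan@example.com)' userCertificate

Assumption: Certificate Server publishes the user's certificate in the
standard userCertificate attribute (shown as userCertificate;binary).
"""
import base64
import re


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles folded lines (continuations start with one space) and base64
    values ("attr:: ..."), which is how binary attributes are emitted.
    Base64 values are returned as bytes, plain values as str.
    """
    unfolded = re.sub(r"\n ", "", text)          # rejoin folded lines
    entries, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                  # "attr:: base64"
            value = base64.b64decode(rest[1:].strip())
        else:                                     # "attr: text"
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def der_expected_length(blob):
    """Total byte length the outer DER TLV claims, or None if the blob does
    not begin with a SEQUENCE tag (an X.509 Certificate is a SEQUENCE)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_user_certificate(entry):
    """Classify one parsed entry: 'missing', 'not-der', 'truncated' or 'ok'.

    'missing' is the state behind an empty User Certificate page: either the
    attribute was never written or the bound user cannot read it.
    """
    values = entry.get("userCertificate;binary") or entry.get("userCertificate")
    if not values:
        return "missing"
    blob = values[0]
    expected = der_expected_length(blob)
    if expected is None:
        return "not-der"
    if len(blob) < expected:
        return "truncated"
    return "ok"


def ldif_b64(attr, blob):
    """Emit an attribute the way ldapsearch does: base64, folded at 76 cols."""
    line = f"{attr}:: {base64.b64encode(blob).decode()}"
    return "\n ".join(line[i:i + 76] for i in range(0, len(line), 76))


# Constructed sample data (not real certificates): a DER SEQUENCE with a
# 256-byte zero body; only the outer tag/length is inspected above.
FAKE_CERT = b"\x30\x82\x01\x00" + bytes(256)

SAMPLE_LDIF = "\n".join([
    "version: 1",
    "dn: cn=stan,ou=users,o=org",
    "mail: stan@example.com",
    ldif_b64("userCertificate;binary", FAKE_CERT),
    "",
    "dn: cn=newuser,ou=users,o=org",          # no certificate attribute at all
    "mail: newuser@example.com",
    "",
    "dn: cn=partial,ou=users,o=org",          # attribute present but cut short
    "mail: partial@example.com",
    ldif_b64("userCertificate;binary", FAKE_CERT[:100]),
    "",
])


def report(ldif_text):
    """Map each entry's DN to its certificate state."""
    return {e["dn"][0]: check_user_certificate(e) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, state in report(SAMPLE_LDIF).items():
        print(f"{dn}: {state}")
```

Run the real ldapsearch twice, once bound as admin and once bound as the affected user, and feed each output to `report`. If admin sees `ok` and the user sees `missing`, the problem is the user's read rights to the attribute, not the certificate itself; if both see `missing`, the certificate was never published to the object.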