Appendix A. Post Installation Requirements for LDAP

Table of Contents
A.1. Using NDS eDirectory 8.5
A.2. Using iPlanet
A.2.1. Setting up the Trusted Certificate Authority
A.2.2. Generating a Certificate Request
A.2.3. Signing the Certificate Request
A.2.4. Importing the Signed Certificate

Use the following information if you are using eDirectory or iPlanet as your LDAP server. Instructions specific to each directory are included. Make sure you complete the instructions before installing Caldera Volution Manager Clients.

A.1. Using NDS eDirectory 8.5

Use the following instructions to complete the eDirectory configuration for SSL communication.

  1. Install and configure eDirectory as documented.

  2. When you install Volution Manager, select eDirectory for the LDAP directory.

  3. Copy the Certificate Authority (CA) certificate from /etc/opt/volution/cacerts to the system you are installing eDirectory on. This file is named volution-authority.cert.

A.1.1. Setting Up eDirectory for SSL Communication

Before starting ConsoleOne, make sure that npki is enabled, by entering the following command as root:

/usr/sbin/npki -l

ConsoleOne is now ready to handle certificates.

A.1.1.1. Setting Up the eDirectory Certificate Authority

Important: Use the following directions to use eDirectory with its own Certificate Authority in addition to the Volution Certificate Authority.

  1. In ConsoleOne, locate and select the Security container at the root of the NDS tree.

  2. Create an NDSPKI: Certificate Authority object in the Security container.

  3. Set the NDS object name to the name for this Certificate Authority.

  4. Select Custom and Next to continue.

  5. Set the Key size to 512 bits.

  6. Leave the Type set to Certificate Authority.

  7. Select Next to continue.

  8. Set Path length to Unspecified and Next to continue.

  9. Leave the Subject Name as is.

  10. Select RSA encryption with MD5 hash for the Signature algorithm.

  11. Set the Validity period to the length you want.

  12. Select Next to continue.

  13. Review the information and select Finish.

  14. Select the newly created Certificate Authority and open the object.

  15. Select the Certificates tab.

  16. On the Certificates tab, select the Self Signed Certificate from the popdown menu.

  17. Click Export.

  18. Select "File in Base64 format."

  19. Enter a path to save the file and add the extension .cacert to the filename, for example /root/eDirectory.cacert.

    Important: The following step is critical for VM Clients to communicate with the VM Server.

  20. Copy the eDirectory.cacert to each client's /etc/opt/volution/cacert directory.

    Important: This step is necessary for the Volution Manager Server and Client components to authenticate to eDirectory using SSL.

A.1.1.2. Setting Up the eDirectory Server Certificate

Important: Use the following directions, together with the previous section (Section A.1.1.1), if you are using eDirectory with its own Certificate Authority in addition to the Volution Certificate Authority.

Use the following steps to create an NDSPKI: Key Material object in the organizational unit that contains the eDirectory server object.

  1. Select the organization or organizational unit that contains your server object.

  2. Right click on the name of this organization or organizational unit.

  3. Select New > Object > NDSPKI: Key Material Object.

  4. Choose the server from the list.

  5. Give the Key Material (certificate) object a name.

  6. Select Custom and Next to continue.

  7. Select Organizational certificate authority and Next to continue.

  8. Select 512 bits for the key size.

  9. Leave the Type set to SSL or TLS.

  10. Select Next to continue.

  11. Leave the Subject Name as is.

  12. Set the Signature algorithm to RSA encryption with MD5 hash.

  13. Set Validity period to the length you want.

  14. Select Next to continue.

  15. Select "Your organization's certificates" as the trusted root certificate and Next to continue.

  16. Review the information you entered and select Finish.

  17. Locate the LDAP Server object in NDS.

  18. Select the SSL Configuration tab and click the browse button at the end of the SSL Certificate field.

  19. Select the NDSPKI: Key object you created in the above steps.

  20. Select OK to save the changes and Done to finish.

    eDirectory is now configured to use SSL for LDAP.
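
The following script is an added example, not part of the original guide: it checks the key size and signature algorithm of a Base64 certificate such as the CA certificate exported in Section A.1.1.1 (or the server certificate from Section A.1.1.2, once exported), and reports the 512-bit key and MD5 signature selected in those steps as weak. The 2048-bit minimum, the list of weak hashes, and the function names are assumptions of this example; it requires the openssl command.

```shell
#!/bin/sh
MIN_RSA_BITS=2048   # assumed policy minimum for this example, not from the guide

# Parse `openssl x509 -noout -text` output on stdin.
# Returns 0 if acceptable, 1 if a weak parameter is found, 2 if unparsable.
audit_cert_text() {
    awk -v min="$MIN_RSA_BITS" '
        /Signature Algorithm:/ && !sig { sig = $NF }
        /Public Key Algorithm:/        { alg = $NF }
        /Public[- ]Key: \([0-9]+ bit\)/ {
            bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
        }
        END {
            if (sig == "" || bits == "") { print "ERROR cannot parse certificate text"; exit 2 }
            weak = 0
            # Hash functions treated as broken for signatures (assumed list).
            if (tolower(sig) ~ /md[245]|sha1with|sha1$/) {
                print "WEAK signature algorithm: " sig; weak = 1
            }
            if (alg == "rsaEncryption" && bits + 0 < min) {
                print "WEAK key size: " bits " bits (minimum " min ")"; weak = 1
            }
            if (!weak) print "OK " sig ", " alg " " bits " bits"
            exit weak
        }'
}

# Audit a Base64 (PEM) certificate file, e.g. the exported CA certificate.
audit_cert_file() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | audit_cert_text
}

# Constructed sample: abridged text for a certificate made with the settings
# in the steps above (512-bit RSA key, MD5 signature).
sample_weak_text() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
    Signature Algorithm: md5WithRSAEncryption
EOF
}

if [ $# -gt 0 ]; then audit_cert_file "$1"; fi
```

Run it with the certificate path as its only argument, for example /root/eDirectory.cacert; an exit status of 1 means at least one weak parameter was reported.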

A.2. Using iPlanet

Use the following instructions to complete the iPlanet configuration for SSL communication.

  1. Install iPlanet 4.13 on OpenLinux 2.4 and create a symbolic link from /usr/lib/libtermcap.so.2 to /lib/libncurses.so.5.2 by entering the following:

    ln -s /lib/libncurses.so.4.2 /usr/lib/libtermcap.so.2

  2. During the Volution Manager Server installation, select iPlanet as the LDAP directory.

  3. Copy the Certificate Authority certificate from /etc/opt/volution/cacerts to the system you are installing iPlanet on. The filename is volution-authority.cert.

  4. Start the iPlanet console. See Section 1.1.1.5.3.

  5. In the iPlanet Console, expand the container, yourserver.yourcompany.com and then expand the container, Server Group.

  6. Click on Directory Server and then click the Open button.

  7. Select the Configuration tab and then the Encryption tab.

  8. Click the Enable SSL checkbox.

  9. Select the RSA checkbox under Cipher Family.

A.2.1. Setting up the Trusted Certificate Authority

  1. Select the Certificate Setup Wizard.

  2. Read the instructions > Next.

  3. Under Option 1 select internal (software).

  4. Under Option 2 select Yes and click Next.

  5. Read the instructions and click Next.

  6. Select Next if asked to set up a Trust database.

  7. Enter a password for the Netscape Trust Database and click Next.

  8. Select Trusted Certificate Authority > Next.

  9. Select "The certificate is located in this file:" and type in the full path to the Volution Manager CA certificate you copied from /etc/opt/volution/cacerts to the system you are installing iPlanet on. The filename is volution-authority.cacert.

  10. Verify that the information from the certificate is correct and select Add to add this certificate.

  11. Select Done to finish.

A.2.2. Generating a Certificate Request

  1. Select the Certificate Setup Wizard.

  2. Read the instructions > Next.

  3. Under Option 1 select internal (software).

  4. Under Option 2 select No > Next.

  5. Fill out information for generating the Certificate Request > Next.

  6. Enter your Trust Database password (it should already be filled in) > Next.

    An email should arrive containing the certificate request. Save the request to a file.

A.2.3. Signing the Certificate Request

  1. Sign the certificate request on the system you installed the VM Server on by running the following command:

    /opt/volution/bin/volutionkeytool cert request

  2. Enter the path to the X509 request file generated in the previous section.

  3. Enter the path to the directory where you stored the Volution Manager Authority Key during installation. The default for this location is a floppy.

  4. Enter the alias for the certificate authority or accept the default.

  5. Enter the CA Key password you specified during installation.

  6. Save the signed certificate to a file and copy it back to the system you have iPlanet installed on.

A.2.4. Importing the Signed Certificate

  1. Select the Certificate Setup Wizard.

  2. Read the instructions > Next.

  3. Under Option 1 select internal (software).

  4. Under Option 2 select Yes > Next.

  5. Read the instructions > Next.

  6. Select to install a certificate for this server and enter the password for the Netscape Trust Database > Next.

  7. Select "The certificate is located in this file:" and type in the full path to the file containing the signed certificate > Next.

  8. Verify that the information from the certificate is correct and select Add to add this certificate.

  9. Read the message > Done to finish.

  10. Select Save to save the changes in the Encryption setup.

  11. Stop iPlanet, by doing the following:

    1. Change to the directory where iPlanet is installed.

      The default location is /usr/netscape/server4

    2. Type the following:

      slapd-servername/stop-slapd

  12. Start iPlanet, by doing the following:

    1. Change to the directory where iPlanet is installed.

      The default location is /usr/netscape/server4

    2. Type the following:

      slapd-servername/start-slapd

    3. Enter the PIN for the internal software token. This is the Netscape Trust Database password.

    Note: If you want to manage the Volution Manager Server as a client, you must restart volutiond on the Server. The computer object for the Server will now appear in the computers organizational unit in the Management Console.

    iPlanet is now configured to use SSL.