
Liberty Identity Provider for Novell eDirectory

Novell Confidential

06appb.fm last saved 4/14/03

Manual

Version: 3/17/03

11. In this same file, make the following changes (shown bolded in the printed manual) to the second virtual host section, the one for the common domain virtual host:

<VirtualHost nidp.commondomain.com:444>

# General setup for the virtual host
DocumentRoot C:/PROGRA~1/Novell/Apache/htdocs
ServerName nidp.commondomain.com:444

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile conf/ssl/mycommonssl.crt
#SSLCertificateFile conf/ssl.crt/server-dsa.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile conf/ssl/mycommonssl.key
#SSLCertificateKeyFile conf/ssl.key/server-dsa.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile conf/ssl/trustedroot.crt
#SSLCertificateChainFile conf/ssl.crt/ca.crt

12. If you are using self-signed certificates, the last bolded line above (the SSLCertificateChainFile directive) is not needed.

NOTE: If you are using a different port rather than a different IP address for the common domain, you need to add the port to the Allow Introductions Common Domain in the site configuration using iManager.

Importing Trusted Roots

Your well-known trusted roots file is located at C:\Program Files\Novell\jre\lib\security\cacerts. If any service provider uses SSL and the service provider's certificates are signed by a certificate authority that is not in this keystore, you will need to import the trusted root from the service provider's certificate into this keystore. Use the following command to import the service provider's trusted root into the keystore (the paths contain spaces, so they must be quoted):

"C:\Program Files\Novell\jre\bin\keytool" -import -v -file <trustedroot.crt> -alias serviceprovidertrustedroot -keystore "C:\Program Files\Novell\jre\lib\security\cacerts" -storepass changeit

where <trustedroot.crt> is replaced with the path and file name of your service provider’s trusted
root file.
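As an added example, not from the manual, the following Python reads a JKS trust store such as cacerts directly: it verifies the store's integrity digest with the -storepass (so a wrong password or a modified file is detected) and lists each trusted-root alias with its SHA-256 fingerprint, which is how you confirm that the import above landed under the expected alias and that the fingerprint matches the one the service provider published. It assumes the JKS version-2 on-disk layout (magic 0xFEEDFEED, entries, trailing SHA-1 digest keyed by the password and the fixed string "Mighty Aphrodite"); build_jks only constructs test input.

```python
import hashlib
import struct
# Assumed JKS v2 layout: magic, version, entry count, entries, then a 20-byte
# SHA-1 digest of (storepass as UTF-16BE || "Mighty Aphrodite" || store bytes).
MAGIC = 0xFEEDFEED
TRUSTED_CERT = 2  # entry tag keytool writes for an imported trusted root
_DIGEST_SALT = b"Mighty Aphrodite"

def _utf(raw: bytes) -> bytes:  # Java writeUTF: 2-byte length, then bytes
    return struct.pack(">H", len(raw)) + raw

def _read_utf(buf: bytes, pos: int):
    n, = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def _digest(body: bytes, password: str) -> bytes:
    return hashlib.sha1(password.encode("utf-16-be") + _DIGEST_SALT + body).digest()

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER cert, the value to compare with the CA's published one."""
    return hashlib.sha256(der).hexdigest()

def build_jks(entries, password: str) -> bytes:  # writes a store; used to construct test input
    body = struct.pack(">III", MAGIC, 2, len(entries))
    for alias, der in entries:
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias.encode()) + struct.pack(">Q", 0)
        body += _utf(b"X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(body, password)

def integrity_ok(data: bytes, password: str) -> bool:
    """True when the trailing digest matches: right -storepass and store not modified."""
    return _digest(data[:-20], password) == data[-20:]

def read_trusted_roots(data: bytes, password: str) -> dict:
    """Return {alias: fingerprint} for every trusted-cert entry in the store."""
    if not integrity_ok(data, password):
        raise ValueError("integrity check failed: wrong -storepass or modified keystore")
    magic, version, count = struct.unpack(">III", data[:12])
    if magic != MAGIC or version != 2:
        raise ValueError("not a JKS version-2 keystore")
    pos, roots = 12, {}
    for _ in range(count):
        tag, = struct.unpack(">I", data[pos:pos + 4])
        alias, pos = _read_utf(data, pos + 4)
        pos += 8  # entry creation timestamp (ms); not needed here
        if tag != TRUSTED_CERT:
            raise ValueError(f"entry {alias!r} is not a trusted certificate")
        _, pos = _read_utf(data, pos)  # certificate type, "X.509" from keytool
        n, = struct.unpack(">I", data[pos:pos + 4])
        roots[alias] = fingerprint(data[pos + 4:pos + 4 + n])
        pos += 4 + n
    return roots
```

For the real file, pass the bytes of cacerts and the store password; changeit is only the JRE's shipped default, and a failed integrity check with it means the password was changed on this system or the file was altered.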
