Configuring Your Liberty Identity Provider to Run in SSL Mode 29
Manual (99a) 3/17/03103Novell Confidential 04secure.fm last saved 4/14/03
4 Configuring Your Liberty Identity Provider to Run in SSL Mode
This chapter contains information on the following topics:
Converting to Secure Mode
Customizing Your Liberty IDP User Interface
In order to become compliant with Liberty specifications, after you have successfully installed your Liberty identity provider for Novell® eDirectory™ software, you must configure it to run in a production environment. By default, your Liberty identity provider runs in test mode (HTTP). You must change this protocol to HTTPS in order to run securely (in SSL mode). You do this by configuring certificates. See the following links for more information:
Apache SSL/TLS Encryption (http://httpd.apache.org/docs-2.0/ssl)
Apache-SSL: Encryption, Certificates, and More (http://ist.uwaterloo.ca/security/lib-proxy/howto/ssleay/apache.html)
Setting Up a Secure Server (http://apacheworld.org/ty24/site.chapter17.html)
Tomcat: SSL Configuration How-To (http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html)
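The task list that follows notes that when the IDP and SP certificates are not signed by a root already present in the other side's certificate authority file, the two sides must exchange trusted roots and import them. As an added example (not from the Novell manual), the script below models that situation with two constructed private roots and shows that each side validates the other's server certificate only after the peer's root has been appended to its CA file; it assumes the openssl CLI and uses constructed example.com host names.

```shell
# Added example, not from the Novell manual: models the trusted-root exchange between a Liberty
# IDP and an SP signed by different private roots. Assumes the openssl CLI; names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_party NAME: create NAME's private root, a signing request for NAME's server (the CSR
# step), sign it, and seed NAME's trusted-root file with only NAME's own root.
make_party() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/openssl.cnf" \
    -extensions v3_ca -subj "/CN=$1 root CA" -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$1.example.com" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" \
    -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
  cp "$WORK/$1-ca.crt" "$WORK/$1-trusted.pem"
}

# peer_trusted LOCAL PEER: succeeds only if LOCAL's trusted-root file validates PEER's certificate.
peer_trusted() {
  openssl verify -CAfile "$WORK/$1-trusted.pem" "$WORK/$2.crt" >/dev/null 2>&1
}

# exchange_roots: the "import trusted roots" step; each side appends the other's root to its CA file.
exchange_roots() {
  cat "$WORK/sp-ca.crt" >> "$WORK/idp-trusted.pem"
  cat "$WORK/idp-ca.crt" >> "$WORK/sp-trusted.pem"
}

# demo: before the exchange neither side validates the other; afterwards both do.
demo() {
  make_party idp
  make_party sp
  if peer_trusted idp sp || peer_trusted sp idp; then echo "peers trusted before exchange"; return 1; fi
  exchange_roots
  peer_trusted idp sp && peer_trusted sp idp && echo "IDP and SP now trust each other's roots"
}
demo
```

The same openssl verify check, run against the real CA file and the peer's certificate, confirms that a trusted-root import succeeded before the IDP and SP are switched to HTTPS.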
Converting to Secure Mode
Complete the following tasks to convert your Liberty IDP to SSL (secure) mode:
1 Create a signing request (based on the domain name of the server you will be running on). For information on how to do this, see “Creating Certificates for Apache” on page 30.
We recommend that you have a trusted third party in place to sign the certificates. Having a well-known trusted authority will make this process easier.
During the installation, a signing certificate was created. In addition to the signing certificate, for each provider you use, you will need a certificate for communication and a certificate for introductions. If you are not using introductions, then you only need one certificate.
2 Configure the Web server to use the certificates.
2a Modify your Apache configuration. For examples of how to do this, see “Modifying the Apache Configuration Files” on page 39.
NOTE: If you are not signing certificates by a trusted root that is in the certificate authority’s file, you will need to exchange trusted roots for the IDP and SP, then import them into their respective certificate files. (See “Importing Trusted Roots” on page 42 for details.)
3 Change iManager from http to https:
3a In iManager, click the Liberty Management role.