Policy Server Guides › Policy Server Configuration Guide › Troubleshooting SSL Authentication Schemes › Certificate-based Authentication Tests › Install the Oracle iPlanet Web Server Certificate

Install the Oracle iPlanet Web Server Certificate

If you have not already done so, generate a key for your web server using a command line utility. See the iPlanet documentation for the details.

Follow these steps:

1. Once you create a key, request a certificate. This request is made under Keys & Certificates: Request Certificate in Netscape Server Administration.
2. Go to the Certificate Authority and load the request. The Certificate Authority then creates a Server Certificate for you.
3. Load the Server Certificate into the Web Server. This operation is performed under Keys & Certificates: Install Certificate. When filling out this information be sure to select This Server under the Certificate For section.
4. Once the certificate is loaded, verify that it is there and trusted by going to Manage Certificates. Look for the ServerCert certificate. Select the Certificate and verify that it is trusted.
5. Click OK and restart the Web Server.

Configure the Netscape Web Server to use SSL

After installing the Netscape Web Server Certificate, you must configure the Netscape Web Server to use SLL by requiring certificates.

To require certificates for your SSL Web Server

1. In Netscape Server Administration, click Admin Preferences.
2. Click Encryption On/Off and ensure that Encryption is on.
3. If you are running the Certificate or Certificate with Basic Authentication Scheme, you must require certificates. This is done under Encryption Preferences setting where Require Certificates must be set to On. From a browser that has a Certificate installed, verify that you can get to https://servername:port.

Note: Do not turn on Required Certificates for the Certificate or Basic Authentication Scheme.

Enable the Web Server to Trust Client Certificates in Netscape

If a certificate authority is already installed in the Web Server, go on to the next section. Otherwise, install a certificate for the Certificate Authority on the SSL Web Server.

To enable the Web Server to Trust Client Certificates in Netscape

1. Obtain the Certificate Authority’s certificate and either keep it on your screen or save it to a file.
2. In Netscape Server Administration, select Keys & Certificates.
3. Click Install Certificate.
4. In the Certificate For field, fill out the Server Security Chain.
5. In the Certificate Name field, enter a description.
6. If you saved your Certificate Authority’s certificate to a file, enter the file name in the Message is in this file field; otherwise, select the Message text (with headers) radio button and paste the certificate in the Message text (with headers) field.
7. Click OK and restart the Web Server.

Establish Trust for the Netscape Certificate Authority

If a certificate authority is installed in the Web Server, you can establish trust between the two.

To establish trust for the Netscape Certificate Authority

1. In Netscape Server Administration, select Keys & Certificates.
2. Select Manage Certificates.
3. Select the Certificate Authority. The system displays a dialog detailing the certificate.
4. Select Trust.
5. Click OK and restart the Web Server.

Enable the Web Server to Trust Client Certificates in Windows

You must trust your client certificates by installing the appropriate Certificate Authority Certificates.

SSL Web Servers must have certificates for each Certificate Authority. Major certificate authorities may already be installed. You can configure certificates in Windows operating systems by using the Certificates snap-in. For information, see your Windows documentation.

Configure the IIS Web Server to use SSL

Be sure that a secure port has been enabled on the Web Server. Generally this is port 443. You can verify this through the Management Console by right-clicking on the Web Server and in the Web site tab you will see an SSL Port. Be sure a port number has been installed.

The advanced authentication schemes will create virtual directories in the Web Server. These directories will automatically be configured to require SSL and certificates as required by the specific authentication scheme. However, for testing purpose, you may want to create a test virtual directory. You can configure this virtual directory to require certificates through the Directory Security tab, Secure Communications.

https://servername:port/virtual directory - Ensure that the browser is asked for a certificate.

Install the IIS Web Server Certificate

If you have not already done so, you will need to generate a key for your Web server. This is done through the Management Console, Key Manager. Access the Key Manager by doing the following:

Note: Note this process may be slightly different for IIS 3 and IIS 4.

To install the IIS Web Server Certificate

1. In the Management Console, right-click the Web Server and select Properties.
2. Click the Directory Security tab.
3. In the Secure Communications panel, click Key Manager.
4. Under Key, select Create New Key and a Wizard will guide you through the process.

   Once you create a key, you can request a certificate using the file created in the steps mentioned earlier. Go to the Certificate Authority and request a certificate for this server. You will need to paste the certificate request information generated in Step 1 in order to receive a certificate. Once you received a certificate, go back to Management Console, Directory Security and click Key Manager to install the certificate for the key described in the next step.

5. Right-click the key name and select Install Certificate.
6. Restart the Web Server.

Enable the Web Server to Trust Client Certificates in Apache

If a certificate authority is already installed on your web server, go on to the next section. Otherwise, install a certificate for the CA on the SSL Web Server as follows.

To enable the Web Server to trust client certificates in Apache

1. Download and build the following Apache components:
   • Apache
   • OpenSSL
   • Mod_SSL
   • Mod_so - This module is included as part of Apache, but it must be enabled during the build of the Web server.
   • RSAref-2.0

     See the Policy Server Installation Guide for details about installing the web server.

2. Copy the CA certificate into the apache/conf/ssl.crt directory in x509 b64 format.
3. Run make in the apache/conf/ssl.crt directory.
4. Restart the Web Server.

Installing the Apache Web Server Certificate

The process for installing a certificate on an Apache Web Server varies with individual configurations. Consult the documentation for Mod_SSL and OpenSSL for details about how to configure these components.

SSL Troubleshooting

The following sections detail the most common problems encountered when dealing with SSL authentication schemes.

There Was No Prompt for a Certificate

If you were not prompted for a certificate, verify that SSL is configured appropriately. If the Web Agent is installed, disable the Web Agent. The first step is to verify a simple SSL connection.

To determine whether you are able to establish an SSL connection

1. Disable the SiteMinder Web Agent protecting the realm for which you want to use an authentication scheme over SSL.

   Note: For information about disabling a Web Agent, see the Web Agent Configuration Guide.

2. Using your browser, go to one of the following URLs (using a browser with a certificate):
   • https://web_server_name:port (Netscape Web Servers)
   • https://web_server_name:port/<SSL Virtual Directory> (IIS Web Servers)
   • https://web_server_name:port (Apache Web Servers)

   If this SSL connection is configured to require certificates, you will be prompted to select a certificate.