Hi Gokulnathb,
Take a look at this (page 6 of the PDF)
Enable SSL for IME's IMCD/IMPS with Siteminder
or the tech note: TEC538848
CA SSO Implementation Document Index - CA Technologies
See if this helps.
Cheers,
A.
#### Example Script below ####
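#!/bin/bash
##################################################
#
# Add IMCD SSL CERT to SiteMinder to enable TLS
#
# Only need CA Public Cert
#
# No need to copy the Server Certs (personalities)
#
# SM will use userid/password for authentication
#
# Flow (Step00..Step08 below): reset the NSS DB under $LDAP_TLS, copy the
# CA Directory trusted.pem, normalise it via a DER -> PEM round trip, create
# the NSS DB with the SiteMinder certutil, import the CA cert as a trusted
# CA, fix ownership/permissions, then validate with dxsearch over ldap://
# and ldaps://.
#
# Requirements implied by the steps: run as root (chown, "su - dsa"), the
# SiteMinder certutil under $SMHOME/bin, and read access to $DXHOME/trusted.pem.
#
# PASSWORD is used both as the NSS DB password and as the LDAP bind password
# for the validation searches. It, IMCD_HOSTNAME and IMCD_PORT may be
# supplied from the environment instead of editing this file.
#
##################################################
set -u   # an unset variable here is a bug, never a usable default

IMCD_HOSTNAME=${IMCD_HOSTNAME:-sandbox01}
IMCD_PORT=${IMCD_PORT:-41389}
# The DSA name is also the CN of the DSA server cert; it must resolve for
# the ldaps:// validation (see the /etc/hosts note near the end).
IMCD_DSA_NAME=${IMCD_HOSTNAME}-imcd
SMHOME=/opt/CA/siteminder
LDAP_TLS=$SMHOME/ldap_tls
DXHOME=/opt/CA/Directory/dxserver/config/ssld
PATH=$SMHOME/bin:$PATH
# TODO(review): the default below is a placeholder; supply the real value via the environment.
PASSWORD=${PASSWORD:-Password01}
SM_USER=smuser
SM_GROUP=smuser
# Bind/search parameters used by the validation dxsearch calls
BIND_DN='cn=diradmin,ou=serviceaccount,ou=cam,o=ca'
BASE_DN='ou=cam,o=ca'
SEARCH_FILTER='uid=diradmin'
# Nickname and file names for the imported CA cert
CA_NICKNAME=IMCD_TRUSTED_CA_PUBLIC_CERT
CA_DER=trusted-root-ca-public-for-imcd.der
CA_CER=trusted-root-ca-public-for-imcd.cer

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a step banner preceded by a blank line.
#######################################
step() {
  printf '\n%s\n' "$*"
}

#######################################
# Print a command (shell-quoted) and then run it.
# Arguments: the command and its arguments
# Returns:   the command's exit status
#######################################
run() {
  printf '%q ' "$@"
  printf '\n'
  "$@"
}

step "Step00: Clean up Prior NSS DB files under $LDAP_TLS"
mkdir -p -- "$LDAP_TLS" || die "cannot create $LDAP_TLS"
# The cd must succeed before anything is removed, so the rm never runs elsewhere.
cd -- "$LDAP_TLS" || die "cannot cd to $LDAP_TLS"
rm -rf -- "${LDAP_TLS:?}"/*.db
rm -rf -- "${LDAP_TLS:?}"/trusted-root-ca-public-for-imcd.*
# Note: pem format may include cer (public format) + ascii + optional (private key)

step "# Step01: Check if the CA Public Cert exists AND that SSLv3 protocol is available"
printf '%s\n' "# Siteminder uses SSLv3 protocol for non-FIPS encryption & TLS for FIPS encryption"
printf '\n'
printf '%s\n' "The CA Public Cert should display as the 2nd cert in this list with -showcerts"
printf '%s\n' "openssl s_client -connect $IMCD_HOSTNAME:$IMCD_PORT -showcerts"
printf '%s\n' "The communication will report failure, if SSLv3 protoocl is not enabled."
printf '%s\n' "openssl s_client -connect $IMCD_HOSTNAME:$IMCD_PORT -ssl3"
printf '%s\n' "Run the above lines as a prestep, they are commented out to avoid impacting readablity of the other lines"
# Pre-steps, left commented out on purpose. NOTE(review): newer OpenSSL builds
# may no longer accept -ssl3; the check then fails for that reason, not because
# the DSA rejects it.
#openssl s_client -connect "$IMCD_HOSTNAME:$IMCD_PORT" -showcerts
#openssl s_client -connect "$IMCD_HOSTNAME:$IMCD_PORT" -ssl3
printf '\n'

step "# Step02: Copy IMCD CA Public Cert Only [Not DSA Server Certs (Personalities)]"
printf '%s\n' "# Ensure that the user of this script has access to the CA Directory SSLD folder"
cd -- "$LDAP_TLS" || die "cannot cd to $LDAP_TLS"
[[ -r "$DXHOME/trusted.pem" ]] || die "cannot read $DXHOME/trusted.pem"
run cp -p -- "$DXHOME/trusted.pem" "$LDAP_TLS/trusted.pem" || die "copy of trusted.pem failed"
printf '%s\n' "Strip any extra commentary from CA Directory PEM Format. Keep BEGIN CERTIFICATE / END CERTIFICATE markers"
printf '\n'
# NOTE(review): openssl x509 converts only the first certificate in trusted.pem;
# if the file holds several, confirm the first one is the CA you intend to trust.
run openssl x509 -outform der -in trusted.pem -out "$CA_DER" || die "PEM -> DER conversion failed"
printf '%s\n' "Strip any extra commentary from CA Directory PEM Format. Keep BEING / END"
run openssl x509 -inform der -in "$CA_DER" -out "$CA_CER" || die "DER -> PEM conversion failed"
printf '\n'

step "# Step03: Create a NSS keystore for Siteminder with CertUtil (cert8.db, key3.db, secmod.db)"
printf '%s\n' " NSS = Netscape Network Security Services & ensure SM version of certutil is being used in the path"
printf '\n'
# The password file and the new DB files must not be readable by other users;
# Step06b tightens ownership afterwards.
umask 077
printf '%s\n' "( echo <password> ) > $LDAP_TLS/pwdfile.txt"
printf '%s\n' "$PASSWORD" > "$LDAP_TLS/pwdfile.txt" || die "cannot write $LDAP_TLS/pwdfile.txt"
# The password is not printed: it would otherwise end up in any captured output/log.
printf '%s\n' "( echo <password>; echo <password> ) | $SMHOME/bin/certutil -N -d $LDAP_TLS -f $LDAP_TLS/pwdfile.txt"
printf '%s\n%s\n' "$PASSWORD" "$PASSWORD" \
  | "$SMHOME/bin/certutil" -N -d "$LDAP_TLS" -f "$LDAP_TLS/pwdfile.txt" || die "certutil -N failed"
printf '\n'

step "# Step04: Store the IMCD ROOT CA Certificate from CA Directory 'clean version' of IMCD trusted-root-ca-public-for-imcd.pem"
# -t "C,," marks the cert as a trusted CA for SSL only.
run "$SMHOME/bin/certutil" -A -n "$CA_NICKNAME" -t "C,," -i "$LDAP_TLS/$CA_CER" -d "$LDAP_TLS" \
  || die "import of $CA_CER into $LDAP_TLS failed"
printf '\n'

step "# Step05: Store IMCD DSA Server Public Cert from IMCD personalities IMCD_DSA_HOSTNAME.pem"
printf '%s\n' "$SMHOME/bin/certutil -A -n IMCD_DSA_HOSTNAME_PUBLIC_CERT -t P,, -i $LDAP_TLS/$IMCD_HOSTNAME-imcd-public.cer -d $LDAP_TLS"
printf '%s\n' "### Confirmed this step from bookshelf is NOT required for standard userid/password authentication over SSL/TLS"
printf '\n\n'

step "# Step06: List all CA and Server Public Certs in NLS Keystore"
run "$SMHOME/bin/certutil" -L -d "$LDAP_TLS"
printf '\n'

step "# Step06b: Update ownership of the DB files of $LDAP_TLS/cert8.db"
chown -R "$SM_USER:$SM_GROUP" "$LDAP_TLS" || die "chown of $LDAP_TLS failed"
chmod 640 "$LDAP_TLS"/*.db || die "chmod of NSS DB files failed"
chmod 600 "$LDAP_TLS/pwdfile.txt"
printf '\n'

step "# Step07: Use XPSConfig to update the SM:LdapObjCertDbPath to $LDAP_TLS/cert8.db"
printf '%s\n' "# su - smuser ; XPSConfig ; Select SM ; Select # for LdapObjCertDbPath Likely #83"
printf '\n'
printf '%s\n' "# Alternatives: Use SMCONSOLE on the Data Tab for Netscape certificate file or"
printf '%s\n' "# edit the SMHOME/registry/smregistry.xml file & update CertDbPath under "
printf '%s\n' "# HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore"
printf '\n\n'

step "# Step08: Start / Stop SM Policy Server"
printf '%s\n' "# Shown below for manual step AFTER the above update is done"
printf '%s\n' "$SMHOME/stop-ps"
printf '%s\n' "$SMHOME/start-ps"
printf '\n'
printf '%s\n' "#################################################"

# Search arguments shared by both validations. The displayed copy redacts the
# password; the executed copy is handed to the dsa user's shell via su -c.
# NOTE(review): -w places the bind password in dxsearch's argv, where other
# local users can see it in process listings; a password-file option of
# dxsearch, if available on this version, would avoid that. The single quotes
# break if PASSWORD itself contains a single quote.
search_args_shown="-c -D '$BIND_DN' -w '<password>' -b '$BASE_DN' '$SEARCH_FILTER' sn uid"
search_args="-c -D '$BIND_DN' -w '$PASSWORD' -b '$BASE_DN' '$SEARCH_FILTER' sn uid"

step "Validate NON-SSL/TLS to directory"
printf '%s\n' " if running this script as root, it will have access to run dxsearch as dsa"
printf '%s\n' " if running this script as smuser, you will need to type the password for dsa account"
printf '\n'
printf '%s\n' "dxsearch -L -H ldap://$IMCD_HOSTNAME:$IMCD_PORT $search_args_shown"
printf '\n'
su - dsa -c "dxsearch -L -H ldap://$IMCD_HOSTNAME:$IMCD_PORT $search_args"
printf '\n'

step "Validate SSL/TLS to directory"
printf '%s\n' "Update /etc/hosts to have alias where DSA_NAME = HOSTNAME"
printf '%s\n' "Example: 192.168.92.129 sandbox01 sandbox01.im.dom sandbox01-imcd"
printf '%s\n' "Note: CA Directory CLI commands use DXHOME\config\ssld\dxldap.conf file"
printf '\n'
printf '%s\n' " if running this script as root, it will have access to run dxsearch as dsa"
printf '%s\n' " if running this script as smuser, you will need to type the password for dsa account"
printf '\n'
printf '%s\n' "dxsearch -Z -L -H ldaps://$IMCD_DSA_NAME:$IMCD_PORT $search_args_shown"
printf '\n'
# Debug variant (-d 1) kept for reference:
#su - dsa -c "dxsearch -d 1 -Z -L -H ldaps://$IMCD_DSA_NAME:$IMCD_PORT $search_args"
su - dsa -c "dxsearch -Z -L -H ldaps://$IMCD_DSA_NAME:$IMCD_PORT $search_args"
# Ignore ERROR MESSAGE: ldap_start_tls: Operations error (1)
# This message occurs when using both the -Z switch & -H ldaps://hostname:port URI
# This script uses both to confirm that SSL/TLS is being used; and can be seen visually without the need of debug switches.
# Note: If the error returned is:
#   ldap_start_tls: Can't contact LDAP server (-1)
#   additional info: TLS: hostname does not match CN in peer certificate
# then add the DSA_HOSTNAME as an alias to the local hosts file so the CN matches (HOSTNAME = DSA_NAME),
# i.e. use ldaps://<DSA_NAME>:<port> rather than ldaps://<hostname>:<port> in the -H URI.
printf '\n'

step "# View certs in cert8.db file for CA PUBLIC CERT"
printf '\n'
run "$SMHOME/bin/certutil" -L -a -n "$CA_NICKNAME" -d "$LDAP_TLS"
printf '\n'
# As a test to ensure the CA cert was added correctly
#"$SMHOME/bin/certutil" -L -a -n "$CA_NICKNAME" -d "$LDAP_TLS" > test_ca.cer
printf '\n'
# diff test_ca.cer trusted-root-ca-public-for-imcd.cer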
###### Script above ####