Symantec Access Management

  • 1.  Where to find certutil in Redhat 6?

    Posted Aug 06, 2013 12:40 AM
    The Siteminder R12 documentation says:

    Considerations for Existing LDAP User Directory Connections Over SSL

    Configuring an LDAP user directory connection over SSL requires that you configure CA SiteMinder to use your certificate database files.

    The Policy Server requires that the certificate database files be in the Netscape cert8.db file format. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to convert existing cert7.db certificate database files to cert8.db format.

    Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.

    Important! Before running a CA SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

    To convert the certificate database file

    From a command prompt, navigate to the Policy Server installation bin directory.

    Example: C:\Program Files\CA\SiteMinder\bin

    Note: Windows has a native certutil utility. Verify that you are working from the Policy Server bin directory, or you can inadvertently run the Windows certutil utility.

    Enter the following command:

    certutil -L -d certificate_database_directory [-p prefix_name] -X

    -d certificate_database_directory

    Specifies the directory that contains the certificate database files to convert.
    -p prefix_name

    (Optional) Specifies any prefix used when creating the existing cert7.db file (for example, my_cert7.db).

    Certutil converts the existing cert7.db file to cert8.db format.

    If I am using RedHat 6, does anyone know how to get this certutil?

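    The conversion step quoted above has two practical pitfalls: picking up a different certutil from PATH instead of the Policy Server's NSS one, and re-running the conversion on a database that is already cert8.db. The following POSIX shell helpers, an added example that is not part of this thread or of CA's documentation, select the certutil from a given Policy Server bin directory, classify the certificate database, and build the documented conversion command as a dry run. The bin and database directories are assumed arguments; the prefix follows NSS naming (prefix "my_" gives my_cert7.db).

```shell
#!/bin/sh
# Added example (not from the thread or CA docs). Assumes the Policy Server bin
# directory (e.g. ~/CA/siteminder/bin) and the certificate database directory
# are passed in as arguments.

# Print the path of the NSS certutil shipped in the Policy Server bin directory.
# Returns 1 if it is missing, so a bare PATH lookup never silently resolves to
# another certutil (Windows' native certutil.exe, or a distro libnss3-tools one).
ps_certutil() {
    bin_dir="$1"
    [ -x "$bin_dir/certutil" ] || return 1
    printf '%s\n' "$bin_dir/certutil"
}

# Classify a certificate database directory: cert8 (already converted),
# cert7 (conversion needed) or none. An optional NSS prefix (my_ -> my_cert7.db)
# is honoured, matching the -p prefix_name option in the documentation.
cert_db_format() {
    db_dir="$1"; prefix="${2:-}"
    if [ -f "$db_dir/${prefix}cert8.db" ]; then echo cert8
    elif [ -f "$db_dir/${prefix}cert7.db" ]; then echo cert7
    else echo none; fi
}

# Build the documented conversion command: certutil -L -d <dir> [-p prefix] -X
conversion_cmd() {
    certutil="$1"; db_dir="$2"; prefix="${3:-}"
    if [ -n "$prefix" ]; then
        printf '%s -L -d %s -p %s -X\n' "$certutil" "$db_dir" "$prefix"
    else
        printf '%s -L -d %s -X\n' "$certutil" "$db_dir"
    fi
}

# Dry run: only emit the conversion command when a cert7.db exists and no
# cert8.db does, so the operator can confirm binary and directory before running it.
plan_conversion() {
    certutil=$(ps_certutil "$1") || { echo "no NSS certutil in $1" >&2; return 1; }
    case $(cert_db_format "$2" "${3:-}") in
        cert7) conversion_cmd "$certutil" "$2" "${3:-}" ;;
        cert8) echo "already cert8.db: nothing to do" ;;
        none)  echo "no certificate database in $2" >&2; return 1 ;;
    esac
}
```

Run `sh -c '. ./this_file.sh; plan_conversion ~/CA/siteminder/bin /path/to/certdb'` and execute the printed command only after checking it points at the Policy Server's own certutil.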

  • 2.  RE: Where to find certutil in Redhat 6?
    Best Answer

    Posted Aug 06, 2013 02:03 AM
    Found it.

    [smuser1251@rhel61 bin]$ which certutil
    ~/CA/siteminder/bin/certutil
    [smuser1251@rhel61 bin]$ ls certutil
    certutil
    [smuser1251@rhel61 bin]$ file certutil
    certutil: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
    [smuser1251@rhel61 bin]$

    Conclusion: This is not in the R12 version; it is new in R12.5.


  • 3.  RE: Where to find certutil in Redhat 6?

    Posted Aug 06, 2013 02:09 AM
    Another useful concept: the Certificate Data Store is different from the certificate database file.

    CDS is new in R12.5. Certificate Data Store (CDS)
    The release note said: "The certificate data store is replacing the SiteMinder key database (smkeydatabase).
    SiteMinder federation features use the certificate data store."

    When we use the policy store as the certificate database, this is used for federation and similar features,
    but for the policy server to contact the policy store over LDAPS (SSL), if the certificate is in the policy store.... what would happen?
    It is like you need a key to open the box, and the key is in the box.

    The fact is, the policy server is using the LDAP SDK from SunOne, and this has its own certificate database.
    That is the reason we need to satisfy the LDAP SDK's requirement, i.e. add the CA certificate to its certificate database (a file called cert8.db),
    which allows the policy server to use the LDAP SDK to contact the LDAP (policy store) over SSL.

    This also applies to LDAP user stores using the LDAP SDK.


  • 4.  RE: Where to find certutil in Redhat 6?

    Posted Aug 06, 2013 02:57 PM
    Thanks for letting everyone know the answer and the additional useful information! :grin:

    cloudguru wrote:

    Another useful concept: the Certificate Data Store is different from the certificate database file.

    CDS is new in R12.5. Certificate Data Store (CDS)
    The release note said: "The certificate data store is replacing the SiteMinder key database (smkeydatabase).
    SiteMinder federation features use the certificate data store."

    When we use the policy store as the certificate database, this is used for federation and similar features,
    but for the policy server to contact the policy store over LDAPS (SSL), if the certificate is in the policy store.... what would happen?
    It is like you need a key to open the box, and the key is in the box.

    The fact is, the policy server is using the LDAP SDK from SunOne, and this has its own certificate database.
    That is the reason we need to satisfy the LDAP SDK's requirement, i.e. add the CA certificate to its certificate database (a file called cert8.db),
    which allows the policy server to use the LDAP SDK to contact the LDAP (policy store) over SSL.

    This also applies to LDAP user stores using the LDAP SDK.