Certificate Authority Update | CNE Update to NetWare 6 Study Guide

The Novell Certificate Server ensures secure data transmissions between servers and workstations over your network. This NetWare 6 service is required for web-related products such as Novell LDAP (Lightweight Directory Access Protocol), NetWare Web Server, and the NetWare Management Portal. It also allows you to mint, issue, and manage digital certificates by creating a Security container object and an Organizational Certificate Authority (CA) object.

If the network does not already have an Organizational CA object, the first NetWare 6 server automatically creates and physically stores the Security container object and Organizational CA object for the entire eDirectory tree. Both objects are created at, and must remain at, the [Root] of the eDirectory tree.

Novell delivered a base-level PKI (public key cryptography) with NetWare 5.0. As such, you must update your NetWare 5.0 PKI Services to a Novell Certificate Server CA object. Fortunately, this only applies to NetWare 5.0 servers. The NetWare 5.1 CA is updated during the NetWare 6 Upgrade process.

To update your network to use the new Novell Certificate Server, you must satisfy these minimum requirements:

You must install the most recent version of Novell Certificate Server.
To create the organizational CA and complete the NetWare Upgrade, you must have the Supervisor right at the [Root] of the eDirectory tree. You must also have the Supervisor right in the Security container, or at the [Root] of the tree if the Security container does not exist.
If you plan to use the Novell Certificate Server 2.20 ConsoleOne snap-in (available with NetWare 6) you need client NICI 1.5.4 (or later) installed on the workstation where you run ConsoleOne. Refer to the "Network preparation" section earlier in this chapter for more details.

Follow these steps to update your network for the new Novell Certificate Server:

First, determine which server in your network is acting as the Organizational CA. By default, the Organizational CA's object is stored in the Security container. Using ConsoleOne, double-click the Organizational CA object, and choose the General tab.
On the server acting as the CA, verify that it is running Novell Certificate Server 2.0 or later. From the server console, enter NWCONFIG, and select Product Options. Next, choose VIEW/Configure/Remove Installed Products. Look for the PKIS entry; if there is no entry, or if you do not see 2.0.0 or later, install Novell Certificate Server 2.0 (or later) before continuing. You can find it on Novell's website.
Check for the existence of security-related objects and establish the proper eDirectory rights for creating and operating the CA. If the KAP container or the W0 object do not exist (the KAP container is in the Security container, and the W0 object is in the KAP container), the installation of the first NetWare 6 (or NetWare 5.1) server will create them for you. Furthermore, the first NetWare 6 installation or upgrade will create the Organizational CA as well.

REAL WORLD

The server acting as the CA must remain operational during the installation or upgrade other NetWare 5.1 or NetWare 6 servers into this tree. Furthermore, if the CA object, KAP container, and the W0 object exist, you will need the following eDirectory rights to upgrade NetWare:

Read entry rights to the NDSPKI:Private Key attribute of the Organizational CA's object.
Supervisor right to the W0 object
Supervisor right to the server's container

Well, there you have it! We've satisfied the minimum system requirements, backed up our source and destination servers, prepared the network, and updated the Certification Authority (CA). Now can we get started?! Yes!

Now that you've satisfied all the NetWare 6 Upgrade and Migration requirements, it's time to begin building the NetWare 6 server. In the rest of this chapter, we explore the detailed steps of both of these advanced NetWare 6 installation options Upgrade and Migration.