Tuesday, June 11, 2013

Create cert7.db and key3.db for enabling LDAP over SSL in JD Edwards EnterpriseOne 9.1

Last week, my colleague asked me to help him generate the cert7.db and key3.db files documented in step (2) of section 11.5.2 of the JD Edwards EnterpriseOne Tools Security Administration Guide 9.1.x, which are needed to enable LDAP authentication over SSL with Active Directory.

The directory server in this case is Active Directory on Windows Server 2008 R2.  Below is the implementation network diagram:

Before you go about creating the cert7.db and key3.db files, you need to enable LDAP over SSL (LDAPS) on your Active Directory server.  You can follow this TechNet article to do so.  The easiest way (though not the most secure one) is to install the Certificate Authority (CA) role on your Domain Controller.

Next, export the CA certificate in Base-64 encoded format to a file (e.g. certnew.cer) and copy it to a 32-bit Windows XP system.  I didn't have a physical Windows XP machine around, so I used Windows XP Mode on my Windows 7 desktop.  The reason is that the tool we are about to run to create cert7.db, an out-of-date and non-open certificate database format, will not run on my desktop.  It may work if you try it on 32-bit Windows 7.

Download these two files, nss-3.3.2.zip and nspr-4.2.zip, and move them to your XP machine:
http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_3_2_RTM/WINNT4.0_OPT.OBJ/
http://ftp.mozilla.org/pub/mozilla.org/mozilla.org/nspr/releases/v4.2/WINNT4.0_OPT.OBJ/nspr-4.2.zip

Unpack both packages and copy nspr-4.2/lib/*.dll and nss-3.3.2/lib/*.dll into nss-3.3.2/bin, because the NSS tools depend on the NSPR DLLs to run.  You also need to copy the certificate certnew.cer into the bin directory of the extracted NSS package.

Run the command below to initialize the database.  This command will generate cert7.db and key3.db files:


Next, run the command below to add the "certnew.cer" certificate to the cert7.db:

C:\nss-3.3.2\nss-3.3.2\bin>certutil.exe -A -n "CACertDWOrg" -t "C,," -a -i .\certnew.cer -d C:\
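As an added example that is not from the original post, here is the whole procedure as one batch script for the XP machine: it initializes the database, imports the CA certificate and then lists the database so you can confirm the nickname and trust flags.  The NSS install path follows the post; the separate database directory C:\nssdb is an assumption (the post writes straight to C:\).

```batch
@echo off
REM Added example, not the original post's code. Creates cert7.db/key3.db, imports the
REM AD CA certificate and verifies the result. Paths are assumptions: NSS tools unpacked
REM to C:\nss-3.3.2\nss-3.3.2\bin, database written to C:\nssdb.
setlocal
set NSSBIN=C:\nss-3.3.2\nss-3.3.2\bin
set DBDIR=C:\nssdb
set CACERT=%NSSBIN%\certnew.cer

if not exist "%CACERT%" (
  echo Missing %CACERT% - export the CA certificate in Base-64 format first.
  exit /b 1
)
if not exist "%DBDIR%" mkdir "%DBDIR%"

REM Step 1: create an empty cert7.db/key3.db pair. certutil prompts for a database
REM password. If this step is skipped, or -d in step 2 points at a directory without
REM these files, certutil -A fails with "NSS_Initialize failed: security library: bad database".
REM The full path matters: Windows ships its own, unrelated certutil.exe on newer versions.
"%NSSBIN%\certutil.exe" -N -d "%DBDIR%"
if errorlevel 1 exit /b 1

REM Step 2: import the CA certificate. -t "C,," trusts it as a CA for SSL server
REM certificates only (no e-mail or code-signing trust); -a means the input is Base-64, not DER.
"%NSSBIN%\certutil.exe" -A -n "CACertDWOrg" -t "C,," -a -i "%CACERT%" -d "%DBDIR%"
if errorlevel 1 exit /b 1

REM Verify: the listing should show CACertDWOrg with trust flags C,, and both files must exist.
"%NSSBIN%\certutil.exe" -L -d "%DBDIR%"
if not exist "%DBDIR%\cert7.db" exit /b 1
if not exist "%DBDIR%\key3.db" exit /b 1
echo cert7.db and key3.db are ready in %DBDIR%
endlocal
```

Copy the resulting cert7.db and key3.db to the location your EnterpriseOne LDAPS configuration points at; only the CA certificate needs to be in the database, not the domain controller's own certificate.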

You should get the files below in the root of C:\

That is it.  Now you can use those files and configure your EnterpriseOne to enable LDAPS.

Thanks

2 comments:

  1. Found it useful and Thank You Tung.!!!

  2. Dear, thank you for this document... I did step one successfully, but when I do step 2 (C:\nss-3.3.2\nss-3.3.2\bin>certutil.exe -A -n "CACertDWOrg" -t "C,," -a -i .\c=km.cer -d ), I am getting the following error: NSS_Initialize failed: security library: bad database

    Any advice?
