To Manually Configure NSS on OpenSSO

By default, the OpenSSO configurator supports only the JCE/JSSE provider for SSL. However, you can use the OpenSSO administration console to manually enable JSS/NSS. If OpenSSO is deployed on Sun Web Server 7.0 or on GlassFish Enterprise Edition 2.1.0, then complete the following steps. For GlassFish Enterprise Edition 2.1.1 and later versions, see CR 6967026: Configurator cannot connect to LDAPS-enabled directory server.

Before You Begin

• If you want OpenSSO to connect to an LDAPS-enabled directory server, then the CA certificate for the LDAPS-enabled directory server must be already imported into the JVM trust store (by default JAVA_HOME/jre/lib/security/cacert).

1. Log in to the OpenSSO Administration Console as amadmin.

2. Click Configuration > Servers and Sites > Server Name instance.

3. Click Security.

4. Click Inheritance Settings.

5. Uncheck the Encryption class and Secure Random Factory Class properties.

6. Click Save, and then click Back to Server Profile.

7. Change Encryption class to com.iplanet.services.util.JSSEncryption.

8. Change Secure Random Factory Class to com.iplanet.am.util.JSSSecureRandomFactoryImpl.

9. Click Save, and then click the Advanced tab.

10. Change the com.iplanet.security.SSLSocketFactoryImpl property to com.iplanet.services.ldap.JSSSocketFactory.

11. Edit the following property and value:

    • Property Name: opensso.protocol.handler.pkgs

    • Property Value: com.iplanet.services.comm

12. Click Add, and add following property and value:

    • Property Name: com.iplanet.am.admin.cli.certdb.dir

    • Property Value: path-to-NSS-database

13. Click Save.

14. Restart the OpenSSO Enterprise 8.0 server instance.