Tay, Gary
2006-Apr-20 08:45 UTC
RE: [Fedora-directory-users]: SSL directory server gateway, one-button SSL Certs (slapd + Admin Server) generation script
I couldn't find setupssl.sh anywhere on the HowTo SSL link.

Anyway, I have written cr_ssl_certs.sh, which works for both FDS and SUN-ONE DS. This script will also create the Admin Server SSL Cert (the same as slapd's). Once you have used the Admin Console to enable SSL for the Admin Server at the "Encryption" tab, you will see a few .conf files including console.conf get updated at $SERVER_ROOT/admin-serv/config; the rest is history.

Note that it is not a MUST to create different CA Certs for different FDS Servers; they are so for testing purposes only. For production usage, you would most likely purchase signed SSL Server Certs for your different FDS Servers.

HTH.

Gary

Content of cr_ssl_certs.sh

#! /bin/sh
#
# cr_ssl_certs.sh - This script works for either Fedora or SUN-ONE DS
#
# Gary Tay
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
#
#set -vx
IS_ROOT_UID=`id | grep "uid=0(root)"`
if [ ! -n "$IS_ROOT_UID" ]; then
  echo "Please run this script as root"
  exit 1
fi
chmod 700 $0
if [ ! -f /home/ldap/dirmgr.pwd ]; then
  echo "Please setup /home/ldap/dirmgr.pwd."
  exit 1
else
  chmod 600 /home/ldap/dirmgr.pwd
fi
# Please customize the following
HOST=`hostname`
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
# Uncomment for Fedora/RedHat Directory Server
SERVER_ROOT="/opt/fedora-ds"
# Uncomment for SUN-ONE/Java System Directory Server
#SERVER_ROOT="/var/Sun/mps"
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
  LD_LIBRARY_PATH=$SERVER_ROOT/lib:$SERVER_ROOT/shared/lib
  SLAPD_OWNER="ldap"
  SLAPD_GROUP="ldap"
  TAR_CVF="tar -Pcvf"
  TAR_XVF="tar -Pxvf"
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
  LD_LIBRARY_PATH=$SERVER_ROOT/lib
  SLAPD_OWNER="root"
  SLAPD_GROUP="root"
  TAR_CVF="tar -cvf"
  TAR_XVF="tar -xvf"
fi
export LD_LIBRARY_PATH
PATH=$SERVER_ROOT/shared/bin:$PATH; export PATH
echo "Please shutdown slapd and Admin Server and perform a tar backup"
echo "and db2ldif backup of currently working system, and restart them again."
echo "Example of tar command: $TAR_CVF /var/tmp/ds_backup.tar $SERVER_ROOT"
echo "When you are ready, answer Yes and press Enter to continue."
echo "Press Ctrl-C to cancel."
read READY
[ "$READY" != "Yes" ] && exit 1
echo "Enter an UNIQUE SERIAL NUMBER for CA Cert."
echo "Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc..."
read UNIQUE_SN_CA
echo "Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert."
echo "Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3."
read UNIQUE_SN_LDAP
cd $SERVER_ROOT/alias
echo "Backing up existing *.db (if any) to backup_$$."
mkdir -p backup_$$ >/dev/null 2>/dev/null
cp -p *.db backup_$$ >/dev/null 2>/dev/null
/bin/rm -f *.db >/dev/null 2>/dev/null
# NSS key DB (token) password; change it, it is also written into the pin files below
echo "secretpwd" >pwdfile.txt
chmod 600 pwdfile.txt
# fixed noise string: certutil -z mixes this into its RNG seed, so a file of real random data is better
echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt
echo "Creating new security key3.db/cert8.db pair."
../shared/bin/certutil -N -d . -f pwdfile.txt
echo "Generating encryption key."
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed CA certificate."
../shared/bin/certutil -S -n "CA certificate" \
  -s "cn=CAcert $HOST" -x \
  -t "CT,," -m $UNIQUE_SN_CA -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed Server certificate."
../shared/bin/certutil -S -n "Server-Cert" \
  -s "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
  -t "u,u,u" -m $UNIQUE_SN_LDAP -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Renaming and linking modified security DBs."
mv -f key3.db slapd-$HOST-key3.db
mv -f cert8.db slapd-$HOST-cert8.db
ln -s slapd-$HOST-key3.db key3.db
ln -s slapd-$HOST-cert8.db cert8.db
echo "Setting the correct ownership of security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP *.db
echo "Self-signed CA and SSL Server certs generated."
echo ""
echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format."
echo ""
echo "---Start of OPTIONAL commands---"
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""
#
echo "Enabling SSL."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
cat <<EOF >/tmp/ssl_enable.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on

EOF
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
cat <<EOF >>/tmp/ssl_enable.ldif
dn: cn=config
changetype: modify
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

EOF
fi
# NOTE: -w puts the Directory Manager password on the command line, where ps can read it;
# the Mozilla ldapmodify shipped with the server also accepts -j <file> to read it from a file.
if ../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif; then
  echo "Enabling SSL in cn=encryption,cn=config and cn=config done."
else
  echo "Enabling SSL in cn=encryption,cn=config and cn=config failed."
fi
#
cat <<EOF >/tmp/add_ssl_configs.ldif
dn: cn=encryption,cn=config
changetype: modify
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.db

EOF
if ../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_ssl_configs.ldif; then
  echo "Adding SSL configs in cn=encryption,cn=config done."
else
  echo "Adding SSL configs in cn=encryption,cn=config failed."
fi
#
cat <<EOF >/tmp/addRSA.ldif
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

EOF
if ../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif; then
  echo "Adding cn=RSA,cn=encryption,cn=config done."
else
  echo "Adding cn=RSA,cn=encryption,cn=config failed."
fi
#
echo "Creating a pin.txt for auto-starting of slapd."
echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
chmod 400 slapd-$HOST-pin.txt
echo "Exporting the CA Cert in ASCII format or DER format"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
  -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
  -r > cacert.der
echo "Copying Server-Cert to Admin Server for Admin Server SSL connection."
cp slapd-$HOST-key3.db admin-serv-$HOST-key3.db
cp slapd-$HOST-cert8.db admin-serv-$HOST-cert8.db
echo "Setting the correct ownership of Admin Server security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-*.db
echo "Remember to enable SSL in Admin Server later."
echo "Remember to select 'Server-Cert' as the Certificate and click OK."
echo "Remember to restart Admin Server after that."
echo "Creating a pin.txt for auto-starting of Admin Server."
echo "`cat pwdfile.txt`" >admin-serv-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-pin.txt
chmod 400 admin-serv-$HOST-pin.txt
echo "Patching start-admin and creating start-admin.auto."
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
  sed -e \
    '/^\$HTTPD/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
    $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
  sed -e \
    '/uxwdog/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
    $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
chmod 755 $SERVER_ROOT/start-admin.auto
echo "Please use $SERVER_ROOT/start-admin.auto in rc3.d as autostart script."
echo ""
echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off"
echo "and then try to restart slapd."
echo ""
echo "3. How to fix Admin Server login issue due to mis-configuration of SSL?"
echo "If for any reason Admin Server login fails and you wish to give up,"
echo "simply stop slapd and admin-serv and restore using the tar backup"
echo "i.e. rm -f $SERVER_ROOT/alias/*.db;$TAR_XVF /var/tmp/ds_backup.tar"
echo ""

===Sample Run===

# ./cr_ssl_certs.sh
Please shutdown slapd and Admin Server and perform a tar backup
and db2ldif backup of currently working system, and restart them again.
Example of tar command: tar -cvf /var/tmp/ds_backup.tar /var/Sun/mps
When you are ready, answer Yes and press Enter to continue.
Press Ctrl-C to cancel.
Yes
Enter an UNIQUE SERIAL NUMBER for CA Cert.
Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc...
1000
Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert.
Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3.
1001
Backing up existing *.db (if any) to backup_24872.
Creating new security key3.db/cert8.db pair.
Generating encryption key.

Generating key. This may take a few moments...

Generating self-signed CA certificate.

Generating key. This may take a few moments...

Generating self-signed Server certificate.

Generating key. This may take a few moments...

Renaming and linking modified security DBs.
Setting the correct ownership of security DBs
Self-signed CA and SSL Server certs generated.

The following commands are OPTIONAL.
They are for backing up CA and Server Certs in PK12 format.

---Start of OPTIONAL commands---
../shared/bin/pk12util -d . -P slapd-ldap1- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-ldap1- -o servercert.pfx -n "Server-Cert"
---End of OPTIONAL commands---

Enabling SSL.
NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
modifying entry cn=encryption,cn=config

modifying entry cn=config

Enabling SSL in cn=encryption,cn=config and cn=config done.
modifying entry cn=encryption,cn=config

Adding SSL configs in cn=encryption,cn=config done.
adding new entry cn=RSA,cn=encryption,cn=config

Adding cn=RSA,cn=encryption,cn=config done.
Creating a pin.txt for auto-starting of slapd.
Exporting the CA Cert in ASCII format or DER format
Copying Server-Cert to Admin Server for Admin Server SSL connection.
Setting the correct ownership of Admin Server security DBs
Remember to enable SSL in Admin Server later.
Remember to select 'Server-Cert' as the Certificate and click OK.
Remember to restart Admin Server after that.
Creating a pin.txt for auto-starting of Admin Server.
Patching start-admin and creating start-admin.auto.
Please use /var/Sun/mps/start-admin.auto in rc3.d as autostart script.

IMPORTANT NOTES:

1. How to check if SSL Configurations are done properly?
You may view config/dse.ldif after shutting down slapd
to verify all the required SSL configurations are there.

2. How to fix slapd startup issue due to mis-configuration of SSL?
If for any reason slapd fails to start due to SSL issue,
you may edit config/dse.ldif after shutting down slapd
and revert back to non-SSL configs.
i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off
and then try to restart slapd.

3. How to fix Admin Server login issue due to mis-configuration of SSL?
If for any reason Admin Server login fails and you wish to give up,
simply stop slapd and admin-serv and restore using the tar backup
i.e. rm -f /var/Sun/mps/alias/*.db;tar -xvf /var/tmp/ds_backup.tar

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Jason Russler
Sent: Thursday, April 20, 2006 4:15 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] SSL directory server gateway

Hi all,
I'm pretty uncertain about the best way to go about configuring the admin server to use SSL (FDS 1.0.2). All of the docs I'm finding are pretty shaky. Ultimately, I want users to manage their passwords and info via the web-based Directory Server Gateway over SSL. This would appear to be the same thing as enabling SSL for the admin server.

The setupssl.sh script provided by the SSL howto generates the keys/certs for the admin server and imports them into the appropriate cert db (I guess; I've performed the process by hand as well, based on RedHat's docs and the script itself). This would imply to me that the admin console would find the generated certs and present them in the admin server's console (under the Configuration -> Encryption tab) in much the same way that it does in the directory server's console. I can't tell if something that's supposed to work isn't or if I'm misunderstanding something. I'd like to know before I try to generate new SSL certificates and import them.

Thanks much,
Jason

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
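As an added example (not code from the original post or from the Directory Server project), the following Python script does offline what IMPORTANT NOTE 1 above leaves to eyeballing dse.ldif: it parses the cn=config, cn=encryption and cn=RSA entries as the script's three ldapmodify calls leave them, reports any setting LDAPS needs that is missing, warns when nsslapd-ssl-check-hostname has been switched off, and expands the nsSSL3Ciphers list to show which of the enabled ciphers are weak (NULL, 40-bit/export, RC2/RC4, single DES, MD5, Fortezza) together with a hardened list that disables them explicitly. The sample dse.ldif fragment is constructed from the script's own LDIF; the "ldap1" hostname in the DB file names and the weak/strong classification are this example's assumptions, not anything the post states.

```python
"""Offline check of the SSL entries in a Directory Server dse.ldif.

Added example, not part of the original post or of the Directory Server
project. It answers what IMPORTANT NOTE 1 leaves to eyeballing: are all
settings LDAPS needs present, and what does nsSSL3Ciphers really enable.
The weak/strong split is this example's own judgement, read off the
algorithm and key size in each cipher name.
"""

# Constructed sample: cn=config, cn=encryption and cn=RSA as the script's
# ldapmodify calls leave them (cipher list verbatim, LDIF-folded; host "ldap1" assumed).
SAMPLE_DSE = """\
dn: cn=config
nsslapd-security: on
nsslapd-ssl-check-hostname: off

dn: cn=encryption,cn=config
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha
nsKeyfile: alias/slapd-ldap1-key3.db
nsCertfile: alias/slapd-ldap1-cert8.db

dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
"""

# (dn, attribute, value) that must all hold before slapd listens on LDAPS.
REQUIRED = (
    ("cn=config", "nsslapd-security", "on"),
    ("cn=encryption,cn=config", "nsssl3", "on"),
    ("cn=rsa,cn=encryption,cn=config", "nssslactivation", "on"),
    ("cn=rsa,cn=encryption,cn=config", "nssslpersonalityssl", "server-cert"),
)
# Name fragments that mark a cipher weak: NULL encryption, 40-bit/export grades,
# RC2/RC4, single DES, MD5 MACs, Fortezza (Skipjack).
WEAK_MARKERS = ("null", "_40_", "export", "rc2", "rc4", "_des_", "md5", "fortezza")


def parse_ldif(text):
    """Plain LDIF (no base64, no changetype) -> {dn: {attr: [values]}}, keys lower-cased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # RFC 2849 folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                   # blank line ends the entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def missing_ssl_settings(entries):
    """REQUIRED triples that are absent or hold another value (case-insensitive)."""
    return [(dn, attr, want) for dn, attr, want in REQUIRED
            if want not in [v.lower() for v in entries.get(dn, {}).get(attr, [])]]


def enabled_ciphers(spec):
    """Apply a +name/-name list left to right; the "all" keyword is not modelled."""
    enabled = set()
    for token in spec.split(","):
        token = token.strip().lower()
        if not token:
            continue
        if token[0] not in "+-" or len(token) < 2:
            raise ValueError("bad cipher token %r" % token)
        (enabled.add if token[0] == "+" else enabled.discard)(token[1:])
    return enabled


def weak_enabled_ciphers(spec):
    """Sorted enabled ciphers whose name matches a WEAK_MARKERS fragment."""
    return sorted(c for c in enabled_ciphers(spec) if any(m in c for m in WEAK_MARKERS))


def hardened_spec(spec):
    """Same cipher list with every weak name turned into an explicit -name."""
    enabled, weak = enabled_ciphers(spec), set(weak_enabled_ciphers(spec))
    return ",".join(["-" + c for c in sorted(weak)] + ["+" + c for c in sorted(enabled - weak)])


def check_dse(text):
    """Run every check over one dse.ldif text and return the findings."""
    entries = parse_ldif(text)
    spec = entries.get("cn=encryption,cn=config", {}).get("nsssl3ciphers", [""])[0]
    warnings = []
    if entries.get("cn=config", {}).get("nsslapd-ssl-check-hostname") == ["off"]:
        warnings.append("nsslapd-ssl-check-hostname off: outbound SSL connections "
                        "(replication, chaining) will not verify the peer's hostname")
    return {"missing": missing_ssl_settings(entries), "weak_ciphers": weak_enabled_ciphers(spec),
            "hardened": hardened_spec(spec), "warnings": warnings}
```

On the sample, check_dse reports nothing missing but ten of the twelve enabled ciphers as weak; only rsa_3des_sha and rsa_fips_3des_sha survive in the hardened list. To run it against a real server, stop slapd first (the file is rewritten on shutdown) and pass the contents of $SERVER_ROOT/slapd-<instance>/config/dse.ldif to check_dse; the parser only handles the plain attribute: value form, which is all these three entries use.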
Richard Megginson
2006-Apr-20 14:12 UTC
Re: [Fedora-directory-users]: SSL directory server gateway, one-button SSL Certs (slapd + Admin Server) generation script
Tay, Gary wrote:
> I couldn't find setupssl.sh anywhere on the HowTo SSL link.
>
It's http://directory.fedora.redhat.com/wiki/Howto:SSL#Script under http://directory.fedora.redhat.com/wiki/Howto:SSL

When I get a chance, I'm going to merge some of the features from your script into that one.
> Anyway, I have written cr_ssl_certs.sh which works for both FDS and
> SUN-ONE DS, and this script will create also the Admin Server SSL Cert
> (the same as slapd), once you have used Admin Console to enable SSL for
> Admin Server at "Encryption" TAB, you would see a few .conf files
> including console.conf get updated at $SERVER_ROOT/admin-serv/config,
> the rest is history.
>
> Note that it is not a MUST to create different CA Certs for different
> FDS Servers, they are so for testing purposes only, for production
> usage, you would most likely purchase signed SSL Server Certs for your
> different FDS Servers
>
Or purchase a CA product and assign your own.
> HTH.
>
> Gary