Brian Rudy
2006-Jan-20 19:24 UTC
[Fedora-directory-users] FDS console on Windows with SSL and self-signed certificates
Hi Folks,

I have set up Fedora Management Console on one of my Windows boxes per the directions in the Howto:WindowsConsole Wiki, but have an issue connecting to the Directory Server using SSL. From the Windows box FMC, the Directory Server is listed in the Server Group, with Server status: Stopped. In the slapd logs I see the following:

[20/Jan/2006:11:09:36 -0800] conn=4768 fd=68 slot=68 SSL connection from 192.168.128.65 to 192.168.128.4
[20/Jan/2006:11:09:36 -0800] conn=4768 op=-1 fd=68 closed - SSL peer cannot verify your certificate.

Since I am using a self-signed certificate on the directory server, which would require installation on the client, this all appears to make sense. Now for the question: How does one install certificates on the client when using JSS/NSPR/NSS as shown in the Wiki? It looks like you would need to create your own cert7.db and key3.db with certutil, and import the Server-Cert, but I'm a bit confused as to where the .db files should be located, and what they should be named.

Has anyone done this who wouldn't mind sharing?
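The two slapd log lines quoted in this post share a conn= number, and only the first one carries the client address. As an added example (not part of the original thread), the Python below pairs them to list which clients are aborting the handshake because they do not trust the server certificate; the function name and the extra sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the slapd access-log format quoted in the post.
SAMPLE_LOG = """\
[20/Jan/2006:11:09:36 -0800] conn=4768 fd=68 slot=68 SSL connection from 192.168.128.65 to 192.168.128.4
[20/Jan/2006:11:09:36 -0800] conn=4768 op=-1 fd=68 closed - SSL peer cannot verify your certificate.
[20/Jan/2006:11:10:02 -0800] conn=4769 fd=69 slot=69 SSL connection from 192.168.128.70 to 192.168.128.4
[20/Jan/2006:11:10:02 -0800] conn=4769 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[20/Jan/2006:11:10:41 -0800] conn=4770 fd=70 slot=70 SSL connection from 192.168.128.65 to 192.168.128.4
[20/Jan/2006:11:10:41 -0800] conn=4770 op=-1 fd=70 closed - SSL peer cannot verify your certificate.
[20/Jan/2006:11:11:05 -0800] conn=4771 op=-1 fd=71 closed - SSL peer cannot verify your certificate.
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPEN = re.compile(r"SSL connection from (?P<src>\S+) to (?P<dst>\S+)")
REJECT = "SSL peer cannot verify your certificate"


def untrusted_cert_clients(log_text):
    """Map client address -> timestamps of handshakes the client aborted
    because it could not verify the server certificate."""
    peers = {}                      # conn id -> client address
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                # wrapped or unrelated line
        conn, rest = m["conn"], m["rest"]
        opened = OPEN.search(rest)
        if opened:
            peers[conn] = opened["src"]
        elif "closed" in rest and REJECT in rest:
            # The close line has no address; recover it from the open line.
            # "unknown" covers an open line lost to log rotation.
            failures[peers.pop(conn, "unknown")].append(m["ts"])
    return dict(failures)


if __name__ == "__main__":
    for client, stamps in untrusted_cert_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(stamps)} rejected handshake(s), last at {stamps[-1]}")
```

A client that keeps appearing here is one whose certificate database still lacks the server's certificate.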
George Holbert
2006-Jan-20 19:34 UTC
Re: [Fedora-directory-users] FDS console on Windows with SSL and self-signed certificates
Hi Brian,

When running the console on Unix, these files are created under $HOME/.mcc.

ls -l ~/.mcc
total 178
-rw-r--r-- 1 root other 226 Jan 12 14:27 Console.4.0.Login.preferences
-rw------- 1 root other 65536 Aug 16 18:32 cert8.db
-rw------- 1 root other 32768 Aug 16 18:32 key3.db
-rw------- 1 root other 32768 Aug 16 18:32 secmod.db

I'm not sure where this stuff would be created on Windows, but might be under C:\Documents and Settings\<username>\.mcc ? Just a guess.

-- George

Brian Rudy wrote:
> Hi Folks,
>
> I have set up Fedora Management Console on one of my Windows boxes per
> the directions in the Howto:WindowsConsole Wiki, but have an issue
> connecting to the Directory Server using SSL. From the Windows box
> FMC, the Directory Server is listed in the Server Group, with Server
> status: Stopped. In the slapd logs I see the following:
>
> [20/Jan/2006:11:09:36 -0800] conn=4768 fd=68 slot=68 SSL connection
> from 192.168.128.65 to 192.168.128.4
> [20/Jan/2006:11:09:36 -0800] conn=4768 op=-1 fd=68 closed - SSL peer
> cannot verify your certificate.
>
> Since I am using a self-signed certificate on the directory server,
> which would require installation on the client, this all appears to
> make sense. Now for the question: How does one install certificates on
> the client when using JSS/NSPR/NSS as shown in the Wiki? It looks like
> you would need to create your own cert7.db and key3.db with certutil,
> and import the Server-Cert, but I'm a bit confused as to where the .db
> files should be located, and what they should be named.
>
> Has anyone done this who wouldn't mind sharing?
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Brian Rudy
2006-Jan-20 22:08 UTC
Re: [Fedora-directory-users] FDS console on Windows with SSL and self-signed certificates
Thanks George,

This is indeed the location of cert7.db and key3.db. I was able to get it working by importing the self-signed certificate with pk12util.
(ex. pk12util -i servercert.pfx -d C:\Documents and Settings\<username>\.mcc)

This might be sufficiently useful for inclusion in the Wiki.

George Holbert wrote:
> Hi Brian,
> When running the console on Unix, these files are created under
> $HOME/.mcc.
>
> ls -l ~/.mcc
> total 178
> -rw-r--r-- 1 root other 226 Jan 12 14:27 Console.4.0.Login.preferences
> -rw------- 1 root other 65536 Aug 16 18:32 cert8.db
> -rw------- 1 root other 32768 Aug 16 18:32 key3.db
> -rw------- 1 root other 32768 Aug 16 18:32 secmod.db
>
> I'm not sure where this stuff would be created on Windows, but might
> be under C:\Documents and Settings\<username>\.mcc ? Just a guess.
>
> -- George
>
>
> Brian Rudy wrote:
>> <snip>
>> Since I am using a self-signed certificate on the directory server,
>> which would require installation on the client, this all appears to
>> make sense. Now for the question: How does one install certificates
>> on the client when using JSS/NSPR/NSS as shown in the Wiki? It looks
>> like you would need to create your own cert7.db and key3.db with
>> certutil, and import the Server-Cert, but I'm a bit confused as to
>> where the .db files should be located, and what they should be named.
>>
>> Has anyone done this who wouldn't mind sharing?
Richard Megginson
2006-Jan-27 19:01 UTC
Re: [Fedora-directory-users] FDS console on Windows with SSL and self-signed certificates
Brian Rudy wrote:
> Thanks George,
>
> This is indeed the location of cert7.db and key3.db. I was able to get
> it working by importing the self-signed certificate with pk12util.
> (ex. pk12util -i servercert.pfx -d C:\Documents and
> Settings\<username>\.mcc)
>
> This might be sufficiently useful for inclusion in the Wiki.

Added to http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole#SSL

>
>
> George Holbert wrote:
>
>> Hi Brian,
>> When running the console on Unix, these files are created under
>> $HOME/.mcc.
>>
>> ls -l ~/.mcc
>> total 178
>> -rw-r--r-- 1 root other 226 Jan 12 14:27 Console.4.0.Login.preferences
>> -rw------- 1 root other 65536 Aug 16 18:32 cert8.db
>> -rw------- 1 root other 32768 Aug 16 18:32 key3.db
>> -rw------- 1 root other 32768 Aug 16 18:32 secmod.db
>>
>> I'm not sure where this stuff would be created on Windows, but might
>> be under C:\Documents and Settings\<username>\.mcc ? Just a guess.
>>
>> -- George
>>
>>
>> Brian Rudy wrote:
>>
>>> <snip>
>>> Since I am using a self-signed certificate on the directory server,
>>> which would require installation on the client, this all appears to
>>> make sense. Now for the question: How does one install certificates
>>> on the client when using JSS/NSPR/NSS as shown in the Wiki? It looks
>>> like you would need to create your own cert7.db and key3.db with
>>> certutil, and import the Server-Cert, but I'm a bit confused as to
>>> where the .db files should be located, and what they should be named.
>>>
>>> Has anyone done this who wouldn't mind sharing?
>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users