Michael Montgomery
2005-Dec-20 17:31 UTC
[Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)
I have successfully gotten solaris 9 (patched with recommended patches)
to work without using ssl/tls, but can't seem to get ssl/tls working.
I've read the following:
http://directory.fedora.redhat.com/wiki/Howto:SolarisClient
and this
http://forum.sun.com/thread.jspa?threadID=12811&tstart=30
And multiple other links to getting this working, but can't seem to get
it to initialize the database. Everything in my ldap directory appears
to be set up, being that redhat and freebsd with ssl work without issues,
and solaris 9 works without tls/ssl, so the issue, I assume, is with the
*.db files in /var/ldap.
bash-3.00# pwd
/var/ldap
bash-3.00# ls -l *.db
-r--r--r-- 1 root other 65536 Dec 20 11:07 cert8.db
-r--r--r-- 1 root other 16384 Dec 20 11:07 key3.db
-r--r--r-- 1 root other 32768 Dec 20 10:26 secmod.db
bash-3.00# id mmontgomery
Dec 20 11:15:47 solarisldap nscd[1774]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:15:47 solarisldap last message repeated 1 time
Dec 20 11:15:47 solarisldap nscd[1774]: libsldap: Status: 7 Mesg: Session error
no available conn.
id: invalid user name: "mmontgomery"
bash-3.00# ldapclient -v manual -a authenticationMethod=tls:simple \
    -a credentialLevel=proxy \
    -a defaultSearchBase="dc=*****,dc=*********,dc=***" \
    -a domainName=********** \
    -a followReferrals=false \
    -a preferredServerList=10.5.1.18 \
    -a serviceAuthenticationMethod=pam_ldap:tls:simple \
    -a proxyPassword=******* \
    -a proxyDn=cn=proxyagent,ou=profile,dc=******,dc=*****,dc=****
Everything works fine up until this point:
start: /usr/lib/ldap/ldap_cachemgr... success
Dec 20 11:13:21 solarisldap automount[1770]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:13:21 solarisldap last message repeated 1 time
Dec 20 11:13:21 solarisldap automount[1770]: libsldap: Status: 7 Mesg: Session
error no available conn.
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
Dec 20 11:13:21 solarisldap sendmail[1777]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:13:21 solarisldap last message repeated 1 time
Dec 20 11:13:21 solarisldap sendmail[1777]: libsldap: Status: 7 Mesg: Session
error no available conn.
Dec 20 11:13:21 solarisldap sendmail[1777]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:13:21 solarisldap last message repeated 1 time
Dec 20 11:13:21 solarisldap sendmail[1777]: libsldap: Status: 7 Mesg: Session
error no available conn.
Dec 20 11:13:21 solarisldap sendmail[1777]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:13:21 solarisldap last message repeated 1 time
Dec 20 11:13:21 solarisldap sendmail[1777]: libsldap: Status: 7 Mesg: Session
error no available conn.
Dec 20 11:13:21 solarisldap sendmail[1777]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:13:21 solarisldap last message repeated 1 time
Dec 20 11:13:21 solarisldap sendmail[1777]: libsldap: Status: 7 Mesg: Session
error no available conn.
Dec 20 11:13:21 solarisldap sendmail[1778]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:13:21 solarisldap last message repeated 1 time
Dec 20 11:13:21 solarisldap sendmail[1778]: libsldap: Status: 7 Mesg: Session
error no available conn.
Dec 20 11:13:21 solarisldap sendmail[1778]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:13:21 solarisldap last message repeated 1 time
Dec 20 11:13:21 solarisldap sendmail[1778]: libsldap: Status: 7 Mesg: Session
error no available conn.
Dec 20 11:13:22 solarisldap sendmail[1777]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:13:22 solarisldap last message repeated 1 time
Dec 20 11:13:22 solarisldap sendmail[1777]: libsldap: Status: 7 Mesg: Session
error no available conn.
Dec 20 11:13:22 solarisldap sendmail[1778]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:13:22 solarisldap last message repeated 1 time
Dec 20 11:13:22 solarisldap sendmail[1778]: libsldap: Status: 7 Mesg: Session
error no available conn.
Dec 20 11:13:22 solarisldap sendmail[1778]: libsldap: Status: 91 Mesg:
openConnection: failed to initialize TLS security (security library: bad
database.)
Dec 20 11:13:22 solarisldap last message repeated 1 time
Dec 20 11:13:22 solarisldap sendmail[1778]: libsldap: Status: 7 Mesg: Session
error no available conn.
start: /etc/init.d/sendmail start... success
System successfully configured
I've used a netscape browser to get my Cert from the FDS, and scp'd the
key3.db and cert8.db files to the solaris client. From what I can
tell, it can read these files:
bash-3.00# /usr/local/bin/certutil -L -d .
server-cert P,,
bash-3.00# /usr/local/bin/certutil -L -d . -n "server-cert"
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1001 (0x3e9)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: CN=CAcert
Validity:
Not Before: Mon Dec 19 20:33:04 2005
Not After: Sat Mar 19 20:33:04 2016
Subject: CN=server-cert
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
b7:07:1a:32:33:38:c9:22:53:30:13:07:15:a6:2e:74:
b3:c8:26:bd:84:1f:97:57:b6:3d:56:13:5c:90:a2:56:
ff:52:ce:4c:d3:54:c5:7a:ab:94:2e:fc:17:7c:18:69:
d1:df:e4:88:68:c6:aa:c2:14:21:a7:27:c7:4b:45:19:
89:c3:9f:8f:2b:22:69:b6:9e:3b:0b:84:b4:78:66:d7:
84:f5:17:f0:12:bc:56:d4:20:34:86:49:02:2a:9f:22:
9c:c2:3b:c2:48:5c:c1:df:7d:22:19:8f:3d:9b:c2:83:
1b:0f:f1:92:be:70:d2:95:15:cf:f0:0c:3e:74:78:4b
Exponent: 65537 (0x10001)
Fingerprint (MD5):
D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
Fingerprint (SHA1):
DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
2c:5c:60:05:f0:97:30:9c:57:a3:87:69:75:26:71:b2:
e7:7d:c8:eb:36:35:bd:e6:9f:db:4d:0f:23:75:e0:bc:
76:4d:aa:ae:7f:9c:ac:e4:c0:35:7d:5f:22:4e:52:40:
fb:3f:bf:a8:8d:50:b3:00:9b:73:bf:2b:54:84:14:8a:
c1:00:52:95:e6:47:98:78:5d:cb:ff:76:50:cc:94:09:
53:13:b9:11:4e:eb:c8:1a:88:dd:42:76:dd:6c:32:7d:
1a:17:c1:a2:fd:03:e2:47:12:84:c3:72:da:b1:05:61:
3b:d6:26:99:1d:e6:b9:48:7a:ca:96:98:22:ce:bc:70
Certificate Trust Flags:
SSL Flags:
Valid Peer
Trusted
Email Flags:
Object Signing Flags:
Anybody have any ideas what I may be missing here?
Thanks again.
Jamie McKnight
2005-Dec-20 17:40 UTC
Re: [Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)
On Tue, 2005-12-20 at 11:31 -0600, Michael Montgomery wrote:
> And multiple other links to getting this working, but can't seem to get
> it to initialize the database. Everything in my ldap directory appears
> to be set up, being that redhat and freebsd with ssl work without issues,
> and solaris 9 works without tls/ssl, so the issue, I assume, is with the
> *.db files in /var/ldap.
>
> bash-3.00# pwd
> /var/ldap
> bash-3.00# ls -l *.db
> -r--r--r-- 1 root other 65536 Dec 20 11:07 cert8.db
> -r--r--r-- 1 root other 16384 Dec 20 11:07 key3.db
> -r--r--r-- 1 root other 32768 Dec 20 10:26 secmod.db

Solaris 8 and Solaris 9 look for cert7.db, not cert8.db.

http://docs.sun.com/app/docs/doc/817-4843/6mkbebdd2?a=view#clientsetup-57

Jamie
George Holbert
2005-Dec-20 18:03 UTC
Re: [Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)
> Solaris 8 and Solaris 9 look for cert7.db, not cert8.db.

Furthermore, some versions of certutil will generate a certificate DB called cert7.db, but Solaris still won't like it.

I've found that certutil as bundled in the Sun DSRK works well for generating Solaris client cert DBs:
http://www.sun.com/download/products.xml?id=3f74a0db

NSS 3.3.2 should also work:
http://www.mozilla.org/projects/security/pki/nss/release_notes_332.html
Michael Montgomery
2005-Dec-20 18:06 UTC
Re: [Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)
Thanks for the info... but

I don't have netscape installed on this solaris server, so I can't use it to create the db. I found a certutil package that seems to create old db files here:

http://www.gurulabs.com/goodies/downloads.php

I guess I could install a really old version of netscape on my desktop machine, and use it, but is there an easier way to go about this, as trying to import the server cert gives this:

bash-3.00# /usr/local/bin/certutil -A -n "CA certificate" -i /root/cert.crt -t "CTu,u,u"
certutil: could not obtain certificate from file: Failure to load dynamic library.

Thanks again for any help you can offer.

On Tue, 2005-12-20 at 12:40 -0500, Jamie McKnight wrote:
> Solaris 8 and Solaris 9 look for cert7.db, not cert8.db.
>
> http://docs.sun.com/app/docs/doc/817-4843/6mkbebdd2?a=view#clientsetup-57
>
> Jamie

--
Michael Montgomery
Systems Administrator
http://theplanet.com
Michael Montgomery
2005-Dec-20 18:09 UTC
Re: [Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)
Thanks, I'll give these a shot...

On Tue, 2005-12-20 at 10:03 -0800, George Holbert wrote:
> > Solaris 8 and Solaris 9 look for cert7.db, not cert8.db.
>
> Furthermore, some versions of certutil will generate a certificate DB called
> cert7.db, but Solaris still won't like it.
>
> I've found that certutil as bundled in the Sun DSRK works well for
> generating Solaris client cert DBs:
> http://www.sun.com/download/products.xml?id=3f74a0db
>
> NSS 3.3.2 should also work:
> http://www.mozilla.org/projects/security/pki/nss/release_notes_332.html

--
Michael Montgomery
Systems Administrator
http://theplanet.com
Michael Montgomery
2005-Dec-20 18:14 UTC
Re: [Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)
I was installing old netscape-communicator when I posted last, and the db's it created got me further:

Dec 20 12:07:02 solarisldap nscd[2100]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'ldapserver': SSL connection denied
Dec 20 12:07:02 solarisldap nscd[2100]: libsldap: Status: 85 Mesg: openConnection: simple bind failed - Timed out
Dec 20 12:07:02 solarisldap nscd[2100]: libsldap: Status: 7 Mesg: Session error no available conn.

So at least I got here... I'll look around some more to try and disable this verifycertname crap, or re-create the cert correctly.

Thanks again.

On Tue, 2005-12-20 at 12:09 -0600, Michael Montgomery wrote:
> Thanks, I'll give these a shot...
Jamie McKnight
2005-Dec-20 18:27 UTC
Re: [Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)
On Tue, 2005-12-20 at 12:06 -0600, Michael Montgomery wrote:
> I don't have netscape installed on this solaris server, so I can't use
> it to create the db. I found a certutil package that seems to create
> old db files here:
>
> http://www.gurulabs.com/goodies/downloads.php
>
> I guess I could install a really old version of netscape on my desktop
> machine, and use it, but is there an easier way to go about this, as
> trying to import the server cert gives this:
>
> bash-3.00# /usr/local/bin/certutil -A -n "CA certificate" -i /root/cert.crt -t "CTu,u,u"
> certutil: could not obtain certificate from file: Failure to load dynamic library.

George Holbert's reply has some links you might try. I think that if you use the "Install Everything + OEM" aka SUNWCXall installation option for Solaris 9, you should also have the sunone directory server software installed. It might (can't remember for sure at the moment) have a certutil you can use. grep certutil /var/sadm/install/contents would tell you for sure.

I have also noticed that certutil is picky about where it runs, and needs a library in cwd when you run it in some instances (seen this with SunOne Directory Server 5.2 running under linux, look at the ~dsroot/alias dir as it has a .so lib there for certutil IIRC).

Good luck. If you have any issues once getting it in cert7.db format with your SSL connections just shout. At my day job, I currently have 300+ Solaris 8/Solaris 9 servers running in tls:simple mode.

> Thanks again for any help you can offer.

No problem. Sorry for being short on the first email (and thanks George for covering my lack of additional info), was short on time, and wanted to get the info about cert7.db out.

Jamie
Michael Montgomery
2005-Dec-20 18:35 UTC
Re: [Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)
Thanks everyone for all of your help. I just got it working, and the:

Dec 20 12:22:17 solarisldap nscd[2377]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'ldapserver': SSL connection denied

issue was simply an /etc/hosts problem. Once I looked closely at the CA and server cert, and didn't notice "ldapserver", I thought it must be nsswitch/hosts issues. I found the problem in /etc/hosts, corrected it, re-ran ldapclient, and hallelujah, it works:

# id mmontgomery
uid=1000(mmontgomery) gid=10000(UnixIS)

Thanks, once again, for all of your help in getting this working. Have a good day.

On Tue, 2005-12-20 at 13:27 -0500, Jamie McKnight wrote:
> Good luck. If you have any issues once getting it in cert7.db format
> with your SSL connections just shout. At my day job, I currently have
> 300+ Solaris 8/Solaris 9 servers running in tls:simple mode.

--
Michael Montgomery
Systems Administrator
http://theplanet.com
Jamie McKnight
2005-Dec-20 18:35 UTC
Re: [Fedora-directory-users] Solaris 9 ssl/tls setup. (security library: bad database.)
On Tue, 2005-12-20 at 12:14 -0600, Michael Montgomery wrote:
> I was installing old netscape-communicator when I posted last, and the db's it created got me further:
>
> Dec 20 12:07:02 solarisldap nscd[2100]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'ldapserver': SSL connection denied
> Dec 20 12:07:02 solarisldap nscd[2100]: libsldap: Status: 85 Mesg: openConnection: simple bind failed - Timed out
> Dec 20 12:07:02 solarisldap nscd[2100]: libsldap: Status: 7 Mesg: Session error no available conn.
>
> So at least I got here... I'll look around some more to try and disable this verifycertname crap, or re-create the cert correctly.
>
> Thanks again.

I almost mentioned this in my last reply 8-)

I have not seen a way to turn off the cert name verification. I fix this with a local entry on each Solaris client in /etc/hosts that lists the fqdn of the ldap server first (matches the cert name). If your internal dns has the correct name, make sure the hosts line in /etc/nsswitch.conf points to files and then dns (or whichever order you prefer). The key is to make sure the first name returned while looking up the ip addr of your ldap server matches the name on the cert.

Jamie
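The two client-side preconditions this thread converges on (George's and Jamie's point that Solaris 8/9 needs cert7.db rather than cert8.db, and Jamie's point that the first name returned for the server's IP must match the certificate name) can be checked before running ldapclient. The script below is an added example, not code from the thread or from Sun; the hosts entries, directories and the CN ldapserver.example.test are constructed, and only the IP 10.5.1.18 comes from the thread.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Solaris 8/9 LDAP client using TLS.
# All files below are constructed under a temp dir so the script runs offline.

# Print the first (canonical) hostname for an IP from an /etc/hosts-format file.
# Comments are stripped first; aliases after the first name are ignored, because
# that first name is what a files-first lookup hands to the TLS name check.
first_name_for_ip() {   # $1 = hosts file, $2 = IP address
    sed 's/#.*//' "$1" | awk -v ip="$2" 'NF >= 2 && $1 == ip { print $2; exit }'
}

# Return 0 when the canonical name for the IP equals the certificate CN,
# 1 otherwise (the case that produces CERT_VerifyCertName ... SSL connection denied).
check_cert_name() {     # $1 = hosts file, $2 = IP, $3 = certificate CN
    name=$(first_name_for_ip "$1" "$2")
    [ -n "$name" ] && [ "$name" = "$3" ]
}

# Return 0 when a cert7.db/key3.db pair is present in the directory (normally
# /var/ldap); 1 when only cert8.db is there, which libsldap reports as
# "security library: bad database".
check_cert_db() {       # $1 = cert DB directory
    [ -f "$1/cert7.db" ] && [ -f "$1/key3.db" ]
}

# --- constructed sample input (not real hosts or databases) -------------------
TMP=$(mktemp -d)
# Wrong order: short name first, the name on the cert only as an alias.
printf '10.5.1.18 ldapserver ldapserver.example.test  # constructed\n' > "$TMP/hosts.bad"
# Fixed order: the name that matches the cert CN comes first.
printf '# constructed\n10.5.1.18 ldapserver.example.test ldapserver\n' > "$TMP/hosts.good"
mkdir -p "$TMP/ldap8" "$TMP/ldap7"
: > "$TMP/ldap8/cert8.db"; : > "$TMP/ldap8/key3.db"   # what a modern certutil makes
: > "$TMP/ldap7/cert7.db"; : > "$TMP/ldap7/key3.db"   # what Solaris 8/9 expects

for d in ldap8 ldap7; do
    if check_cert_db "$TMP/$d"; then echo "$d: cert7.db present"; else echo "$d: no cert7.db (bad database)"; fi
done
for h in hosts.bad hosts.good; do
    if check_cert_name "$TMP/$h" 10.5.1.18 ldapserver.example.test; then
        echo "$h: first name matches cert CN"
    else
        echo "$h: first name '$(first_name_for_ip "$TMP/$h" 10.5.1.18)' does not match cert CN"
    fi
done
```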