Bliss, Aaron
2006-Jan-14 03:25 UTC
[Fedora-directory-users] some questions on using ssl with fds
These are some basic questions that I'm sure you guys will know how to answer straight away. Please forgive my ignorance, as I'm still trying to understand how ssl works and how to get it to work in fds both for my directory servers and clients.

First some background information. I have 2 directory servers and several client servers. My goal is to get the directory servers to replicate using an encrypted link (they are currently replicating great using the standard ldap port). My second goal is to have the client servers authenticate to the directory servers using ssl. I currently do not have a CA in my organization, and would like to use self signed keys to achieve the goals listed above.

I'm trying to understand how this is supposed to work; I took a look at the howto www.redhat.com/docs/manuals/dir-sever/ag/7.1/ssl.html#1087158 and have just a few questions. Correct me if I'm wrong, but the way this will work is that I will first create a CA cert on directory server A (step 6), generate a server certificate (step 7). Next step will be to export the CA cert and import it into directory server B.

1. When creating the server cert at step 6, what are the appropriate values for the -n and -s switches, assuming that my company is named company.org?
2. When creating the server certificate at step 7, what are the appropriate values with the -n, -s and -c switches?
3. What are the switches to use to export the CA certificate using certutil, as well as the appropriate switches to import this certificate on another server?
4. Is it true that after importing the CA cert into directory server B and generating a server certificate on this server, the 2 directory servers will inherently trust each other as their server certificates were generated from the same CA certificate? If so, I believe that I will then be able to create a replication link between the 2 directory servers over an ssl link?
5. How do I configure the client servers to use ldaps? Do I need to generate server certificates for each box? If so, where are these certificates stored on the client servers?

Thanks very much for your help with this.

Aaron
www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
I got this from the manual:

Note
Replication configured over SSL with certificate-based authentication will fail in the following cases:
* If the supplier's certificate is a self-signed certificate.
_________

Is that still the case for FDS? Is there any way to get it working using self-signed certs?

If not, I'm thinking of using stunnel between both masters, then.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Richard Megginson
2006-Jan-14 20:12 UTC
Re: [Fedora-directory-users] multi master replication over SSL
Susan wrote:
> I got this from the manual:
>
> Note
> Replication configured over SSL with certificate-based authentication will fail in the following cases:
>
> * If the supplier's certificate is a self-signed certificate.
> _________
>
> Is that still the case for FDS? Is there any way to get it working using self-signed certs?

If the consumer can verify and validate the supplier's cert, as in certificate based auth, then it should work. Otherwise, you can just use regular SSL replication with password auth.

> If not, I'm thinking of using stunnel between both masters, then.

Will that allow you to do certificate based auth, or just SSL encryption of the channel with password based auth? If so, then it's the same as regular replication with SSL and passwords without certificate based auth.

> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Susan
2006-Jan-14 21:22 UTC
Re: [Fedora-directory-users] multi master replication over SSL
--- Richard Megginson <rmeggins@redhat.com> wrote:
> If the consumer can verify and validate the supplier's cert, as in certificate based auth, then it should work. Otherwise, you can just use regular SSL replication with password auth.

OK, I understand. I don't care about cert-based SSL, so I'll go with the simple auth then.

I'm not sure who wrote the mmr.pl script (http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication) but I must say thank you, author, the script works trouble free, as advertised. However, I don't see anything in there about replication over SSL. And it doesn't look like I can convert it to SSL, once the replication is established using mmr.pl, is that correct?

> Will that allow you to do certificate based auth, or just SSL encryption of the channel with password based auth? If so, then it's the same as regular replication with SSL and passwords without certificate based au

no, you're right, it's the same thing, so no point in using stunnel then. Nevermind.
Richard Megginson
2006-Jan-14 21:28 UTC
Re: [Fedora-directory-users] multi master replication over SSL
Susan wrote:
> --- Richard Megginson <rmeggins@redhat.com> wrote:
>> If the consumer can verify and validate the supplier's cert, as in certificate based auth, then it should work. Otherwise, you can just use regular SSL replication with password auth.
>
> OK, I understand. I don't care about cert-based SSL, so I'll go with the simple auth then.
>
> I'm not sure who wrote the mmr.pl script (http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication) but I must say thank you, author, the script works trouble free, as advertised. However, I don't see anything in there about replication over SSL. And it doesn't look like I can convert it to SSL, once the replication is established using mmr.pl, is that correct?

No, I think you can. You just need to edit the replication agreement to use ssl and connect to the ssl port.

>> Will that allow you to do certificate based auth, or just SSL encryption of the channel with password based auth? If so, then it's the same as regular replication with SSL and passwords without certificate based au
>
> no, you're right, it's the same thing, so no point in using stunnel then. Nevermind.
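Richard's advice above (edit the existing agreement to use SSL and point it at the SSL port, keeping password-based bind) as an added worked example. This is not code from the thread, from mmr.pl, or from the Fedora Directory Server project; it uses the standard nsDS5ReplicationAgreement attributes (nsDS5ReplicaPort, nsDS5ReplicaTransportInfo, nsDS5ReplicaBindMethod) and the stock certutil and OpenLDAP ldapmodify commands. The agreement DN, hostnames, port and file names below are constructed placeholders, and the certificate database path and "CA certificate" nickname are assumptions you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread, not Fedora DS project code): switch an
# existing replication agreement from plain LDAP to SSL with simple (password)
# bind. Attribute names are the standard nsDS5ReplicationAgreement attributes;
# DN, host, port and file names are constructed placeholders for this example.

# Emit the LDIF that converts one agreement: point it at the consumer's LDAPS
# port and tell the supplier to use SSL on that connection, keeping SIMPLE
# (password) bind rather than certificate-based client auth.
# $1 = DN of the existing agreement, $2 = consumer LDAPS port (default 636)
ssl_agreement_ldif() {
  agreement_dn="$1"
  ssl_port="${2:-636}"
  cat <<EOF
dn: ${agreement_dn}
changetype: modify
replace: nsDS5ReplicaPort
nsDS5ReplicaPort: ${ssl_port}
-
replace: nsDS5ReplicaTransportInfo
nsDS5ReplicaTransportInfo: SSL
-
replace: nsDS5ReplicaBindMethod
nsDS5ReplicaBindMethod: SIMPLE
EOF
}

# The supplier validates the consumer's server certificate when it opens the
# SSL connection, so the CA that issued the consumer's cert must be trusted in
# the supplier's certificate database first (this is the export/import step
# Aaron describes). "CT,," marks the cert as a trusted CA for SSL server and
# client certs. $1 = supplier cert DB directory (assumed: the instance's
# alias/ directory), $2 = ASCII (PEM) CA certificate file exported from the CA.
trust_consumer_ca() {
  certutil -d "$1" -A -n "CA certificate" -t "CT,," -a -i "$2"
}

# Apply the change on the supplier; the agreement entry lives under cn=config,
# so bind as Directory Manager. $1 = agreement DN, $2 = consumer LDAPS port,
# $3 = supplier LDAP URL (e.g. ldap://serverA.company.org:389)
apply_ssl_agreement() {
  ssl_agreement_ldif "$1" "$2" | ldapmodify -x -H "$3" -D "cn=Directory Manager" -W
}

# Stand-alone run: print the LDIF for a constructed agreement DN so it can be
# reviewed before it is applied. Usage to apply it would be:
#   trust_consumer_ca /opt/fedora-ds/alias cacert.asc
#   apply_ssl_agreement "$EXAMPLE_DN" 636 ldap://serverA.company.org:389
EXAMPLE_DN='cn=to-serverB,cn=replica,cn="dc=company,dc=org",cn=mapping tree,cn=config'
ssl_agreement_ldif "$EXAMPLE_DN" 636
```

After the modify, the supplier opens its next replication session to the consumer's LDAPS port; if the consumer's certificate chain is not trusted in the supplier's database the session fails at the SSL handshake, which is the first thing to check in the supplier's error log.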