Edward Capriolo
2008-Jun-20 19:40 UTC
[Fedora-directory-users] Trying to follow the howto ssl from wiki
I was attempting to follow http://directory.fedoraproject.org/wiki/Howto:SSL
I first ran the script http://directory.fedoraproject.org/download/setupssl2.sh.
After it completed, fds would not start. I rein
I eventually ended up reading the script and running every operation
step by step. That was quite an ordeal. All the steps ran, however, with no
errors.
[root@ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
Starting dirsrv:
ldapslave1...Warning: Incorrect PIN may result in disabling the token
Enter PIN for Internal (Software) Token:
I replaced the data inside pin.txt with :
Internal (Software) Token:dirserv_cert_password
But I am still getting the same message. Is this just a bogus message?
Could the problem be elsewhere?
Thanks in advance.
(ps -ef ; w) | sha1sum > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
(w ; ps -ef ; date ) | sha1sum | awk ''{print $1}'' > /etc/dirsrv/slapd-ldapslave1/noise.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/noise.txt
certutil -N -P new- -d /etc/dirsrv/slapd-ldapslave1 -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/key3.db
chown fds:fds /etc/dirsrv/slapd-ldapslave1/cert8.db
chmod 600 /etc/dirsrv/slapd-ldapslave1/key3.db
chmod 600 /etc/dirsrv/slapd-ldapslave1/cert8.db
certutil -G -P new- -d /etc/dirsrv/slapd-ldapslave1 -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -S -P new- /etc/dirsrv/slapd-ldapslave1/ -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d /etc/dirsrv/slapd-ldapslave1 -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -L -P new- -d /etc/dirsrv/slapd-ldapslave1 -n "CA certificate" -a > /etc/dirsrv/slapd-ldapslave1/cacert.asc
pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o /etc/dirsrv/slapd-ldapslave1/cacert.p12 -n "CA certificate" -w /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -S -P new- -n "Server-Cert" -s "cn=ldapslave1.ops.ec.com,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d /etc/dirsrv/slapd-ldapslave1/ -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt

certutil -S -P new- -n "server-cert" -s "cn=ldapslave1.ops.ec.com,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d /etc/dirsrv/slapd-ldapslave1/ -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt

pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -n server-cert -w /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k /etc/dirsrv/slapd-ldapslave1/pwdfile.txt

chown fds:fds /etc/dirsrv/slapd-ldapslave1/adminserver.p12
chmod 400 /etc/dirsrv/slapd-ldapslave1/adminserver.p12

cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > /etc/dirsrv/slapd-ldapslave1/pin.txt

chmod 400 /etc/dirsrv/slapd-ldapslave1/pin.txt

mv /etc/dirsrv/slapd-ldapslave1/cert8.db /etc/dirsrv/slapd-ldapslave1/orig-cert8.db
mv /etc/dirsrv/slapd-ldapslave1/key3.db /etc/dirsrv/slapd-ldapslave1/orig-key3.db

certutil -N -d /etc/dirsrv/slapd-ldapslave1 -P admin-serv- -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt

chown fds:fds /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db
[root@ldapslave1 tmp]# chmod 600 /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db

pk12util -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n server-cert -i /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -w /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k /etc/dirsrv/slapd-ldapslave1/pwdfile.txt

certutil -A -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/slapd-ldapslave1/cacert.asc

cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > /etc/dirsrv/slapd-ldapslave1/password.conf

chmod 400 /etc/dirsrv/slapd-ldapslave1/password.conf
chown fds:fds /etc/dirsrv/slapd-ldapslave1/password.conf

sed -e "s@^NSSPassPhrasDialog .*@NSSPassPhraseDialog file:/etc/dirsrv/slapd-ldapslave1/password/conf

mv /etc/dirsrv/slapd-ldapslave1/new-key3.db /etc/dirsrv/slapd-ldapslave1/key3.db
mv /etc/dirsrv/slapd-ldapslave1/new-cert8.db /etc/dirsrv/slapd-ldapslave1/cert8.db

ldapmodify -x -h localhost -p 389 -D "cn=directory manager" -W <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_sha

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

EOF
[root@ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
Starting dirsrv:
ldapslave1...Warning: Incorrect PIN may result in disabling the token
Enter PIN for Internal (Software) Token:
Any hints thanks!
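One check worth running before restarting the server, written here as an added example (not code from the original post or from the setupssl2.sh script): compare the password recorded in pin.txt with the password file that certutil -N was given when the key database was created. It assumes pin.txt lines take the form "<token name>:<password>", that the software key database token is "Internal (Software) Token", and that certutil -f reads the first line of the password file verbatim with only the trailing newline stripped; the sample files are constructed, not real credentials.

```shell
#!/bin/sh
# Added example: consistency check between a Directory Server pin.txt and the
# password file the NSS key database was initialised with.
# Assumed pin.txt format: "<token name>:<password>" (one token per line).
# Assumed certutil -f behaviour: first line of the file, newline stripped.
TOKEN='Internal (Software) Token'

# Print the password recorded in pin.txt for the given token name (empty if absent).
pin_password() {  # $1 = pin.txt, $2 = token name
    grep "^$2:" "$1" 2>/dev/null | head -n 1 | sed "s/^$2://"
}

# Print the password certutil -f would have read from the password file.
# With sha1sum output this is "<40 hex digits>  -", trailing "  -" included.
pwdfile_password() {  # $1 = pwdfile.txt
    head -n 1 "$1" | tr -d '\r\n'
}

# 0 = pin.txt matches the key database password, 1 = no line for the token,
# 2 = the token line exists but carries a different password.
check_pin_against_pwdfile() {  # $1 = pin.txt, $2 = pwdfile.txt, $3 = token name
    pin=$(pin_password "$1" "$3")
    [ -n "$pin" ] || return 1
    [ "$pin" = "$(pwdfile_password "$2")" ] || return 2
    return 0
}

# Constructed sample files mirroring the post: the password file holds
# sha1sum-style output, and three candidate pin.txt contents are compared.
DEMO_DIR=$(mktemp -d)
printf '%s  -\n' 'da39a3ee5e6b4b0d3255bfef95601890afd80709' > "$DEMO_DIR/pwdfile.txt"
# hand-edited pin.txt with a password the key database never had
printf '%s:dirserv_cert_password\n' "$TOKEN" > "$DEMO_DIR/pin-edited.txt"
# pin.txt carrying exactly the password certutil -N was given
printf '%s:%s\n' "$TOKEN" "$(pwdfile_password "$DEMO_DIR/pwdfile.txt")" > "$DEMO_DIR/pin-consistent.txt"
# what "cat pwdfile.txt > pin.txt" produces: no token name at all
cp "$DEMO_DIR/pwdfile.txt" "$DEMO_DIR/pin-noprefix.txt"

for f in pin-edited pin-consistent pin-noprefix; do
    check_pin_against_pwdfile "$DEMO_DIR/$f.txt" "$DEMO_DIR/pwdfile.txt" "$TOKEN"
    echo "$f.txt: status $? (0 = consistent, 1 = no token line, 2 = password differs)"
done
```

Ownership matters as much as content: in the transcript above pin.txt is made mode 400 but, unlike pwdfile.txt and password.conf, never chowned to fds, and a root-owned copy is unreadable by the server user, which leaves the server with no PIN and falls back to prompting.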
Edward Capriolo
2008-Jun-23 16:48 UTC
[Fedora-directory-users] Re: Trying to follow the howto ssl from wiki
Can anyone else point me to any how-to on this? This process seems to be destructive. If anything goes wrong, fds will not start, making it very hard to roll back the changes to the database. I end up just removing the entire installation and starting over. My fallback plan is to use stunnel or some other proxy.

On Fri, Jun 20, 2008 at 3:40 PM, Edward Capriolo <edlinuxguru@gmail.com> wrote:
> I was attempting to follow http://directory.fedoraproject.org/wiki/Howto:SSL
> I first ran the script http://directory.fedoraproject.org/download/setupssl2.sh.
> After it completed, fds would not start. I rein
> I eventually ended up reading the script and running every operation
> step by step. That was quite an ordeal. All the steps ran, however, with no
> errors.
>
> [root@ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
> Starting dirsrv:
> ldapslave1...Warning: Incorrect PIN may result in disabling the token
> Enter PIN for Internal (Software) Token:
>
> I replaced the data inside pin.txt with :
>
> Internal (Software) Token:dirserv_cert_password
>
> But I am still getting the same message. Is this just a bogus message?
> Could the problem be elsewhere?
>
> Thanks in advance.