[Fedora-directory-users]: SSL directory server gateway, one-button SSL Certs (slapd + Admin Server) generation script

Tay, Gary Gary_Tay at platts.com
Thu Apr 20 08:45:55 UTC 2006


I couldn't find setupssl.sh anywhere on the HowTo SSL link.

Anyway, I have written cr_ssl_certs.sh, which works for both FDS and
SUN-ONE DS, and this script will also create the Admin Server SSL Cert
(the same as slapd). Once you have used Admin Console to enable SSL for
Admin Server at the "Encryption" tab, you would see a few .conf files
including console.conf get updated at $SERVER_ROOT/admin-serv/config;
the rest is history.

Note that it is not a MUST to create different CA Certs for different
FDS Servers; they are so for testing purposes only. For production
usage, you would most likely purchase signed SSL Server Certs for your
different FDS Servers.

HTH.

Gary

Content of cr_ssl_certs.sh

#! /bin/sh
#
# cr_ssl_certs.sh - This script works for either Fedora or SUN-ONE DS
#
# Gary Tay
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
#
#set -vx
IS_ROOT_UID=`id | grep "uid=0(root)"`
if [ ! -n "$IS_ROOT_UID" ]; then
   echo "Please run this script as root"
   exit 1
fi
chmod 700 $0
if [ ! -f /home/ldap/dirmgr.pwd ]; then
   echo "Please setup /home/ldap/dirmgr.pwd."
   exit 1
else
   chmod 600 /home/ldap/dirmgr.pwd
fi
# Pls customize the followings
HOST=`hostname`
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
# Uncomment for Fedora/RedHat Directory Server
SERVER_ROOT="/opt/fedora-ds"
# Uncomment for SUN-ONE/Java System Directory Server
#SERVER_ROOT="/var/Sun/mps"
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
   LD_LIBRARY_PATH=$SERVER_ROOT/lib:$SERVER_ROOT/shared/lib
   SLAPD_OWNER="ldap"
   SLAPD_GROUP="ldap"
   TAR_CVF="tar -Pcvf"
   TAR_XVF="tar -Pxvf"
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
   LD_LIBRARY_PATH=$SERVER_ROOT/lib
   SLAPD_OWNER="root"
   SLAPD_GROUP="root"
   TAR_CVF="tar -cvf"
   TAR_XVF="tar -xvf"
fi
export LD_LIBRARY_PATH
PATH=$SERVER_ROOT/shared/bin:$PATH; export PATH
echo "Please shutdown slapd and Admin Server and perform a tar backup"
echo "and db2ldif backup of currently working system, and restart them again."
echo "Example of tar command: $TAR_CVF /var/tmp/ds_backup.tar $SERVER_ROOT"
echo "When you are ready, answer Yes and press Enter to continue."
echo "Press Ctrl-C to cancel."
read READY
[ "$READY" != "Yes" ] && exit 1
echo "Enter an UNIQUE SERIAL NUMBER for CA Cert."
echo "Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc..."
read UNIQUE_SN_CA
echo "Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert."
echo "Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3."
read UNIQUE_SN_LDAP
cd $SERVER_ROOT/alias
echo "Backing up existing *.db (if any) to backup_$$."
mkdir -p backup_$$ >/dev/null 2>/dev/null
cp -p *.db backup_$$ >/dev/null 2>/dev/null
/bin/rm -f *.db >/dev/null 2>/dev/null
# pwdfile.txt holds the NSS key DB (token) password; it is read again below
# to build the pin files and stays in $SERVER_ROOT/alias after the run.
echo "secretpwd" >pwdfile.txt
chmod 600 pwdfile.txt
# noise.txt is the seed file handed to certutil -z below.
echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt
echo "Creating new security key3.db/cert8.db pair."
../shared/bin/certutil -N -d . -f pwdfile.txt
echo "Generating encryption key."
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed CA certificate."
../shared/bin/certutil -S -n "CA certificate" \
   -s "cn=CAcert $HOST" -x \
   -t "CT,," -m $UNIQUE_SN_CA -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed Server certificate."
../shared/bin/certutil -S -n "Server-Cert" \
   -s "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
   -t "u,u,u" -m $UNIQUE_SN_LDAP -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Renaming and linking modified security DBs."
mv -f key3.db slapd-$HOST-key3.db
mv -f cert8.db slapd-$HOST-cert8.db
ln -s slapd-$HOST-key3.db key3.db
ln -s slapd-$HOST-cert8.db cert8.db
echo "Setting the correct ownership of security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP *.db
echo "Self-signed CA and SSL Server certs generated."
echo ""
echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format."
echo ""
echo "---Start of OPTIONAL commands---"
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""
#
echo "Enabling SSL."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
cat <<EOF >/tmp/ssl_enable.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on

EOF
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
cat <<EOF >>/tmp/ssl_enable.ldif
dn: cn=config
changetype: modify
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

EOF
fi
if ../shared/bin/ldapmodify -D "cn=Directory Manager" \
      -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif; then
   echo "Enabling SSL in cn=encryption,cn=config and cn=config done."
else
   echo "Enabling SSL in cn=encryption,cn=config and cn=config failed."
fi
#
# The nsSSL3Ciphers value is folded over several LDIF continuation lines
# (each continuation line starts with a single space).
cat <<EOF >/tmp/add_ssl_configs.ldif
dn: cn=encryption,cn=config
changetype: modify
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.db

EOF
if ../shared/bin/ldapmodify -D "cn=Directory Manager" \
      -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_ssl_configs.ldif; then
   echo "Adding SSL configs in cn=encryption,cn=config done."
else
   echo "Adding SSL configs in cn=encryption,cn=config failed."
fi
#
cat <<EOF >/tmp/addRSA.ldif
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

EOF
if ../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" \
      -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif; then
   echo "Adding cn=RSA,cn=encryption,cn=config done."
else
   echo "Adding cn=RSA,cn=encryption,cn=config failed."
fi
#
echo "Creating a pin.txt for auto-starting of slapd."
echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
chmod 400 slapd-$HOST-pin.txt
echo "Exporting the CA Cert in ASCII format or DER format"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
   -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
   -r > cacert.der
echo "Copying Server-Cert to Admin Server for Admin Server SSL connection."
cp slapd-$HOST-key3.db admin-serv-$HOST-key3.db
cp slapd-$HOST-cert8.db admin-serv-$HOST-cert8.db
echo "Setting the correct ownership of Admin Server security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-*.db
echo "Remember to enable SSL in Admin Server later."
echo "Remember to select 'Server-Cert' as the Certificate and click OK."
echo "Remember to restart Admin Server after that."
echo "Creating a pin.txt for auto-starting of Admin Server."
echo "`cat pwdfile.txt`" >admin-serv-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-pin.txt
chmod 400 admin-serv-$HOST-pin.txt
echo "Patching start-admin and creating start-admin.auto."
# Append '<"$SERVER_ROOT"/alias/admin-serv-`hostname`-pin.txt' to the line
# that launches the Admin Server, so the pin file is fed to it on stdin.
# The sed expression is single-quoted on purpose: $SERVER_ROOT and `hostname`
# are written literally into start-admin.auto and evaluated when it runs.
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
 sed -e \
   '/^\$HTTPD/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
   $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
 sed -e \
   '/uxwdog/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
   $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
chmod 755 $SERVER_ROOT/start-admin.auto
echo "Please use $SERVER_ROOT/start-admin.auto in rc3.d as autostart script."
echo ""
echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off"
echo "and then try to restart slapd."
echo ""
echo "3. How to fix Admin Server login issue due to mis-configuration of SSL?"
echo "If for any reason Admin Server login fails and you wish to give up,"
echo "simply stop slapd and admin-serv and restore using the tar backup"
echo "i.e. rm -f $SERVER_ROOT/alias/*.db;$TAR_XVF /var/tmp/ds_backup.tar"
echo ""
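The script's closing note 1 says to verify the result by reading config/dse.ldif after slapd is shut down. The checker below is an added example, not part of cr_ssl_certs.sh: it unfolds LDIF continuation lines (the nsSSL3Ciphers value spans several), pulls the attributes the script sets out of the three entries it modifies (cn=config, cn=encryption,cn=config and cn=RSA,cn=encryption,cn=config), and flags enabled cipher suites that are null, export-grade, 40-bit, RC4 or single DES. The sample dse.ldif it writes is constructed from the LDIF the script sends to ldapmodify, and the instance path in the usage comment is an assumed layout.

```shell
#!/bin/sh
# check_dse_ssl.sh - added example: verify the SSL attributes cr_ssl_certs.sh
# sets, by reading the server's dse.ldif (run with slapd shut down).
# Usage: sh check_dse_ssl.sh $SERVER_ROOT/slapd-$HOST/config/dse.ldif
#        (instance directory name assumed; adjust to your layout)

# Unfold LDIF: a line beginning with one space continues the previous line.
ldif_unfold() {
    sed -e :a -e '$!N' -e 's/\n //' -e ta -e 'P;D' "$1"
}

# Print the value(s) of attribute $3 in the entry whose dn is $2 ($1 = unfolded
# LDIF). Entries are blank-line separated; dn and attribute names are
# compared case-insensitively.
ldif_get() {
    awk -v dn="$2" -v attr="$3" '
        BEGIN { RS = ""; FS = "\n"; want = "dn: " tolower(dn); a = tolower(attr) ":" }
        {
            hit = 0
            for (i = 1; i <= NF; i++) if (tolower($i) == want) hit = 1
            if (!hit) next
            for (i = 1; i <= NF; i++)
                if (index(tolower($i), a) == 1) {
                    v = substr($i, length(a) + 1); sub(/^ +/, "", v); print v
                }
        }' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# expect_attr <unfolded-ldif> <dn> <attr> <wanted value>
expect_attr() {
    got=$(ldif_get "$1" "$2" "$3")
    if [ "$(lc "$got")" = "$(lc "$4")" ]; then
        echo "ok   $2 $3: $got"
    else
        echo "FAIL $2 $3: got '${got:-<missing>}', want '$4'"
        return 1
    fi
}

# Enabled (+) suites from nsSSL3Ciphers that are null, export, 40-bit, RC4 or
# single DES. Suites disabled with '-' are ignored.
weak_ciphers() {
    ldif_get "$1" "cn=encryption,cn=config" nsSSL3Ciphers |
        tr ',' '\n' | sed -n 's/^+//p' |
        grep -E 'null|export|_40_|rc4|_des_' || true
}

# Returns 0 when every attribute the script sets is present and enabled.
check_dse_ssl() {
    unf=$(mktemp) || return 2
    ldif_unfold "$1" >"$unf"
    rc=0
    expect_attr "$unf" "cn=config" nsslapd-security on || rc=1
    expect_attr "$unf" "cn=encryption,cn=config" nsSSL3 on || rc=1
    expect_attr "$unf" "cn=RSA,cn=encryption,cn=config" nsSSLActivation on || rc=1
    expect_attr "$unf" "cn=RSA,cn=encryption,cn=config" nsSSLPersonalitySSL Server-Cert || rc=1
    for a in nsKeyfile nsCertfile; do   # any path is fine, but both must be set
        v=$(ldif_get "$unf" "cn=encryption,cn=config" "$a")
        if [ -n "$v" ]; then echo "ok   cn=encryption,cn=config $a: $v"
        else echo "FAIL cn=encryption,cn=config $a: missing"; rc=1; fi
    done
    w=$(weak_ciphers "$unf")
    if [ -n "$w" ]; then
        echo "WARN weak cipher suites enabled in nsSSL3Ciphers:"
        echo "$w" | sed 's/^/       /'
    fi
    rm -f "$unf"
    return $rc
}

# Constructed sample dse.ldif fragment (not a real server's file) mirroring
# what cr_ssl_certs.sh sends to ldapmodify, written to $1.
write_sample_dse() {
    cat <<'EOF' >"$1"
dn: cn=config
cn: config
nsslapd-security: on
nsslapd-ssl-check-hostname: off

dn: cn=encryption,cn=config
cn: encryption
nsSSL3: on
nsSSLClientAuth: allowed
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha
nsKeyfile: alias/slapd-ldap1-key3.db
nsCertfile: alias/slapd-ldap1-cert8.db

dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
}

if [ $# -gt 0 ]; then check_dse_ssl "$1"; fi
```

Run it against a copy of dse.ldif taken while slapd is down; a non-zero exit means one of the attributes from note 2 (nsSSL3, nsSSLActivation, nsslapd-security) or the key/cert DB paths is missing or off, and the WARN block lists which of the script's enabled suites a current deployment would want to turn off.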

===Sample Run===

# ./cr_ssl_certs.sh
Please shutdown slapd and Admin Server and perform a tar backup
and db2ldif backup of currently working system, and restart them again.
Example of tar command: tar -cvf /var/tmp/ds_backup.tar /var/Sun/mps
When you are ready, answer Yes and press Enter to continue.
Press Ctrl-C to cancel.
Yes
Enter an UNIQUE SERIAL NUMBER for CA Cert.
Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc...
1000
Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert.
Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3.
1001
Backing up existing *.db (if any) to backup_24872.
Creating new security key3.db/cert8.db pair.
Generating encryption key.


Generating key.  This may take a few moments...

Generating self-signed CA certificate.


Generating key.  This may take a few moments...

Generating self-signed Server certificate.


Generating key.  This may take a few moments...

Renaming and linking modified security DBs.
Setting the correct ownership of security DBs
Self-signed CA and SSL Server certs generated.

The following commands are OPTIONAL.
They are for backing up CA and Server Certs in PK12 format.

---Start of OPTIONAL commands---
../shared/bin/pk12util -d . -P slapd-ldap1- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-ldap1- -o servercert.pfx -n "Server-Cert"
---End of OPTIONAL commands---

Enabling SSL.
NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
modifying entry cn=encryption,cn=config

modifying entry cn=config

Enabling SSL in cn=encryption,cn=config and cn=config done.
modifying entry cn=encryption,cn=config

Adding SSL configs in cn=encryption,cn=config done.
adding new entry cn=RSA,cn=encryption,cn=config

Adding cn=RSA,cn=encryption,cn=config done.
Creating a pin.txt for auto-starting of slapd.
Exporting the CA Cert in ASCII format or DER format
Copying Server-Cert to Admin Server for Admin Server SSL connection.
Setting the correct ownership of Admin Server security DBs
Remember to enable SSL in Admin Server later.
Remember to select 'Server-Cert' as the Certificate and click OK.
Remember to restart Admin Server after that.
Creating a pin.txt for auto-starting of Admin Server.
Patching start-admin and creating start-admin.auto.
Please use /var/Sun/mps/start-admin.auto in rc3.d as autostart script.

IMPORTANT NOTES:

1. How to check if SSL Configurations are done properly?
You may view config/dse.ldif after shutting down slapd
to verify all the required SSL configurations are there.

2. How to fix slapd startup issue due to mis-configuration of SSL?
If for any reason slapd fails to start due to SSL issue,
you may edit config/dse.ldif after shutting down slapd
and revert back to non-SSL configs.
i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off
and then try to restart slapd.

3. How to fix Admin Server login issue due to mis-configuration of SSL?
If for any reason Admin Server login fails and you wish to give up,
simply stop slapd and admin-serv and restore using the tar backup
i.e. rm -f /var/Sun/mps/alias/*.db;tar -xvf /var/tmp/ds_backup.tar


-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Jason Russler
Sent: Thursday, April 20, 2006 4:15 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] SSL directory server gateway


Hi all,
I'm pretty uncertain about the best way to go about configuring the
admin server to use SSL (FDS1.0.2). All of the docs I'm finding are
pretty shaky. Ultimately, I want users to manage their passwords and
info via the web-based Directory Server Gateway over SSL. This would
appear to be the same thing as enabling SSL for the admin server. The
setupssl.sh script provided by the SSL howto generates the keys/certs
for the admin server and imports them into the appropriate cert db (I
guess; I've performed the process by hand as well, based on RedHat's
docs and the script itself). This would imply to me that the admin
console would find the generated certs and present them in the admin
server's console (under the Configuration -> Encryption tab) in much the
same way that it does in the directory server's console. I can't tell
if something that's supposed to work isn't or if I'm misunderstanding
something. I'd like to know before I try to generate new SSL
certificates and import them.
Thanks much,
Jason

--
Fedora-directory-users mailing list Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
