**Caution-External**: RE: [Fedora-directory-users]: SSL directory server gateway, one-button SSL Certs (slapd + Admin Server) generation script

Tay, Gary Gary_Tay at platts.com
Thu Apr 20 08:55:07 UTC 2006


Sorry for being "blind", I found the script at the very first "This"
word. Maybe "This" should be changed to "This setupssl.sh", just to
help people like me.

Gary

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Tay, Gary
Sent: Thursday, April 20, 2006 4:46 PM
To: General discussion list for the Fedora Directory server project.
Subject: **Caution-External**: RE: [Fedora-directory-users]: SSL directory server gateway, one-button SSL Certs (slapd + Admin Server) generation script


I couldn't find setupssl.sh anywhere on the HowTo SSL link.

Anyway, I have written cr_ssl_certs.sh, which works for both FDS and
SUN-ONE DS, and this script will also create the Admin Server SSL Cert
(the same as slapd). Once you have used Admin Console to enable SSL for
Admin Server at the "Encryption" tab, you will see a few .conf files,
including console.conf, get updated at $SERVER_ROOT/admin-serv/config;
the rest is history.

Note that it is not a MUST to create different CA Certs for different
FDS Servers; they are so for testing purposes only. For production
usage, you would most likely purchase signed SSL Server Certs for your
different FDS Servers.

HTH.

Gary

Content of cr_ssl_certs.sh

#! /bin/sh
#
# cr_ssl_certs.sh - This script works for either Fedora or SUN-ONE DS
#
# Gary Tay
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
#
#set -vx

# Refuse to run unless the effective uid is root.
IS_ROOT_UID=`id | grep "uid=0(root)"`
if [ ! -n "$IS_ROOT_UID" ]; then
   echo "Please run this script as root"
   exit 1
fi
chmod 700 $0

# The Directory Manager password is read from this file, so keep it root-only.
if [ ! -f /home/ldap/dirmgr.pwd ]; then
   echo "Please setup /home/ldap/dirmgr.pwd."
   exit 1
else
   chmod 600 /home/ldap/dirmgr.pwd
fi

# Pls customize the followings
HOST=`hostname`
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"

# Uncomment for Fedora/RedHat Directory Server
SERVER_ROOT="/opt/fedora-ds"
# Uncomment for SUN-ONE/Java System Directory Server
#SERVER_ROOT="/var/Sun/mps"

# Per-product settings: library path, owner of the NSS databases, tar flags.
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
   LD_LIBRARY_PATH=$SERVER_ROOT/lib:$SERVER_ROOT/shared/lib
   SLAPD_OWNER="ldap"
   SLAPD_GROUP="ldap"
   TAR_CVF="tar -Pcvf"
   TAR_XVF="tar -Pxvf"
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
   LD_LIBRARY_PATH=$SERVER_ROOT/lib
   SLAPD_OWNER="root"
   SLAPD_GROUP="root"
   TAR_CVF="tar -cvf"
   TAR_XVF="tar -xvf"
fi
export LD_LIBRARY_PATH
PATH=$SERVER_ROOT/shared/bin:$PATH; export PATH

echo "Please shutdown slapd and Admin Server and perform a tar backup"
echo "and db2ldif backup of currently working system, and restart them again."
echo "Example of tar command: $TAR_CVF /var/tmp/ds_backup.tar $SERVER_ROOT"
echo "When you are ready, answer Yes and press Enter to continue."
echo "Press Ctrl-C to cancel."
read READY
[ "$READY" != "Yes" ] && exit 1

# Serial numbers must differ between the certs of every server signed by a CA.
echo "Enter an UNIQUE SERIAL NUMBER for CA Cert."
echo "Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc..."
read UNIQUE_SN_CA
echo "Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert."
echo "Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3."
read UNIQUE_SN_LDAP

# Stop here if the alias directory is missing; the rm below must never run
# somewhere else.
cd $SERVER_ROOT/alias || exit 1
echo "Backing up existing *.db (if any) to backup_$$."
mkdir -p backup_$$ >/dev/null 2>/dev/null
cp -p *.db backup_$$ >/dev/null 2>/dev/null
/bin/rm -f *.db >/dev/null 2>/dev/null

# NSS token password and key-generation noise. Both are fixed strings as
# posted: change "secretpwd" before use, and feed certutil real entropy
# rather than a typed string for noise.txt.
echo "secretpwd" >pwdfile.txt
chmod 600 pwdfile.txt
echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt

echo "Creating new security key3.db/cert8.db pair."
../shared/bin/certutil -N -d . -f pwdfile.txt
echo "Generating encryption key."
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
# Self-signed (-x) CA cert, trusted to issue server certs (CT), valid 120 months.
echo "Generating self-signed CA certificate."
../shared/bin/certutil -S -n "CA certificate" \
   -s "cn=CAcert $HOST" -x \
   -t "CT,," -m $UNIQUE_SN_CA -v 120 -d . -z noise.txt -f pwdfile.txt
# Server cert issued by (-c) the CA above; its subject CN is the server FQDN.
echo "Generating self-signed Server certificate."
../shared/bin/certutil -S -n "Server-Cert" \
   -s "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
   -t "u,u,u" -m $UNIQUE_SN_LDAP -v 120 -d . -z noise.txt -f pwdfile.txt

echo "Renaming and linking modified security DBs."
mv -f key3.db slapd-$HOST-key3.db
mv -f cert8.db slapd-$HOST-cert8.db
ln -s slapd-$HOST-key3.db key3.db
ln -s slapd-$HOST-cert8.db cert8.db
echo "Setting the correct ownership of security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP *.db
echo "Self-signed CA and SSL Server certs generated."
echo ""
echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format."
echo ""
echo "---Start of OPTIONAL commands---"
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""
#
echo "Enabling SSL."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
cat <<EOF >/tmp/ssl_enable.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on

EOF
# nsslapd-ssl-check-hostname: off disables the server's own hostname check on
# peer certificates (replication/chaining over SSL); revisit it for production.
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
cat <<EOF >>/tmp/ssl_enable.ldif
dn: cn=config
changetype: modify
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

EOF
fi
# Note: -w puts the Directory Manager password on the command line, where
# other users can see it in ps while ldapmodify runs.
if ../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` \
      -f /tmp/ssl_enable.ldif; then
   echo "Enabling SSL in cn=encryption,cn=config and cn=config done."
else
   echo "Enabling SSL in cn=encryption,cn=config and cn=config failed."
fi
#
# Cipher list as posted (2006). It still turns on 40-bit, export-grade, RC4
# and single-DES suites; trim it for production. The lines beginning with a
# single space are LDIF continuation lines of the same value.
cat <<EOF >/tmp/add_ssl_configs.ldif
dn: cn=encryption,cn=config
changetype: modify
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.db

EOF
if ../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` \
      -f /tmp/add_ssl_configs.ldif; then
   echo "Adding SSL configs in cn=encryption,cn=config done."
else
   echo "Adding SSL configs in cn=encryption,cn=config failed."
fi
#
# The RSA entry tells slapd which cert nickname and token to serve with.
cat <<EOF >/tmp/addRSA.ldif
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

EOF
if ../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` \
      -f /tmp/addRSA.ldif; then
   echo "Adding cn=RSA,cn=encryption,cn=config done."
else
   echo "Adding cn=RSA,cn=encryption,cn=config failed."
fi
#
# The pin file lets slapd open the key database at boot without a prompt,
# so it holds the token password in the clear: owner-readable only.
echo "Creating a pin.txt for auto-starting of slapd."
echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
chmod 400 slapd-$HOST-pin.txt
echo "Exporting the CA Cert in ASCII format or DER format"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
   -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
   -r > cacert.der
echo "Copying Server-Cert to Admin Server for Admin Server SSL connection."
cp slapd-$HOST-key3.db admin-serv-$HOST-key3.db
cp slapd-$HOST-cert8.db admin-serv-$HOST-cert8.db
echo "Setting the correct ownership of Admin Server security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-*.db
echo "Remember to enable SSL in Admin Server later."
echo "Remember to select 'Server-Cert' as the Certificate and click OK."
echo "Remember to restart Admin Server after that."
echo "Creating a pin.txt for auto-starting of Admin Server."
echo "`cat pwdfile.txt`" >admin-serv-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-pin.txt
chmod 400 admin-serv-$HOST-pin.txt
echo "Patching start-admin and creating start-admin.auto."
# Append a stdin redirect from the pin file to the line that launches the
# Admin Server. The single quotes are intentional: $SERVER_ROOT and
# `hostname` are left for start-admin.auto itself to expand at run time.
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
   sed -e '/^\$HTTPD/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
      $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
   sed -e '/uxwdog/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
      $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
chmod 755 $SERVER_ROOT/start-admin.auto
echo "Please use $SERVER_ROOT/start-admin.auto in rc3.d as autostart script."
echo ""
echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off"
echo "and then try to restart slapd."
echo ""
echo "3. How to fix Admin Server login issue due to mis-configuration of SSL?"
echo "If for any reason Admin Server login fails and you wish to give up,"
echo "simply stop slapd and admin-serv and restore using the tar backup"
echo "i.e. rm -f $SERVER_ROOT/alias/*.db;$TAR_XVF /var/tmp/ds_backup.tar"
echo ""

===Sample Run===

# ./cr_ssl_certs.sh
Please shutdown slapd and Admin Server and perform a tar backup
and db2ldif backup of currently working system, and restart them again.
Example of tar command: tar -cvf /var/tmp/ds_backup.tar /var/Sun/mps
When you are ready, answer Yes and press Enter to continue.
Press Ctrl-C to cancel.
Yes
Enter an UNIQUE SERIAL NUMBER for CA Cert.
Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc...
1000
Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert.
Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3.
1001
Backing up existing *.db (if any) to backup_24872.
Creating new security key3.db/cert8.db pair.
Generating encryption key.


Generating key.  This may take a few moments...

Generating self-signed CA certificate.


Generating key.  This may take a few moments...

Generating self-signed Server certificate.


Generating key.  This may take a few moments...

Renaming and linking modified security DBs.
Setting the correct ownership of security DBs
Self-signed CA and SSL Server certs generated.

The following commands are OPTIONAL.
They are for backing up CA and Server Certs in PK12 format.

---Start of OPTIONAL commands---
../shared/bin/pk12util -d . -P slapd-ldap1- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-ldap1- -o servercert.pfx -n "Server-Cert"
---End of OPTIONAL commands---

Enabling SSL.
NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
modifying entry cn=encryption,cn=config

modifying entry cn=config

Enabling SSL in cn=encryption,cn=config and cn=config done.
modifying entry cn=encryption,cn=config

Adding SSL configs in cn=encryption,cn=config done.
adding new entry cn=RSA,cn=encryption,cn=config

Adding cn=RSA,cn=encryption,cn=config done.
Creating a pin.txt for auto-starting of slapd.
Exporting the CA Cert in ASCII format or DER format
Copying Server-Cert to Admin Server for Admin Server SSL connection.
Setting the correct ownership of Admin Server security DBs
Remember to enable SSL in Admin Server later.
Remember to select 'Server-Cert' as the Certificate and click OK.
Remember to restart Admin Server after that.
Creating a pin.txt for auto-starting of Admin Server.
Patching start-admin and creating start-admin.auto.
Please use /var/Sun/mps/start-admin.auto in rc3.d as autostart script.

IMPORTANT NOTES:

1. How to check if SSL Configurations are done properly?
You may view config/dse.ldif after shutting down slapd
to verify all the required SSL configurations are there.

2. How to fix slapd startup issue due to mis-configuration of SSL?
If for any reason slapd fails to start due to SSL issue,
you may edit config/dse.ldif after shutting down slapd
and revert back to non-SSL configs.
i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off
and then try to restart slapd.

3. How to fix Admin Server login issue due to mis-configuration of SSL?
If for any reason Admin Server login fails and you wish to give up,
simply stop slapd and admin-serv and restore using the tar backup
i.e. rm -f /var/Sun/mps/alias/*.db;tar -xvf /var/tmp/ds_backup.tar
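Note 1 above says to verify config/dse.ldif by eye once slapd is shut down. The following Python is an added example, not code from the original post: it unfolds LDIF continuation lines, checks the attributes cr_ssl_certs.sh sets (nsslapd-security, nsSSL3, nsSSLActivation, nsSSLPersonalitySSL) and flags the NULL, export, 40-bit, RC2/RC4 and single-DES suites that the posted nsSSL3Ciphers list enables. The dse.ldif fragment it runs on is constructed for the example, not taken from a real server.

```python
import re
# NULL, export, 40-bit, RC2/RC4 and single-DES suites (3DES is deliberately not matched).
WEAK_CIPHER = re.compile(r"null|export|_40_|rc4|rc2|(?<!3)des_sha")

REQUIRED = {  # values cr_ssl_certs.sh sets, keyed by lower-cased DN and attribute
    "cn=config": {"nsslapd-security": "on"},
    "cn=encryption,cn=config": {"nsssl3": "on"},
    "cn=rsa,cn=encryption,cn=config": {"nssslactivation": "on", "nssslpersonalityssl": "server-cert"},
}

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; folded lines (leading space) are joined first."""
    entries = {}
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        attrs = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn", [""])[0].lower()] = attrs
    return entries

def check_ssl_config(text):
    """Return a list of problems; an empty list means the SSL config is complete."""
    entries, problems = parse_ldif(text), []
    for dn, wanted in REQUIRED.items():
        for attr, expected in wanted.items():
            got = entries.get(dn, {}).get(attr, [""])[0]  # "" if entry or attr is missing
            if got.lower() != expected:
                problems.append("%s: %s=%r, expected %r" % (dn, attr, got, expected))
    ciphers = entries.get("cn=encryption,cn=config", {}).get("nsssl3ciphers", [""])[0]
    weak = [c[1:] for c in ciphers.split(",") if c.startswith("+") and WEAK_CIPHER.search(c)]
    if weak:
        problems.append("weak ciphers enabled: " + ",".join(weak))
    return problems

# Constructed dse.ldif fragment (not from a real server) with a folded cipher line.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-security: on

dn: cn=encryption,cn=config
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
 +rsa_3des_sha,+rsa_fips_3des_sha

dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
"""
```

Run check_ssl_config on the server's own config/dse.ldif after slapd has been shut down, since the ldapmodify changes are only written to that file at shutdown.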


-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Jason Russler
Sent: Thursday, April 20, 2006 4:15 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] SSL directory server gateway


Hi all,
I'm pretty uncertain about the best way to go about configuring the
admin server to use SSL (FDS1.0.2).  All of the docs I'm finding are
pretty shaky.  Ultimately, I want users to manage their passwords and 
info via the web-based Directory Server Gateway over SSL.  This would 
appear to be the same thing as enabling SSL for the admin server.  The 
setupssl.sh script provided by the SSL howto,  generates the keys/certs 
for the admin server and imports them into the appropriate cert db (I 
guess, I've performed  the process by hand as well, based on RedHat's 
docs and the script itself).  This would imply to me that the admin 
console would find the generated certs and present them in the admin 
server's console (under the Configuration -> Encryption tab) in much the
same way that it does in the directory server's console.  I can't tell
if something that's supposed to work isn't or if I'm misunderstanding
something.  I'd like to know before I try to generate new SSL 
certificates and import them.
Thanks much,
Jason

--
Fedora-directory-users mailing list Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
