**Caution-External**: [Fedora-directory-users] Automated script for complementing SSLHowTo

Tay, Gary Gary_Tay at platts.com
Thu Apr 20 09:11:25 UTC 2006


Version 2 of this script has been renamed cr_ssl_certs.sh and works for
both FDS and SUN-ONE DS; check it out at:

https://www.redhat.com/archives/fedora-directory-users/2006-April/msg00145.html

	-----Original Message-----
	From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Tay, Gary
	Sent: Wednesday, April 12, 2006 6:20 PM
	To: fedora-directory-users at redhat.com
	Subject: **Caution-External**: [Fedora-directory-users] Automated script for complementing SSLHowTo
	
	

	FDS Folks, 

	I wrote this script for the benefit of all. 

	Gary 

	Content of cr_ssl_certs_fds1ldap.sh 

#! /bin/sh
#
# cr_ssl_certs_fds1ldap.sh
#
# 1) Run this script as root.
# 2) /home/ldap/dirmgr.pwd must contain the password of cn=Directory Manager.
#    It is handed to the LDAP tools as a file, never on the command line,
#    so it does not show up in 'ps' output.
#
#set -vx
umask 077                  # every file created below starts out owner-only
if [ "$(id -u)" -ne 0 ]; then
   echo "Please run this script as root"
   exit 1
fi
DMPWD=/home/ldap/dirmgr.pwd
if [ ! -f "$DMPWD" ]; then
   echo "Please set up $DMPWD."
   exit 1
else
   chmod 600 "$DMPWD"
fi
# Please customize the following
HOST="ldap1"
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
SLAPD_OWNER="nobody"
SLAPD_GROUP="nobody"
NSSDB_PWD="secretpwd"      # CHANGE THIS: it protects key3.db and is stored in pin.txt
FDS1_PATH=/opt/fedora-ds
LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
export LD_LIBRARY_PATH
PATH=$FDS1_PATH/shared/bin:$PATH; export PATH
cd "$FDS1_PATH/alias" || exit 1
TMPD=$(mktemp -d) || exit 1   # private scratch dir instead of predictable /tmp names
DOW=$(date +%a)
echo "Backing up existing *.db (if any) to backup_$DOW."
mkdir -p "backup_$DOW" >/dev/null 2>&1
cp -p *.db "backup_$DOW" >/dev/null 2>&1
/bin/rm -f *.db >/dev/null 2>&1
echo "$NSSDB_PWD" >pwdfile.txt
chmod 600 pwdfile.txt
# certutil -z seeds key generation from this file, so it must hold random
# data, not a fixed string hard-coded in the script.
dd if=/dev/urandom of=noise.txt bs=1024 count=1 2>/dev/null
echo "Creating new security key3.db/cert8.db pair."
../shared/bin/certutil -N -d . -f pwdfile.txt
echo "Generating encryption key."
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed CA certificate."
../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x \
   -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Generating Server certificate signed by the CA."
../shared/bin/certutil -S -n "Server-Cert" \
   -s "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
   -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
/bin/rm -f noise.txt
echo "Renaming and linking modified security DBs."
mv -f key3.db "slapd-$HOST-key3.db"
mv -f cert8.db "slapd-$HOST-cert8.db"
ln -s "slapd-$HOST-key3.db" key3.db
ln -s "slapd-$HOST-cert8.db" cert8.db
echo "Setting the correct ownership of security DBs"
chown "$SLAPD_OWNER:$SLAPD_GROUP" *.db
echo "Self-signed CA and SSL Server certs generated."
echo ""
echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format,"
echo "exporting the CA Cert in ASCII format or DER format, and"
echo "importing the CA Cert into the Admin Server"
echo ""
echo "---Start of OPTIONAL commands---"
# The .pfx exports contain the private keys (the CA key included); move them
# off the server once they are backed up.
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" -r > cacert.der
../shared/bin/certutil -A -d . -P admin-serv-$HOST- -n "CA certificate" -t "CT,," -a -i cacert.asc
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""
echo "Modifying server SSL configurations."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
# 'replace:' rather than 'add:' throughout, so the script can be re-run:
# 'add:' fails with "Type or value exists" once the attribute is present, and
# ldapmodify (without -c) then stops before the cn=config changes are applied.
# The '+' entries tagged _40_, _56_, export or null below are export-grade or
# unencrypted ciphers; turn them to '-' unless a legacy client really needs them.
# nsslapd-ssl-check-hostname applies to the server's own outbound SSL
# connections (replication, chaining); 'off' skips hostname verification there.
cat <<EOF >"$TMPD/ssl_enable.ldif"
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha
-
replace: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
replace: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.db

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

EOF
# -j reads the bind password from a file (Mozilla LDAP tools option; the
# OpenLDAP tools use -y), keeping it out of the process list.
../shared/bin/ldapmodify -D "cn=Directory Manager" -j "$DMPWD" -f "$TMPD/ssl_enable.ldif"
cat <<EOF >"$TMPD/delRSA.ldif"
cn=RSA,cn=encryption,cn=config
EOF
../shared/bin/ldapdelete -c -D "cn=Directory Manager" -j "$DMPWD" -f "$TMPD/delRSA.ldif" \
   && echo "deleting cn=RSA,cn=encryption,cn=config"
cat <<EOF >"$TMPD/addRSA.ldif"
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

EOF
../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -j "$DMPWD" -f "$TMPD/addRSA.ldif"
/bin/rm -rf "$TMPD"
echo "Creating a pin.txt for auto-starting of slapd."
# pin.txt holds the key3.db password in clear text; whoever can read it as
# $SLAPD_OWNER can unlock the server's private key.
echo "Internal (Software) Token:$(cat pwdfile.txt)" >"slapd-$HOST-pin.txt"
chown "$SLAPD_OWNER:$SLAPD_GROUP" "slapd-$HOST-pin.txt"
chmod 400 "slapd-$HOST-pin.txt"
echo ""
echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsslapd-security: off"
echo "and then try to restart slapd."
echo ""

	=======Sample run. 

	# ./cr_ssl_certs_fds1ldap.sh 
	Backing up existing *.db (if any) to backup_Wed. 
	Creating new security key3.db/cert8.db pair. 
	Generating encryption key. 


	Generating key.  This may take a few moments... 

	Generating self-signed CA certificate. 


	Generating key.  This may take a few moments... 

	Generating self-signed Server certificate. 


	Generating key.  This may take a few moments... 

	Renaming and linking modified security DBs. 
	Setting the correct ownership of security DBs 
	Self-signed CA and SSL Server certs generated. 

	The following commands are OPTIONAL. 
	They are for backing up CA and Server Certs in PK12 format, 
	exporting the CA Cert in ASCII format or DER format, and 
	importing the CA Cert into the Admin Server 

	---Start of OPTIONAL commands--- 
	../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o cacert.pfx -n "CA certificate" 
	../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o servercert.pfx -n "Server-Cert" 
	../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate"    -a > cacert.asc 
	../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate"    -r > cacert.der 
	../shared/bin/certutil -A -d . -P admin-serv-nj1net200plmon- -n "CA certificate"    -t "CT,," -a -i cacert.asc 
	---End of OPTIONAL commands--- 

	Modifying server SSL configurations. 
	NOTE: changes will be saved to config/dse.ldif when slapd is shutdown 
	modifying entry cn=encryption,cn=config 
	ldap_modify: Type or value exists 

	deleting cn=RSA,cn=encryption,cn=config 
	adding new entry cn=RSA,cn=encryption,cn=config 

	Creating a pin.txt for auto-starting of slapd. 

	IMPORTANT NOTES: 

	1. How to check if SSL Configurations are done properly? 
	You may view config/dse.ldif after shutting down slapd 
	to verify all the required SSL configurations are there. 

	2. How to fix slapd startup issue due to mis-configuration of SSL? 
	If for any reason slapd fails to start due to SSL issue, 
	you may edit config/dse.ldif after shutting down slapd 
	and revert back to non-SSL configs. 
	i.e. set nsSSL3: off, nsslapd-security: off 
	and then try to restart slapd. 



