[Fedora-directory-users]: SSL directory server gateway, one-button SSL Certs (slapd + Admin Server) generation script

Richard Megginson rmeggins at redhat.com
Thu Apr 20 14:12:58 UTC 2006


Tay, Gary wrote:

>I couldn't find setupssl.sh anywhere on the HowTo SSL link.
>  
>
It's http://directory.fedora.redhat.com/wiki/Howto:SSL#Script under 
http://directory.fedora.redhat.com/wiki/Howto:SSL

When I get a chance, I'm going to merge some of the features from your 
script into that one.

>Anyway, I have written cr_ssl_certs.sh, which works for both FDS and
>SUN-ONE DS, and this script will also create the Admin Server SSL Cert
>(the same as slapd's). Once you have used Admin Console to enable SSL for
>Admin Server at the "Encryption" tab, you would see a few .conf files
>including console.conf get updated at $SERVER_ROOT/admin-serv/config;
>the rest is history.
>
>Note that it is not a MUST to create different CA Certs for different
>FDS Servers; they are so for testing purposes only. For production
>usage, you would most likely purchase signed SSL Server Certs for your
>different FDS Servers.
>  
>
Or purchase a CA product and assign your own.

>HTH.
>
>Gary
>
>Content of cr_ssl_certs.sh
>
>#! /bin/sh
>#
># cr_ssl_certs.sh - This script works for either Fedora or SUN-ONE DS
>#
># Gary Tay
>#
># 1) Make sure 'root' is used to run this script
># 2) Make sure /home/ldap/dirmgr.pwd contains the password of cn=Directory Manager
>#
>#set -vx
>IS_ROOT_UID=`id | grep "uid=0(root)"`
>if [ ! -n "$IS_ROOT_UID" ]; then
>   echo "Please run this script as root"
>   exit 1
>fi
>chmod 700 $0
>if [ ! -f /home/ldap/dirmgr.pwd ]; then
>   echo "Please setup /home/ldap/dirmgr.pwd."
>   exit 1
>else
>   chmod 600 /home/ldap/dirmgr.pwd
>fi
># Pls customize the followings
>HOST=`hostname`
>DOMAIN="example.com"
>BASEDN="dc=example,dc=com"
>FQDN="$HOST.$DOMAIN"
>ORG="Example Companies"
>LOCALITY="NewYork City"
>STATE="NewYork"
>COUNTRY="US"
># Uncomment for Fedora/RedHat Directory Server
>SERVER_ROOT="/opt/fedora-ds"
># Uncomment for SUN-ONE/Java System Directory Server
>#SERVER_ROOT="/var/Sun/mps"
>if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
>   LD_LIBRARY_PATH=$SERVER_ROOT/lib:$SERVER_ROOT/shared/lib
>   SLAPD_OWNER="ldap"
>   SLAPD_GROUP="ldap"
>   TAR_CVF="tar -Pcvf"
>   TAR_XVF="tar -Pxvf"
>fi
>if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
>   LD_LIBRARY_PATH=$SERVER_ROOT/lib
>   SLAPD_OWNER="root"
>   SLAPD_GROUP="root"
>   TAR_CVF="tar -cvf"
>   TAR_XVF="tar -xvf"
>fi
>export LD_LIBRARY_PATH
>PATH=$SERVER_ROOT/shared/bin:$PATH; export PATH
>echo "Please shutdown slapd and Admin Server and perform a tar backup"
>echo "and db2ldif backup of currently working system, and restart them again."
>echo "Example of tar command: $TAR_CVF /var/tmp/ds_backup.tar $SERVER_ROOT"
>echo "When you are ready, answer Yes and press Enter to continue."
>echo "Press Ctrl-C to cancel."
>read READY
>[ "$READY" != "Yes" ] && exit 1
>echo "Enter an UNIQUE SERIAL NUMBER for CA Cert."
>echo "Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc..."
>read UNIQUE_SN_CA
>echo "Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert."
>echo "Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3."
>read UNIQUE_SN_LDAP
>cd $SERVER_ROOT/alias
>echo "Backing up existing *.db (if any) to backup_$$."
>mkdir -p backup_$$ >/dev/null 2>/dev/null
>cp -p *.db backup_$$ >/dev/null 2>/dev/null
>/bin/rm -f *.db >/dev/null 2>/dev/null
>echo "secretpwd" >pwdfile.txt
>chmod 600 pwdfile.txt
># Seed for certutil -z; a fixed string like this adds no real entropy.
>echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt
>echo "Creating new security key3.db/cert8.db pair."
>../shared/bin/certutil -N -d . -f pwdfile.txt
>echo "Generating encryption key."
>../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
>echo "Generating self-signed CA certificate."
>../shared/bin/certutil -S -n "CA certificate" \
>   -s "cn=CAcert $HOST" -x \
>   -t "CT,," -m $UNIQUE_SN_CA -v 120 -d . -z noise.txt -f pwdfile.txt
>echo "Generating self-signed Server certificate."
>../shared/bin/certutil -S -n "Server-Cert" \
>   -s "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
>   -t "u,u,u" -m $UNIQUE_SN_LDAP -v 120 -d . -z noise.txt -f pwdfile.txt
>echo "Renaming and linking modified security DBs."
>mv -f key3.db slapd-$HOST-key3.db
>mv -f cert8.db slapd-$HOST-cert8.db
>ln -s slapd-$HOST-key3.db key3.db
>ln -s slapd-$HOST-cert8.db cert8.db
>echo "Setting the correct ownership of security DBs"
>chown $SLAPD_OWNER:$SLAPD_GROUP *.db
>echo "Self-signed CA and SSL Server certs generated."
>echo ""
>echo "The following commands are OPTIONAL."
>echo "They are for backing up CA and Server Certs in PK12 format."
>echo ""
>echo "---Start of OPTIONAL commands---"
>cat <<EOF >optional_cmds.txt
>../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
>../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
>EOF
>cat optional_cmds.txt
>echo "---End of OPTIONAL commands---"
>echo ""
>#
>echo "Enabling SSL."
>echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
>cat <<EOF >/tmp/ssl_enable.ldif
>dn: cn=encryption,cn=config
>changetype: modify
>replace: nsSSL3
>nsSSL3: on
>-
>replace: nsSSLClientAuth
>nsSSLClientAuth: allowed
>
>dn: cn=config
>changetype: modify
>add: nsslapd-security
>nsslapd-security: on
>
>EOF
>if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
>cat <<EOF >>/tmp/ssl_enable.ldif
>dn: cn=config
>replace: nsslapd-ssl-check-hostname
>nsslapd-ssl-check-hostname: off
>
>EOF
>fi
>../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif
>[ $? -eq 0 ] && \
>   echo "Enabling SSL in cn=encryption,cn=config and cn=config done."
>[ $? -ne 0 ] && \
>   echo "Enabling SSL in cn=encryption,cn=config and cn=config failed."
>#
>cat <<EOF >/tmp/add_ssl_configs.ldif
>dn: cn=encryption,cn=config
>changetype: modify
>add: nsSSL3Ciphers
>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
> +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
> +tls_rsa_export1024_with_des_cbc_sha
>-
>add: nsKeyfile
>nsKeyfile: alias/slapd-$HOST-key3.db
>-
>add: nsCertfile
>nsCertfile: alias/slapd-$HOST-cert8.db
>
>EOF
>../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_ssl_configs.ldif
>[ $? -eq 0 ] && echo "Adding SSL configs in cn=encryption,cn=config done."
>[ $? -ne 0 ] && echo "Adding SSL configs in cn=encryption,cn=config failed."
>#
>cat <<EOF >/tmp/addRSA.ldif
>dn: cn=RSA,cn=encryption,cn=config
>objectclass: top
>objectclass: nsEncryptionModule
>cn: RSA
>nsSSLPersonalitySSL: Server-Cert
>nsSSLToken: internal (software)
>nsSSLActivation: on
>
>EOF
>../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif
>[ $? -eq 0 ] && echo "Adding cn=RSA,cn=encryption,cn=config done."
>[ $? -ne 0 ] && echo "Adding cn=RSA,cn=encryption,cn=config failed."
>#
>echo "Creating a pin.txt for auto-starting of slapd."
>echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
>chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
>chmod 400 slapd-$HOST-pin.txt
>echo "Exporting the CA Cert in ASCII format or DER format"
>../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
>   -a > cacert.asc
>../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
>   -r > cacert.der
>echo "Copying Server-Cert to Admin Server for Admin Server SSL connection."
>cp slapd-$HOST-key3.db admin-serv-$HOST-key3.db
>cp slapd-$HOST-cert8.db admin-serv-$HOST-cert8.db
>echo "Setting the correct ownership of Admin Server security DBs"
>chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-*.db
>echo "Remember to enable SSL in Admin Server later."
>echo "Remember to select 'Server-Cert' as the Certificate and click OK."
>echo "Remember to restart Admin Server after that."
>echo "Creating a pin.txt for auto-starting of Admin Server."
>echo "`cat pwdfile.txt`" >admin-serv-$HOST-pin.txt
>chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-pin.txt
>chmod 400 admin-serv-$HOST-pin.txt
>echo "Patching start-admin and creating start-admin.auto."
>if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
> sed -e \
>   '/^\$HTTPD/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
>   $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
>fi
>if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
> sed -e \
>   '/uxwdog/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
>   $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
>fi
>chmod 755 $SERVER_ROOT/start-admin.auto
>echo "Please use $SERVER_ROOT/start-admin.auto in rc3.d as autostart script."
>echo ""
>echo "IMPORTANT NOTES:"
>echo ""
>echo "1. How to check if SSL Configurations are done properly?"
>echo "You may view config/dse.ldif after shutting down slapd"
>echo "to verify all the required SSL configurations are there."
>echo ""
>echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
>echo "If for any reason slapd fails to start due to SSL issue,"
>echo "you may edit config/dse.ldif after shutting down slapd"
>echo "and revert back to non-SSL configs."
>echo "i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off"
>echo "and then try to restart slapd."
>echo ""
>echo "3. How to fix Admin Server login issue due to mis-configuration of SSL?"
>echo "If for any reason Admin Server login fails and you wish to give up,"
>echo "simply stop slapd and admin-serv and restore using the tar backup"
>echo "i.e. rm -f $SERVER_ROOT/alias/*.db;$TAR_XVF /var/tmp/ds_backup.tar"
>echo ""
>
>===Sample Run===
>
># ./cr_ssl_certs.sh
>Please shutdown slapd and Admin Server and perform a tar backup
>and db2ldif backup of currently working system, and restart them again.
>Example of tar command: tar -cvf /var/tmp/ds_backup.tar /var/Sun/mps
>When you are ready, answer Yes and press Enter to continue.
>Press Ctrl-C to cancel.
>Yes
>Enter an UNIQUE SERIAL NUMBER for CA Cert.
>Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc...
>1000
>Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert.
>Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3.
>1001
>Backing up existing *.db (if any) to backup_24872.
>Creating new security key3.db/cert8.db pair.
>Generating encryption key.
>
>
>Generating key.  This may take a few moments...
>
>Generating self-signed CA certificate.
>
>
>Generating key.  This may take a few moments...
>
>Generating self-signed Server certificate.
>
>
>Generating key.  This may take a few moments...
>
>Renaming and linking modified security DBs.
>Setting the correct ownership of security DBs
>Self-signed CA and SSL Server certs generated.
>
>The following commands are OPTIONAL.
>They are for backing up CA and Server Certs in PK12 format.
>
>---Start of OPTIONAL commands---
>../shared/bin/pk12util -d . -P slapd-ldap1- -o cacert.pfx -n "CA certificate"
>../shared/bin/pk12util -d . -P slapd-ldap1- -o servercert.pfx -n "Server-Cert"
>---End of OPTIONAL commands---
>
>Enabling SSL.
>NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
>modifying entry cn=encryption,cn=config
>
>modifying entry cn=config
>
>Enabling SSL in cn=encryption,cn=config and cn=config done.
>modifying entry cn=encryption,cn=config
>
>Adding SSL configs in cn=encryption,cn=config done.
>adding new entry cn=RSA,cn=encryption,cn=config
>
>Adding cn=RSA,cn=encryption,cn=config done.
>Creating a pin.txt for auto-starting of slapd.
>Exporting the CA Cert in ASCII format or DER format
>Copying Server-Cert to Admin Server for Admin Server SSL connection.
>Setting the correct ownership of Admin Server security DBs
>Remember to enable SSL in Admin Server later.
>Remember to select 'Server-Cert' as the Certificate and click OK.
>Remember to restart Admin Server after that.
>Creating a pin.txt for auto-starting of Admin Server.
>Patching start-admin and creating start-admin.auto.
>Please use /var/Sun/mps/start-admin.auto in rc3.d as autostart script.
>
>IMPORTANT NOTES:
>
>1. How to check if SSL Configurations are done properly?
>You may view config/dse.ldif after shutting down slapd
>to verify all the required SSL configurations are there.
>
>2. How to fix slapd startup issue due to mis-configuration of SSL?
>If for any reason slapd fails to start due to SSL issue,
>you may edit config/dse.ldif after shutting down slapd
>and revert back to non-SSL configs.
>i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off
>and then try to restart slapd.
>
>3. How to fix Admin Server login issue due to mis-configuration of SSL?
>If for any reason Admin Server login fails and you wish to give up,
>simply stop slapd and admin-serv and restore using the tar backup
>i.e. rm -f /var/Sun/mps/alias/*.db;tar -xvf /var/tmp/ds_backup.tar
>
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Jason
>Russler
>Sent: Thursday, April 20, 2006 4:15 AM
>To: General discussion list for the Fedora Directory server project.
>Subject: [Fedora-directory-users] SSL directory server gateway
>
>
>Hi all,
>I'm pretty uncertain about the best way to go about configuring the
>admin server to use SSL (FDS1.0.2).  All of the docs I'm finding are
>pretty shaky.  Ultimately, I want users to manage their passwords and
>info via the web-based Directory Server Gateway over SSL.  This would
>appear to be the same thing as enabling SSL for the admin server.  The
>setupssl.sh script provided by the SSL howto generates the keys/certs
>for the admin server and imports them into the appropriate cert db (I
>guess; I've performed the process by hand as well, based on RedHat's
>docs and the script itself).  This would imply to me that the admin
>console would find the generated certs and present them in the admin
>server's console (under the Configuration -> Encryption tab) in much the
>same way that it does in the directory server's console.  I can't tell
>if something that's supposed to work isn't or if I'm misunderstanding
>something.  I'd like to know before I try to generate new SSL
>certificates and import them.
>Thanks much,
>Jason
>
>--
>Fedora-directory-users mailing list Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
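Added here as an example that is not part of Gary's script or of this thread: a POSIX sh checker for the "IMPORTANT NOTES 1" step, which reads the SSL attributes the script writes (cn=config, cn=encryption,cn=config and cn=RSA,cn=encryption,cn=config) out of a copy of config/dse.ldif taken while slapd is stopped, joining LDIF continuation lines as the nsSSL3Ciphers value needs. It assumes the attribute names and alias/slapd-$HOST-* paths from the script; the dse.ldif fragment it runs against is constructed.

```shell
#!/bin/sh
# Offline check of the SSL attributes cr_ssl_certs.sh writes into
# config/dse.ldif (added example, not Gary's code). Use a copy of dse.ldif
# taken while slapd is stopped: the file is only flushed on shutdown.
# Print the value of attribute $2 in the entry with dn $1 from LDIF $3.
# LDIF continuation lines (leading space) are joined before matching.
ldif_attr() {
    awk -v dn="dn: $1" -v attr="$2:" '
        function flush() {
            if (in_entry && index(tolower(buf), tolower(attr)) == 1) {
                sub(/^[^:]*: */, "", buf); print buf; found = 1; exit
            }
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }
        { flush() }
        tolower($0) == tolower(dn) { in_entry = 1; next }
        /^$/ { in_entry = 0 }
        { buf = $0 }
        END { if (!found) flush() }' "$3"
}
# Check every attribute the script sets for host $2; returns 1 on any miss.
check_dse_ssl() {
    rc=0
    for spec in "cn=config|nsslapd-security|on" \
        "cn=encryption,cn=config|nsSSL3|on" \
        "cn=encryption,cn=config|nsKeyfile|alias/slapd-$2-key3.db" \
        "cn=encryption,cn=config|nsCertfile|alias/slapd-$2-cert8.db" \
        "cn=RSA,cn=encryption,cn=config|nsSSLActivation|on" \
        "cn=RSA,cn=encryption,cn=config|nsSSLPersonalitySSL|Server-Cert"
    do
        dn=${spec%%|*}; rest=${spec#*|}; attr=${rest%%|*}; want=${rest#*|}
        got=$(ldif_attr "$dn" "$attr" "$1")
        [ "$got" = "$want" ] && { echo "ok   $dn $attr: $got"; continue; }
        echo "FAIL $dn $attr: got '${got:-<missing>}', want '$want'"; rc=1
    done
    return $rc
}
# Constructed dse.ldif fragment in the shape the script leaves on host ldap1.
sample_dse() {
    printf '%s\n' 'dn: cn=config' 'nsslapd-security: on' '' \
        'dn: cn=encryption,cn=config' 'nsSSL3: on' \
        'nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,' ' +rsa_3des_sha' \
        'nsKeyfile: alias/slapd-ldap1-key3.db' \
        'nsCertfile: alias/slapd-ldap1-cert8.db' '' \
        'dn: cn=RSA,cn=encryption,cn=config' 'nsSSLActivation: on' \
        'nsSSLPersonalitySSL: Server-Cert' > "$1"
}
dse_sample=${TMPDIR:-/tmp}/dse_sample.ldif
sample_dse "$dse_sample" && check_dse_ssl "$dse_sample" ldap1
```

On a real server run `check_dse_ssl /opt/fedora-ds/slapd-<instance>/config/dse.ldif <hostname>` (path per the script's $SERVER_ROOT) after shutting slapd down; a FAIL line names the attribute that note 2 says to revert or fix.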