[Fedora-directory-users] question about SSL configuration with IP takeover HA setup

Ryan Braun Ryan.Braun at ec.gc.ca
Fri Sep 21 16:14:01 UTC 2007


On Thursday 20 September 2007 21:36, George Holbert wrote:

Ok so I managed to create a new certificate using subjectAltName extensions,  
and it works as advertised.  I can run ldapsearches on eastldap on both 
eastldap0.

Now my question is for generating certs for the other servers.  Now that I 
have the CA cert on eastldap0,  I would assume I need to install the CA on 
each additional server.  Can I just copy and paste the cacert.asc into the 
manage certificate wizard?

Then I would generate new certs for each server.  Now do I need to generate 
the certs all from eastldap0?  or once the CA cert is installed on the rest 
of the boxes,  am I able to generate the required certs on each box?  Is it 
generally a good idea to keep all the cert creation in a central location?

And for the clients,  all they need is the one cacert.asc to be able to 
encrypt comms with each server?

Thanks

Ryan


>
> Each running FDS server instance will have just one SSL certificate.
> If you want your server to identify with multiple names, you can either:
> - Do a cert with subjectAltName extensions.
> - Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com).
>
> LDAP / SSL client support for these varies, so you will probably want to
> test both ways and see what works better with your clients.
> If it works for you, the subjectAltName method is probably preferable,
> because you can precisely list the valid names for your server.
>
> Also, consider keeping it simple and just doing certs with single names
> (e.g.,  one cert each for 'westldap.test.com' and 'eastldap.test.com'),
> and installing that same cert on each server which should have that SSL
> identity.  This is actually a pretty common way to do it, though it will
> limit your ability to make SSL connections to individual nodenames, like
> eastldap0.test.com (as you noticed).
>
> Ryan Braun wrote:
> > Hey guys,  installed FDS on a couple debian servers this week and am
> > liking it so far.  I have a couple questions regarding SSL/TLS setup with
> > servers setup for  IP takeover type HA setup.  Keep in mind I have some
> > experience with the LDAP side of things,  it's the ssl and all the
> > different certs and whatnot that keeps me up at night.
> >
> > Essentially what I'm looking at is a 4 way multimaster setup,  ending up
> > with 2 HA pairs of servers.  call them eastldap and westldap.   I've
> > implemented the east side in my test lab and have it replicating and can
> > pull any user info I need off the directory no problem.
> >
> > so
> > eastldap0.test.com ip 192.168.0.11
> > eastldap1.test.com ip 192.168.0.12
> > and the virtual interface on whichever machine is master would be
> > eastldap.test.com ip 192.168.0.10
> >
> > and then the exact same setup with the last 2
> >
> > westldap0.test.com ip 192.168.1.11
> > westldap1.test.com ip 192.168.1.12
> > westldap.test.com ip 192.168.1.10
> >
> > Once everything is setup and running clients would be primarily only
> > connecting to either virtual interface west/eastldap using TLS over port
> > 389 and the 4 masters replicating with encryption (not sure but I imagine
> > this takes place on ldaps port).
> >
> > I followed the instructions on the howto:ssl page and created a cert
> > located on eastldap0.  But instead of using the eastldap0.test.com as the
> > cn,  I used eastldap.test.com.  Cert installed ok, made sure eastldap0
> > was the HA master and restarted fds.
> >
> > When I copied over the cacert to a linux client,  I can run searches
> > using ldapsearch -ZZ -h eastldap.test.com.  Server logs and wire sniffs
> > confirm everything is coming back encrypted.  It seems to be behaving as
> > expected, when I try ldapsearch -ZZ -h eastldap0.test.com,  it pukes with
> > error 11 additional info: TLS: hostname does not match CN in peer
> > certificate,  which is right as the name in the cert is
> > eastldap.test.com.
> >
> > So it would appear I'm on my way,  I just am not sure about what certs I
> > need now, and how to add them properly.  I would think I need at the very
> > least
> >
> > eastldap0
> > - eastldap0.test.com cert
> > - eastldap.test.com cert
> > eastldap1
> > - eastldap1.test.com cert
> > - eastldap.test.com cert
> > westldap0
> > - westldap0.test.com cert
> > - westldap.test.com cert
> > westldap1
> > - westldap1.test.com cert
> > - westldap.test.com cert
> >
> > I'm just not sure if that is the proper way to go about it.  Also,  I
> > would like the clients to have all the cacerts so they are able to
> > communicate with all virtual and physical addresses if need be.
> > Later on,  I would be adding probably 5 or 6 consumer read only replicas
> > in between the suppliers and the clients,  but one must walk before they
> > run I guess :)
> >
> > Long post I know,  just trying to make sure I get all the important stuff
> > out there.  Be kind if I was using the incorrect terminology for the
> > certs/cacerts :)
> >
> > Ryan
> >
> > PS.  anyone have a good SSL for dummies reference that lays out what the
> > heck is going on with SSL (pems,keys,certs,cacerts etc)
> >
> > --
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
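The "hostname does not match CN in peer certificate" error in the thread, and the two remedies George describes (a subjectAltName cert listing every name, or a wildcard CN), come down to how a client matches the hostname it connected to against the names in the server certificate. The following is an added illustration, not code from the list or from Fedora Directory Server: it implements the simplified RFC 6125 matching rules in pure Python over constructed certificate descriptions (plain dicts, not parsed certificate files) for the hostnames in Ryan's east/west plan, and reports which names a given certificate is still missing.

```python
"""Hostname-vs-certificate name matching, added as an illustration.

Certificates are described by constructed dicts with the subject CN and
the list of dNSName subjectAltName entries; no real certificate files
are read.  Hostnames and layout follow the test lab in the thread.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    Simplified RFC 6125 rules: comparison is case-insensitive and ignores
    a trailing dot; a '*' is honoured only as the entire left-most label,
    must leave at least two literal labels, and matches exactly one label,
    so '*.test.com' matches 'eastldap0.test.com' but neither 'test.com'
    nor 'a.b.test.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards such as 'east*.test.com' and overly broad
    # ones such as '*.com'.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names a client will consider for this certificate.

    When dNSName SAN entries are present only those are consulted; the
    subject CN is the fallback for certificates without SAN entries.
    """
    san = cert.get("san_dns", [])
    return list(san) if san else [cert["subject_cn"]]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is an acceptable name for this certificate."""
    return any(dns_name_matches(n, hostname) for n in cert_names(cert))


def missing_names(cert: dict, required_hosts: list) -> list:
    """Hostnames from required_hosts that this certificate does not cover."""
    return [h for h in required_hosts if not hostname_matches(cert, h)]


# Constructed certificate descriptions for the east pair.
CN_ONLY_CERT = {"subject_cn": "eastldap.test.com", "san_dns": []}
SAN_CERT = {
    "subject_cn": "eastldap.test.com",
    "san_dns": ["eastldap.test.com", "eastldap0.test.com", "eastldap1.test.com"],
}
WILDCARD_CERT = {"subject_cn": "*.test.com", "san_dns": []}

# Names each east node must answer to: its own name plus the takeover name.
EAST_REQUIRED = {
    "eastldap0": ["eastldap0.test.com", "eastldap.test.com"],
    "eastldap1": ["eastldap1.test.com", "eastldap.test.com"],
}


def check_plan(cert: dict, plan: dict) -> dict:
    """Map each node name to the hostnames the cert leaves uncovered."""
    return {node: missing_names(cert, hosts) for node, hosts in plan.items()}


if __name__ == "__main__":
    for label, cert in [("CN only", CN_ONLY_CERT), ("SAN", SAN_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        print(label, check_plan(cert, EAST_REQUIRED))
```

Running it shows the situation from the thread: the CN-only certificate for eastldap.test.com leaves eastldap0.test.com and eastldap1.test.com uncovered on their respective nodes, while the SAN and wildcard certificates cover every name in the east plan. The wildcard also accepts any other single-label host under test.com, which is the precision trade-off George points out.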
