[Fedora-directory-users] question about SSL configuration with IP takeover HA setup
Ryan Braun
Ryan.Braun at ec.gc.ca
Fri Sep 21 16:14:01 UTC 2007
On Thursday 20 September 2007 21:36, George Holbert wrote:
Ok so I managed to create a new certificate using subjectAltName extensions,
and it works as advertised. I can run ldapsearches on eastldap on both
eastldap0.
Now my question is for generating certs for the other servers. Now that I
have the CA cert on eastldap0, I would assume I need to install the CA on
each additional server. Can I just copy and paste the cacert.asc into the
manage certificate wizard?
Then I would generate new certs for each server. Now do I need to generate
the certs all from eastldap0? or once the CA cert is installed on the rest
of the boxes, am I able to generate the required certs on each box? Is it
generally a good idea to keep all the cert creation in a central location?
And for the clients, all they need is the one cacert.asc to be able to
encrypt comms with each server?
Thanks
Ryan
>
> Each running FDS server instance will have just one SSL certificate.
> If you want your server to identify with multiple names, you can either:
> - Do a cert with subjectAltName extensions.
> - Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com).
>
> LDAP / SSL client support for these varies, so you will probably want to
> test both ways and see what works better with your clients.
> If it works for you, the subjectAltName method is probably preferable,
> because you can precisely list the valid names for your server.
>
> Also, consider keeping it simple and just doing certs with single names
> (e.g., one cert each for 'westldap.test.com' and 'eastldap.test.com'),
> and installing that same cert on each server which should have that SSL
> identity. This is actually a pretty common way to do it, though it will
> limit your ability to make SSL connections to individual nodenames, like
> eastldap0.test.com (as you noticed).
>
> Ryan Braun wrote:
> > Hey guys, installed FDS on a couple debian servers this week and am
> > liking it so far. I have a couple questions regarding SSL/TLS setup with
> > servers setup for IP takeover type HA setup. Keep in mind I have some
> > experience with the LDAP side of things, it's the ssl and all the
> > different certs and whatnot that keeps me up at night.
> >
> > Essentially what I'm looking at is a 4 way multimaster setup, ending up
> > with 2 HA pairs of servers. call them eastldap and westldap. I've
> > implemented the east side in my test lab and have it replicating and can
> > pull any user info I need off the directory no problem.
> >
> > so
> > eastldap0.test.com ip 192.168.0.11
> > eastldap1.test.com ip 192.168.0.12
> > and the virtual interface on whichever machine is master would be
> > eastldap.test.com ip 192.168.0.10
> >
> > and then the exact same setup with the last 2
> >
> > westldap0.test.com ip 192.168.1.11
> > westldap1.test.com ip 192.168.1.12
> > westldap.test.com ip 192.168.1.10
> >
> > Once everything is setup and running clients would be primarily only
> > connecting to either virtual interface west/eastldap using TLS over port
> > 389 and the 4 masters replicating with encryption (not sure but I imagine
> > this takes place on ldaps port).
> >
> > I followed the instructions on the howto:ssl page and created a cert
> > located on eastldap0. But instead of using the eastldap0.test.com as the
> > cn, I used eastldap.test.com. Cert installed ok, made sure eastldap0
> > was the HA master and restarted fds.
> >
> > When I copied over the cacert to a linux client, I can run searches
> > using ldapsearch -ZZ -h eastldap.test.com. Server logs and wire sniffs
> > confirm everything is coming back encrypted. It seems to be behaving as
> > expected, when I try ldapsearch -ZZ -h eastldap0.test.com, it pukes with
> > error 11 additional info: TLS: hostname does not match CN in peer
> > certificate, which is right as the name in the cert is
> > eastldap.test.com.
> >
> > So it would appear I'm on my way, I just am not sure about what certs I
> > need now, and how to add them properly. I would think I need at the very
> > least
> >
> > eastldap0
> > - eastldap0.test.com cert
> > - eastldap.test.com cert
> > eastldap1
> > - eastldap1.test.com cert
> > - eastldap.test.com cert
> > westldap0
> > - westldap0.test.com cert
> > - westldap.test.com cert
> > westldap1
> > - westldap1.test.com cert
> > - westldap.test.com cert
> >
> > I'm just not sure if that is the proper way to go about it. Also, I
> > would like to have the clients to be able to have all the cacerts to be
> > able to communicate with all virtual and physical addresses if need be.
> > Later on, I would be adding probably 5 or 6 consumer read only replicas
> > in between the suppliers and the clients, but one must walk before they
> > run I guess :)
> >
> > Long post I know, just trying to make sure I get all the important stuff
> > out there. Be kind if I was using the incorrect terminology for the
> > certs/cacerts :)
> >
> > Ryan
> >
> > PS. anyone have a good SSL for dummies reference that lays out what the
> > heck is going on with SSL (pems,keys,certs,cacerts etc)
> >
> > --
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
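The thread turns on how a TLS client decides whether the name it connected to matches the server certificate: the original cert carried only cn=eastldap.test.com, so ldapsearch against eastldap0.test.com failed with "hostname does not match CN in peer certificate", and a cert with subjectAltName entries (or a wildcard CN) fixes it. The following added example, not code from the thread or from Fedora Directory Server, models that client-side check in stdlib Python. The certificate dictionaries are constructed for illustration in the shape returned by Python's ssl.getpeercert(); the matching rules (SAN dNSName entries preferred, CN consulted only when no dNSName is present, wildcard allowed only as the whole leftmost label) follow RFC 6125 conventions and are an assumption about client behaviour, not a description of the exact OpenLDAP client of the time.

```python
"""Hostname verification against the names in a server certificate.

Models the check an LDAP-over-TLS client performs after the handshake:
the host it dialled must match a dNSName in subjectAltName, or, if the
certificate carries no dNSName entries at all, the subject commonName.
"""


def _labels(name):
    """Lower-case DNS labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """True if a certificate name (optionally '*.' + domain) covers hostname."""
    p = _labels(pattern)
    h = _labels(hostname)
    if "*" not in pattern:
        return p == h
    # Wildcard rules (RFC 6125 style, assumed here): '*' must be the entire
    # leftmost label, at least two fixed labels must follow it, and it
    # matches exactly one label, so 'a.b.test.com' does not match '*.test.com'.
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def cert_dns_names(cert):
    """Names a client considers: SAN dNSName entries if any, else the CN(s)."""
    sans = [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [val for rdn in cert.get("subject", ())
            for attr, val in rdn if attr == "commonName"]


def hostname_matches_cert(hostname, cert):
    """The decision ldapsearch -ZZ effectively makes for the peer cert."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


# Constructed certificates (getpeercert()-shaped dicts, not real certs).
# The first is the situation from the original post: CN only.
CERT_CN_ONLY = {
    "subject": ((("commonName", "eastldap.test.com"),),),
}
# The fix from the follow-up: SAN listing the virtual and physical names.
CERT_WITH_SAN = {
    "subject": ((("commonName", "eastldap.test.com"),),),
    "subjectAltName": (("DNS", "eastldap.test.com"),
                       ("DNS", "eastldap0.test.com"),
                       ("DNS", "eastldap1.test.com")),
}
# The alternative suggested in the reply: wildcard CN.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.test.com"),),),
}
# Pitfall: once any dNSName is present the CN is no longer consulted.
CERT_SAN_OMITS_CN = {
    "subject": ((("commonName", "eastldap.test.com"),),),
    "subjectAltName": (("DNS", "eastldap0.test.com"),),
}


def report(hostname, certs):
    """Map each cert label to the verdict a client would reach for hostname."""
    return {label: hostname_matches_cert(hostname, cert)
            for label, cert in certs.items()}


if __name__ == "__main__":
    certs = {"cn_only": CERT_CN_ONLY, "san": CERT_WITH_SAN,
             "wildcard": CERT_WILDCARD, "san_omits_cn": CERT_SAN_OMITS_CN}
    for host in ("eastldap.test.com", "eastldap0.test.com", "test.com"):
        print(host, report(host, certs))
```

The san_omits_cn case is the one worth remembering when the SAN cert is rolled out to each HA node: the virtual name has to be listed explicitly in subjectAltName alongside the node's own name, because a CN that is not repeated there is ignored by a conforming client.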