<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
<blockquote type="cite">
<div>
<p class="MsoNormal">I am having an issue with securing
Directory Server communication using SSL which I need guidance
on how to solve. I am setting up a master and slave which will
use SSL to secure communication between the two servers and to
all other clients. <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I used openssl to create a CA cert and sign
the Manager server certificate as follows: <u></u><u></u></p>
<p>- CA cert created by <code>openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650</code></p>
<p>- Manager server CSR signed - <code>openssl ca -config openssl.cnf -policy policy_anything -out certs/xxx.crt -infiles xxx.csr</code></p>
<p>- Checked both certs using before installing on Manager</p>
<p>- Both certs were installed using root.</p>
<p>- Enabled encryption via the console and restarted dirsrv. Note comms remain on port 389 after the reboot. E.g. xxx.com:389</p>
<p style="margin-left:72pt"><span style="font-family:"Courier New""><span>o<span style="font:7pt "Times New Roman""> </span></span></span>certutil
-L -d . output show that both a CA cert and server cert are
installed as follows: <u></u><u></u></p>
<p style="margin-left:72pt">server-cert
u,u,u<u></u><u></u></p>
<p style="margin-left:72pt">xxxx-ca.crt
CT,, <u></u><u></u></p>
<p>- I checked that the server is listening on port 636. Logs also confirmed that the Manager is listening on port 636</p>
<p>- I tested that the Manager can receive connections on port 636, by connecting using telnet from another server – <code>telnet &lt;server name&gt; 636</code>. The connection was also visible in netstat output.</p>
<p>- I can’t see any errors in <code>/var/log/dirsrv/slapd-&lt;server&gt;/errors</code></p>
<p class="MsoNormal">Can you help so that I can setup secure
communication correctly?<u></u><u></u></p>
<p class="MsoNormal">Kind regards<u></u><u></u></p>
<p class="MsoNormal">Andy</p></div></blockquote></div></blockquote><div><div><div><div><div><div><div><div>1 - Do you have a replication agreement setup?<br></div>1a - In your replication agreement did you specify the Replication Manager
account with correct password? (mine is cn=Replication
Manager,cn=config)?<br></div>2 - Did you make sure you specify the "Supplier" as coming from port 389 and the "Consumer" using port 636?<br></div>2a - Did you select the following for the Connection:<br>
</div>"Use TLS/SSL (TLS/SSL Encryption with LDAPS)"<br></div>"Simple (Bind DN/Password)"<br></div>Bind as: cn=Replication Manager(or whatever you have),cn=config<br></div>Password: (password) <br></div>
</div><br></div><div class="gmail_extra">Note: To check for Replication Manager account, browse to Directory Tab. Click config. Replication Manager will appear. Edit password here. This needs to exist on both directory servers.<br>
<br></div><div class="gmail_extra">3. Did you assign them different unique IDs when creating the client certificates? Note the "m" option.<br><pre>certutil -S -n "Server-Cert-dirsrv2-hq" -s "cn=<a href="http://dirsrv2.example.com">dirsrv2.example.com</a>,cn=Directory Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -z noise.txt -f pwdfile.txt<br>
</pre></div></div>
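<p>The checks behind both messages, as an added example that is not code from either poster: a throwaway CA built with openssl, one server certificate per directory server signed with a distinct serial (the openssl counterpart of the <code>-m</code> point in item 3, via <code>-set_serial</code>), a chain check against the CA, a SAN/hostname check, a PKCS#12 bundle of the kind <code>pk12util -i</code> imports into the dirsrv NSS database, and a live LDAPS probe. The probe matters because a telnet connection to port 636 only shows the TCP socket is open; it does not show that a TLS handshake completes or that the presented chain verifies. The hostnames dirsrv1/dirsrv2.example.com, the serials 1001/1002, the PKCS#12 password and the scratch directory are assumptions for illustration.</p>

```shell
#!/bin/sh
# Added example, not from the original thread: build a throwaway CA with openssl,
# issue one server cert per directory server with a DISTINCT serial number, and
# run the checks worth doing before the certs go into the NSS database.
# Hostnames, serials, password and the scratch directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory (assumption)
CA_DAYS=3650
CERT_DAYS=365

# make_ca: self-signed CA, the equivalent of the "openssl req -x509" step above
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -days "$CA_DAYS" \
    -subj "/CN=Example Directory CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_cert <fqdn> <serial>: CSR + signature by the CA. -set_serial plays the
# role of certutil's -m: every cert under one issuer needs its own value.
issue_cert() {
  host="$1"; serial="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  # SAN so clients that check the hostname accept the cert
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial "$serial" -days "$CERT_DAYS" -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" >/dev/null 2>&1
}

# verify_chain <fqdn>: exit 0 when the server cert chains to ca.crt
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_serial <fqdn>: serial as openssl prints it (uppercase hex, e.g. 03EA for 1002)
cert_serial() {
  openssl x509 -in "$WORK/$1.crt" -noout -serial | sed 's/^serial=//'
}

# serials_unique <fqdn1> <fqdn2>: exit 0 when the two certs do not share a serial
serials_unique() {
  [ "$(cert_serial "$1")" != "$(cert_serial "$2")" ]
}

# hostname_matches <fqdn>: exit 0 when the cert carries that name in its SAN
hostname_matches() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "DNS:$1"
}

# bundle_pkcs12 <fqdn> <password>: key + cert + CA in one PKCS#12 file, the form
# that "pk12util -i <file> -d <nssdb>" imports under the friendly name given by -name
bundle_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/ca.crt" -name "Server-Cert" \
    -out "$WORK/$1.p12" -passout "pass:$2" >/dev/null 2>&1
}

# check_ldaps <fqdn> <port>: live probe of a running instance (not exercised here).
# telnet only proves the TCP port accepts; this proves a TLS handshake completes
# and the presented chain verifies against our CA.
check_ldaps() {
  openssl s_client -connect "$1:$2" -CAfile "$WORK/ca.crt" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

make_ca
issue_cert dirsrv1.example.com 1001
issue_cert dirsrv2.example.com 1002
bundle_pkcs12 dirsrv1.example.com changeit
bundle_pkcs12 dirsrv2.example.com changeit
```

<p>Once the bundle is imported, <code>certutil -V -n Server-Cert -u V -d /etc/dirsrv/slapd-&lt;instance&gt;</code> validates the server certificate for the SSL-server usage against the CA in the same database, and <code>check_ldaps dirsrv2.example.com 636</code> (or <code>LDAPTLS_CACERT=ca.crt ldapsearch -H ldaps://dirsrv2.example.com:636 -x -b "" -s base</code>) exercises the listener the way a replication consumer would. Enabling encryption adds the 636 listener next to 389; it does not remove the plain-text port, so seeing 389 still open after the restart is expected.</p>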