<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-fareast-language:EN-GB;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Problem solved.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Copied a CA certificate to /etc/pki/CA/certs and updated /etc/openldap/ldap.conf the location of the CA by adding line TLS_CACERT /etc/openldap/certs/<ca cert><o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></a></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andy [mailto:racingyacht1@gmail.com] <br><b>Sent:</b> 18 April 2014 01:43<br><b>To:</b> 'General discussion list for the 389 Directory server project.'<br><b>Subject:</b> RE: [389-users] SSL<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Further information using ldapsearch that substantiates the log file. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[root@xxx ~]# ldapsearch -x -ZZ serverxxx.com<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>ldap_start_tls: Connect error (-11)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andy [<a href="mailto:racingyacht1@gmail.com">mailto:racingyacht1@gmail.com</a>] <br><b>Sent:</b> 18 April 2014 01:40<br><b>To:</b> 'General discussion list for the 389 Directory server project.'<br><b>Subject:</b> RE: [389-users] SSL<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I have done a system check and the SSL certificate has a problem. Error log:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[18/Apr/2014:01:33:53 +0100] conn=40 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[18/Apr/2014:01:33:53 +0100] conn=40 op=0 RESULT err=0 tag=120 nentries=0 etime=0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[18/Apr/2014:01:33:53 +0100] conn=40 op=-1 fd=70 closed - Peer does not recognize and trust the CA that issued your certificate.<o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andy [<a href="mailto:racingyacht1@gmail.com">mailto:racingyacht1@gmail.com</a>] <br><b>Sent:</b> 18 April 2014 00:40<br><b>To:</b> 'General discussion list for the 389 Directory server project.'<br><b>Subject:</b> RE: [389-users] SSL<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Justin,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks for the prompt advice.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Replication is now working between Master and a single consumer. Thanks for your help.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I will continue to do a full test.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best regards<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:389-users-bounces@lists.fedoraproject.org">389-users-bounces@lists.fedoraproject.org</a> [<a href="mailto:389-users-bounces@lists.fedoraproject.org">mailto:389-users-bounces@lists.fedoraproject.org</a>] <b>On Behalf Of </b>Justin Edmands<br><b>Sent:</b> 17 April 2014 20:55<br><b>To:</b> General discussion list for the 389 Directory server project.<br><b>Subject:</b> Re: [389-users] SSL<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><div><div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I am having an issue with securing Directory Server communication using SSL which I need guidance on how to solve. I am setting up a master and slave which will use SSL to secure communication between the two servers and to all other clients. <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I used openssl to create a CA cert and sign the Manager server certificate as follows: <o:p></o:p></p><p>- CA cert created by <span style='font-family:"Calibri","sans-serif";color:#3B3B3B;background:white'>openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key<b> </b>-out certs/ca.crt -days 3650</span><b> </b><o:p></o:p></p><p>- Manager server csr signed - <span style='font-family:"Calibri","sans-serif";color:#3B3B3B;background:white'>openssl ca -config openssl.cnf -policy policy_anything -out certs/</span><span style='font-family:"Calibri","sans-serif";background:white'>xxx<span style='color:#3B3B3B'>.crt -infiles</span></span><b><span style='color:#3B3B3B;background:white'> </span></b><span style='font-family:"Calibri","sans-serif";background:white'>xxx<span style='color:#3B3B3B'>.csr</span></span> <o:p></o:p></p><p>- Checked both certs using before installing on Manager<o:p></o:p></p><p>- Both certs were installed using root. <o:p></o:p></p><p>- Enabled encryption via the console and restarted dirsrv. Note coms remain of port 389 after the reboot. E.g. <a href="http://xxx.com:389" target="_blank">xxx.com:389</a> <o:p></o:p></p><p><img border=0 width=227 height=131 id="_x0000_i1025" src="cid:image001.jpg@01CF5AAC.A89AB660"><o:p></o:p></p><p>- <o:p></o:p></p><p style='margin-left:72.0pt'><span style='font-family:"Courier New"'>o</span><span style='font-size:7.0pt'> </span>certutil -L -d . output show that both a CA cert and server cert are installed as follows: <o:p></o:p></p><p style='margin-left:72.0pt'>server-cert u,u,u<o:p></o:p></p><p style='margin-left:72.0pt'>xxxx-ca.crt CT,, <o:p></o:p></p><p>- I checked that the server is listening on port 636. Logs also confirmed that the Manager is listening on port 636<o:p></o:p></p><p>- I tested that the Manager can receive connection on port 636, by connecting using telnet from another server – telnet <server name> 636. The connect was also visible on netstat output.<o:p></o:p></p><p>- I can’t see any errors in /var/log/dirsrv/slpad-<server>/errors <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Can you help so that I can setup secure communication correctly?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Kind regards<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Andy<o:p></o:p></p></div></blockquote></div></blockquote><div><div><div><div><div><div><div><div><p class=MsoNormal>1 - Do you have a replication agreement setup?<o:p></o:p></p></div><p class=MsoNormal>1a - In your replication agreement did you specify the Replication Manager account with correct password? (mine is cn=Replication Manager,cn=config)?<o:p></o:p></p></div><p class=MsoNormal>2 - Did you make sure you specify the "Supplier" as coming from port 389 and the "Consumer" using port 636?<o:p></o:p></p></div><p class=MsoNormal>2a - Did you select the following for the Connection:<o:p></o:p></p></div><p class=MsoNormal>"Use TLS/SSL (TLS/SSL Encryption with LDAPS)"<o:p></o:p></p></div><p class=MsoNormal>"Simple (Bind DN/Password)"<o:p></o:p></p></div><p class=MsoNormal>Bind as: cn=Replication Manager(or whatever you have),cn=config<o:p></o:p></p></div><p class=MsoNormal>Password: (password) <o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'>Note: To check for Replication Manager account, browse to Directory Tab. Click config. Replication Manager will appear. Edit password here. This needs to exist on both directory servers.<o:p></o:p></p></div><div><p class=MsoNormal>3. Did you assign them different unique IDs when creating the client certificates? Note the "m" option.<o:p></o:p></p><pre style='margin-bottom:12.0pt'>certutil -S -n "Server-Cert-dirsrv2-hq" -s "cn=<a href="http://dirsrv2.example.com">dirsrv2.example.com</a>,cn=Directory Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -z noise.txt -f pwdfile.txt<o:p></o:p></pre></div></div></div></body></html>