-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Tay, Gary
Sent: Wednesday, April 12, 2006 6:20 PM
To: fedora-directory-users@redhat.com
Subject: **Caution-External**: [Fedora-directory-users] Automated script for complementing SSLHowToFDS Folks,
I wrote this script for the benefits of all.
Gary
Content of cr_ssl_certs_fds1ldap.sh
#! /bin/sh
#
# cr_ssl_certs_fds1ldap.sh
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Direcyory Manager
#
#set -vx
IS_ROOT_UID=`id | grep "uid=0(root)"`
if [ ! -n "$IS_ROOT_UID" ]; then
echo "Please run this script as root"
exit 1
fi
if [ ! -f /home/ldap/dirmgr.pwd ]; then
echo "Please setup /home/ldap/dirmgr.pwd."
exit 1
else
chmod 600 /home/ldap/dirmgr.pwd
fi
# Pls customize the followings
HOST="ldap1"
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
SLAPD_OWNER="nobody"
SLAPD_GROUP="nobody"
FDS1_PATH=/opt/fedora-ds
LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
export LD_LIBRARY_PATH
PATH=$FDS1_PATH/shared/bin:$PATH; export PATH
cd $FDS1_PATH/alias
DOW=`date | cut -d' ' -f1`
echo "Backing up existing *.db (if any) to backup_$DOW."
mkdir -p backup_$DOW >/dev/null 2>/dev/null
cp -p *.db backup_$DOW >/dev/null 2>/dev/null
/bin/rm -f *.db >/dev/null 2>/dev/null
echo "secretpwd" >pwdfile.txt
chmod 600 pwdfile.txt
echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt
echo "Creating new security key3.db/cert8.db pair."
../shared/bin/certutil -N -d . -f pwdfile.txt
echo "Generating encryption key."
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed CA certificate."
../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x \
-t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Generating self-signed Server certificate."
../shared/bin/certutil -S -n "Server-Cert" -s \
"cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
-t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
echo "Renaming and linking modified security DBs."
mv -f key3.db slapd-$HOST-key3.db
mv -f cert8.db slapd-$HOST-cert8.db
ln -s slapd-$HOST-key3.db key3.db
ln -s slapd-$HOST-cert8.db cert8.db
echo "Setting the correct ownership of security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP *.db
echo "Self-signed CA and SSL Server certs generated."
echo ""
echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format,"
echo "exporting the CA Cert in ASCII format or DER format, and"
echo "importing the CA Cert into the Admin Server"
echo ""
echo "---Start of OPTIONAL commands---"
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
-a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
-r > cacert.der
../shared/bin/certutil -A -d . -P admin-serv-$HOST- -n "CA certificate" \
-t "CT,," -a -i cacert.asc
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""
echo "Modifying server SSL configurations."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
cat <<EOF >/tmp/ssl_enable.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.dbdn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: offEOF
../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif
cat <<EOF >/tmp/delRSA.ldif
cn=RSA,cn=encryption,cn=configEOF
../shared/bin/ldapdelete -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/delRSA.ldif
[ $? -eq 0 ] && echo "deleting cn=RSA,cn=encryption,cn=config"
cat <<EOF >/tmp/addRSA.ldif
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: onEOF
../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif
echo "Creating a pin.txt for auto-starting of slapd."
echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
chmod 400 slapd-$HOST-pin.txt
echo ""
echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsslapd-security: off"
echo "and then try to restart slapd."
echo ""=======Sample run.
# ./cr_ssl_certs_fds1ldap.sh
Backing up existing *.db (if any) to backup_Wed.
Creating new security key3.db/cert8.db pair.
Generating encryption key.
Generating key. This may take a few moments...
Generating self-signed CA certificate.
Generating key. This may take a few moments...
Generating self-signed Server certificate.
Generating key. This may take a few moments...
Renaming and linking modified security DBs.
Setting the correct ownership of security DBs
Self-signed CA and SSL Server certs generated.The following commands are OPTIONAL.
They are for backing up CA and Server Certs in PK12 format,
exporting the CA Cert in ASCII format or DER format, and
importing the CA Cert into the Admin Server---Start of OPTIONAL commands---
../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o servercert.pfx -n "Server-Cert"
../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -r > cacert.der
../shared/bin/certutil -A -d . -P admin-serv-nj1net200plmon- -n "CA certificate" -t "CT,," -a -i cacert.asc
---End of OPTIONAL commands---Modifying server SSL configurations.
NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
modifying entry cn=encryption,cn=config
ldap_modify: Type or value existsdeleting cn=RSA,cn=encryption,cn=config
adding new entry cn=RSA,cn=encryption,cn=configCreating a pin.txt for auto-starting of slapd.
IMPORTANT NOTES:
1. How to check if SSL Configurations are done properly?
You may view config/dse.ldif after shutting down slapd
to verify all the required SSL configurations are there.2. How to fix slapd startup issue due to mis-configuration of SSL?
If for any reason slapd fails to start due to SSL issue,
you may edit config/dse.ldif after shutting down slapd
and revert back to non-SSL configs.
i.e. set nsSSL3: off, nsslapd-security: off
and then try to restart slapd.