I have written Java code that does what you described. I think you should
break up your problem.
1) Install your server certificate on the 389 DS first. You should consult
the following website
2) Write your Java application to use JNDI to talk with 389 DS via SSL.
You should follow the tutorial from the website.
An important thing to note is you need to create a Java keystore. The Java
keystore needs to be accessible by your application. You can pass in a
Java property that specifies the Java keystore. The JNDI Tutorial above
should give you some hint.
Good luck,
dc
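The JNDI-over-SSL client that dc describes, written out as an added example (this is not code from the thread or from the 389 DS project). It assumes the CA certificate exported later in this thread as my-public-ca.asc has been imported into a JKS truststore with `keytool -importcert -alias dsca -file my-public-ca.asc -keystore /etc/pki/myapp/truststore.jks` (the alias, the truststore path and password, the bind DN, the base DN and the hostname ldap1.example.com are all assumptions), and that the bind password is supplied through the LDAP_BIND_PW environment variable rather than hard-coded. It checks that the truststore really contains the CA before connecting, and turns the most common failure (handshake rejected because the CA is missing or the certificate cn does not match the hostname) into a readable diagnostic instead of a stack trace.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.ssl.SSLHandshakeException;

public class LdapsClient {

    // Assumed values: hostname, base DN, bind DN and truststore path are placeholders for this example.
    static final String LDAP_URL = "ldaps://ldap1.example.com:636";
    static final String BASE_DN = "dc=directory,dc=example,dc=com";
    static final String BIND_DN = "cn=Directory Manager";
    static final String TRUST_STORE = "/etc/pki/myapp/truststore.jks";
    static final String CA_ALIAS = "dsca";

    /** Preflight: the truststore must load and must hold a trusted-certificate entry under the expected alias. */
    static boolean trustStoreHasCa(String path, char[] storePass, String alias)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks.isCertificateEntry(alias);
    }

    /** JNDI environment for a simple bind over TLS. */
    static Hashtable<String, String> buildEnv(String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        // Redundant with an ldaps:// URL, but keeps the connection on TLS if the URL is later changed to ldap://.
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** Subtree search returning only the entry count, enough to prove the bind and the TLS session work. */
    static int countEntries(DirContext ctx, String baseDn, String filter) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        int n = 0;
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
        try {
            while (results.hasMore()) {
                results.next();
                n++;
            }
        } finally {
            results.close();
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Honour -Djavax.net.ssl.trustStore from the command line; otherwise point JSSE at the assumed path.
        if (System.getProperty("javax.net.ssl.trustStore") == null) {
            System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        }
        String storePath = System.getProperty("javax.net.ssl.trustStore");
        String storePass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        if (!trustStoreHasCa(storePath, storePass.toCharArray(), CA_ALIAS)) {
            System.err.println("truststore " + storePath + " has no certificate entry '" + CA_ALIAS
                    + "'; import the directory CA with keytool first");
            System.exit(2);
        }

        String password = System.getenv("LDAP_BIND_PW");
        if (password == null) {
            System.err.println("set LDAP_BIND_PW to the bind password");
            System.exit(2);
        }

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(buildEnv(BIND_DN, password));
            System.out.println("entries under " + BASE_DN + ": " + countEntries(ctx, BASE_DN, "(objectClass=*)"));
        } catch (CommunicationException e) {
            // JNDI wraps a rejected handshake in CommunicationException with the SSL exception as root cause.
            if (e.getRootCause() instanceof SSLHandshakeException) {
                System.err.println("TLS handshake failed: " + e.getRootCause().getMessage());
                System.err.println("Check that the CA which signed the server certificate is in the truststore "
                        + "and that the certificate cn (or SAN) matches the hostname in " + LDAP_URL);
                System.exit(1);
            }
            throw e;
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }
}
```

Run it as `LDAP_BIND_PW=... java -Djavax.net.ssl.trustStore=/etc/pki/myapp/truststore.jks LdapsClient`. Only the CA certificate goes into the truststore, never the server's private key; and because modern JDKs verify the LDAPS hostname against the certificate, the server certificate subject must carry the FQDN exactly as the later posts in this thread insist.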
On Wed, Mar 20, 2013 at 5:48 PM, Chandan Kumar <chandank.kumar(a)gmail.com> wrote:
Hi Rohit,
Months back Arpit responded to my similar query in this forum and it
worked. I am just re-posting his steps here.
The only difference is just ignore the slave certificate generation and
all should be good.
How about creating one CA cert & signing all RHDS server from same CA,
Then all you have to do is to import only one CA in clients.
Create a CA Certificate
# certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa
Make sure you say yes to "Is this a CA certificate [y/N]?" and
everything else will be default.
Next we create your Server Cert.
Important - Make sure your cn is your FQDN of this server.
Create cert for ldap1.example.com on ldap1.example.com
# certutil -S -n "directory-Server-Cert-1" -s "cn=ldap1.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa
Create cert for ldap2.example.com on ldap1.example.com
# certutil -S -n "directory-Server-Cert-2" -s "cn=ldap2.example.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa
Then check to make sure it looks ok
# certutil -L -n "directory-Server-Cert-2" -d .
Export keys & certs for ldap2.example.com
# pk12util -d . -o server2.p12 -n directory-Server-Cert-2
# certutil -L -d . -n "CA certificate" -a > cacert.asc
Copy the 'server2.p12' and 'cacert.asc' created above to the 2nd Red
Hat Directory Server.
Create your public ca for your clients.
# certutil -d . -L -n "CA certificate" -a > my-public-ca.asc
While logged in to the 2nd RHDS, i.e. ldap2.example.com, run the following:
# service dirsrv stop
# cd /etc/dirsrv/slapd-INSTANCE2/
# mv /path/to/server2.p12 /etc/dirsrv/slapd-INSTANCE2/
# mv /path/to/cacert.asc /etc/dirsrv/slapd-INSTANCE2/
# pk12util -d . -i server2.p12
# certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
# service dirsrv start
Thanks
Chandan
On Wednesday, March 20, 2013, Chaudhari, Rohit K. wrote:
> Hey everyone,
>
> I need help implementing a client-server SSL connection. I've been
> researching on the web and I have no idea how to get my Java application to
> talk to the 389DS securely. I have been looking into keytool and JSSE, but
> there is no clear cut explanation on how it should be done. I have a
> self-signed CA certificate that I created using certutil, and then a server
> certificate generated from that self-signed CA. Is there anyone who knows
> a path to a solution?
>
> Thanks,
>
> Rohit
>
--
http://about.me/chandank
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users