I have written Java code that does what you described. I think you should break up your problem.
1) Install your server certificate on the 389 DS first. You should consult the following website
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.html
2) Write your Java application to use JNDI to talk with 389 DS via SSL. You should follow the tutorial from the website.
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
An important thing to note is you need to create a Java keystore. The Java keystore needs to be accessible by your application. You can pass in a Java property that specifies the Java keystore. The JNDI Tutorial above should give you some hints.
Good luck,
dc
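The following is an added example of the JNDI-over-SSL client the reply above describes; it is not code from the thread or from the 389 DS project. It assumes a trust store file built with keytool from the CA certificate (the hostname ldap1.example.com, the port, the bind DN, the search base and the trust-store path are placeholders), and that the server certificate's cn matches the hostname in the URL.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Connect to a 389 DS instance over LDAPS with JNDI, trusting only the CA
 * that signed the server certificate. Hostname, port, paths, bind DN and
 * search base are assumed placeholder values, not taken from the thread.
 */
public class LdapsClient {

    public static void main(String[] args) throws NamingException {
        // Trust store holding just the CA certificate (no private keys), e.g.
        //   keytool -importcert -alias 389ca -file cacert.asc \
        //           -keystore truststore.jks -storepass changeit
        // These two properties can equally be passed with -D on the command
        // line, which keeps the path out of the application code.
        System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // ldaps:// on 636: TLS is negotiated before any LDAP traffic, so the
        // simple-bind password never crosses the wire in clear text.
        env.put(Context.PROVIDER_URL, "ldaps://ldap1.example.com:636/");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=app,ou=People,dc=example,dc=com");
        // Read the bind password from the environment rather than the source.
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD"));

        DirContext ctx = null;
        try {
            // The TLS handshake happens here. A server certificate that does
            // not chain to the CA in the trust store, or whose cn/SAN does not
            // match ldap1.example.com, fails with a CommunicationException
            // wrapping an SSLHandshakeException instead of silently connecting.
            ctx = new InitialDirContext(env);

            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"uid", "cn"});
            NamingEnumeration<SearchResult> results =
                ctx.search("ou=People,dc=example,dc=com", "(uid=*)", sc);
            while (results.hasMore()) {
                SearchResult r = results.next();
                System.out.println(r.getNameInNamespace() + " -> " + r.getAttributes());
            }
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }
}
```

Two points worth checking when this fails to connect: the trust store must contain the CA certificate (not the server's .p12 with its private key), and the hostname in the provider URL must be the FQDN in the server certificate's cn, since JDKs from 8u181 onward verify the LDAPS endpoint name by default. Resist the temptation to install a TrustManager that accepts every certificate to make the error go away; that removes the server authentication the SSL connection was meant to provide.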
Hi Rohit,

Months back Arpit responded to my similar query in this forum and it worked. I am just re-posting his steps here. The only difference is just ignore the slave certificate generation and all should be good.

How about creating one CA cert & signing all RHDS servers from the same CA? Then all you have to do is to import only one CA in clients.

Create a CA Certificate

# certutil -S -n "CA certificate" -s "cn=CAcert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa

Make sure you say yes to "Is this a CA certificate [y/N]?" and everything else will be default.

Next we create your Server Cert.
Important - Make sure your cn is your FQDN of this server.

Create cert for ldap1.example.com on ldap1.example.com

# certutil -S -n "directory-Server-Cert-1" -s "cn=ldap1.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa

Create cert for ldap2.example.com on ldap1.example.com

# certutil -S -n "directory-Server-Cert-2" -s "cn=ldap2.example.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa

Then check to make sure it looks ok

# certutil -L -n "directory-Server-Cert-2" -d .

Export keys & certs for ldap2.example.com

# pk12util -d . -o server2.p12 -n directory-Server-Cert-2
# certutil -L -d . -n "CA certificate" -a > cacert.asc

Copy the 'server2.p12' and 'cacert.asc' created above to the 2nd RedHat Directory Server.

Create your public ca for your clients.

# certutil -d . -L -n "CA certificate" -a > my-public-ca.asc

While logged in to the 2nd RHDS i.e. ldap2.example.com, run the following:

# service dirsrv stop
# cd /etc/dirsrv/slapd-INSTANCE2/
# mv /path/to/server2.p12 /etc/dirsrv/slapd-INSTANCE2/
# mv /path/to/cacert.asc /etc/dirsrv/slapd-INSTANCE2/
# pk12util -d . -i server2.p12
# certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
# service dirsrv start

Thanks
Chandan
On Wednesday, March 20, 2013, Chaudhari, Rohit K. wrote:

Hey everyone,

I need help implementing a client-server SSL connection. I've been researching on the web and I have no idea how to get my Java application to talk to the 389DS securely. I have been looking into keytool and JSSE, but there is no clear cut explanation on how it should be done. I have a self-signed CA certificate that I created using certutil, and then a server certificate generated from that self-signed CA. Is there anyone who knows a path to a solution?

Thanks,
Rohit
----
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users