Hey everyone,
I need help implementing a client-server SSL connection. I've been researching on the web and I have no idea how to get my Java application to talk to the 389DS securely. I have been looking into keytool and JSSE, but there is no clear-cut explanation of how it should be done. I have a self-signed CA certificate that I created using certutil, and then a server certificate generated from that self-signed CA. Is there anyone who knows a path to a solution?
Thanks,
Rohit
Hi Rohit,
Months back Arpit responded to my similar query in this forum and it worked. I am just re-posting his steps here.
The only difference is just ignore the slave certificate generation and all should be good.
How about creating one CA cert and signing all RHDS servers from the same CA? Then all you have to do is import only one CA in the clients.
Create a CA certificate:
# certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa
Make sure you say yes to "Is this a CA certificate [y/N]?" and everything else will be default.
Next we create your server cert. Important: make sure your cn is the FQDN of this server.
Create cert for ldap1.example.com on ldap1.example.com:
# certutil -S -n "directory-Server-Cert-1" -s "cn=ldap1.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa
Create cert for ldap2.example.com on ldap1.example.com:
# certutil -S -n "directory-Server-Cert-2" -s "cn=ldap2.example.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa
Then check to make sure it looks ok:
# certutil -L -n "directory-Server-Cert-2" -d .
Export keys & certs for ldap2.example.com:
# pk12util -d . -o server2.p12 -n directory-Server-Cert-2
# certutil -L -d . -n "CA certificate" -a > cacert.asc
Copy the 'server2.p12' and 'cacert.asc' created above to the 2nd Red Hat Directory Server.
Create your public CA for your clients:
# certutil -d . -L -n "CA certificate" -a > my-public-ca.asc
While logged in to the 2nd RHDS, i.e. ldap2.example.com, run the following:
# service dirsrv stop
# cd /etc/dirsrv/slapd-INSTANCE2/
# mv /path/to/server2.p12 /etc/dirsrv/slapd-INSTANCE2/
# mv /path/to/cacert.asc /etc/dirsrv/slapd-INSTANCE2/
# pk12util -d . -i server2.p12
# certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
# service dirsrv start
Thanks
Chandan
On Wednesday, March 20, 2013, Chaudhari, Rohit K. wrote:
I have written Java code that does what you described. I think you should break up your problem.
1) Install your server certificate on the 389 DS first. You should consult the following website https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/...
2) Write your Java application to use JNDI to talk with 389 DS via SSL. You should follow the tutorial from the website. http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
An important thing to note is you need to create a Java keystore. The Java keystore needs to be accessible by your application. You can pass in a Java property that specifies the Java keystore. The JNDI Tutorial above should give you some hint.
Good luck,
dc
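Pulling the two client-side steps together (Chandan's "import only one CA in clients" and dc's point that the JNDI tutorial needs a Java keystore the application can reach), here is an added example that is not from anyone in the thread: it loads the PEM CA exported with certutil (my-public-ca.asc) into a JKS truststore containing only that CA, then opens a JNDI DirContext over ldaps:// so the JVM validates the 389 DS server certificate against it. The host name, port 636, the bind DN, the file names my-public-ca.asc and truststore.jks, the alias 389ds-ca and the LDAP_BIND_PW environment variable are all assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapsJndiClient {

    /**
     * Turn the PEM CA exported from the NSS database (certutil -L -n "CA certificate" -a)
     * into a JKS truststore holding only that CA. This is the programmatic equivalent of:
     *   keytool -importcert -alias 389ds-ca -file my-public-ca.asc -keystore truststore.jks
     */
    static Path buildTrustStore(Path caPem, Path trustStore, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(caPem)) {
            ca = (X509Certificate) cf.generateCertificate(in);   // accepts PEM or DER
        }
        ca.checkValidity();                      // fail early if the CA is expired or not yet valid
        if (ca.getBasicConstraints() < 0) {      // -1 means the cert is not marked as a CA
            throw new IllegalArgumentException("not a CA certificate: " + ca.getSubjectX500Principal());
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                     // start from an empty keystore
        ks.setCertificateEntry("389ds-ca", ca);  // alias is an assumption
        try (OutputStream out = Files.newOutputStream(trustStore)) {
            ks.store(out, password);
        }
        return trustStore;
    }

    /** Open a JNDI context over LDAPS; JSSE validates the server chain against trustStore. */
    static DirContext connect(String host, int port, String bindDn, String bindPw,
                              Path trustStore, char[] password) throws Exception {
        // Same effect as passing -Djavax.net.ssl.trustStore=... on the command line:
        // the default SSLSocketFactory that JNDI uses reads these properties.
        System.setProperty("javax.net.ssl.trustStore", trustStore.toString());
        System.setProperty("javax.net.ssl.trustStorePassword", new String(password));

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        // A certificate the truststore cannot validate surfaces here as a CommunicationException.
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();    // truststore password, assumed
        Path ts = buildTrustStore(Paths.get("my-public-ca.asc"), Paths.get("truststore.jks"), pw);
        // Assumed values: the host must equal the cn in the server cert; 636 is the LDAPS default port.
        String bindPw = System.getenv("LDAP_BIND_PW");
        DirContext ctx = connect("ldap1.example.com", 636, "cn=Directory Manager", bindPw, ts, pw);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results = ctx.search("dc=example,dc=com", "(uid=*)", sc);
            while (results.hasMore()) {
                System.out.println(results.next().getNameInNamespace());
            }
        } finally {
            ctx.close();
        }
    }
}
```

Because the truststore contains only the 389 DS CA, the client trusts nothing else for this connection, which is usually what you want for an internal directory. The host name passed to connect() has to match the cn that Chandan's certutil step puts in the server certificate, otherwise the JVM's hostname check rejects the handshake even though the chain validates.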
On Wed, Mar 20, 2013 at 5:48 PM, Chandan Kumar chandank.kumar@gmail.com wrote:
Hey dc,
I did create a keystore, but every time I try to get it to work, I get stuck. I will post my java code tomorrow to show you what my code looks like, and then I will mention the exact 389 DS configuration.
Thanks,
Rohit
________________________________________
From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] On Behalf Of Chun Tat David Chu [beyonddc.storage@gmail.com]
Sent: Wednesday, March 20, 2013 9:15 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Using JNDI and 389DS