Hello, I've worked through the SSL howto on the FDS site and everything went well until I got to the part where I modified the schema. The /tmp/ssl_enable.ldif modifications that are suggested work well up to the point where it tries to modify cn=RSA,cn=encryption,cn=config To be specific, the recommended changes are as follows... dn: cn=encryption,cn=config changetype: modify replace: nsSSL3 nsSSL3: on - replace: nsSSLClientAuth nsSSLClientAuth: allowed - add: nsSSL3Ciphers nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha, +rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo - add: nsKeyfile nsKeyfile: alias/slapd-directory-key3.db - add: nsCertfile nsCertfile: alias/slapd-directory-cert8.db dn: cn=RSA,cn=encryption,cn=config changetype: modify add: nsSSLPersonalitySSL nsSSLPersonalitySSL: Server-Cert dn: cn=config changetype: modify add: nsslapd-security nsslapd-security: on - replace: nsslapd-ssl-check-hostname nsslapd-ssl-check-hostname: off It seems as though when I get to the point where I want to add the 'nsSSLPersonalitySSL' attribute my directory server complains that the 'cn=RSA,cn=encryption,cn=config' object does not exist to be modified. I don't see anywhere in the HOWTO where I would have created this object. Am I missing something? Thanks. - Kevin -- Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Thanks for the help. I've added that object and was able to modify the configuration without further issues. Unfortunately, I've run into another problem now. Now when I try to start the directory it's complaining about one of the ciphers. I get the following error when I attempt to start the server ... [03/Aug/2005:13:19:35 -0400] - SSL alert: Security Initialization: Failed to set SSL cipher preference information: unknown cipher fo (Netscape Portable Runtime error -5950 - File not found.) [03/Aug/2005:13:19:35 -0400] - ERROR: SSL Initialization Failed. It looks like it's complaining about the 'fo cipher' that was added in the same configuration modifications? The change I'm talking about is the following ... add: nsSSL3Ciphers nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha, +rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo I looked at the dse.ldif file and it looks like it was added correctly (as it's presented in the SSL HOWTO) Any advice? Thanks. - Kevin On 8/3/05, Adam Stokes <astokes(a)redhat.com&gt; wrote: > On Wed, 2005-08-03 at 10:35 -0400, Kevin Kovach wrote: > > Hello, > > > > I've worked through the SSL howto on the FDS site and everything went > > well until I got to the part where I modified the schema. > > > > The /tmp/ssl_enable.ldif modifications that are suggested work well up > > to the point where it tries to modify cn=RSA,cn=encryption,cn=config > > > > To be specific, the recommended changes are as follows... > > > > dn: cn=encryption,cn=config > > changetype: modify > > replace: nsSSL3 > > nsSSL3: on > > - > > replace: nsSSLClientAuth > > nsSSLClientAuth: allowed > > - > > add: nsSSL3Ciphers > > nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha, > > +rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo > > - > > add: nsKeyfile > > nsKeyfile: alias/slapd-directory-key3.db > > - > > add: nsCertfile > > nsCertfile: alias/slapd-directory-cert8.db > > > > dn: cn=RSA,cn=encryption,cn=config > > changetype: modify > > add: nsSSLPersonalitySSL > > nsSSLPersonalitySSL: Server-Cert > > > > dn: cn=config > > changetype: modify > > add: nsslapd-security > > nsslapd-security: on > > - > > replace: nsslapd-ssl-check-hostname > > nsslapd-ssl-check-hostname: off > > > > It seems as though when I get to the point where I want to add the > > 'nsSSLPersonalitySSL' attribute my directory server complains that the > > 'cn=RSA,cn=encryption,cn=config' object does not exist to be modified. > > > > I don't see anywhere in the HOWTO where I would have created this > > object. Am I missing something? Thanks. > > > > - Kevin > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users(a)redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > Refresh the wiki page I have updated this problem. > > Thanks for pointing that out please create an ldif /tmp/addrsa.ldif and > have the following : > > dn: cn=RSA,cn=encryption,cn=config > objectclass: top > objectclass: nsEncryptionModule > cn: RSA > nsSSLPersonalitySSL: Server-Cert > nsSSLToken: internal (software) > > Use ldapadd to add the entry into the directory server.. Ill fix the > how-to now as well :) > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >

Kevin Kovach wrote: >Thanks for the help. I've added that object and was able to modify >the configuration without further issues. > >Unfortunately, I've run into another problem now. Now when I try to >start the directory it's complaining about one of the ciphers. I get >the following error when I attempt to start the server ... > >[03/Aug/2005:13:19:35 -0400] - SSL alert: Security Initialization: >Failed to set SSL cipher preference information: unknown cipher fo >(Netscape Portable Runtime error -5950 - File not found.) >[03/Aug/2005:13:19:35 -0400] - ERROR: SSL Initialization Failed. > >It looks like it's complaining about the 'fo cipher' that was added in >the same configuration modifications? The change I'm talking about is >the following ... > >add: nsSSL3Ciphers >nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha, >+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo > > That's definitely truncated. +fo is not correct. It's probably another Fortezza cipher. There may be other ciphers that are missing.

>I looked at the dse.ldif file and it looks like it was added correctly >(as it's presented in the SSL HOWTO) Any advice? Thanks. > >- Kevin > > >On 8/3/05, Adam Stokes <astokes(a)redhat.com&gt; wrote: > > >>On Wed, 2005-08-03 at 10:35 -0400, Kevin Kovach wrote: >> >> >>>Hello, >>> >>>I've worked through the SSL howto on the FDS site and everything went >>>well until I got to the part where I modified the schema. >>> >>>The /tmp/ssl_enable.ldif modifications that are suggested work well up >>>to the point where it tries to modify cn=RSA,cn=encryption,cn=config >>> >>>To be specific, the recommended changes are as follows... >>> >>>dn: cn=encryption,cn=config >>>changetype: modify >>>replace: nsSSL3 >>>nsSSL3: on >>>- >>>replace: nsSSLClientAuth >>>nsSSLClientAuth: allowed >>>- >>>add: nsSSL3Ciphers >>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha, >>>+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo >>>- >>>add: nsKeyfile >>>nsKeyfile: alias/slapd-directory-key3.db >>>- >>>add: nsCertfile >>>nsCertfile: alias/slapd-directory-cert8.db >>> >>>dn: cn=RSA,cn=encryption,cn=config >>>changetype: modify >>>add: nsSSLPersonalitySSL >>>nsSSLPersonalitySSL: Server-Cert >>> >>>dn: cn=config >>>changetype: modify >>>add: nsslapd-security >>>nsslapd-security: on >>>- >>>replace: nsslapd-ssl-check-hostname >>>nsslapd-ssl-check-hostname: off >>> >>>It seems as though when I get to the point where I want to add the >>>'nsSSLPersonalitySSL' attribute my directory server complains that the >>>'cn=RSA,cn=encryption,cn=config' object does not exist to be modified. >>> >>>I don't see anywhere in the HOWTO where I would have created this >>>object. Am I missing something? Thanks. >>> >>>- Kevin >>> >>>-- >>>Fedora-directory-users mailing list &gt;&gt;&gt;Fedora-directory-users(a)redhat.com >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>Refresh the wiki page I have updated this problem. >> >>Thanks for pointing that out please create an ldif /tmp/addrsa.ldif and >>have the following : >> >>dn: cn=RSA,cn=encryption,cn=config >>objectclass: top >>objectclass: nsEncryptionModule >>cn: RSA >>nsSSLPersonalitySSL: Server-Cert >>nsSSLToken: internal (software) >> >>Use ldapadd to add the entry into the directory server.. Ill fix the >>how-to now as well :) >> >> >> >>-- >>Fedora-directory-users mailing list &gt;&gt;Fedora-directory-users(a)redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > > > > ------------------------------------------------------------------------ -- Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Thanks Nathan. I've made this change and again got farther than I have before. FYI, I got that cipher list from the Wiki. That will need to be updated to contain the complete list. Although I got farther the server is still not starting up. Now it's complaining that none of the ciphers are valid? How to I ensure that I'm using a valid cypher? Here's the error I'm seeing in the error log ... [03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up [03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid Thanks again for the help. - Kevin And again have a different issue now. Now it's complaining that there are no

dn: cn=encryption,cn=config objectClass: top objectClass: nsEncryptionConfig cn: encryption nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed nsSSL2: off nsSSL3: on creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=directory manager createTimestamp: 20050701182744Z modifyTimestamp: 20050720192820Z nsSSL3Ciphers: -rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha nsKeyfile: alias/slapd-directory-key3.db nsCertfile: alias/slapd-directory-cert8.db numSubordinates: 1 Above is my entry for reference On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote: > Thanks Nathan. I've made this change and again got farther than I have before. > > FYI, I got that cipher list from the Wiki. That will need to be > updated to contain the complete list. > > Although I got farther the server is still not starting up. Now it's > complaining that none of the ciphers are valid? How to I ensure that > I'm using a valid cypher? Here's the error I'm seeing in the error > log ... > > [03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up > [03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid > > Thanks again for the help. > > - Kevin > > And again have a different issue now. Now it's complaining that there are no -- Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Run pk12util to convert the certificate database to pkcs12 format, so it is accessbile by the Directory Server:

Again another typo the line should read pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert

Again another typo the line should read pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert

Rich M answered my question in his recent post: > If you followed the other steps up until this one, then you already > have the required certs for slapd to use. You only need to export > the cert to the .pfx file if you need to import that key and cert > into another program (e.g. use openssl to convert the .pfx file to > other formats). So there apparently is not a need for the pk12 file in the alias directory. Thanks Rich, -- George George Holbert wrote: > A follow up question: why does pk12util need to be run against the > certificate db at all? Doesn't RedHat/Fedora DS read certificate > and key information directly from the cert8.db and key3.db files? > > In the RedHat SSL setup docs at: > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158 > ... it says: > >> Run pk12util to convert the certificate database to pkcs12 format, >> so it is accessbile by the Directory Server: > > > > As Adam Stokes mentioned, the incantation for this should be: > >> Again another typo the line should read >> >> pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert >> > But what does it buy you to have the "servercert.pk12" file sitting > in the alias directory with the cert and key db files? How does > this make the certificate database "accessible by the Directory > Server"? > > In previous versions of Netscape DS, I don't recall the need for a > pk12 file in the alias directory. Is this a new requirement for > version 7.1 ? > > Thanks, > -- George > > > Adam Stokes wrote: > >> On Wed, 3 Aug 2005 15:48:42 -0400 >> Kevin Kovach <kovach(a)gmail.com&gt; wrote: >> >> Kevin, >> >> Again another typo the line should read >> >> pk12util -d . -P slapd-serverID- -o servercert.pk12 -n Server-Cert >> >> and the -P option is the dbprefix in which case slapd-serverID- >> should be replaced with whatever you have setup as your slapd- >> <instance>- >> >> Hope this helps >> >> >> >>> Adam, >>> >>> My entry looks the same. I'm pretty certain I have the ciphers >>> correct now. >>> >>> I am curious about one thing though. In following the wiki, I >>> did as suggested and converted the cert db to pkcs12 with the >>> following command ... >>> >>> pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert >>> >>> However, I don't see anywhere where we make FDS aware of >>> servercert.pfx? I'd assume that we need to configure FDS for this >>> pkcs12 db somewhere? >>> >>> Also, the wiki mentions the trailing - on the -P option but does >>> not go into depth on it. I'm pretty sure I executed this command >>> correctly but am unsure how to double check it? >>> >>> Thanks again. >>> >>> - Kevin >>> >>> On 8/3/05, Adam Stokes <astokes(a)redhat.com&gt; wrote: >>> >>> >>>> dn: cn=encryption,cn=config >>>> objectClass: top >>>> objectClass: nsEncryptionConfig >>>> cn: encryption >>>> nsSSLSessionTimeout: 0 >>>> nsSSLClientAuth: allowed >>>> nsSSL2: off >>>> nsSSL3: on >>>> creatorsName: cn=server,cn=plugins,cn=config >>>> modifiersName: cn=directory manager >>>> createTimestamp: 20050701182744Z >>>> modifyTimestamp: 20050720192820Z >>>> nsSSL3Ciphers: >>>> - >>>> rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha >>>> >>>> nsKeyfile: alias/slapd-directory-key3.db nsCertfile: alias/slapd- >>>> directory-cert8.db numSubordinates: 1 >>>> >>>> Above is my entry for reference >>>> >>>> On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote: >>>> >>>> >>>>> Thanks Nathan. I've made this change and again got farther than >>>>> I have before. >>>>> >>>>> FYI, I got that cipher list from the Wiki. That will need to be >>>>> updated to contain the complete list. >>>>> >>>>> Although I got farther the server is still not starting up. Now >>>>> it's complaining that none of the ciphers are valid? How to I >>>>> ensure that I'm using a valid cypher? Here's the error I'm >>>>> seeing in the error log ... >>>>> >>>>> [03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 >>>>> B2005.201.2115 starting up [03/Aug/2005:13:56:23 -0400] - SSL >>>>> failure: None of the cipher are valid >>>>> >>>>> Thanks again for the help. >>>>> >>>>> - Kevin >>>>> >>>>> And again have a different issue now. Now it's complaining that >>>>> there are no >>>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users(a)redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>> >>> -- >>> Take back the web, http://www.switch2firefox.com/ >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users(a)redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> >> >> >> > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Kevin Kovach wrote: >Adam, > >My entry looks the same. I'm pretty certain I have the ciphers correct now. > >I am curious about one thing though. In following the wiki, I did as >suggested and converted the cert db to pkcs12 with the following >command ... > >pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert > >However, I don't see anywhere where we make FDS aware of >servercert.pfx? I'd assume that we need to configure FDS for this >pkcs12 db somewhere? > > If you followed the other steps up until this one, then you already have the required certs for slapd to use. You only need to export the cert to the .pfx file if you need to import that key and cert into another program (e.g. use openssl to convert the .pfx file to other formats). >Also, the wiki mentions the trailing - on the -P option but does not >go into depth on it. I'm pretty sure I executed this command >correctly but am unsure how to double check it? > > Look in your /opt/fedora-ds/alias directory. You should have files called slapd-serverID-cert8.db and slapd-serverID-key3.db, not slapd-serverIDcert8.db and slapd-serverIDkey3.db. >Thanks again. > >- Kevin > >On 8/3/05, Adam Stokes <astokes(a)redhat.com&gt; wrote: > > >>dn: cn=encryption,cn=config >>objectClass: top >>objectClass: nsEncryptionConfig >>cn: encryption >>nsSSLSessionTimeout: 0 >>nsSSLClientAuth: allowed >>nsSSL2: off >>nsSSL3: on >>creatorsName: cn=server,cn=plugins,cn=config >>modifiersName: cn=directory manager >>createTimestamp: 20050701182744Z >>modifyTimestamp: 20050720192820Z >>nsSSL3Ciphers: >>-rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha >>nsKeyfile: alias/slapd-directory-key3.db >>nsCertfile: alias/slapd-directory-cert8.db >>numSubordinates: 1 >> >>Above is my entry for reference >> >>On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote: >> >> >>>Thanks Nathan. I've made this change and again got farther than I have before. >>> >>>FYI, I got that cipher list from the Wiki. That will need to be >>>updated to contain the complete list. >>> >>>Although I got farther the server is still not starting up. Now it's >>>complaining that none of the ciphers are valid? How to I ensure that >>>I'm using a valid cypher? Here's the error I'm seeing in the error >>>log ... >>> >>>[03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up >>>[03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid >>> >>>Thanks again for the help. >>> >>>- Kevin >>> >>> >>> >>-- >>Fedora-directory-users mailing list &gt;&gt;Fedora-directory-users(a)redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > > > >

On Wed, 3 Aug 2005 16:54:09 -0400 Kevin Kovach <kovach(a)gmail.com&gt; wrote: > I double checked my key and cert files and they are of the correct > format. Incidentally, those then correspond to the nsCertfile and > nsKeyfile attributes that are made in the config changes? It's not > real clear in the wiki. The wiki suggests that the nsKeyfile and > nsCertfile attrs include 'slapd-directory'. > > I ask because I originally made the config changes by just copying and > pasting the ldif and I went back and changed them afterwards to be > 'slapd-<instance name>'. The above is correct, again modified the wiki to resemble the changes. > > Regardless of that I'm still not able to get the directory to start > up. I'm still seeing the same error in the log ... > > [03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115 > starting up [03/Aug/2005:16:21:44 -0400] - SSL failure: None of the > cipher are valid > > I'm going to continue playing with it and research it online, but any > further advice or suggestions would be appreciated. Thanks. > > - Kevin Could you post your changes as it shows in /opt/fedora-ds/slapd- <instance>/config/dse.ldif? -- ....<(^_^)> adam stokes ....

dn: cn=encryption,cn=config objectClass: top objectClass: nsEncryptionConfig cn: encryption nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed nsSSL2: off nsSSL3: on creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=root createTimestamp: 20050726153224Z modifyTimestamp: 20050803144437Z nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des\ _sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha nsKeyfile: alias/slapd-birdie-key3.db nsCertfile: alias/slapd-birdie-cert8.db numSubordinates: 1 In the following entry I wasn't sure if '(software)' was a comment or if it was part of the attr value so I've tried it both ways. Didn't seem to change anything. dn: cn=RSA,cn=encryption,cn=config objectClass: top objectClass: nsEncryptionModule cn: RSA nsSSLToken: internal (software) nsSSLPersonalitySSL: Server-Cert creatorsName: cn=root modifiersName: cn=root createTimestamp: 20050803144438Z modifyTimestamp: 20050803144438Z dn: cn=config cn: config objectClass: top objectClass: extensibleObject objectClass: nsslapdConfig nsslapd-accesslog-logging-enabled: on nsslapd-accesslog-maxlogsperdir: 10 nsslapd-accesslog-mode: 600 nsslapd-accesslog-maxlogsize: 100 nsslapd-accesslog-logrotationtime: 1 nsslapd-accesslog-logrotationtimeunit: day nsslapd-accesslog-logrotationsync-enabled: off nsslapd-accesslog-logrotationsynchour: 0 nsslapd-accesslog-logrotationsyncmin: 0 nsslapd-accesslog: /opt/fedora-ds/slapd-birdie/logs/access nsslapd-enquote-sup-oc: off nsslapd-schemacheck: on nsslapd-rewrite-rfc1274: off nsslapd-return-exact-case: on nsslapd-ssl-check-hostname: off ... modifyTimestamp: 20050803144438Z nsslapd-security: on I think those were the three objects modified. If you need more please let me know. Thanks. - Kevin On 8/3/05, Adam Stokes <astokes(a)redhat.com&gt; wrote: >On Wed, 3 Aug 2005 16:54:09 -0400 >Kevin Kovach <kovach(a)gmail.com&gt; wrote: > > > >>I double checked my key and cert files and they are of the correct >>format. Incidentally, those then correspond to the nsCertfile and >>nsKeyfile attributes that are made in the config changes? It's not >>real clear in the wiki. The wiki suggests that the nsKeyfile and >>nsCertfile attrs include 'slapd-directory'. >> >>I ask because I originally made the config changes by just copying and >>pasting the ldif and I went back and changed them afterwards to be >>'slapd-<instance name>'. >> >> >The above is correct, again modified the wiki to resemble the changes. > > >>Regardless of that I'm still not able to get the directory to start >>up. I'm still seeing the same error in the log ... >> >>[03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115 >>starting up [03/Aug/2005:16:21:44 -0400] - SSL failure: None of the >>cipher are valid >> >>I'm going to continue playing with it and research it online, but any >>further advice or suggestions would be appreciated. Thanks. >> >>- Kevin >> >> >Could you post your changes as it shows in /opt/fedora-ds/slapd- ><instance>/config/dse.ldif? > >-- >....<(^_^)> adam stokes .... > > >

Well that did it. I had actually tried that before. Saw it in some Sun forum somewhere or something. However, when I tried it I got some other error so I took it back out. I suspect I had the nsKeyfile and nsCertfile set incorrectly when I tried it the first time. Thanks so much for the help. - Kevin On 8/3/05, Adam Stokes <astokes(a)redhat.com&gt; wrote: >Kevin Kovach wrote: > > > >>dn: cn=encryption,cn=config >>objectClass: top >>objectClass: nsEncryptionConfig >>cn: encryption >>nsSSLSessionTimeout: 0 >>nsSSLClientAuth: allowed >>nsSSL2: off >>nsSSL3: on >>creatorsName: cn=server,cn=plugins,cn=config >>modifiersName: cn=root >>createTimestamp: 20050726153224Z >>modifyTimestamp: 20050803144437Z >>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des\ >>_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha >>nsKeyfile: alias/slapd-birdie-key3.db >>nsCertfile: alias/slapd-birdie-cert8.db >>numSubordinates: 1 >> >>In the following entry I wasn't sure if '(software)' was a comment or >>if it was part of the attr value so I've tried it both ways. Didn't >>seem to change anything. >> >>dn: cn=RSA,cn=encryption,cn=config >>objectClass: top >>objectClass: nsEncryptionModule >>cn: RSA >>nsSSLToken: internal (software) >>nsSSLPersonalitySSL: Server-Cert >>creatorsName: cn=root >>modifiersName: cn=root >>createTimestamp: 20050803144438Z >>modifyTimestamp: 20050803144438Z >> >> >>dn: cn=config >>cn: config >>objectClass: top >>objectClass: extensibleObject >>objectClass: nsslapdConfig >>nsslapd-accesslog-logging-enabled: on >>nsslapd-accesslog-maxlogsperdir: 10 >>nsslapd-accesslog-mode: 600 >>nsslapd-accesslog-maxlogsize: 100 >>nsslapd-accesslog-logrotationtime: 1 >>nsslapd-accesslog-logrotationtimeunit: day >>nsslapd-accesslog-logrotationsync-enabled: off >>nsslapd-accesslog-logrotationsynchour: 0 >>nsslapd-accesslog-logrotationsyncmin: 0 >>nsslapd-accesslog: /opt/fedora-ds/slapd-birdie/logs/access >>nsslapd-enquote-sup-oc: off >>nsslapd-schemacheck: on >>nsslapd-rewrite-rfc1274: off >>nsslapd-return-exact-case: on >>nsslapd-ssl-check-hostname: off >> >>... >> >>modifyTimestamp: 20050803144438Z >>nsslapd-security: on >> >> >>I think those were the three objects modified. If you need more >>please let me know. Thanks. >> >>- Kevin >> >>On 8/3/05, Adam Stokes <astokes(a)redhat.com&gt; wrote: >> >> >> >> >>>On Wed, 3 Aug 2005 16:54:09 -0400 >>>Kevin Kovach <kovach(a)gmail.com&gt; wrote: >>> >>> >>> >>> >>> >>>>I double checked my key and cert files and they are of the correct >>>>format. Incidentally, those then correspond to the nsCertfile and >>>>nsKeyfile attributes that are made in the config changes? It's not >>>>real clear in the wiki. The wiki suggests that the nsKeyfile and >>>>nsCertfile attrs include 'slapd-directory'. >>>> >>>>I ask because I originally made the config changes by just copying and >>>>pasting the ldif and I went back and changed them afterwards to be >>>>'slapd-<instance name>'. >>>> >>>> >>>> >>>> >>>The above is correct, again modified the wiki to resemble the changes. >>> >>> >>> >>> >>>>Regardless of that I'm still not able to get the directory to start >>>>up. I'm still seeing the same error in the log ... >>>> >>>>[03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115 >>>>starting up [03/Aug/2005:16:21:44 -0400] - SSL failure: None of the >>>>cipher are valid >>>> >>>>I'm going to continue playing with it and research it online, but any >>>>further advice or suggestions would be appreciated. Thanks. >>>> >>>>- Kevin >>>> >>>> >>>> >>>> >>>Could you post your changes as it shows in /opt/fedora-ds/slapd- >>><instance>/config/dse.ldif? >>> >>>-- >>>....<(^_^)> adam stokes .... >>> >>> >>> >>> >>> >> >> >> >> >In the dn: cn=RSA,cn=encryption,cn=config add the following line > >nsSSLActivation: on > >Sorry for the confusion let me know if this works and ill modify the >wiki accordingly > >-- >Fedora-directory-users mailing list &gt;Fedora-directory-users(a)redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > >