[Fedora-directory-users] MMR over SSL

James Chavez james.chavez at sanmina-sci.com
Mon Dec 8 03:24:00 UTC 2008


George,
I have the clients Solaris 8 and 10, Suse, and Fedora connecting over
SSL properly to my FDS server using TLS:simple. Works great thank you.

For MMR over SSL I have read the FDS Walkthrough MultimasterSSL. I want
to use simple authentication over SSL for MMR.
I still have a few questions.

For the secondary MMR server running Fedora Core 9 do I use the Mozilla
certutil tool to create the certificate database or is it necessary? 

Do I need to import the CA cert with certutil or openssl?

And I believe I must generate the server certificate for this second MMR
server on the root CA, correct? And from there export it from the root CA
and import it on the second server. Where do I import that certificate
into? /etc/openldap/cacerts or /etc/dirsrv/slapd-hostname?

Thank you
James
On Fri, 2008-12-05 at 11:56 -0800, George Holbert wrote:
> Chavez, James R. wrote:
> > Hello again, Thanks for the reply. 
> > My Solaris 10 and 8 clients are working against SSL now, thanks!
> > For my Linux clients I am trying to follow the FDS wiki: How
> > to:SSL.
> >
> > I am having a problem importing the root CA certificate on my Fedora
> > boxes. 
> > The Howto SSL link says to run this command to import the cacert.asc
> > file.
> >
> > "cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
> > cacert.asc`.0"
> >
> > However that responds with the below error. Anybody familiar with this
> > error?
> > Also I see Fedora has the certutil utility, can I use this to import the
> > ca root certificate like I did for the Solaris clients?
> >   
> 
> I believe the nss_ldap and pam_ldap libraries on Fedora use OpenSSL, not 
> Mozilla's NSS (of which certutil is a component).
> So certutil won't do you any good in this area.
> 
> > 'Error opening Certificate cacert.asc
> > 2312:error:02001002:system library:fopen:No such file or
> > directory:bss_file.c:352:fopen('cacert.asc','r')
> > 2312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
> >   
> 
> Try giving an absolute path to cacert.asc... looks like it's just not 
> finding that file.
> e.g.
> 
> "cp /path/to/cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
> /path/to/cacert.asc`.0"
> 
> 
> > Many Thanks
> > James
> >
> > -----Original Message-----
> > From: fedora-directory-users-bounces at redhat.com
> > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of George
> > Holbert
> > Sent: Friday, December 05, 2008 12:03 AM
> > To: General discussion list for the Fedora Directory server project.
> > Subject: Re: [Fedora-directory-users] Create client SSL certificates
> > forSolaris boxes.
> >
> > James Chavez wrote:
> >   
> >> George,
> >> Thank you much for the help with this. I read up on the links you sent
> >> and they seem to have helped. I have been struggling with a Solaris 8
> >> box for the past few hours. It would not work at first, I was getting 
> >> an end of file error in the access log. Then it just started working 
> >> after I restarted the client services a few times and readded the box 
> >> using the same profile.
> >>
> >> I have another question in regards to SSL for replication.
> >> I had MMR going between two servers, this one and another prior to 
> >> enabling SSL on this server. I removed all the replication agreements 
> >> because as I understand it they need to be recreated with SSL. I would
> >> appreciate the list's opinions on the following. The Admin guide states
> >> that there are 2 ways of replicating over SSL, I pasted them below. I
> >> would like to know the pros and cons of each and if a DNS PTR record
> >> is an absolute necessity on each MMR member.
> >
> > The end result with both SSL replication flavors is the same.
> > Both encrypt the replication traffic between your directory servers.
> > The client cert method, when properly implemented, will make life more
> > challenging for a prospective attacker who would like to impersonate
> > your replication manager identity.  In that sense, it is more secure
> > than simple auth with SSL.
> >
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >   

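As an added example that is not part of this thread (and not FDS project code), the shell script below covers two points from the quoted messages: George's corrected `cp ... `openssl x509 -noout -hash ...`.0` step for installing the root CA into OpenSSL's hashed cacerts directory for nss_ldap/pam_ldap clients, with the file checks that would have caught the fopen error James hit, and the two SSL replication flavours from the Admin Guide discussion (simple bind over SSL versus client-certificate authentication) rendered as a Fedora/389 DS replication agreement in LDIF. The paths, hostnames, DNs and password are placeholders I chose; the agreement attribute names follow the 389 DS replication schema, but check the entry against your server's Admin Guide before loading it.

```shell
#!/bin/sh
# Added example for the list thread, not code from FDS or the wiki.
# Paths, hosts, DNs and passwords are illustrative assumptions.

# Install a PEM CA certificate into OpenSSL's hashed directory.
# Usage: install_ca_cert /abs/path/to/cacert.asc [/etc/openldap/cacerts]
# Prints the installed file name; returns non-zero on any error.
install_ca_cert() {
    cert="$1"
    dir="${2:-/etc/openldap/cacerts}"

    # The fopen() error quoted in the thread came from a relative file name
    # run from the wrong directory; require an absolute, readable path first.
    case "$cert" in
        /*) ;;
        *) echo "install_ca_cert: need an absolute path, got '$cert'" >&2; return 2 ;;
    esac
    [ -r "$cert" ] || { echo "install_ca_cert: cannot read '$cert'" >&2; return 2; }

    # Check that the file is really a PEM certificate before copying it:
    # -noout suppresses the certificate dump, -hash prints the subject hash.
    hash=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || {
        echo "install_ca_cert: '$cert' is not a PEM X.509 certificate" >&2
        return 3
    }

    mkdir -p "$dir"
    # OpenSSL looks CAs up as <subject-hash>.N; use .0 unless that name is
    # already taken by a different certificate, then try .1, .2, ...
    n=0
    while [ -e "$dir/$hash.$n" ] && ! cmp -s "$dir/$hash.$n" "$cert"; do
        n=$((n + 1))
    done
    cp "$cert" "$dir/$hash.$n"
    chmod 0644 "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# Print a replication agreement entry (for "ldapmodify -a") in one of the
# two SSL flavours: "simple" = bind DN + password over SSL,
# "cert" = client certificate authentication (no password stored or sent).
# Usage: replica_agreement simple|cert <host> <port> <suffix> <bindDN> [password]
replica_agreement() {
    flavour="$1"; host="$2"; port="$3"; suffix="$4"; binddn="$5"; password="$6"
    cat <<EOF
dn: cn=to-$host,cn=replica,cn="$suffix",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to-$host
nsDS5ReplicaHost: $host
nsDS5ReplicaPort: $port
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaRoot: $suffix
EOF
    case "$flavour" in
        simple)
            cat <<EOF
nsDS5ReplicaBindDN: $binddn
nsDS5ReplicaCredentials: $password
nsDS5ReplicaBindMethod: SIMPLE
EOF
            ;;
        cert)
            # The consumer maps the supplier's client certificate to this DN;
            # nothing secret lives in cn=config or crosses the wire.
            cat <<EOF
nsDS5ReplicaBindDN: $binddn
nsDS5ReplicaBindMethod: SSLCLIENTAUTH
EOF
            ;;
        *) echo "replica_agreement: flavour must be simple or cert" >&2; return 2 ;;
    esac
}

# Example invocations (hostnames and DNs are placeholders):
#   install_ca_cert /root/cacert.asc
#   replica_agreement cert ldap2.example.com 636 "dc=example,dc=com" \
#       "cn=replication manager,cn=config" | ldapmodify -a -x -D "cn=Directory Manager" -W
```

Two caveats for anyone reusing this. The `-hash` value depends on the OpenSSL release: the subject-hash algorithm changed in OpenSSL 1.0.0, so a cacerts directory populated under an older openssl must be re-hashed (`c_rehash`) after an upgrade or the client silently stops trusting the CA. The `cert` flavour gives the property George describes (an attacker cannot replay a replication manager password, because there is none), but it only works once the supplier presents a client certificate from its own NSS database and the consumer's certmap maps that certificate to the bind DN; the script emits the agreement only and does not set that mapping up.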