[389-users] TinyCA2 & 389-DS

Rich Megginson rmeggins at redhat.com
Thu Feb 25 22:37:42 UTC 2010 

Jeff Moody wrote:
> I'm trying to set up two 389 Directory Services servers in a replication scenario. I can do this quite easily without any SSL/TLS setup.
>
> In an effort to improve the security of our environment, I would like to get TLS configured so that this replication (and all LDAP authentication attempts) are encrypted.
>
> Using the scripts provided at http://directory.fedoraproject.org/wiki/Howto:SSL I can get one server using SSL; however when I try and establish the cross-server communication, the SSL/TLS keys appear to fall apart.
> My understanding from the logs on the systems is that the reason why the two servers (FDSMEM1 and FDSMEM2) do not have a common CA and so their server-certs do not trust each other.
>
> So, I have set up TinyCA and created a CA cert from a third server. I have generated manual cert requests on the two LDAP servers (after registering the CA cert) and generated the certificates. Replication appears to be working through TLS.
>
> Now, the problem I am having.
>
> When I run the 'certutil -L -d . -n "CA certificate" -a > cacert.asc' command I get a cacert.asc. When I deploy this cacert.asc to my LDAP clients as the key for TLS to start, though, it appears that something isn't handshaking well and I am never able to query the LDAP server from a client.
>
> Has anyone gotten a 389DS system (or pair of systems) fully working with certs managed & created by TinyCA2? If so, what are the gotchas that I must be missing to get this working? Would anyone be willing to help me write a HOWTO on getting this working so that it would be outlined more effectively for newer users?
>   
I'm not sure what's going on with your setup.  I do know that, in order 
for an SSL client to talk to an SSL server, the SSL client needs the CA 
cert of the CA that issued the SSL server's cert.
There is some information about TinyCA2 here - 
http://directory.fedoraproject.org/wiki/Howto:WindowsSync#With_TinyCA2 - 
don't know how accurate it is, or how applicable it is to your situation.
> Thanks.
>
> --
> Jeff Moody
> Senior Systems Engineer
> Electronic Vaulting Services
> 5050 Poplar Ave., Suite 1600
> Memphis, TN 38157
> (901) 259-2387 - 24x7 Helpdesk
> (901) 213-5146 - Office
> (901) 497-1444 - Mobile
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

More information about the 389-users mailing list