[389-users] SSL

Justin Edmands shockwavecs at gmail.com
Thu Apr 17 19:55:25 UTC 2014


>
>  I am having an issue with securing Directory Server communication using
> SSL which I need guidance on how to solve. I am setting up a master and
> slave which will use SSL to secure communication between the two servers
> and to all other clients.
>
>
>
> I used openssl to create a CA cert and sign the Manager server certificate
> as follows:
>
> - CA cert created by: openssl req -config openssl.cnf -new -x509
>   -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
>
> - Manager server csr signed: openssl ca -config openssl.cnf
>   -policy policy_anything -out certs/xxx.crt -infiles xxx.csr
>
> - Checked both certs using before installing on Manager
>
> - Both certs were installed using root.
>
> - Enabled encryption via the console and restarted dirsrv. Note
>   coms remain on port 389 after the reboot. E.g. xxx.com:389
>
> - certutil -L -d . output shows that both a CA cert and server cert are
>   installed as follows:
>
> server-cert                                                  u,u,u
>
> xxxx-ca.crt                                                  CT,,
>
> - I checked that the server is listening on port 636. Logs also
>   confirmed that the Manager is listening on port 636
>
> - I tested that the Manager can receive connections on port 636,
>   by connecting using telnet from another server – telnet <server name> 636.
>   The connection was also visible in netstat output.
>
> - I can’t see any errors in
>   /var/log/dirsrv/slapd-<server>/errors
>
> Can you help so that I can set up secure communication correctly?
>
> Kind regards
>
> Andy
>
1 - Do you have a replication agreement set up?
1a - In your replication agreement did you specify the Replication Manager
account with the correct password (mine is cn=Replication Manager,cn=config)?
2 - Did you make sure you specified the "Supplier" as coming from port 389
and the "Consumer" using port 636?
2a - Did you select the following for the Connection:
"Use TLS/SSL (TLS/SSL Encryption with LDAPS)"
"Simple (Bind DN/Password)"
Bind as: cn=Replication Manager(or whatever you have),cn=config
Password: (password)

Note: To check for Replication Manager account, browse to Directory Tab.
Click config. Replication Manager will appear. Edit password here. This
needs to exist on both directory servers.

3. Did you assign them different unique IDs when creating the client
certificates? Note the "m" option.

certutil -S -n "Server-Cert-dirsrv2-hq" -s "cn=dirsrv2.example.com,cn=Directory Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -z noise.txt -f pwdfile.txt
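The checklist above (agreement present, Replication Manager bind DN and password, consumer on port 636 with LDAPS, simple bind) can be turned into a small self-check before the agreement is loaded. The following is an added example, not code from the poster or from the 389 DS project: it writes one agreement entry in LDIF using the attribute names of the nsds5replicationagreement object class and then flags the combinations that either cannot connect (port 636 without the SSL transport, SSL transport against the plain 389 listener) or quietly expose the Replication Manager password (simple bind over cleartext LDAP). The host name, suffix, password and the rule set are constructed for the example.

```python
"""Build and sanity-check a 389 Directory Server replication agreement.

Added example for the checklist in the reply above; it is not code from
the poster or from the 389 DS project.  The LDIF attribute names are those
of the nsds5replicationagreement object class; the checks, the sample
values and the minimal LDIF reader are this example's own.
"""

# Constructed sample values (only the bind DN comes from the thread).
REPL_MGR_DN = "cn=Replication Manager,cn=config"
SUFFIX = "dc=example,dc=com"
CONSUMER = "dirsrv2.example.com"


def build_agreement(name, host, port, transport, bind_dn, password, suffix=SUFFIX):
    """Return the LDIF text of one replication agreement entry.

    transport is the nsDS5ReplicaTransportInfo value: LDAP (cleartext),
    SSL (LDAPS, normally port 636) or TLS (StartTLS on the LDAP port).
    """
    # The replica container lives under the escaped suffix in the mapping tree.
    escaped = suffix.replace(",", "\\,").replace("=", "\\=")
    replica_dn = f"cn=replica,cn={escaped},cn=mapping tree,cn=config"
    lines = [
        f"dn: cn={name},{replica_dn}",
        "objectClass: top",
        "objectClass: nsds5replicationagreement",
        f"cn: {name}",
        f"nsDS5ReplicaHost: {host}",
        f"nsDS5ReplicaPort: {port}",
        f"nsDS5ReplicaTransportInfo: {transport}",
        f"nsDS5ReplicaBindDN: {bind_dn}",
        "nsDS5ReplicaBindMethod: SIMPLE",
        f"nsDS5ReplicaCredentials: {password}",
        f"nsDS5ReplicaRoot: {suffix}",
    ]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text):
    """Minimal reader for a single LDIF entry: attribute -> list of values."""
    entry = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        attr, _, value = raw.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry


def check_agreement(entry):
    """Return a list of problems with the agreement; [] means it looks sane.

    The rules encode the pitfalls from the thread: LDAPS needs the SSL
    transport on the 636 listener, and a SIMPLE bind must not travel over
    cleartext LDAP or the Replication Manager password is exposed.
    """
    def first(attr):
        return (entry.get(attr) or [""])[0]

    problems = []
    port = int(first("nsDS5ReplicaPort") or 0)
    transport = first("nsDS5ReplicaTransportInfo").upper()
    method = first("nsDS5ReplicaBindMethod").upper()
    classes = [v.lower() for v in entry.get("objectClass", [])]

    if "nsds5replicationagreement" not in classes:
        problems.append("entry is not an nsds5replicationagreement")
    if port == 636 and transport != "SSL":
        problems.append("port 636 is the LDAPS listener: transport must be SSL")
    if port == 389 and transport == "SSL":
        problems.append("transport SSL on port 389 will fail: use TLS (StartTLS) or port 636")
    if method == "SIMPLE" and transport == "LDAP":
        problems.append("SIMPLE bind over cleartext LDAP sends the replication password unprotected")
    if method == "SIMPLE" and not (first("nsDS5ReplicaBindDN") and first("nsDS5ReplicaCredentials")):
        problems.append("SIMPLE bind needs both nsDS5ReplicaBindDN and nsDS5ReplicaCredentials")
    return problems


def check_ldif(text):
    """Convenience wrapper: parse one LDIF entry and check it."""
    return check_agreement(parse_ldif_entry(text))


if __name__ == "__main__":
    ok = build_agreement("to-dirsrv2", CONSUMER, 636, "SSL", REPL_MGR_DN, "secret")
    bad = build_agreement("to-dirsrv2", CONSUMER, 389, "LDAP", REPL_MGR_DN, "secret")
    print(ok)
    print("LDAPS agreement:", check_ldif(ok) or "no problems")
    print("cleartext agreement:", check_ldif(bad))
```

The generated LDIF can be fed to ldapmodify as the Directory Manager, but the point of the example is the check: an agreement that binds as cn=Replication Manager,cn=config with a SIMPLE bind is only as safe as the transport it runs over, so port and transport must be validated together rather than separately.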