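FDS Folks, I wrote this script for the benefits of all. Gary

Content of cr_ssl_certs_fds1ldap.sh

#!/bin/sh
#
# cr_ssl_certs_fds1ldap.sh
#
# Create a self-signed CA certificate plus a server certificate for a
# Fedora Directory Server 1.x instance and switch that instance to SSL.
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory
#    Manager
# 3) Customize the HOST/DOMAIN/... block below before running
#
# Steps performed:
#   - back up and remove the existing NSS databases in $FDS1_PATH/alias
#   - create new key3.db/cert8.db, a CA cert and a server cert (certutil)
#   - rename/link the DBs to slapd-$HOST-*.db and chown them to slapd
#   - enable SSL in cn=config through the running slapd (ldapmodify)
#   - write slapd-$HOST-pin.txt so slapd can open its key DB unattended
#
# Security notes:
#   - the NSS DB password is random (from /dev/urandom) and lives only in
#     $FDS1_PATH/alias/pwdfile.txt (root, 0600) and in the pin file
#   - the Directory Manager password is handed to the LDAP tools via
#     -j <file>, never on the command line, so it does not show in `ps`
#   - scratch files (LDIF input, RNG noise) go into a mktemp directory
#     that is removed on exit; no fixed names under /tmp
#
#set -vx
set -eu

# Print a message on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# 'id -u' is portable; grepping the text output of 'id' is not.
[ "$(id -u)" -eq 0 ] || die "Please run this script as root"

DIRMGR_PWD_FILE=/home/ldap/dirmgr.pwd
[ -f "$DIRMGR_PWD_FILE" ] || die "Please setup $DIRMGR_PWD_FILE."
chmod 600 "$DIRMGR_PWD_FILE"

# Pls customize the followings
HOST="ldap1"
DOMAIN="example.com"
# shellcheck disable=SC2034  # not used below; kept for site customization
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
SLAPD_OWNER="nobody"
SLAPD_GROUP="nobody"
FDS1_PATH=/opt/fedora-ds
# Lifetime of both certificates in months (certutil -v); 120 = 10 years.
VALIDITY_MONTHS=120
# SSL3/TLS cipher suites to enable (nsSSL3Ciphers).  The earlier list also
# turned on 40-bit export, single DES, fortezza/null and
# tls_rsa_export1024_* suites; they are deliberately left out here.
# Add +rsa_rc4_128_md5 only if a legacy client cannot negotiate 3DES.
SSL3_CIPHERS="-rsa_null_md5,+rsa_3des_sha,+rsa_fips_3des_sha"

LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
export LD_LIBRARY_PATH
PATH=$FDS1_PATH/shared/bin:$PATH; export PATH
CERTUTIL=$FDS1_PATH/shared/bin/certutil
LDAPMODIFY=$FDS1_PATH/shared/bin/ldapmodify
LDAPDELETE=$FDS1_PATH/shared/bin/ldapdelete
ALIAS_DIR=$FDS1_PATH/alias
for tool in "$CERTUTIL" "$LDAPMODIFY" "$LDAPDELETE"; do
  [ -x "$tool" ] || die "$tool not found or not executable; check FDS1_PATH"
done

# Everything created from here on (password file, NSS DBs, pin file) is
# private; umask 077 closes the window between 'create' and 'chmod'.
umask 077

# Scratch directory for LDIF input and key-generation noise.  A fixed
# /tmp name would be a symlink-race target for a root-run script.
WORKDIR=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf "${WORKDIR:?}"' EXIT

cd "$ALIAS_DIR" || die "cannot cd to $ALIAS_DIR"

# One backup directory per run (the old backup_<weekday> name was
# overwritten by the next run on the same weekday).
BACKUP_DIR=backup_$(date +%Y%m%d%H%M%S)
echo "Backing up existing *.db (if any) to $BACKUP_DIR."
mkdir -p "$BACKUP_DIR"
for db in *.db; do
  # In sh an unmatched glob stays literal: skip the pattern itself.
  [ -e "$db" ] || [ -L "$db" ] || continue
  # key3.db/cert8.db are symlinks to slapd-$HOST-*.db; cp follows them,
  # a dangling link is simply removed.
  if [ -f "$db" ]; then
    cp -p "$db" "$BACKUP_DIR"/
  fi
  rm -f "$db"
done

echo "Generating a random password for the new security DBs (pwdfile.txt)."
# 32 bytes of kernel randomness as hex.  The earlier version hard-coded
# "secretpwd" here.  pwdfile.txt must stay in this directory: it (or the
# pin file) is the only copy of the password.
NSSDB_PWD=$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
[ -n "$NSSDB_PWD" ] || die "could not read /dev/urandom"
printf '%s\n' "$NSSDB_PWD" >pwdfile.txt
chmod 600 pwdfile.txt

NOISE=$WORKDIR/noise.txt
# Seed material for certutil's key generation (-z).  The earlier version
# used a fixed string, which contributes no entropy at all.
dd if=/dev/urandom of="$NOISE" bs=1024 count=1 2>/dev/null

echo "Creating new security key3.db/cert8.db pair."
"$CERTUTIL" -N -d . -f pwdfile.txt
echo "Generating encryption key."
"$CERTUTIL" -G -d . -z "$NOISE" -f pwdfile.txt
echo "Generating self-signed CA certificate."
"$CERTUTIL" -S -n "CA certificate" -s "cn=CAcert" -x \
  -t "CT,," -m 1000 -v "$VALIDITY_MONTHS" -d . -z "$NOISE" -f pwdfile.txt
echo "Generating self-signed Server certificate."
"$CERTUTIL" -S -n "Server-Cert" \
  -s "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
  -t "u,u,u" -m 1001 -v "$VALIDITY_MONTHS" -d . -z "$NOISE" -f pwdfile.txt

echo "Renaming and linking modified security DBs."
mv -f key3.db "slapd-$HOST-key3.db"
mv -f cert8.db "slapd-$HOST-cert8.db"
ln -s "slapd-$HOST-key3.db" key3.db
ln -s "slapd-$HOST-cert8.db" cert8.db
echo "Setting the correct ownership of security DBs"
chown "$SLAPD_OWNER:$SLAPD_GROUP" ./*.db
echo "Self-signed CA and SSL Server certs generated."
echo ""
echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format,"
echo "exporting the CA Cert in ASCII format or DER format, and"
echo "importing the CA Cert into the Admin Server"
echo ""
echo "---Start of OPTIONAL commands---"
# Unquoted EOF on purpose: $HOST is expanded into the commands.
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" -r > cacert.der
../shared/bin/certutil -A -d . -P admin-serv-$HOST- -n "CA certificate" -t "CT,," -a -i cacert.asc
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""

echo "Modifying server SSL configurations."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
# 'replace:' rather than 'add:' for every attribute: on a re-run 'add:'
# fails with "Type or value exists" (see the sample run), and without -c
# ldapmodify then stops before the cn=config entry, so nsslapd-security
# is never switched on.  'replace:' works whether or not the attribute
# already exists.
# nsslapd-ssl-check-hostname is left 'off' as the author had it; consider
# 'on' once the certificate CN really matches the server's FQDN.
cat <<EOF >"$WORKDIR/ssl_enable.ldif"
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: $SSL3_CIPHERS
-
replace: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
replace: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.db

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

EOF
# -j <file>: the Directory Manager password never appears on the command
# line (the old '-w `cat file`' form showed it to every user via ps).
"$LDAPMODIFY" -c -D "cn=Directory Manager" -j "$DIRMGR_PWD_FILE" \
  -f "$WORKDIR/ssl_enable.ldif"

# cn=RSA may or may not exist yet: remove it if it does (ldapdelete fails
# when it does not, so its status is tested instead of trusting set -e),
# then create it afresh.
if "$LDAPDELETE" -D "cn=Directory Manager" -j "$DIRMGR_PWD_FILE" \
     "cn=RSA,cn=encryption,cn=config"; then
  echo "deleting cn=RSA,cn=encryption,cn=config"
fi
cat <<EOF >"$WORKDIR/addRSA.ldif"
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

EOF
"$LDAPMODIFY" -a -D "cn=Directory Manager" -j "$DIRMGR_PWD_FILE" \
  -f "$WORKDIR/addRSA.ldif"

echo "Creating a pin.txt for auto-starting of slapd."
# The pin file lets slapd open the key DB without a prompt; it holds the
# DB password in clear, hence owner-only read for the slapd user.
PIN_FILE=slapd-$HOST-pin.txt
printf 'Internal (Software) Token:%s\n' "$NSSDB_PWD" >"$PIN_FILE"
chown "$SLAPD_OWNER:$SLAPD_GROUP" "$PIN_FILE"
chmod 400 "$PIN_FILE"
echo ""
echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"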
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsslapd-security: off"
echo "and then try to restart slapd."
echo ""

=======Sample run.

# ./cr_ssl_certs_fds1ldap.sh
Backing up existing *.db (if any) to backup_Wed.
Creating new security key3.db/cert8.db pair.
Generating encryption key.


Generating key. This may take a few moments...

Generating self-signed CA certificate.


Generating key. This may take a few moments...

Generating self-signed Server certificate.


Generating key. This may take a few moments...

Renaming and linking modified security DBs.
Setting the correct ownership of security DBs
Self-signed CA and SSL Server certs generated.

The following commands are OPTIONAL.
They are for backing up CA and Server Certs in PK12 format,
exporting the CA Cert in ASCII format or DER format, and
importing the CA Cert into the Admin Server

---Start of OPTIONAL commands---
../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o servercert.pfx -n "Server-Cert"
../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -r > cacert.der
../shared/bin/certutil -A -d . -P admin-serv-nj1net200plmon- -n "CA certificate" -t "CT,," -a -i cacert.asc
---End of OPTIONAL commands---

Modifying server SSL configurations.
NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
modifying entry cn=encryption,cn=config
ldap_modify: Type or value exists

deleting cn=RSA,cn=encryption,cn=config
adding new entry cn=RSA,cn=encryption,cn=config

Creating a pin.txt for auto-starting of slapd.

IMPORTANT NOTES:

1. How to check if SSL Configurations are done properly?
You may view config/dse.ldif after shutting down slapd
to verify all the required SSL configurations are there.

2. How to fix slapd startup issue due to mis-configuration of SSL?
If for any reason slapd fails to start due to SSL issue,
you may edit config/dse.ldif after shutting down slapd
and revert back to non-SSL configs.
i.e. set nsSSL3: off, nsslapd-security: off
and then try to restart slapd.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20060412/bd2231c5/attachment.html