Sorry for being "blind", I found the script at the very first "This" word. Maybe "This" should be changed to "This setupssl.sh", just to help people like me.

Gary

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Tay, Gary
Sent: Thursday, April 20, 2006 4:46 PM
To: General discussion list for the Fedora Directory server project.
Subject: **Caution-External**: RE: [Fedora-directory-users]: SSL directory server gateway, one-button SSL Certs (slapd + Admin Server) generation script

I couldn't find setupssl.sh anywhere on the HowTo SSL link.

Anyway, I have written cr_ssl_certs.sh which works for both FDS and SUN-ONE DS, and this script will also create the Admin Server SSL Cert (the same as slapd). Once you have used Admin Console to enable SSL for Admin Server at the "Encryption" tab, you would see a few .conf files including console.conf get updated at $SERVER_ROOT/admin-serv/config; the rest is history.

Note that it is not a MUST to create different CA Certs for different FDS Servers; they are so for testing purposes only. For production usage, you would most likely purchase signed SSL Server Certs for your different FDS Servers.

HTH.

Gary

Content of cr_ssl_certs.sh

#! /bin/sh
#
# cr_ssl_certs.sh - This script works for either Fedora or SUN-ONE DS
#
# Gary Tay
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
#
#set -vx
IS_ROOT_UID=`id | grep "uid=0(root)"`
if [ ! -n "$IS_ROOT_UID" ]; then
  echo "Please run this script as root"
  exit 1
fi
chmod 700 $0
if [ ! -f /home/ldap/dirmgr.pwd ]; then
  echo "Please setup /home/ldap/dirmgr.pwd."
  exit 1
else
  chmod 600 /home/ldap/dirmgr.pwd
fi

# Please customize the following
HOST=`hostname`
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"

# Uncomment for Fedora/RedHat Directory Server
SERVER_ROOT="/opt/fedora-ds"
# Uncomment for SUN-ONE/Java System Directory Server
#SERVER_ROOT="/var/Sun/mps"

if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
  LD_LIBRARY_PATH=$SERVER_ROOT/lib:$SERVER_ROOT/shared/lib
  SLAPD_OWNER="ldap"
  SLAPD_GROUP="ldap"
  TAR_CVF="tar -Pcvf"
  TAR_XVF="tar -Pxvf"
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
  LD_LIBRARY_PATH=$SERVER_ROOT/lib
  SLAPD_OWNER="root"
  SLAPD_GROUP="root"
  TAR_CVF="tar -cvf"
  TAR_XVF="tar -xvf"
fi
export LD_LIBRARY_PATH
PATH=$SERVER_ROOT/shared/bin:$PATH; export PATH

echo "Please shutdown slapd and Admin Server and perform a tar backup"
echo "and db2ldif backup of currently working system, and restart them again."
echo "Example of tar command: $TAR_CVF /var/tmp/ds_backup.tar $SERVER_ROOT"
echo "When you are ready, answer Yes and press Enter to continue."
echo "Press Ctrl-C to cancel."
read READY
[ "$READY" != "Yes" ] && exit 1

echo "Enter a UNIQUE SERIAL NUMBER for CA Cert."
echo "Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc..."
read UNIQUE_SN_CA
echo "Enter a UNIQUE SERIAL NUMBER for LDAP Server Cert."
echo "Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3."
read UNIQUE_SN_LDAP

cd $SERVER_ROOT/alias
echo "Backing up existing *.db (if any) to backup_$$."
mkdir -p backup_$$ >/dev/null 2>/dev/null
cp -p *.db backup_$$ >/dev/null 2>/dev/null
/bin/rm -f *.db >/dev/null 2>/dev/null

# NOTE: this is the NSS key database (token) password; change it from the
# default below. It also ends up in the pin.txt files created further down.
echo "secretpwd" >pwdfile.txt
chmod 600 pwdfile.txt
# NOTE: a fixed noise string is a poor seed; something like
# "head -c 1024 /dev/urandom >noise.txt" is preferable where available.
echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt

echo "Creating new security key3.db/cert8.db pair."
../shared/bin/certutil -N -d . -f pwdfile.txt
echo "Generating encryption key."
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt

echo "Generating self-signed CA certificate."
../shared/bin/certutil -S -n "CA certificate" \
  -s "cn=CAcert $HOST" -x \
  -t "CT,," -m $UNIQUE_SN_CA -v 120 -d . -z noise.txt -f pwdfile.txt

# The server cert is signed by the CA created above (-c), not self-signed.
echo "Generating CA-signed Server certificate."
../shared/bin/certutil -S -n "Server-Cert" \
  -s "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
  -t "u,u,u" -m $UNIQUE_SN_LDAP -v 120 -d . -z noise.txt -f pwdfile.txt

echo "Renaming and linking modified security DBs."
mv -f key3.db slapd-$HOST-key3.db
mv -f cert8.db slapd-$HOST-cert8.db
ln -s slapd-$HOST-key3.db key3.db
ln -s slapd-$HOST-cert8.db cert8.db
echo "Setting the correct ownership of security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP *.db
echo "Self-signed CA and SSL Server certs generated."
echo ""

echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format."
echo ""
echo "---Start of OPTIONAL commands---"
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""

#
echo "Enabling SSL."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
cat <<EOF >/tmp/ssl_enable.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
EOF
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
  cat <<EOF >>/tmp/ssl_enable.ldif

dn: cn=config
changetype: modify
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
EOF
fi
# NOTE: -w puts the Directory Manager password on the command line, where
# it is visible to other users via ps while ldapmodify runs.
if ../shared/bin/ldapmodify -D "cn=Directory Manager" \
     -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif; then
  echo "Enabling SSL in cn=encryption,cn=config and cn=config done."
else
  echo "Enabling SSL in cn=encryption,cn=config and cn=config failed."
fi

#
# NOTE: this cipher list still enables 40-bit (rc4_40, rc2_40), export-1024
# and NULL (fortezza_null) ciphers; trim it before production use.
cat <<EOF >/tmp/add_ssl_configs.ldif
dn: cn=encryption,cn=config
changetype: modify
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.db
EOF
if ../shared/bin/ldapmodify -D "cn=Directory Manager" \
     -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_ssl_configs.ldif; then
  echo "Adding SSL configs in cn=encryption,cn=config done."
else
  echo "Adding SSL configs in cn=encryption,cn=config failed."
fi

#
cat <<EOF >/tmp/addRSA.ldif
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
if ../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" \
     -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif; then
  echo "Adding cn=RSA,cn=encryption,cn=config done."
else
  echo "Adding cn=RSA,cn=encryption,cn=config failed."
fi

#
echo "Creating a pin.txt for auto-starting of slapd."
echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
chmod 400 slapd-$HOST-pin.txt

echo "Exporting the CA Cert in ASCII format and DER format"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
  -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
  -r > cacert.der

echo "Copying Server-Cert to Admin Server for Admin Server SSL connection."
cp slapd-$HOST-key3.db admin-serv-$HOST-key3.db
cp slapd-$HOST-cert8.db admin-serv-$HOST-cert8.db
echo "Setting the correct ownership of Admin Server security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-*.db
echo "Remember to enable SSL in Admin Server later."
echo "Remember to select 'Server-Cert' as the Certificate and click OK."
echo "Remember to restart Admin Server after that."

echo "Creating a pin.txt for auto-starting of Admin Server."
echo "`cat pwdfile.txt`" >admin-serv-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-pin.txt
chmod 400 admin-serv-$HOST-pin.txt

# Feed the pin file to the Admin Server's httpd/watchdog on stdin so it
# starts without prompting for the token password.
echo "Patching start-admin and creating start-admin.auto."
if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
  sed -e \
    '/^\$HTTPD/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
    $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
  sed -e \
    '/uxwdog/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
    $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
fi
chmod 755 $SERVER_ROOT/start-admin.auto
echo "Please use $SERVER_ROOT/start-admin.auto in rc3.d as autostart script."
echo ""

echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off"
echo "and then try to restart slapd."
echo ""
echo "3. How to fix Admin Server login issue due to mis-configuration of SSL?"
echo "If for any reason Admin Server login fails and you wish to give up,"
echo "simply stop slapd and admin-serv and restore using the tar backup"
echo "i.e. rm -f $SERVER_ROOT/alias/*.db;$TAR_XVF /var/tmp/ds_backup.tar"
echo ""

===Sample Run===

# ./cr_ssl_certs.sh
Please shutdown slapd and Admin Server and perform a tar backup
and db2ldif backup of currently working system, and restart them again.
Example of tar command: tar -cvf /var/tmp/ds_backup.tar /var/Sun/mps
When you are ready, answer Yes and press Enter to continue.
Press Ctrl-C to cancel.
Yes
Enter a UNIQUE SERIAL NUMBER for CA Cert.
Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc...
1000
Enter a UNIQUE SERIAL NUMBER for LDAP Server Cert.
Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3.
1001
Backing up existing *.db (if any) to backup_24872.
Creating new security key3.db/cert8.db pair.
Generating encryption key.
Generating key. This may take a few moments...
Generating self-signed CA certificate.
Generating key. This may take a few moments...
Generating CA-signed Server certificate.
Generating key. This may take a few moments...
Renaming and linking modified security DBs.
Setting the correct ownership of security DBs
Self-signed CA and SSL Server certs generated.

The following commands are OPTIONAL.
They are for backing up CA and Server Certs in PK12 format.

---Start of OPTIONAL commands---
../shared/bin/pk12util -d . -P slapd-ldap1- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-ldap1- -o servercert.pfx -n "Server-Cert"
---End of OPTIONAL commands---

Enabling SSL.
NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
modifying entry cn=encryption,cn=config
modifying entry cn=config
Enabling SSL in cn=encryption,cn=config and cn=config done.
modifying entry cn=encryption,cn=config
Adding SSL configs in cn=encryption,cn=config done.
adding new entry cn=RSA,cn=encryption,cn=config
Adding cn=RSA,cn=encryption,cn=config done.
Creating a pin.txt for auto-starting of slapd.
Exporting the CA Cert in ASCII format and DER format
Copying Server-Cert to Admin Server for Admin Server SSL connection.
Setting the correct ownership of Admin Server security DBs
Remember to enable SSL in Admin Server later.
Remember to select 'Server-Cert' as the Certificate and click OK.
Remember to restart Admin Server after that.
Creating a pin.txt for auto-starting of Admin Server.
Patching start-admin and creating start-admin.auto.
Please use /var/Sun/mps/start-admin.auto in rc3.d as autostart script.

IMPORTANT NOTES:

1. How to check if SSL Configurations are done properly?
You may view config/dse.ldif after shutting down slapd
to verify all the required SSL configurations are there.

2. How to fix slapd startup issue due to mis-configuration of SSL?
If for any reason slapd fails to start due to SSL issue,
you may edit config/dse.ldif after shutting down slapd
and revert back to non-SSL configs.
i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off
and then try to restart slapd.

3. How to fix Admin Server login issue due to mis-configuration of SSL?
If for any reason Admin Server login fails and you wish to give up,
simply stop slapd and admin-serv and restore using the tar backup
i.e. rm -f /var/Sun/mps/alias/*.db;tar -xvf /var/tmp/ds_backup.tar

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Jason Russler
Sent: Thursday, April 20, 2006 4:15 AM
To: General discussion list for the Fedora Directory server project.
Subject: SSL directory server gateway

Hi all,

I'm pretty uncertain about the best way to go about configuring the admin server to use SSL (FDS 1.0.2). All of the docs I'm finding are pretty shaky. Ultimately, I want users to manage their passwords and info via the web-based Directory Server Gateway over SSL. This would appear to be the same thing as enabling SSL for the admin server.

The setupssl.sh script provided by the SSL howto generates the keys/certs for the admin server and imports them into the appropriate cert db (I guess; I've performed the process by hand as well, based on RedHat's docs and the script itself). This would imply to me that the admin console would find the generated certs and present them in the admin server's console (under the Configuration -> Encryption tab) in much the same way that it does in the directory server's console. I can't tell if something that's supposed to work isn't or if I'm misunderstanding something. I'd like to know before I try to generate new SSL certificates and import them.

Thanks much,
Jason

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
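An added check for item 1 of the script's IMPORTANT NOTES (inspecting config/dse.ldif after slapd is shut down) and for the nsSSL3Ciphers list the script installs. This is example code written for this page; it is not part of cr_ssl_certs.sh, setupssl.sh, or the Fedora Directory Server project. It assumes dse.ldif uses ordinary LDIF folding (a continuation line starts with one space) and that the attribute names are the ones the script writes; the two dse.ldif fragments it writes under write_samples are constructed here, the second one using the script's own cipher list with nsSSLActivation left off to show a failing case.

```shell
#!/bin/sh
# check_dse_ssl.sh - added example, not part of cr_ssl_certs.sh.
# Verifies the SSL settings cr_ssl_certs.sh writes into dse.ldif and flags
# 40-bit, export-1024 and NULL ciphers that its nsSSL3Ciphers list enables.

# unfold_ldif FILE: join LDIF continuation lines (a line beginning with one
# space continues the previous attribute value) so each attribute is one line.
unfold_ldif() {
    awk '
        /^ / { sub(/^ /, ""); buf = buf $0; next }
        { if (NR > 1) print buf; buf = $0 }
        END { print buf }
    ' "$1"
}

# ldif_value FILE DN ATTR: print the first value of ATTR inside the entry DN.
ldif_value() {
    unfold_ldif "$1" | awk -v dn="dn: $2" -v attr="$3:" '
        $0 == dn { inside = 1; next }
        /^$/     { inside = 0 }
        inside && index($0, attr) == 1 {
            v = substr($0, length(attr) + 1); sub(/^ +/, "", v); print v; exit
        }
    '
}

# check_dse_ssl FILE: return 0 when every setting slapd needs to come up with
# SSL is present and no weak cipher is enabled (+); else print findings, return 1.
check_dse_ssl() {
    f=$1; rc=0
    for want in \
        "cn=config|nsslapd-security|on" \
        "cn=encryption,cn=config|nsSSL3|on" \
        "cn=RSA,cn=encryption,cn=config|nsSSLActivation|on" \
        "cn=RSA,cn=encryption,cn=config|nsSSLPersonalitySSL|Server-Cert" \
        "cn=RSA,cn=encryption,cn=config|nsSSLToken|internal (software)"
    do
        dn=${want%%|*}; rest=${want#*|}; attr=${rest%%|*}; val=${rest#*|}
        got=$(ldif_value "$f" "$dn" "$attr")
        if [ "$got" != "$val" ]; then
            echo "MISSING: $attr: $val in $dn (found: '${got:-none}')"; rc=1
        fi
    done
    ciphers=$(ldif_value "$f" "cn=encryption,cn=config" "nsSSL3Ciphers")
    for weak in rsa_rc4_40_md5 rsa_rc2_40_md5 rsa_null_md5 fortezza_null \
                tls_rsa_export1024_with_rc4_56_sha tls_rsa_export1024_with_des_cbc_sha
    do
        case ",$ciphers," in
            *",+$weak,"*) echo "WEAK: +$weak enabled in nsSSL3Ciphers"; rc=1 ;;
        esac
    done
    return $rc
}

# write_samples DIR: constructed dse.ldif fragments (not real server output).
# good.ldif carries a trimmed cipher list; weak.ldif uses the script's list.
write_samples() {
    mkdir -p "$1"
    cat <<'EOF' >"$1/good.ldif"
dn: cn=config
nsslapd-security: on

dn: cn=encryption,cn=config
nsSSL3: on
nsSSLClientAuth: allowed
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,+rsa_rc4_128_md5,
 +rsa_3des_sha,+rsa_fips_3des_sha
nsKeyfile: alias/slapd-ldap1-key3.db
nsCertfile: alias/slapd-ldap1-cert8.db

dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
    cat <<'EOF' >"$1/weak.ldif"
dn: cn=config
nsslapd-security: on

dn: cn=encryption,cn=config
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha

dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: off
EOF
}

# Usage: check_dse_ssl /opt/fedora-ds/slapd-`hostname`/config/dse.ldif
if [ $# -gt 0 ]; then check_dse_ssl "$1"; fi
```

Run it against a copy of dse.ldif taken after slapd has been stopped (the file is only rewritten on shutdown, as the script's NOTE says). A clean exit means the three entries the script modifies are all in place; a MISSING line points at the attribute to fix per item 2 of the notes, and a WEAK line names a cipher to turn from + to - in nsSSL3Ciphers.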