Version 2 of this script has been renamed cr_ssl_certs.sh and works for both FDS and SUN-ONE DS; check it out at: https://www.redhat.com/archives/fedora-directory-users/2006-April/msg00145.html

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Tay, Gary
Sent: Wednesday, April 12, 2006 6:20 PM
To: fedora-directory-users at redhat.com
Subject: **Caution-External**: [Fedora-directory-users] Automated script for complementing SSLHowTo

FDS Folks,

I wrote this script for the benefit of all.

Gary

Content of cr_ssl_certs_fds1ldap.sh

#! /bin/sh
#
# cr_ssl_certs_fds1ldap.sh
#
# 1) Make sure 'root' is used to run this script
# 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
#
#set -vx

IS_ROOT_UID=`id | grep "uid=0(root)"`
if [ ! -n "$IS_ROOT_UID" ]; then
  echo "Please run this script as root"
  exit 1
fi

if [ ! -f /home/ldap/dirmgr.pwd ]; then
  echo "Please setup /home/ldap/dirmgr.pwd."
  exit 1
else
  chmod 600 /home/ldap/dirmgr.pwd
fi

# Please customize the following
HOST="ldap1"
DOMAIN="example.com"
BASEDN="dc=example,dc=com"
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
SLAPD_OWNER="nobody"
SLAPD_GROUP="nobody"
FDS1_PATH=/opt/fedora-ds
LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
export LD_LIBRARY_PATH
PATH=$FDS1_PATH/shared/bin:$PATH; export PATH

# Stop here if the alias directory is missing; otherwise the rm below would
# run in the wrong directory.
cd $FDS1_PATH/alias || exit 1
DOW=`date | cut -d' ' -f1`
echo "Backing up existing *.db (if any) to backup_$DOW."
mkdir -p backup_$DOW >/dev/null 2>/dev/null
cp -p *.db backup_$DOW >/dev/null 2>/dev/null
/bin/rm -f *.db >/dev/null 2>/dev/null

# Password protecting the NSS key/cert databases; it is also written to
# slapd-$HOST-pin.txt below so slapd can open the token unattended. Change it.
echo "secretpwd" >pwdfile.txt
chmod 600 pwdfile.txt
# Seed for key generation, as required by certutil -z
echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt

echo "Creating new security key3.db/cert8.db pair."
../shared/bin/certutil -N -d . -f pwdfile.txt

echo "Generating encryption key."
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt

echo "Generating self-signed CA certificate."
../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x \
  -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt

echo "Generating self-signed Server certificate."
../shared/bin/certutil -S -n "Server-Cert" -s \
  "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
  -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

echo "Renaming and linking modified security DBs."
mv -f key3.db slapd-$HOST-key3.db
mv -f cert8.db slapd-$HOST-cert8.db
ln -s slapd-$HOST-key3.db key3.db
ln -s slapd-$HOST-cert8.db cert8.db

echo "Setting the correct ownership of security DBs"
chown $SLAPD_OWNER:$SLAPD_GROUP *.db

echo "Self-signed CA and SSL Server certs generated."
echo ""
echo "The following commands are OPTIONAL."
echo "They are for backing up CA and Server Certs in PK12 format,"
echo "exporting the CA Cert in ASCII format or DER format, and"
echo "importing the CA Cert into the Admin Server"
echo ""
echo "---Start of OPTIONAL commands---"
cat <<EOF >optional_cmds.txt
../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
  -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
  -r > cacert.der
../shared/bin/certutil -A -d . -P admin-serv-$HOST- -n "CA certificate" \
  -t "CT,," -a -i cacert.asc
EOF
cat optional_cmds.txt
echo "---End of OPTIONAL commands---"
echo ""

echo "Modifying server SSL configurations."
echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
cat <<EOF >/tmp/ssl_enable.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-$HOST-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-$HOST-cert8.db

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
EOF
# Note: -w puts the Directory Manager password on the command line, where it
# is visible in the process list while ldapmodify runs.
../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif

cat <<EOF >/tmp/delRSA.ldif
cn=RSA,cn=encryption,cn=config
EOF
../shared/bin/ldapdelete -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/delRSA.ldif
[ $? -eq 0 ] && echo "deleting cn=RSA,cn=encryption,cn=config"

cat <<EOF >/tmp/addRSA.ldif
dn: cn=RSA,cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif

echo "Creating a pin.txt for auto-starting of slapd."
echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
chmod 400 slapd-$HOST-pin.txt

echo ""
echo "IMPORTANT NOTES:"
echo ""
echo "1. How to check if SSL Configurations are done properly?"
echo "You may view config/dse.ldif after shutting down slapd"
echo "to verify all the required SSL configurations are there."
echo ""
echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
echo "If for any reason slapd fails to start due to SSL issue,"
echo "you may edit config/dse.ldif after shutting down slapd"
echo "and revert back to non-SSL configs."
echo "i.e. set nsSSL3: off, nsslapd-security: off"
echo "and then try to restart slapd."
echo ""

=======Sample run.

# ./cr_ssl_certs_fds1ldap.sh
Backing up existing *.db (if any) to backup_Wed.
Creating new security key3.db/cert8.db pair.
Generating encryption key.
Generating key.  This may take a few moments...
Generating self-signed CA certificate.
Generating key.  This may take a few moments...
Generating self-signed Server certificate.
Generating key.  This may take a few moments...
Renaming and linking modified security DBs.
Setting the correct ownership of security DBs
Self-signed CA and SSL Server certs generated.

The following commands are OPTIONAL.
They are for backing up CA and Server Certs in PK12 format,
exporting the CA Cert in ASCII format or DER format, and
importing the CA Cert into the Admin Server

---Start of OPTIONAL commands---
../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o cacert.pfx -n "CA certificate"
../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o servercert.pfx -n "Server-Cert"
../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -a > cacert.asc
../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -r > cacert.der
../shared/bin/certutil -A -d . -P admin-serv-nj1net200plmon- -n "CA certificate" -t "CT,," -a -i cacert.asc
---End of OPTIONAL commands---

Modifying server SSL configurations.
NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
modifying entry cn=encryption,cn=config
ldap_modify: Type or value exists
deleting cn=RSA,cn=encryption,cn=config
adding new entry cn=RSA,cn=encryption,cn=config
Creating a pin.txt for auto-starting of slapd.

IMPORTANT NOTES:

1. How to check if SSL Configurations are done properly?
You may view config/dse.ldif after shutting down slapd
to verify all the required SSL configurations are there.

2. How to fix slapd startup issue due to mis-configuration of SSL?
If for any reason slapd fails to start due to SSL issue,
you may edit config/dse.ldif after shutting down slapd
and revert back to non-SSL configs.
i.e. set nsSSL3: off, nsslapd-security: off
and then try to restart slapd.
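The check suggested in note 1 of the script, written out as an added example (not part of Gary's script or FDS): it reads config/dse.ldif after slapd has been shut down and confirms that each attribute the script sets is present with the expected value. The dse.ldif fragment at the end is constructed for a stand-alone run; point check_dse_ssl at the real file under the slapd instance's config directory instead.

```shell
# Verify that the SSL attributes written by cr_ssl_certs_fds1ldap.sh are
# present in config/dse.ldif (read it after slapd is shut down, as the
# script's note 1 says). Added example, not part of the original script.

# Print the value of attribute $2 in the entry with dn $1, from LDIF file $3.
# slapd writes dse.ldif one attribute per line, entries separated by blanks.
dse_attr() {
    awk -v dn="dn: $1" -v attr="$2: " '
        $0 == dn { in_entry = 1; next }
        in_entry && $0 == "" { exit }
        in_entry && index($0, attr) == 1 { print substr($0, length(attr) + 1); exit }
    ' "$3"
}

# Returns 0 when every attribute the script sets has the expected value,
# 1 otherwise; each mismatch is reported on stderr.
check_dse_ssl() {
    dse="$1"; rc=0
    check() {  # check <dn> <attribute> <expected value>
        got=$(dse_attr "$1" "$2" "$dse")
        if [ "$got" != "$3" ]; then
            echo "$1: $2 is '${got:-<absent>}', expected '$3'" >&2
            rc=1
        fi
    }
    check "cn=config"                      nsslapd-security    on
    check "cn=encryption,cn=config"        nsSSL3              on
    check "cn=encryption,cn=config"        nsSSLClientAuth     allowed
    check "cn=RSA,cn=encryption,cn=config" nsSSLPersonalitySSL Server-Cert
    check "cn=RSA,cn=encryption,cn=config" nsSSLToken          "internal (software)"
    check "cn=RSA,cn=encryption,cn=config" nsSSLActivation     on
    return $rc
}

# Constructed dse.ldif fragment (not real server output) for a stand-alone run.
SAMPLE_DSE=$(mktemp)
cat >"$SAMPLE_DSE" <<'EOF'
dn: cn=config
nsslapd-security: on

dn: cn=encryption,cn=config
nsSSL3: on
nsSSLClientAuth: allowed

dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
check_dse_ssl "$SAMPLE_DSE" && echo "sample dse.ldif: SSL configuration complete"
```

Each attribute that is absent or carries a different value is named on stderr, so a partial ldapmodify (such as the "Type or value exists" in the sample run) shows up before slapd is restarted.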