Tay, Gary wrote:

>I couldn't find setupssl.sh anywhere on the HowTo SSL link.
>

It's http://directory.fedora.redhat.com/wiki/Howto:SSL#Script under http://directory.fedora.redhat.com/wiki/Howto:SSL

When I get a chance, I'm going to merge some of the features from your script into that one.

>Anyway, I have written cr_ssl_certs.sh which works for both FDS and
>SUN-ONE DS, and this script will create also the Admin Server SSL Cert
>(the same as slapd). Once you have used Admin Console to enable SSL for
>Admin Server at the "Encryption" TAB, you would see a few .conf files
>including console.conf get updated at $SERVER_ROOT/admin-serv/config,
>the rest is history.
>
>Note that it is not a MUST to create different CA Certs for different
>FDS Servers, they are so for testing purposes only. For production
>usage, you would most likely purchase signed SSL Server Certs for your
>different FDS Servers.
>

Or purchase a CA product and assign your own.

>HTH.
>
>Gary
>
>Content of cr_ssl_certs.sh
>
>#! /bin/sh
>#
># cr_ssl_certs.sh - This script works for either Fedora or SUN-ONE DS
>#
># Gary Tay
>#
># 1) Make sure 'root' is used to run this script
># 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
>#
>#set -vx
>IS_ROOT_UID=`id | grep "uid=0(root)"`
>if [ ! -n "$IS_ROOT_UID" ]; then
>  echo "Please run this script as root"
>  exit 1
>fi
>chmod 700 $0
>if [ ! -f /home/ldap/dirmgr.pwd ]; then
>  echo "Please setup /home/ldap/dirmgr.pwd."
>  exit 1
>else
>  chmod 600 /home/ldap/dirmgr.pwd
>fi
># Please customize the following
>HOST=`hostname`
>DOMAIN="example.com"
>BASEDN="dc=example,dc=com"
>FQDN="$HOST.$DOMAIN"
>ORG="Example Companies"
>LOCALITY="NewYork City"
>STATE="NewYork"
>COUNTRY="US"
># Uncomment for Fedora/RedHat Directory Server
>SERVER_ROOT="/opt/fedora-ds"
># Uncomment for SUN-ONE/Java System Directory Server
>#SERVER_ROOT="/var/Sun/mps"
>if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
>  LD_LIBRARY_PATH=$SERVER_ROOT/lib:$SERVER_ROOT/shared/lib
>  SLAPD_OWNER="ldap"
>  SLAPD_GROUP="ldap"
>  TAR_CVF="tar -Pcvf"
>  TAR_XVF="tar -Pxvf"
>fi
>if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
>  LD_LIBRARY_PATH=$SERVER_ROOT/lib
>  SLAPD_OWNER="root"
>  SLAPD_GROUP="root"
>  TAR_CVF="tar -cvf"
>  TAR_XVF="tar -xvf"
>fi
>export LD_LIBRARY_PATH
>PATH=$SERVER_ROOT/shared/bin:$PATH; export PATH
>echo "Please shutdown slapd and Admin Server and perform a tar backup"
>echo "and db2ldif backup of currently working system, and restart them again."
>echo "Example of tar command: $TAR_CVF /var/tmp/ds_backup.tar $SERVER_ROOT"
>echo "When you are ready, answer Yes and press Enter to continue."
>echo "Press Ctrl-C to cancel."
>read READY
>[ "$READY" != "Yes" ] && exit 1
>echo "Enter an UNIQUE SERIAL NUMBER for CA Cert."
>echo "Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc..."
>read UNIQUE_SN_CA
>echo "Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert."
>echo "Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3."
>read UNIQUE_SN_LDAP
>cd $SERVER_ROOT/alias
>echo "Backing up existing *.db (if any) to backup_$$."
>mkdir -p backup_$$ >/dev/null 2>/dev/null
>cp -p *.db backup_$$ >/dev/null 2>/dev/null
>/bin/rm -f *.db >/dev/null 2>/dev/null
>echo "secretpwd" >pwdfile.txt
>chmod 600 pwdfile.txt
>echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt
>echo "Creating new security key3.db/cert8.db pair."
>../shared/bin/certutil -N -d . -f pwdfile.txt
>echo "Generating encryption key."
>../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
>echo "Generating self-signed CA certificate."
>../shared/bin/certutil -S -n "CA certificate" \
>  -s "cn=CAcert $HOST" -x \
>  -t "CT,," -m $UNIQUE_SN_CA -v 120 -d . -z noise.txt -f pwdfile.txt
>echo "Generating self-signed Server certificate."
>../shared/bin/certutil -S -n "Server-Cert" \
>  -s "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
>  -t "u,u,u" -m $UNIQUE_SN_LDAP -v 120 -d . -z noise.txt -f pwdfile.txt
>echo "Renaming and linking modified security DBs."
>mv -f key3.db slapd-$HOST-key3.db
>mv -f cert8.db slapd-$HOST-cert8.db
>ln -s slapd-$HOST-key3.db key3.db
>ln -s slapd-$HOST-cert8.db cert8.db
>echo "Setting the correct ownership of security DBs"
>chown $SLAPD_OWNER:$SLAPD_GROUP *.db
>echo "Self-signed CA and SSL Server certs generated."
>echo ""
>echo "The following commands are OPTIONAL."
>echo "They are for backing up CA and Server Certs in PK12 format."
>echo ""
>echo "---Start of OPTIONAL commands---"
>cat <<EOF >optional_cmds.txt
>../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
>../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
>EOF
>cat optional_cmds.txt
>echo "---End of OPTIONAL commands---"
>echo ""
>#
>echo "Enabling SSL."
>echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
>cat <<EOF >/tmp/ssl_enable.ldif
>dn: cn=encryption,cn=config
>changetype: modify
>replace: nsSSL3
>nsSSL3: on
>-
>replace: nsSSLClientAuth
>nsSSLClientAuth: allowed
>
>dn: cn=config
>changetype: modify
>add: nsslapd-security
>nsslapd-security: on
>
>EOF
>if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
>cat <<EOF >>/tmp/ssl_enable.ldif
>dn: cn=config
>replace: nsslapd-ssl-check-hostname
>nsslapd-ssl-check-hostname: off
>
>EOF
>fi
>../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif
>[ $? -eq 0 ] && \
>  echo "Enabling SSL in cn=encryption,cn=config and cn=config done."
>[ $? -ne 0 ] && \
>  echo "Enabling SSL in cn=encryption,cn=config and cn=config failed."
>#
>cat <<EOF >/tmp/add_ssl_configs.ldif
>dn: cn=encryption,cn=config
>changetype: modify
>add: nsSSL3Ciphers
>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>-
>add: nsKeyfile
>nsKeyfile: alias/slapd-$HOST-key3.db
>-
>add: nsCertfile
>nsCertfile: alias/slapd-$HOST-cert8.db
>
>EOF
>../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_ssl_configs.ldif
>[ $? -eq 0 ] && echo "Adding SSL configs in cn=encryption,cn=config done."
>[ $? -ne 0 ] && echo "Adding SSL configs in cn=encryption,cn=config failed."
>#
>cat <<EOF >/tmp/addRSA.ldif
>dn: cn=RSA,cn=encryption,cn=config
>objectclass: top
>objectclass: nsEncryptionModule
>cn: RSA
>nsSSLPersonalitySSL: Server-Cert
>nsSSLToken: internal (software)
>nsSSLActivation: on
>
>EOF
>../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif
>[ $? -eq 0 ] && echo "Adding cn=RSA,cn=encryption,cn=config done."
>[ $? -ne 0 ] && echo "Adding cn=RSA,cn=encryption,cn=config failed."
>#
>echo "Creating a pin.txt for auto-starting of slapd."
>echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
>chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
>chmod 400 slapd-$HOST-pin.txt
>echo "Exporting the CA Cert in ASCII format or DER format"
>../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
>  -a > cacert.asc
>../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
>  -r > cacert.der
>echo "Copying Server-Cert to Admin Server for Admin Server SSL connection."
>cp slapd-$HOST-key3.db admin-serv-$HOST-key3.db
>cp slapd-$HOST-cert8.db admin-serv-$HOST-cert8.db
>echo "Setting the correct ownership of Admin Server security DBs"
>chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-*.db
>echo "Remember to enable SSL in Admin Server later."
>echo "Remember to select 'Server-Cert' as the Certificate and click OK."
>echo "Remember to restart Admin Server after that."
>echo "Creating a pin.txt for auto-starting of Admin Server."
>echo "`cat pwdfile.txt`" >admin-serv-$HOST-pin.txt
>chown $SLAPD_OWNER:$SLAPD_GROUP admin-serv-$HOST-pin.txt
>chmod 400 admin-serv-$HOST-pin.txt
>echo "Patching start-admin and creating start-admin.auto."
>if [ "$SERVER_ROOT" = "/opt/fedora-ds" ]; then
>  sed -e \
>  '/^\$HTTPD/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
>  $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
>fi
>if [ "$SERVER_ROOT" = "/var/Sun/mps" ]; then
>  sed -e \
>  '/uxwdog/s/$/ \<"$SERVER_ROOT"\/alias\/admin-serv-`hostname`-pin.txt/' \
>  $SERVER_ROOT/start-admin >$SERVER_ROOT/start-admin.auto
>fi
>chmod 755 $SERVER_ROOT/start-admin.auto
>echo "Please use $SERVER_ROOT/start-admin.auto in rc3.d as autostart script."
>echo ""
>echo "IMPORTANT NOTES:"
>echo ""
>echo "1. How to check if SSL Configurations are done properly?"
>echo "You may view config/dse.ldif after shutting down slapd"
>echo "to verify all the required SSL configurations are there."
>echo ""
>echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
>echo "If for any reason slapd fails to start due to SSL issue,"
>echo "you may edit config/dse.ldif after shutting down slapd"
>echo "and revert back to non-SSL configs."
>echo "i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off"
>echo "and then try to restart slapd."
>echo ""
>echo "3. How to fix Admin Server login issue due to mis-configuration of SSL?"
>echo "If for any reason Admin Server login fails and you wish to give up,"
>echo "simply stop slapd and admin-serv and restore using the tar backup"
>echo "i.e. rm -f $SERVER_ROOT/alias/*.db;$TAR_XVF /var/tmp/ds_backup.tar"
>echo ""
>
>===Sample Run===
>
># ./cr_ssl_certs.sh
>Please shutdown slapd and Admin Server and perform a tar backup
>and db2ldif backup of currently working system, and restart them again.
>Example of tar command: tar -cvf /var/tmp/ds_backup.tar /var/Sun/mps
>When you are ready, answer Yes and press Enter to continue.
>Press Ctrl-C to cancel.
>Yes
>Enter an UNIQUE SERIAL NUMBER for CA Cert.
>Eg: 1000 for ldap1, 2000 for ldap2, 3000 for ldap3, etc...
>1000
>Enter an UNIQUE SERIAL NUMBER for LDAP Server Cert.
>Eg: 1001 for ldap1, 1002 for ldap2, 1003 for ldap3.
>1001
>Backing up existing *.db (if any) to backup_24872.
>Creating new security key3.db/cert8.db pair.
>Generating encryption key.
>
>
>Generating key. This may take a few moments...
>
>Generating self-signed CA certificate.
>
>
>Generating key. This may take a few moments...
>
>Generating self-signed Server certificate.
>
>
>Generating key. This may take a few moments...
>
>Renaming and linking modified security DBs.
>Setting the correct ownership of security DBs
>Self-signed CA and SSL Server certs generated.
>
>The following commands are OPTIONAL.
>They are for backing up CA and Server Certs in PK12 format.
>
>---Start of OPTIONAL commands---
>../shared/bin/pk12util -d . -P slapd-ldap1- -o cacert.pfx -n "CA certificate"
>../shared/bin/pk12util -d . -P slapd-ldap1- -o servercert.pfx -n "Server-Cert"
>---End of OPTIONAL commands---
>
>Enabling SSL.
>NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
>modifying entry cn=encryption,cn=config
>
>modifying entry cn=config
>
>Enabling SSL in cn=encryption,cn=config and cn=config done.
>modifying entry cn=encryption,cn=config
>
>Adding SSL configs in cn=encryption,cn=config done.
>adding new entry cn=RSA,cn=encryption,cn=config
>
>Adding cn=RSA,cn=encryption,cn=config done.
>Creating a pin.txt for auto-starting of slapd.
>Exporting the CA Cert in ASCII format or DER format
>Copying Server-Cert to Admin Server for Admin Server SSL connection.
>Setting the correct ownership of Admin Server security DBs
>Remember to enable SSL in Admin Server later.
>Remember to select 'Server-Cert' as the Certificate and click OK.
>Remember to restart Admin Server after that.
>Creating a pin.txt for auto-starting of Admin Server.
>Patching start-admin and creating start-admin.auto.
>Please use /var/Sun/mps/start-admin.auto in rc3.d as autostart script.
>
>IMPORTANT NOTES:
>
>1. How to check if SSL Configurations are done properly?
>You may view config/dse.ldif after shutting down slapd
>to verify all the required SSL configurations are there.
>
>2. How to fix slapd startup issue due to mis-configuration of SSL?
>If for any reason slapd fails to start due to SSL issue,
>you may edit config/dse.ldif after shutting down slapd
>and revert back to non-SSL configs.
>i.e. set nsSSL3: off, nsSSLActivation: off and nsslapd-security: off
>and then try to restart slapd.
>
>3. How to fix Admin Server login issue due to mis-configuration of SSL?
>If for any reason Admin Server login fails and you wish to give up,
>simply stop slapd and admin-serv and restore using the tar backup
>i.e. rm -f /var/Sun/mps/alias/*.db;tar -xvf /var/tmp/ds_backup.tar
>
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Jason Russler
>Sent: Thursday, April 20, 2006 4:15 AM
>To: General discussion list for the Fedora Directory server project.
>Subject: SSL directory server gateway
>
>
>Hi all,
>I'm pretty uncertain about the best way to go about configuring the
>admin server to use SSL (FDS1.0.2). All of the docs I'm finding are
>pretty shaky. Ultimately, I want users to manage their passwords and
>info via the web-based Directory Server Gateway over SSL. This would
>appear to be the same thing as enabling SSL for the admin server. The
>setupssl.sh script provided by the SSL howto generates the keys/certs
>for the admin server and imports them into the appropriate cert db (I
>guess; I've performed the process by hand as well, based on RedHat's
>docs and the script itself). This would imply to me that the admin
>console would find the generated certs and present them in the admin
>server's console (under the Configuration -> Encryption tab) in much the
>same way that it does in the directory server's console. I can't tell
>if something that's supposed to work isn't or if I'm misunderstanding
>something. I'd like to know before I try to generate new SSL
>certificates and import them.
>Thanks much,
>Jason
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
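As an added example (not part of this thread or of Gary's cr_ssl_certs.sh), the following POSIX sh check automates "IMPORTANT NOTE 1" above: it joins LDIF folded lines in a dse.ldif, confirms the attributes the script sets (nsslapd-security, nsSSL3, nsSSLActivation, nsSSLPersonalitySSL) are on, and flags any enabled 40-bit, export-grade or NULL cipher from the nsSSL3Ciphers list the script installs. Function names and the sample dse.ldif are my own constructions.

```shell
#!/bin/sh
# Added example, not part of cr_ssl_certs.sh: verify the SSL settings in a
# dse.ldif and flag weak ciphers. Function names and sample data are constructed.

# LDIF folds long values onto lines starting with one space; join them.
ldif_flatten() {
    awk '/^ / { cur = cur substr($0, 2); next }
         { if (cur != "") print cur; cur = $0 }
         END { if (cur != "") print cur }' "$1"
}

# check_ssl_config FILE: prints OK/MISS per required attribute and any
# enabled (+) cipher that is 40-bit, export-grade or NULL; returns 1 on a
# missing attribute or a weak cipher, 0 otherwise.
check_ssl_config() {
    flat=$(ldif_flatten "$1")
    status=0
    for want in "nsslapd-security: on" "nsSSL3: on" \
                "nsSSLActivation: on" "nsSSLPersonalitySSL: Server-Cert"; do
        if printf '%s\n' "$flat" | grep -qi "^$want\$"; then
            echo "OK   $want"
        else
            echo "MISS $want"; status=1
        fi
    done
    weak=$(printf '%s\n' "$flat" | sed -n 's/^nsSSL3Ciphers: *//p' | tr ',' '\n' |
           grep '^+' | grep -Ei '_40_|export|null' || true)
    if [ -n "$weak" ]; then
        echo "WEAK ciphers enabled:"; echo "$weak"; status=1
    fi
    return $status
}

# Constructed sample resembling what the script leaves in config/dse.ldif.
sample_dse=$(mktemp)
cat >"$sample_dse" <<'EOF'
dn: cn=encryption,cn=config
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_3des_sha,
 +tls_rsa_export1024_with_des_cbc_sha

dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on

dn: cn=config
nsslapd-security: on
EOF
check_ssl_config "$sample_dse" || echo "dse.ldif needs attention"
```

Run it against a copy of config/dse.ldif taken after slapd is shut down; a non-zero exit means either a missing setting or a cipher worth removing from nsSSL3Ciphers.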