(no subject)


 



Chavez, James R. wrote:
> Hello again, Thanks for the reply. 
> My Solaris 10 and 8 clients are working against SSL now, thanks!
> For my Linux clients I am trying to follow the FDS wiki: How
> to:SSL.
>
> I am having a problem importing the root CA certificate on my Fedora
> boxes. 
> The Howto SSL link says to run this command to import the cacert.asc
> file.
>
> "cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
> cacert.asc`.0"
>
> However that responds with the below error. Anybody familiar with this
> error?
> Also I see Fedora has the certutil utility, can I use this to import the
> ca root certificate like I did for the Solaris clients?
>   

I believe the nss_ldap and pam_ldap libraries on Fedora use OpenSSL, not 
Mozilla's NSS (of which certutil is a component).
So certutil won't do you any good in this area.

> 'Error opening Certificate cacert.asc
> 2312:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:352:fopen('cacert.asc','r')
> 2312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
>   

Try giving an absolute path to cacert.asc... looks like it's just not 
finding that file.
e.g.

"cp /path/to/cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
/path/to/cacert.asc`.0"


> Many Thanks
> James
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of George
> Holbert
> Sent: Friday, December 05, 2008 12:03 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: Create client SSL certificates for Solaris boxes.
>
> James Chavez wrote:
>> George,
>> Thank you much for the help with this. I read up on the links you sent
>> and they seem to have helped. I have been struggling with a Solaris 8
>> box for the past few hours. It would not work at first, I was getting
>> an end of file error in the access log. Then it just started working
>> after I restarted the client services a few times and re-added the box
>> using the same profile.
>>
>> I have another question in regards to SSL for replication.
>> I had MMR going between two servers, this one and another prior to
>> enabling SSL on this server. I removed all the replication agreements
>> because as I understand it they need to be recreated with SSL. I would
>> appreciate the list's opinions on the following. The Admin guide states
>> that there are 2 ways of replicating over SSL, I pasted them below. I
>> would like to know the pros and cons of each and if a DNS PTR record
>> is an absolute necessity on each MMR member.
>
> The end result with both SSL replication flavors is the same.
> Both encrypt the replication traffic between your directory servers.
> The client cert method, when properly implemented, will make life more
> challenging for a prospective attacker who would like to impersonate
> your replication manager identity.  In that sense, it is more secure
> than simple auth with SSL.
>
>
>   
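
An added example, not part of the original message or the FDS wiki: a shell function that performs the hashed-name copy discussed in this thread while catching the failure seen above (an unreadable or unparseable file) before anything is written. The function name `install_ca_cert` and its return codes are assumptions made for illustration; the default directory is the one used in the thread.

```shell
#!/bin/sh
# install_ca_cert CERT [DIR]
# Hypothetical helper: copies CERT into an OpenSSL hashed CA directory
# as <subject-hash>.<n> and prints the path it used.
install_ca_cert() {
    cert=$1
    dir=${2:-/etc/openldap/cacerts}

    # Fail early with a clear message instead of the fopen error in the thread.
    if [ ! -r "$cert" ]; then
        echo "cannot read certificate file: $cert" >&2
        return 1
    fi

    # An empty hash means openssl could not parse the file as a certificate.
    # Without this check the copy would land in a file named ".0".
    hash=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || hash=
    if [ -z "$hash" ]; then
        echo "not a parseable X.509 certificate: $cert" >&2
        return 2
    fi
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")

    # OpenSSL looks up <hash>.0, <hash>.1, ... so take the first free suffix,
    # and stop if the same certificate is already installed.
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        old=$(openssl x509 -noout -fingerprint -sha256 \
              -in "$dir/$hash.$n" 2>/dev/null) || old=
        if [ "$old" = "$fp" ]; then
            echo "$dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done

    cp "$cert" "$dir/$hash.$n" && chmod 644 "$dir/$hash.$n" || return 3
    echo "$dir/$hash.$n"
}
```

Called as `install_ca_cert /path/to/cacert.asc`, it returns 1 for a missing file and 2 for a file that is not a certificate, so a wrong path is reported before the copy is attempted.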





