TinyCA2 & 389-DS


 



Jeff Moody wrote:
> I'm trying to set up two 389 Directory Services servers in a replication scenario. I can do this quite easily without any SSL/TLS setup.
>
> In an effort to improve the security of our environment, I would like to get TLS configured so that this replication (and all LDAP authentication attempts) are encrypted.
>
> Using the scripts provided at http://directory.fedoraproject.org/wiki/Howto:SSL I can get one server using SSL; however when I try and establish the cross-server communication, the SSL/TLS keys appear to fall apart.
> My understanding from the logs on the systems is that the two servers (FDSMEM1 and FDSMEM2) do not have a common CA, and so their server certs do not trust each other.
>
> So, I have set up TinyCA and created a CA cert from a third server. I have generated manual cert requests on the two LDAP servers (after registering the CA cert) and generated the certificates. Replication appears to be working through TLS.
>
> Now, the problem I am having.
>
> When I run the 'certutil -L -d . -n "CA certificate" -a > cacert.asc' command I get a cacert.asc. When I deploy this cacert.asc to my LDAP clients as the key for TLS to start, though, it appears that something isn't handshaking well and I am never able to query the LDAP server from a client.
>
> Has anyone gotten a 389DS system (or pair of systems) fully working with certs managed & created by TinyCA2? If so, what are the gotchas that I must be missing to get this working? Would anyone be willing to help me write a HOWTO on getting this working so that it would be outlined more effectively for newer users?
>   
I'm not sure what's going on with your setup.  I do know that, in order 
for an SSL client to talk to an SSL server, the SSL client needs the CA 
cert of the CA that issued the SSL server's cert.
There is some information about TinyCA2 here - 
http://directory.fedoraproject.org/wiki/Howto:WindowsSync#With_TinyCA2 - 
don't know how accurate it is, or how applicable it is to your situation.
> Thanks.
>
> --
> Jeff Moody
> Senior Systems Engineer
> Electronic Vaulting Services
> 5050 Poplar Ave., Suite 1600
> Memphis, TN 38157
> (901) 259-2387 - 24x7 Helpdesk
> (901) 213-5146 - Office
> (901) 497-1444 - Mobile
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>   
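The reply above makes the one point that decides whether the client handshake works: the client must hold the CA cert of the CA that issued the server's cert, so the file produced by certutil has to be that CA cert and the server cert has to chain to it. The script below is an added example, not code from the thread or from the 389-DS project; it exports the CA cert, checks that it really is a CA and that the server cert verifies against it, and then runs the same verification from a client. The NSS database path /etc/dirsrv/slapd-fdsmem1, the host name fdsmem1.example.com and the server-cert nickname "Server-Cert" (the 389-DS default) are assumptions; the placeholder PEM used for the offline run is constructed and is not a real certificate.

```shell
#!/bin/sh
# Added example (not from the thread or the 389-DS project): confirm that the
# CA cert exported with certutil is the issuer of the server cert, then verify
# the TLS handshake from a client with that CA file.
# Assumptions: NSS db /etc/dirsrv/slapd-fdsmem1, server cert nickname
# "Server-Cert" (389-DS default), CA nickname "CA certificate" as in the post,
# OpenLDAP command-line tools on the client.
set -eu

# Pure-shell sanity check of an exported PEM file: prints the number of
# certificates, fails if BEGIN/END markers are unbalanced. A mistyped -n
# nickname makes certutil write an empty file, so rule that out first.
pem_cert_count() {
    f="$1"
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$begins" -ne "$ends" ]; then
        echo "unbalanced PEM markers in $f" >&2
        return 2
    fi
    echo "$begins"
}

# Server side: export the CA cert and prove it issued Server-Cert.
export_and_verify_ca() {
    db="$1"; out="$2"
    certutil -L -d "$db" -n "CA certificate" -a > "$out"
    [ "$(pem_cert_count "$out")" -eq 1 ] \
        || { echo "expected exactly one cert in $out" >&2; return 1; }
    # Basic Constraints must say CA:TRUE; a server cert exported under the
    # wrong nickname fails here.
    openssl x509 -in "$out" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$out is not a CA certificate" >&2; return 1; }
    # The server cert must chain to this CA or no client will trust it.
    certutil -L -d "$db" -n "Server-Cert" -a > "$out.server.pem"
    openssl verify -CAfile "$out" "$out.server.pem"
    rm -f "$out.server.pem"
}

# Client side: connect by the name in the server cert's CN/SAN. An IP address
# or a short host name fails verification even when the CA file is right.
client_check() {
    host="$1"; ca="$2"
    # STARTTLS on 389: -ZZ aborts unless TLS is established and verified.
    LDAPTLS_CACERT="$ca" ldapsearch -x -ZZ -H "ldap://$host" -b "" -s base
    # LDAPS on 636: the result line should read "Verify return code: 0 (ok)".
    openssl s_client -connect "$host:636" -CAfile "$ca" </dev/null \
        | grep 'Verify return code'
}

# Offline run on a constructed PEM file (placeholder body, not a real cert)
# so pem_cert_count can be exercised without certutil present.
sample=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n' > "$sample"
echo "certificates in sample file: $(pem_cert_count "$sample")"
rm -f "$sample"

# Real checks only where the tools and the assumed instance exist.
if command -v certutil >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 \
   && [ -d /etc/dirsrv/slapd-fdsmem1 ]; then
    export_and_verify_ca /etc/dirsrv/slapd-fdsmem1 ./cacert.asc
    command -v ldapsearch >/dev/null 2>&1 && client_check fdsmem1.example.com ./cacert.asc
fi
```

On the client, the same CA file goes into /etc/openldap/ldap.conf as TLS_CACERT so every libldap user picks it up; if that libldap is built against NSS rather than OpenSSL, TLS_CACERTDIR names an NSS database, not a directory of hashed PEM files. When the CA cert is imported into the second server's NSS database with certutil -A, give it the trust flags CT,, so that server trusts it both for the replication partner's server cert and for any client certs it issues.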



