Re: Using JNDI and 389DS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hey dc,

I did create a keystore, but every time I try to get it to work, I get stuck.  I will post my java code tomorrow to show you what my code looks like, and then I will mention the exact 389 DS configuration.

Thanks,

Rohit
________________________________________
From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Chun Tat David Chu [beyonddc.storage@xxxxxxxxx]
Sent: Wednesday, March 20, 2013 9:15 PM
To: General discussion list for the 389 Directory server project.
Subject: Re:  Using JNDI and 389DS

I have written Java code that does what you described.  I think you should break up your problem.

1) Install your server certificate on the 389 DS first.  You should consult the following website
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.html

2) Write your Java application to use JNDI to talk with 389 DS via SSL.  You should follow the tutorial from the website.
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html

An important thing to note is you need to create a Java keystore.  The Java keystore needs to be accessible by your application.  You can pass in a Java property that specifies the Java keystore.  The JNDI Tutorial above should give you some hint.

Good luck,

dc

On Wed, Mar 20, 2013 at 5:48 PM, Chandan Kumar <chandank.kumar@xxxxxxxxx<mailto:chandank.kumar@xxxxxxxxx>> wrote:
Hi Rohit,

Months back Arpit responded to my similar query in this forum and it worked. I am just re-posting his steps here.

The only difference is just ignore the slave certificate generation and all should be good.

How about creating one CA cert & signing all RHDS server from same CA,
Then all you have to do is to import only one CA in clients.


Create a CA Cerfificate
# certutil -S -n "CA certificate" -s "cn=CA
cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d
. -k rsa

Make sure you say yes to "Is this a CA certificate [y/N]?" and
everything else will be default.

Next we create your Server Cert.
Important - Make sure your cn is your FQDN of this server.


Create cert for ldap1.example.com<http://ldap1.example.com> on ldap1.example.com<http://ldap1.example.com>
# certutil -S -n "directory-Server-Cert-1" -s "cn=ldap1.example.com<http://ldap1.example.com>"
-c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa


Create cert for ldap2.example.com<http://ldap2.example.com> on ldap1.example.com<http://ldap1.example.com>
# certutil -S -n "directory-Server-Cert-2" -s "cn=ldap2.example.com<http://ldap2.example.com>"
-c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa

Then check to make sure it looks ok
# certutil -L -n "directory-Server-Cert-2" -d .

Export keys & certs for ldap2.example.com<http://ldap2.example.com>
# pk12util -d . -o server2.p12 -n directory-Server-Cert-2
# certutil -L -d . -n "CA certificate" -a > cacert.asc

Copy the 'server2.p12' and 'cacert.asc' created above to the 2nd Red
Hat Directory Server.

Create your public ca for your clients.
# certutil -d . -L -n "CA certificate" -a  > my-public-ca.asc


While logged in to the 2nd RHDS i.e. ldap2.example.com<http://ldap2.example.com>, run the following:

# service dirsrv stop
# cd /etc/disrv/slapd-INSTANCE2/
# mv /path/to/server2.p12 /etc/dirsrv/slapd-INSTANCE2/
# mv /path/to/cacert.asc /etc/dirsrv/slapd-INSTANCE2/
# pk12util -d . -i server2.p12
# certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
# service dirsrv start


Thanks

Chandan

On Wednesday, March 20, 2013, Chaudhari, Rohit K. wrote:
Hey everyone,

I need help implementing a client-server SSL connection.  I've been researching on the web and I have no idea how to get my Java application to talk to the 389DS securely.  I have been looking into keytool and JSSE, but there is no clear cut explanation on how it should be done.  I have a self-signed CA certificate that I created using certutil, and then a server certificate generated from that self-signed CA.  Is there anyone who knows a path to a solution?

Thanks,

Rohit


--

--
http://about.me/chandank


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx<mailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx>
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux