Re: solaris 10 SSL connections

i've renamed cert8 to cert7, same thing.  Everything goes clear text for some reason....?
yah, I wouldn't expect this to help. The file contents have more significance than the file name, and cert8 files aren't identical to cert7. However, I'm not sure this is the problem, since Solaris 10 might be able to use (or even require) cert8 files.

All you need in the Solaris client cert db files is the CA certificate of the CA which signed your FDS server's certificate.

I'd suggest using the certutil command, rather than Mozilla, to generate the cert db files.

The following recipe has worked well for me:

# Create new cert and key DB files.
certutil -N -d /var/ldap
# Add your ascii CA certificate to the cert DB.
certutil -A -n "Susan's CA" -t "C,," -a -i ./susans-cacert.pem -d /var/ldap
# List the contents of your cert DB.
certutil -L -d /var/ldap


Try this first using certutil as included with Solaris 10 (/usr/sfw/bin/certutil). I think this will create a cert8 file. If cert8 doesn't seem to work, try generating a cert7 file with an older version of the certutil command. I've found that 3.3.2 is the latest version that will work for the Solaris 8 and 9 ldap name service client:
http://www.mozilla.org/projects/security/pki/nss/release_notes_332.html

Again, I'm not sure if the cert7/8 version problem is even an issue in Solaris 10, but it certainly is with 8 and 9.


-- George


Susan wrote:
--- George Holbert <gholbert@xxxxxxxxxxxx> wrote:

The ldapsearch command doesn't look in /var/ldap for the cert db. It uses the current directory as the default cert db path. You can run ldapsearch from /var/ldap, or give it a "-P /var/ldap" argument to use the cert db in /var/ldap.

yea, I tried that also, same result.  It just doesn't encrypt the connection.

Also, the -v arg might help you narrow down what's happening.

that doesn't add any more info.

by earlier versions of the NSS tools. Solaris 10 might be able to use cert8.db.

i've renamed cert8 to cert7, same thing.  Everything goes clear text for some reason....?

Now, if I take this exact same command, copy/paste into a linux box (I've to append -x for simple auth) then voila! it all gets scrambled and ethereal says "invalid LDAP header," because it can't parse SSL on the LDAP port.

So, it looks like FDS is OK but the solaris is no good here...  NO IDEA why..

George, do you have ssl-enabled solaris ldap auth working with FDS?

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
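The two things George's reply hinges on are the cert DB files actually existing where the client looks (the -P directory, or the current directory for ldapsearch) and the CA certificate being in the ASCII form that "certutil -A -a" expects. The following pre-flight script is an added example, not code from George, Susan or the Fedora Directory Server project; /usr/sfw/bin/certutil is the Solaris 10 path named in the thread, and every directory and file name passed to the functions is a placeholder chosen by the caller.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certutil recipe above, so that a
# client silently falling back to cleartext can be traced to a missing or
# wrongly formatted cert DB before ldapsearch is even run.

# Report which NSS cert DB generation a directory holds:
# "cert8", "cert7", "both" or "none".
certdb_format() {
    if [ -f "$1/cert8.db" ] && [ -f "$1/cert7.db" ]; then echo both
    elif [ -f "$1/cert8.db" ]; then echo cert8
    elif [ -f "$1/cert7.db" ]; then echo cert7
    else echo none
    fi
}

# Succeed only if the file is an ASCII (PEM) certificate, which is what
# "certutil -A -a" reads; a binary DER file fails this check.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# Resolve the cert DB directory ldapsearch will actually consult: the -P
# argument when one is given, otherwise the current working directory
# (the default George describes).
ldapsearch_certdb_dir() {
    if [ -n "$1" ]; then echo "$1"; else pwd; fi
}

# Combined check. Exit status: 0 = ready, 1 = no cert DB in the directory,
# 2 = CA file is not PEM. Prints a one-line diagnosis on stdout.
certdb_preflight() {
    dir=$1; cafile=$2
    if [ "$(certdb_format "$dir")" = none ]; then
        echo "no cert7.db/cert8.db in $dir; run: /usr/sfw/bin/certutil -N -d $dir"
        return 1
    fi
    if ! is_pem_cert "$cafile"; then
        echo "$cafile is not PEM; convert the CA cert to ASCII before certutil -A -a"
        return 2
    fi
    echo "ok: $(certdb_format "$dir") cert DB in $dir, PEM CA at $cafile"
}

# Usage (placeholder paths):
#   . ./certdb_preflight.sh
#   certdb_preflight /var/ldap ./susans-cacert.pem
#   certdb_preflight "$(ldapsearch_certdb_dir "$P_ARG")" ./susans-cacert.pem
```

Running certdb_preflight against the directory ldapsearch_certdb_dir reports is the quickest way to confirm that the -P argument and the directory certutil populated are the same place; a "none" result with a cert8.db sitting somewhere else is exactly the symptom of running ldapsearch from the wrong directory without -P.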