self-signed certificate on DS

Hi, how do I install SSL on DS without using the console? Thanks,
By Linda_B at 2007-11-26 8:34:10
# 1

- The "certutil" tool is great for manipulating cert and key db files from the command line. certutil is part of the Mozilla NSS suite, and is available in Solaris with the SUNWtlsu package.

- To enable SSL on your server, you will import some LDIF that modifies cn=config. The best way to find out what LDIF is necessary is to enable audit logging on the server, then enable SSL from the console, then review the audit log to see what attributes beneath cn=config were modified.

gtholbert at 2007-7-6 22:01:02
# 2

Install an SSL certificate

On Solaris 10, certutil is in /usr/sfw/bin. Add this directory to your path.

Information needed up front:

Certificate DB password: nssecret
Certificate base DN: o=certs, o=am
Certificate DB directory: /var/opt/mps/serverroot/alias
Certificate DB prefix: slapd-<host>-
Directory Server host name: <host>.<domain>

* Create the DS certificate DB

cd /var/opt/mps/serverroot/alias
certutil -N -d . -P "slapd-<host>-"

* Generate a Certificate Signing Request

certutil -R -s "cn=<host>.<domain>, o=certs, o=am" -a \
    -o /tmp/certrequest.pem -d . -P "slapd-<host>-"

This will ask you to type for a while.

* Send the Certificate Signing Request to the CA, and get the signed certificate and CA certificate back.

* Import the CA certificate into the database, and set the trust flag

certutil -A -n "ca-cert" -i /tmp/cacert.pem -a -t CT -d . \
    -P "slapd-<host>-"

* Import the signed SSL server certificate

certutil -A -n "server-cert" -i /tmp/signedcert.pem -a -t Pu -d . \
    -P "slapd-<host>-"

* Verify that the certificates are there

certutil -L -d . -P "slapd-<host>-"

Enabling SSL on Directory Server

Information needed:

Certificate DB password: nssecret
Certificate Name: server-cert
Root DN: cn=dmgr
Root DN password: nssecret
Certificate directory: alias
Certificate prefix: slapd-<host>

Create LDIF as follows (attribute lines of one entry must be contiguous; a blank line separates entries):

dn: cn=RSA, cn=encryption, cn=config
changetype: add
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLToken: internal (software)
nsSSLPersonalitySSL: server-cert
nsSSLActivation: on

dn: cn=encryption, cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsCertFile
nsCertFile: alias/slapd-<host>-cert8.db
-
replace: nsKeyFile
nsKeyFile: alias/slapd-<host>-key3.db

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on

Apply to directory with:

ldapmodify -D <RootDN> -w <password> -f <file>

Create the file /var/opt/mps/serverroot/alias/slapd-<host>-pin.txt with the contents:

Internal (Software) Token:<password>

Restart directory server.

Capitan_Holy_Hippie at 2007-7-6 22:01:02
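The procedure in the post above, as an added Bourne shell script that is not code from either post: it generates the cn=config LDIF from variables, refuses to apply it unless `certutil -L` really lists both the CA and server certificate nicknames, and creates the pin file mode 0600 because it holds the NSS DB password in clear text. The function names, the HOST/SERVERROOT/ROOTPW/NSSPW environment variables, the `apply` argument and the /tmp/enable-ssl.ldif path are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from either post. Assumed layout: DS instance
# root $SERVERROOT, NSS DB in $SERVERROOT/alias with prefix "slapd-$HOST-";
# ROOTPW (Root DN password) and NSSPW (NSS DB password) come from the env.
set -e
HOST="${HOST:-dshost}"
SERVERROOT="${SERVERROOT:-/var/opt/mps/serverroot}"
PREFIX="slapd-${HOST}-"
ALIAS="$SERVERROOT/alias"

# Emit the cn=config LDIF that turns SSL on for nickname $1 with DB prefix $2.
# Attribute lines stay contiguous: a blank line ends an LDIF record.
gen_ssl_ldif() {
  nick="$1"; prefix="$2"
  printf '%s\n' \
    "dn: cn=RSA, cn=encryption, cn=config" "changetype: add" \
    "objectClass: top" "objectClass: nsEncryptionModule" "cn: RSA" \
    "nsSSLToken: internal (software)" "nsSSLPersonalitySSL: $nick" \
    "nsSSLActivation: on" "" \
    "dn: cn=encryption, cn=config" "changetype: modify" \
    "replace: nsSSL3" "nsSSL3: on" "-" \
    "replace: nsCertFile" "nsCertFile: alias/${prefix}cert8.db" "-" \
    "replace: nsKeyFile" "nsKeyFile: alias/${prefix}key3.db" "" \
    "dn: cn=config" "changetype: modify" \
    "replace: nsslapd-security" "nsslapd-security: on"
}

# Check that a `certutil -L` listing ($1) shows every nickname given after
# it; fail naming the first missing one, so SSL is never switched on against
# a DB that lacks the CA or server certificate.
certs_present() {
  listing="$1"; shift
  for n in "$@"; do
    printf '%s\n' "$listing" | grep -q "^$n[[:space:]]" || {
      echo "missing certificate nickname: $n" >&2; return 1; }
  done
}

# The real run happens only as `enable-ds-ssl.sh apply`; without the
# argument the script has no side effects.
if [ "${1:-}" = "apply" ]; then
  cd "$ALIAS"
  certs_present "$(certutil -L -d . -P "$PREFIX")" ca-cert server-cert
  gen_ssl_ldif server-cert "$PREFIX" > /tmp/enable-ssl.ldif
  ldapmodify -D "cn=dmgr" -w "$ROOTPW" -f /tmp/enable-ssl.ldif
  # The pin file holds the NSS DB password in clear text: create it 0600.
  umask 077
  printf 'Internal (Software) Token:%s\n' "$NSSPW" > "${ALIAS}/${PREFIX}pin.txt"
fi
```

After it finishes, restart the directory server as the post says; the pin file lets it open the key DB without prompting.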