client authentication using certificates
in order to verify a client certificate, the administrator's guide says that the certificate needs to be installed in the ldap directory server:
http://docs.sun.com/app/docs/doc/819-2629/6n4tgd1sv?q=CLI&a=view
is there a better (i.e. more detailed) description of how to do that somewhere?
By autohanda at 2007-11-27 0:10:30

# 1
I cannot recollect any.
docs.sun.com , Software category -> Web & Proxy Servers -> Web Server
is the place where you can get documentation about Web Server
http://docs.sun.com/app/docs/prod/sjs.websrv70#hic
or search in Google or this forum's archives.
Tell us where you are stuck, what you have done.
mva at 2007-7-11 16:12:01 >

# 2
i guess i am stuck right out of the box: i have a certificate - what is the ldapaddent command i should use to add it to the directory?
# 3
Which version of Sun's LDAP server are you using? You can find some documentation for the correct version in docs.sun.com.
Here is what I think you should do:
1. Use the admin console if you are not familiar with the LDAP server.
2. Go to the Directory Server installation directory and run ./start-admin
3. ./startconsole (launches the Directory Server Admin Console); log in with the "cn=Directory Manager" user id or "admin"
4. In the left panel, expand the "Server Group" node
5. Double click on the server entry you want to use
6. Go to the Directory tab, go to the suffix (o=xyz in my case) you have created the user in
7. Right click on the user in the right-side panel and choose "Edit with generic editor"
8. Add the binary cert: "userCertificate;binary" is the attribute name, the attribute description is "Certificate"
You can also create a file called test.ldif and import it using the ldapmodify command; here is an example:
# test.ldif: one complete user entry; import with ldapmodify -a (add) and a bind DN that may write to o=xyz
dn: uid=alpha,ou=People,o=xyz
nsUniqueId: ...
mail: alpha@xyz.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: iplanetReversiblePasswordobject
cn: Alpha Alpha
uid: alpha
givenName: Alpha
sn: Alpha
telephoneNumber: +1 000 000 1000
userPassword: {SHA}....
iplanetReversiblePassword: {DES}...
# double colon = the value is base64 encoded; the encoded bytes are the certificate in binary (DER) form
userCertificate;binary:: BINARY CERTIFICATE DATA
mva at 2007-7-11 16:12:01 >

# 4
thanks buddy - you got me in the ball park. i'll recount what i did - at the end i have a few small questions.
i am running directory server 6.0 - so i can't find ./start-admin and ./startconsole - instead i used:
o smcwebserver start
o https://localhost:6789
the directory server is not registered - so i cannot use the console - i use "ps -ef | grep slap" to discover 2 servers:
o /var/opt/SUNWdsee/dsins1
o /var/opt/SUNWdsee/dscc6/dcc/ads
i use the dscc console "more server actions->register existing server", but this fails because it cannot locate the dscc agent and advises me to run cacaoadm. i use "cacaoadm list-instances" to discover i have only one instance: default. i submit: cacaoadm start -i default.
i can then register /var/opt/SUNWdsee/dsins1 taking the defaults and providing the password for the directory server.
now i can see my directory server by selecting the Directory Server tab. i can also see the entry for a registered user by:
o selecting myhost:389
o selecting suffixes
o selecting mysuffix
o selecting "Browse Data"
o selecting o=mydomain
o selecting People
o selecting myuser
just like you said - i can see:
o userCertificate
o userPKCS12
o userSMIMECertificate
my questions:
o do i need to enable cacaoadm so that it starts at boot time?
o is the binary certificate the base 64 encoded pem certificate?
o do i delete the ascii header and trailer - or does it matter?
and finally the real question:
o i couldn't find this in the manual - where should i have looked for this?
thanks for taking the time to help me - we are bff.
# 5
Q 1: do i need to enable cacaoadm so that it starts at boot time?
Answer 1: I think Directory Server 6.0 has a lot of new features I have never had time to try it out. You need to ask in Directory Server alias.
http://forum.java.sun.com/forum.jspa?forumID=761
Q 2: is the binary certificate the base 64 encoded pem certificate?
Answer 2 : In my opinion, as the certificate will be sent by Directory Server to the Web Server and Web Server uses NSS and NSSDb, I think it should be pkcs12 format.
Q 3: do i delete the ascii header and trailer - or does it matter?
Answer 3 : Yes, the example I saw didn't have this ascii header and trailer. So I think you should remove the following two lines.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Q 4: i couldn't find this in the manual - where should i have looked for this?
Answer 4: I haven't seen this in any docs. Haven't searched LDAP server docs though. I collected bits and pieces of information and samples from our tests area.
mva at 2007-7-11 16:12:01 >
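The two answers above (post #3's test.ldif with its userCertificate;binary:: line, and post #5's advice to drop the BEGIN/END CERTIFICATE lines) fit together once you know what the attribute holds: the standard userCertificate attribute (RFC 4523) stores the X.509 certificate in its binary DER encoding, and in LDIF a double colon means "the value that follows is base64". The base64 text between the PEM armour lines is exactly the DER certificate, so stripping the header and trailer and joining the lines gives the value LDIF wants, as long as you also fold long lines the way LDIF requires (RFC 2849: 76 characters, continuation lines begin with one space). The Python below is an added example, not code from the thread or from Sun; it converts a PEM certificate to an ldapmodify change for an existing user. The certificate bytes are a constructed ASN.1 stand-in so the script runs offline, and the DN is the one from post #3.

```python
import base64

# Constructed stand-in for a DER-encoded certificate: a bare ASN.1 SEQUENCE
# containing INTEGER 1. It is NOT a real X.509 certificate; a real one comes
# out of `openssl x509 -in client.pem -outform DER`. It only lets the example
# run without any certificate file present.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

# The same bytes wrapped the way a CA hands a certificate out (PEM).
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armour lines and base64-decode the body to DER bytes."""
    body = []
    inside = False
    for line in pem.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
            continue
        if line == END:
            break
        if inside and line:
            body.append(line)
    if not body:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(body), validate=True)
    # Every DER certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
    # This catches the common mistake of base64-encoding the PEM *text*
    # (which would start with 0x2d, the '-' of the header) instead of the body.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not an ASN.1 SEQUENCE (not DER)")
    return der


def ldif_base64_value(attr: str, raw: bytes) -> str:
    """Render `attr:: <base64>` folded per RFC 2849: no line longer than 76
    characters, every continuation line starting with a single space."""
    text = f"{attr}:: " + base64.b64encode(raw).decode()
    lines = [text[:76]]
    rest = text[76:]
    while rest:
        lines.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(lines)


def unfold_base64_value(folded: str) -> bytes:
    """Reverse of ldif_base64_value: unfold the continuation lines and decode.
    Useful to check that what you are about to import round-trips."""
    joined = folded.replace("\n ", "")
    _, _, b64 = joined.partition(":: ")
    return base64.b64decode(b64, validate=True)


def certificate_modify_ldif(dn: str, pem: str) -> str:
    """Build an ldapmodify change that adds the certificate to an existing
    user entry (changetype: modify / add:, rather than a whole new entry)."""
    der = pem_to_der(pem)
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: userCertificate;binary",
        ldif_base64_value("userCertificate;binary", der),
        "",
    ])


if __name__ == "__main__":
    # Write the result to cert.ldif and feed it to ldapmodify with the usual
    # bind DN (-D) and file (-f) options of your directory server's client.
    print(certificate_modify_ldif("uid=alpha,ou=People,o=xyz", FAKE_PEM))
```

The changetype: modify form is the one you want when the user already exists in the directory, which is the situation in post #4; the full-entry LDIF in post #3 is for creating the user and certificate together. Checking the leading 0x30 byte does not prove the data is a certificate, only that it is DER-shaped; it will not tell a PKCS#12 bundle (also a SEQUENCE) apart from a bare certificate, so the input should still be the certificate itself.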

# 6
thanks mv for helping me - are you interested in the "java stars" - if so, i will try to figure out how to assign them to you.
# 7
I am interested in finding out if things worked for you. Telling others about how good our product is (if you feel it is) will be my stars :-)
mva at 2007-7-11 16:12:01 >

# 8
well - you got a good review here: http://www.serverwatch.com/sreviews/article.php/3671526