[Fedora-directory-users] Automated script for complementing SSL HowTo

Tay, Gary Gary_Tay at platts.com
Wed Apr 12 10:20:20 UTC 2006


FDS Folks,

I wrote this script for the benefit of all.

Gary

> Content of cr_ssl_certs_fds1ldap.sh
> 
> #! /bin/sh
> #
> # cr_ssl_certs_fds1ldap.sh
> #
> # 1) Make sure 'root' is used to run this script
> # 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
> #
> #set -vx
> IS_ROOT_UID=`id | grep "uid=0(root)"`
> if [ ! -n "$IS_ROOT_UID" ]; then
>    echo "Please run this script as root"
>    exit 1
> fi
> if [ ! -f /home/ldap/dirmgr.pwd ]; then
>    echo "Please setup /home/ldap/dirmgr.pwd."
>    exit 1
> else
>    chmod 600 /home/ldap/dirmgr.pwd
> fi
> # Pls customize the followings
> HOST="ldap1"
> DOMAIN="example.com"
> BASEDN="dc=example,dc=com"
> FQDN="$HOST.$DOMAIN"
> ORG="Example Companies"
> LOCALITY="NewYork City"
> STATE="NewYork"
> COUNTRY="US"
> SLAPD_OWNER="nobody"
> SLAPD_GROUP="nobody"
> FDS1_PATH=/opt/fedora-ds
> LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
> export LD_LIBRARY_PATH
> PATH=$FDS1_PATH/shared/bin:$PATH; export PATH
> cd $FDS1_PATH/alias
> DOW=`date | cut -d' ' -f1`
> echo "Backing up existing *.db (if any) to backup_$DOW."
> mkdir -p backup_$DOW >/dev/null 2>/dev/null
> cp -p *.db backup_$DOW >/dev/null 2>/dev/null
> /bin/rm -f *.db >/dev/null 2>/dev/null
> echo "secretpwd" >pwdfile.txt
> chmod 600 pwdfile.txt
> echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt
> echo "Creating new security key3.db/cert8.db pair."
> ../shared/bin/certutil -N -d . -f pwdfile.txt
> echo "Generating encryption key."
> ../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
> echo "Generating self-signed CA certificate."
> ../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x \
>    -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
> echo "Generating self-signed Server certificate."
> ../shared/bin/certutil -S -n "Server-Cert" -s \
>    "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
>    -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
> echo "Renaming and linking modified security DBs."
> mv -f key3.db slapd-$HOST-key3.db
> mv -f cert8.db slapd-$HOST-cert8.db
> ln -s slapd-$HOST-key3.db key3.db
> ln -s slapd-$HOST-cert8.db cert8.db
> echo "Setting the correct ownership of security DBs"
> chown $SLAPD_OWNER:$SLAPD_GROUP *.db
> echo "Self-signed CA and SSL Server certs generated."
> echo ""
> echo "The following commands are OPTIONAL."
> echo "They are for backing up CA and Server Certs in PK12 format,"
> echo "exporting the CA Cert in ASCII format or DER format, and"
> echo "importing the CA Cert into the Admin Server"
> echo ""
> echo "---Start of OPTIONAL commands---"
> cat <<EOF >optional_cmds.txt
> ../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
> ../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
> ../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
>    -a > cacert.asc
> ../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
>    -r > cacert.der
> ../shared/bin/certutil -A -d . -P admin-serv-$HOST- -n "CA certificate" \
>    -t "CT,," -a -i cacert.asc
> EOF
> cat optional_cmds.txt
> echo "---End of OPTIONAL commands---"
> echo ""
> echo "Modifying server SSL configurations."
> echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
> # 'replace' works whether or not the attribute already exists, so a re-run
> # does not stop with "ldap_modify: Type or value exists" the way 'add' does
> cat <<EOF >/tmp/ssl_enable.ldif
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL3
> nsSSL3: on
> -
> replace: nsSSLClientAuth
> nsSSLClientAuth: allowed
> -
> replace: nsSSL3Ciphers
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
>  +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
>  +tls_rsa_export1024_with_des_cbc_sha
> -
> replace: nsKeyfile
> nsKeyfile: alias/slapd-$HOST-key3.db
> -
> replace: nsCertfile
> nsCertfile: alias/slapd-$HOST-cert8.db
> 
> dn: cn=config
> changetype: modify
> replace: nsslapd-security
> nsslapd-security: on
> -
> replace: nsslapd-ssl-check-hostname
> nsslapd-ssl-check-hostname: off
> 
> EOF
> ../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif
> cat <<EOF >/tmp/delRSA.ldif
> cn=RSA,cn=encryption,cn=config
> 
> EOF
> ../shared/bin/ldapdelete -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/delRSA.ldif
> [ $? -eq 0 ] && echo "deleting cn=RSA,cn=encryption,cn=config"
> cat <<EOF >/tmp/addRSA.ldif
> dn: cn=RSA,cn=encryption,cn=config
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: Server-Cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
> 
> EOF
> ../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif
> echo "Creating a pin.txt for auto-starting of slapd."
> echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
> chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
> chmod 400 slapd-$HOST-pin.txt
> echo ""
> echo "IMPORTANT NOTES:"
> echo ""
> echo "1. How to check if SSL Configurations are done properly?"
> echo "You may view config/dse.ldif after shutting down slapd"
> echo "to verify all the required SSL configurations are there."
> echo ""
> echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
> echo "If for any reason slapd fails to start due to SSL issue,"
> echo "you may edit config/dse.ldif after shutting down slapd"
> echo "and revert back to non-SSL configs."
> echo "i.e. set nsSSL3: off, nsslapd-security: off"
> echo "and then try to restart slapd."
> echo ""
> 
> =======Sample run.
> 
> # ./cr_ssl_certs_fds1ldap.sh
> Backing up existing *.db (if any) to backup_Wed.
> Creating new security key3.db/cert8.db pair.
> Generating encryption key.
> 
> 
> Generating key.  This may take a few moments...
> 
> Generating self-signed CA certificate.
> 
> 
> Generating key.  This may take a few moments...
> 
> Generating self-signed Server certificate.
> 
> 
> Generating key.  This may take a few moments...
> 
> Renaming and linking modified security DBs.
> Setting the correct ownership of security DBs
> Self-signed CA and SSL Server certs generated.
> 
> The following commands are OPTIONAL.
> They are for backing up CA and Server Certs in PK12 format,
> exporting the CA Cert in ASCII format or DER format, and
> importing the CA Cert into the Admin Server
> 
> ---Start of OPTIONAL commands---
> ../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o cacert.pfx -n "CA certificate"
> ../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o servercert.pfx -n "Server-Cert"
> ../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate"    -a > cacert.asc
> ../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate"    -r > cacert.der
> ../shared/bin/certutil -A -d . -P admin-serv-nj1net200plmon- -n "CA certificate"    -t "CT,," -a -i cacert.asc
> ---End of OPTIONAL commands---
> 
> Modifying server SSL configurations.
> NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
> modifying entry cn=encryption,cn=config
> ldap_modify: Type or value exists
> 
> deleting cn=RSA,cn=encryption,cn=config
> adding new entry cn=RSA,cn=encryption,cn=config
> 
> Creating a pin.txt for auto-starting of slapd.
> 
> IMPORTANT NOTES:
> 
> 1. How to check if SSL Configurations are done properly?
> You may view config/dse.ldif after shutting down slapd
> to verify all the required SSL configurations are there.
> 
> 2. How to fix slapd startup issue due to mis-configuration of SSL?
> If for any reason slapd fails to start due to SSL issue,
> you may edit config/dse.ldif after shutting down slapd
> and revert back to non-SSL configs.
> i.e. set nsSSL3: off, nsslapd-security: off
> and then try to restart slapd.
> 
> 
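The LDIF the script feeds to ldapmodify switches on every cipher suite the server knows, RC4, RC2, 40-bit export and single-DES suites included, and turns nsslapd-ssl-check-hostname off. As an added example that is not part of the original post or of the Fedora Directory Server code, the following Python audits such an LDIF fragment (the ssl_enable.ldif above, or the cn=encryption and cn=config entries copied out of config/dse.ldif after shutdown): it unfolds LDIF continuation lines, lists the enabled suites that are weak, and emits a hardened nsSSL3Ciphers value in which only the 3DES suites stay on. The function names, the weakness rules and SAMPLE_LDIF are this example's own assumptions; SAMPLE_LDIF is constructed from the values in the post.

```python
"""Audit the SSL settings an FDS-style LDIF leaves behind (added example,
not from the original post).  Weakness rules and names are this example's own."""
import base64
import re

# Substrings that mark a cipher token as weak or legacy.  Assumption: tokens
# follow the FDS 1.x naming seen in the post (rsa_rc4_40_md5, ...).
WEAK_MARKERS = {
    "null": "no encryption",
    "export": "export-grade key",
    "_40_": "40-bit key",
    "rc4": "RC4",
    "rc2": "RC2",
    "md5": "MD5 MAC",
    "fortezza": "Fortezza/Skipjack",
}
# 'des' not preceded by '3': single DES, but not 3DES.
SINGLE_DES = re.compile(r"(?<!3)des")


def classify(name):
    """Reasons a cipher token is weak; an empty list means acceptable."""
    n = name.lower()
    reasons = [why for marker, why in WEAK_MARKERS.items() if marker in n]
    if SINGLE_DES.search(n):
        reasons.append("single DES")
    return reasons


def parse_cipher_spec(spec):
    """Split an nsSSL3Ciphers value into (enabled, name) pairs."""
    pairs = []
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] not in "+-":
            raise ValueError("cipher token without +/- prefix: %r" % tok)
        pairs.append((tok[0] == "+", tok[1:]))
    return pairs


def harden_cipher_spec(spec):
    """Same list, same order, with every weak suite switched to '-'."""
    out = []
    for enabled, name in parse_cipher_spec(spec):
        keep = enabled and not classify(name)
        out.append(("+" if keep else "-") + name)
    return ",".join(out)


def unfold_ldif(text):
    """Yield (attr, value) pairs.  A line starting with one space continues the
    previous line (how a long cipher list must be folded in LDIF); '::' marks a
    base64 value.  Change-record separators ('-') and comments are skipped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    for line in logical:
        if not line or line.startswith("#") or line == "-":
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        yield attr.strip(), value.strip()


def audit_ssl_ldif(text):
    """Human-readable findings for the encryption-related attributes."""
    attrs = {}
    for attr, value in unfold_ldif(text):
        attrs.setdefault(attr.lower(), []).append(value)
    findings = []
    for spec in attrs.get("nsssl3ciphers", []):
        for enabled, name in parse_cipher_spec(spec):
            reasons = classify(name)
            if enabled and reasons:
                findings.append("weak cipher enabled: %s (%s)" % (name, ", ".join(reasons)))
    # Consulted when slapd itself is the SSL client (replication, chaining):
    # off means the peer's certificate name is never compared to its hostname.
    if attrs.get("nsslapd-ssl-check-hostname", ["on"])[-1].lower() == "off":
        findings.append("nsslapd-ssl-check-hostname is off: peer certificate names are not verified")
    return findings


# Constructed sample: the relevant part of the post's ssl_enable.ldif, with the
# cipher list folded across lines the way LDIF requires.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha

dn: cn=config
changetype: modify
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
"""

if __name__ == "__main__":
    for finding in audit_ssl_ldif(SAMPLE_LDIF):
        print(finding)
    spec = dict(unfold_ldif(SAMPLE_LDIF))["nsSSL3Ciphers"]
    print("hardened:", harden_cipher_spec(spec))
```

The hardened value keeps the original token order, so it can be dropped straight into a `replace: nsSSL3Ciphers` change record; on the sample it reports ten enabled weak suites plus the disabled hostname check, and leaves only rsa_3des_sha and rsa_fips_3des_sha switched on.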