[Fedora-directory-users] RE: some questions on using ssl with fds

Richard Megginson rmeggins at redhat.com
Sun Jan 15 22:03:57 UTC 2006


Bliss, Aaron wrote:

>I would say the machines are pretty locked down; I've run the bastille
>scripts against them, used CIS scoring tool to lock them down even more
>and they are of course behind our dmz....Normal users would never get a
>direct shell on the directory servers; the only other user that would
>have shell access to the boxes would be our security administrator.
>
Then it's probably ok, but an HSM would be better if you can afford it.

>Aaron 
>
>-----Original Message-----
>From: Richard Megginson [mailto:rmeggins at redhat.com] 
>Sent: Sunday, January 15, 2006 4:51 PM
>To: General discussion list for the Fedora Directory server project.
>Cc: Bliss, Aaron
>Subject: Re: [Fedora-directory-users] RE: some questions on using ssl
>with fds
>
>Bliss, Aaron wrote:
>
>>I'm happy to report that I got things working.  As noted in my slapd
>>log file,
>>
>>[15/Jan/2006:15:32:05 -0500] - Fedora-Directory/1.0.1 B2005.342.165 starting up
>>[15/Jan/2006:15:32:05 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>[15/Jan/2006:15:32:05 -0500] - Listening on All Interfaces port 636 for LDAPS requests
>>
>>After following the document listed below under the section labeled "Starting
>>the directory server with SSL enabled", both servers are accepting
>>requests on 389 and 636.
>>
>Excellent.
>
>>I have a question though; how much of a security threat would it pose
>>if I used a password file to start the directory server automatically?
>>
>That depends - how secure is your machine?
>
>>Thanks very much to the fds developers, mailing list users and the 
>>designers of documentation.
>>
>>Aaron
>>
>>-----Original Message-----
>>From: Bliss, Aaron
>>Sent: Sunday, January 15, 2006 2:26 PM
>>To: 'General discussion list for the Fedora Directory server project.'
>>Subject: RE: some questions on using ssl with fds
>>
>>I believe that I'm very close to getting this to work for me.  This is 
>>what I've done:
>>
>>1. created my own CA certificate by running this: openssl req -new -x509
>>-keyout private/cakey.pem -out cacert.pem
>>
>>2. using the gui, I followed the steps listed here
>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
>>under Obtaining and Installing server certificates, including the step
>>4 marked Trust the certificate authority.  Everything to this point
>>looks great; on each directory server the server certificates look fine,
>>including verifying that my new CA is listed and verified under the CA
>>certs tab.
>>
>>I believe at this point that each directory server will inherently 
>>trust each other's server certificate, as their own certificates were 
>>signed by my own CA.  Is this true?  If so, can someone tell me what 
>>the next step is to enable ssl replication between the 2 directory 
>>servers as well as secure client authentication?  Thanks very much.
>>
>>Aaron
>>
>>
>>-----Original Message-----
>>From: Bliss, Aaron
>>Sent: Friday, January 13, 2006 10:26 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: some questions on using ssl with fds
>>
>>These are some basic questions that I'm sure you guys will know how to
>>answer straight away.  Please forgive my ignorance, as I'm still trying
>>to understand how ssl works and how to get it to work in fds both for
>>my directory servers and clients.  First some background information.
>>I have 2 directory servers and several client servers.  My goal is to
>>get the directory servers to replicate using an encrypted link (they
>>are currently replicating great using the standard ldap port).  My second
>>goal is to have the client servers authenticate to the directory
>>servers using ssl.  I currently do not have a CA in my organization,
>>and would like to use self-signed keys to achieve the goals listed above.
>>I'm trying to understand how this is supposed to work; I took a look at
>>the howto
>>www.redhat.com/docs/manuals/dir-sever/ag/7.1/ssl.html#1087158 and have
>>just a few questions.
>>
>>Correct me if I'm wrong, but the way this will work is that I will 
>>first create a CA cert on directory server A (step 6), generate server 
>>certificate (step 7).  Next step will be to export the CA cert and
>>import into directory server B.   
>>
>>1. When creating the server cert at step 6, what are the appropriate 
>>values for the -n and -s switches, assuming that my company is named 
>>company.org.
>>
>>2. When creating the server certificate at step 7, what are the
>>appropriate values for the -n, -s and -c switches?
>>
>>3. What are the switches to use to export the CA certificate using
>>certutil, as well as the appropriate switches to import this certificate
>>on another server?
>>
>>4. Is it true that after importing the CA cert into directory server B
>>and generating a server certificate on this server, the 2 directory
>>servers will inherently trust each other as their server certificates
>>were generated from the same CA certificate?  If so, I believe that I
>>will then be able to create a replication link between the 2 directory
>>servers over an ssl link?
>>
>>5. How do I configure the client servers to use ldaps?  Do I need to
>>generate server certificates for each box?  If so, where are these
>>certificates stored on the client servers?  Thanks very much for your
>>help with this.
>>
>>Aaron
>>
>>www.preferredcare.org
>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>Power and Associates
>>
>>Confidentiality Notice:
>>The information contained in this electronic message is intended for
>>the exclusive use of the individual or entity named above and may
>>contain privileged or confidential information.  If the reader of this
>>message is not the intended recipient or the employee or agent
>>responsible to deliver it to the intended recipient, you are hereby
>>notified that dissemination, distribution or copying of this information
>>is prohibited.  If you have received this communication in error, please
>>notify the sender immediately by telephone and destroy the copies you
>>received.
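An added example, not code from this thread or from the Fedora Directory Server project: it walks the certutil steps behind questions 1 to 4 (CA cert with -n/-s, server cert with -n/-s/-c, export, import with trust on the second server) and adds the check behind the "how secure is your machine" answer, since a PIN file that starts the server unattended is readable by whoever can read the file. The cert DB directory, DB prefix, nicknames, subject names and PIN file name are assumptions modelled on an FDS 1.0-style install, not values from the thread.

```shell
#!/bin/sh
# Added example; not from the mailing-list thread. All paths, prefix, nicknames
# and subjects below are ASSUMED values, not taken from the thread.
set -eu

CERTDIR=/opt/fedora-ds/alias                       # assumed NSS cert/key DB directory
PREFIX=slapd-ds1-                                  # assumed instance DB prefix
CA_NICK="CA certificate"                           # -n for the CA cert (question 1)
CA_SUBJ="cn=Certificate Authority,o=company.org"   # -s for the CA cert
SRV_NICK="Server-Cert"                             # -n for the server cert (question 2)
SRV_SUBJ="cn=ds1.company.org,o=company.org"        # -s: CN must be the server's DNS name

# Step 6: self-signed CA (-x). Trust "CT,," marks it trusted to issue SSL server
# and client certs, which is what makes both servers accept each other's certs.
make_ca() {
    certutil -S -d "$CERTDIR" -P "$PREFIX" -n "$CA_NICK" -s "$CA_SUBJ" \
        -x -t "CT,," -v 120 -m 1001
}
# Step 7: server cert issued by the CA; -c names the issuer's nickname.
make_server_cert() {
    certutil -S -d "$CERTDIR" -P "$PREFIX" -n "$SRV_NICK" -s "$SRV_SUBJ" \
        -c "$CA_NICK" -t ",," -v 12 -m 1002
}
# Question 3: export only the CA's public cert as PEM (-L -a) ...
export_ca() {
    certutil -L -d "$CERTDIR" -P "$PREFIX" -n "$CA_NICK" -a > "$1"
}
# ... and import it on server B as a trusted CA (-A -t). Question 4: the trust
# comes from this trusted CA entry on each server, plus each server's own cert
# being issued by that CA; the private CA key never leaves server A.
import_ca() {
    certutil -A -d "$CERTDIR" -P "$PREFIX" -n "$CA_NICK" -t "CT,," -a -i "$1"
}

# Password-file question: the PIN file (assumed name $CERTDIR/${PREFIX}pin.txt)
# holds the key DB password in clear text, so anyone who can read it can unlock
# the server key. Returns 0 only if the file is owned by the server user and has
# no group/other permission bits at all.
pin_file_ok() {
    pinfile=$1; owner=$2
    [ -f "$pinfile" ] || return 1
    set -- $(ls -ld "$pinfile")           # mode links user group ...
    mode=$1; user=$3
    [ "$user" = "$owner" ] || return 1
    case "$mode" in ????------*) return 0 ;; *) return 1 ;; esac
}
```

Source the script on server A and run make_ca, make_server_cert and export_ca cacert.pem; copy the PEM to server B and run import_ca cacert.pem, then make_server_cert there with its own SRV_SUBJ. pin_file_ok is the check to run before relying on unattended SSL startup.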