[Fedora-directory-users] question about SSL configuration with IP takeover HA setup

Richard Megginson rmeggins at redhat.com
Fri Sep 21 16:37:10 UTC 2007 

Ryan Braun wrote:
> On Thursday 20 September 2007 21:36, George Holbert wrote:
>
> Ok so I managed to create a new certificate using subjectAltName extenstions,  
> and it works as advertised.  I can run ldapsearchs on eastldap on both 
> eastldap0.
>
> Now my question is for generating certs for the other servers.  Now that I 
> have the CA cert on eastldap0,  I would assume I need to install the CA on 
> each additional server.  Can I just copy and paste the cacert.asc into the 
> manage certificate wizard?
>   
You cannot use the CA cert to generate server certs.  You need the CA 
cert and key.  This CA key was created when you created your initial CA 
cert.  The CA key is stored in the key3.db in which you initially 
created in steps 5 and 6 here - 
http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps

I would suggest you create all of your server certs using this initial 
CA cert and key.
cd /opt/fedora-ds/alias
serialnumber=1002
for server in serverFQDN ; do
  ../shared/bin/certutil -d . -S -n "Server-Cert-$server" -s 
"cn=$server,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" 
-m $serialnumber -v 120 -d . -z noise.txt -f pwdfile.txt
  # each cert must have a unique serial number
  serialnumber=`expr $serialnumber + 1`
  # export the new server cert+key
  ../shared/bin/pk12util -d . -o $server.p12 -n "Server-Cert-$server" -k 
pwdfile.txt -w pwdfile.txt
done

For all of the commands listed above, you may have to specify -P 
slapd-instance- if you are not using cert8.db and key3.db.

Then, copy each file $server.p12 to that $server, along with the 
cacert.asc file
Then, on each server:
cd /opt/fedora-ds/alias
../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w 
pwdfile.txt -k pwdfile.txt
# the -w argument is the file containing the password used to encrypt 
the .p12 file
# the -k argument is the file containing the password for the new key 
database
# you may use a different password for -k here - this is the same 
password used
# in your slapd-instance-pin.txt file

../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t "CT,," -a -i cacert.asc

# this imports your CA cert
> Then I would generate new certs for each server.  Now do I need to generate 
> the certs all from eastldap0?  or once the CA cert is installed on the rest 
> of the boxes,  am I able to generate the required certs on each box?  Is it 
> generally a good idea to keep all the cert creation in a central location?
>
> And for the clients,  all they need is the one cacert.asc to be able to 
> encrypt comms with each server?
>   
Yes.
> Thanks
>
> Ryan
>
>
>   
>> Each running FDS server instance will have just one SSL certificate.
>> If you want your server to identify with multiple names, you can either:
>> - Do a cert with subjectAltName extensions.
>> - Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com).
>>
>> LDAP / SSL client support for these varies, so you will probably want to
>> test both ways and see what works with better with your clients.
>> If it works for you, the subjectAltName method is probably preferable,
>> because you can precisely list the valid names for your server.
>>
>> Also, consider keeping it simple and just doing certs with single names
>> (e.g.,  one cert each for 'westldap.test.com' and 'eastldap.test.com'),
>> and installing that same cert on each server which should have that SSL
>> identity.  This is actually a pretty common way to do it, though it will
>> limit your ability to make SSL connections to individual nodenames, like
>> eastldap0.test.com (as you noticed).
>>
>> Ryan Braun wrote:
>>     
>>> Hey guys,  installed FDS on a couple debian servers this week and am
>>> liking it so far.  I have a couple questions regarding SSL/TLS setup with
>>> servers setup for  IP takeover type HA setup.  Keep in mind I have some
>>> experience with the LDAP side of things,  it's the ssl and all the
>>> different certs and whatnot that keeps me up at night.
>>>
>>> Essentially what I'm looking at is a 4 way multimaster setup,  ending up
>>> with 2 HA pairs of servers.  call them eastldap and westldap.   I've
>>> implemented the east side in my test lab and have it replicating and can
>>> pull any user info I need off the directory no problem.
>>>
>>> so
>>> eastldap0.test.com ip 192.168.0.11
>>> eastldap1.test.com ip 192.168.0.12
>>> and the virtual interface on whichever machine is master would be
>>> eastldap.test.com ip 192.168.0.10
>>>
>>> and then the exact same setup with the last 2
>>>
>>> westldap0.test.com ip 192.168.1.11
>>> westldap1.test.com ip 192.168.1.12
>>> westldap.test.com ip 192.168.1.10
>>>
>>> Once everything is setup and running clients would be primarily only
>>> connecting to either virtual interface west/eastldap using TLS over port
>>> 389 and the 4 masters replicating with encryption (not sure but I imagine
>>> this takes place on ldaps port).
>>>
>>> I followed the instructions on the howto:ssl page and created a cert
>>> located on eastldap0.  But instead of using the eastldap0.test.com as the
>>> cn,  I used eastldap.test.com.  Cert installed ok, made sure eastldap0
>>> was the HA master and restarted fds.
>>>
>>> When I copied over the cacert to a linux client,  I can run searches
>>> using ldapsearch -ZZ -h eastldap.test.com.  Server logs and wire sniffs
>>> confirm everything is coming back encrypted.  It seems to be behaving as
>>> expected, when I try ldapsearch -ZZ -h eastldap0.test.com,  it pukes with
>>> error 11 additional info: TLS: hostname does not match CN in peer
>>> certificate,  which is right as the name in the cert is
>>> eastldap.test.com.
>>>
>>> So it would appear I'm on my way,  I just am not sure about what certs I
>>> need now, and how to add them properly.  I would think I need at the very
>>> least
>>>
>>> eastldap0
>>> - eastldap0.test.com cert
>>> - eastldap.test.com cert
>>> eastldap1
>>> - eastldap1.test.com cert
>>> - eastldap.test.com cert
>>> westldap0
>>> - westldap0.test.com cert
>>> - westldap.test.com cert
>>> westldap1
>>> - westldap1.test.com cert
>>> - westldap.test.com cert
>>>
>>> I'm just not sure if that is the proper way to go about it.  Also,  I
>>> would like to have the clients to be able to have all the cacerts to be
>>> able to communicate with all virtual and physical address' if need be. 
>>> Later on,  I would be adding probably 5 or 6 consumer read only replicas
>>> inbetween the suppliers and the clients,  but one must walk before they
>>> run I guess :)
>>>
>>> Long post I know,  just trying to make sure I get all the important stuff
>>> out there.  Be kind if I was using the incorrect terminology for the
>>> certs/cacerts :)
>>>
>>> Ryan
>>>
>>> PS.  anyone have a good SSL for dummies reference that lays out what the
>>> heck is going on with SSL (pems,keys,certs,cacerts etc)
>>>
>>> --
>>>       
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>     
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20070921/f47473dc/attachment.bin>

More information about the Fedora-directory-users mailing list