[Fedora-directory-users] Re: Trying to follow the howto ssl from wiki

Edward Capriolo edlinuxguru at gmail.com
Mon Jun 23 16:48:48 UTC 2008


Can anyone else point me to any how-to on this? This process seems to
be destructive: if anything goes wrong, fds will not start, making it
very hard to roll back the changes to the database. I end up just
removing the entire installation and starting over.

My fall back plan is to use stunnel or some other proxy.

On Fri, Jun 20, 2008 at 3:40 PM, Edward Capriolo <edlinuxguru at gmail.com> wrote:
> I was attempting to follow...http://directory.fedoraproject.org/wiki/Howto:SSL
> I first ran the script
> http://directory.fedoraproject.org/download/setupssl2.sh After
> completing fds would not start. I rein
> I eventually ended up reading the script and running every operation
> step by step. That was quite an ordeal. All the steps ran, however, with no
> errors.
>
> [root at ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
> Starting dirsrv:
>    ldapslave1...Warning: Incorrect PIN may result in disabling the token
> Enter PIN for Internal (Software) Token:
>
> I replaced the data inside pin.txt with :
>
> Internal (Software) Token:dirserv_cert_password
>
> But I am still getting the same message. Is this just a bogus message?
> Could the problem be elsewhere?
>
>
> Thanks in advance.
> (ps -ef ; w) | sha1sum > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>  (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' >
> /etc/dirsrv/slapd-ldapslave1/noise.txt
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/noise.txt
>  certutil -N -P new- -d /etc/dirsrv/slapd-ldapslave1 -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/key3.db
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/cert8.db
> chmod 600 /etc/dirsrv/slapd-ldapslave1/key3.db
> chmod 600 /etc/dirsrv/slapd-ldapslave1/cert8.db
> certutil -G -P new- -d /etc/dirsrv/slapd-ldapslave1 -z
> /etc/dirsrv/slapd-ldapslave1/noise.txt -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> certutil -S -P new- /etc/dirsrv/slapd-ldapslave1/ -n "CA certificate"
> -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d
> /etc/dirsrv/slapd-ldapslave1 -z /etc/dirsrv/slapd-ldapslave1/noise.txt
> -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> certutil -L -P new- -d /etc/dirsrv/slapd-ldapslave1 -n "CA
> certificate" -a > /etc/dirsrv/slapd-ldapslave1/cacert.asc
> pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o
> /etc/dirsrv/slapd-ldapslave1/cacert.p12 -n "CA certificate" -w
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> certutil -S -P new- -n "Server-Cert" -s
> "cn=ldapslave1.ops.ec.com,ou=Fedora Directory Server" -c "CA
> certificate" -t "u,u,u" -m 1001 -v 120 -d
> /etc/dirsrv/slapd-ldapslave1/ -z
> /etc/dirsrv/slapd-ldapslave1/noise.txt  -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> certutil -S -P new- -n "server-cert" -s
> "cn=ldapslave1.ops.ec.com,ou=Fedora Administration Server" -c "CA
> certificate" -t "u,u,u" -m 1002 -v 120 -d
> /etc/dirsrv/slapd-ldapslave1/ -z
> /etc/dirsrv/slapd-ldapslave1/noise.txt -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o
> /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -n server-cert -w
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/adminserver.p12
> chmod 400 /etc/dirsrv/slapd-ldapslave1/adminserver.p12
>
> cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt >
> /etc/dirsrv/slapd-ldapslave1/pin.txt
>
> chmod 400 /etc/dirsrv/slapd-ldapslave1/pin.txt
>
> mv /etc/dirsrv/slapd-ldapslave1/cert8.db
> /etc/dirsrv/slapd-ldapslave1/orig-cert8.db
> mv /etc/dirsrv/slapd-ldapslave1/key3.db
> /etc/dirsrv/slapd-ldapslave1/orig-key3.db
>
>
> certutil -N -d /etc/dirsrv/slapd-ldapslave1 -P admin-serv- -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db
> [root at ldapslave1 tmp]# chmod 600 /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db
>
> pk12util -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n
> server-cert -i /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -w
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> certutil -A -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n "CA
> certificate" -t "CT,," -a -i /etc/dirsrv/slapd-ldapslave1/cacert.asc
>
> cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt >
> /etc/dirsrv/slapd-ldapslave1/password.conf
>
> chmod 400 /etc/dirsrv/slapd-ldapslave1/password.conf
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/password.conf
>
> sed -e "s@^NSSPassPhrasDialog .*@NSSPassPhraseDialog
> file:/etc/dirsrv/slapd-ldapslave1/password/conf
>
> mv /etc/dirsrv/slapd-ldapslave1/new-key3.db
> /etc/dirsrv/slapd-ldapslave1/key3.db
> mv /etc/dirsrv/slapd-ldapslave1/new-cert8.db
> /etc/dirsrv/slapd-ldapslave1/cert8.db
>
>
> ldapmodify -x -h localhost -p 389 -D "cn=directory manager" -W <<EOF
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL3
> nsSSL3: on
> -
> replace: nsSSLClientAuth
> nsSSLClientAuth: allowed
> -
> add: nsSSL3Ciphers
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
>  +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
>  +tls_rsa_export1024_with_des_cbc_sha
>
> dn: cn=config
> changetype: modify
> add: nsslapd-security
> nsslapd-security: on
> -
> replace: nsslapd-ssl-check-hostname
> nsslapd-ssl-check-hostname: off
>
> dn: cn=RSA,cn=encryption,cn=config
> changetype: add
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: Server-Cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
>
> EOF
>
>
> [root at ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
> Starting dirsrv:
>    ldapslave1...Warning: Incorrect PIN may result in disabling the token
> Enter PIN for Internal (Software) Token:
>
> Any hints thanks!
>



