04-09-2006 07:17 PM
I am setting up RedHat (aka Netscape) Directory Server for use with LDAP-UX for client authentication. I have used the certutil program supplied to create the SSL certificates on a server. Then copied the db files to a test HP-UX client and configured LDAP-UX to use SSL, and it does so as expected.
I am now trying to set up "Multi-Master Replication" for the RH Directory Server with another RH Directory Server. However, I also need to do this over SSL. But I have no idea how to manage the certificates/keys on the two servers, nor how to configure the various HP-UX clients. E.g. how do I import certificates/keys onto the various HP-UX servers, and how do I import the keys/certs for the two RH directory servers?
NB that I have used the certutil tool to create what I think is called a "self-signed certificate", whatever that means. So I'm assuming I will need to use the certutil tool to do what I am hoping to achieve above.
So can anyone shed some light on SSL certificates and if possible, specifically mention how to manage them for the LDAP-UX clients and especially the RH Directory Servers so I can set up Multi-Master Replication over an SSL connection (using simple bind authentication).
Thank you very much.
- Andrew G
PS I have read the documentation and that is how I managed to get the LDAP-UX client working with SSL using certutil to create the certs. However, the documentation is vague and sketchy when it comes to addressing this particular topic, and my knowledge of how SSL works is sketchy to begin with. Ta
04-10-2006 10:41 AM
Re: SSL certs in RedHat Directory Server and multi-master replication
Managing replication - Replication over SSL
Managing SSL and SASL
BTW, a self-signed certificate is a certificate that was signed by the server that issues the certificate. Normally certificates are signed by a third-party entity like VeriSign, which ensures that the certificate is from the entity that claims to issue the certificate, increasing security because the clients that accept the certificate know that it was signed by another organization that ensures the authenticity of the certificate.
04-10-2006 12:00 PM
Re: SSL certs in RedHat Directory Server and multi-master replication
Yes, I have read those chapters, that's how I got SSL working with LDAP-UX, however, like I said above, those chapters don't really give specifics on how to set up replication over SSL. All it says is:
To use replication over SSL, you must first do the following:
• Configure both your supplier and consumer servers to use SSL.
• Configure your consumer server to recognize your supplier server's certificate as the supplier DN. You do this only if you want to use SSL client authentication rather than simple authentication.
However, the specifics on actually HOW to do this with certutil is not covered. That's why I'm asking if anyone here knows.
I know that typically you get a certificate from an authority so that you can verify the authenticity of the server, but you see I don't care about that. It's in a closed network, and all I care about is encrypted traffic. Plus, I don't want to pay for certificates, nor do I want to wait for them to arrive once ordered.
So if anyone knows about certutil, and how to import and export keys or anything like that, well, any help would be much appreciated.
Thanks.
- Andrew G
04-10-2006 12:08 PM
Re: SSL certs in RedHat Directory Server and multi-master replication
Do I run certutil on both servers, or do I run it twice on one server to generate the certs, then how do I transfer them etc?
These are the sorts of things I would be interested to see if anyone knows the answer to.
Thanks again all.
- Andrew G
04-11-2006 06:22 AM
certutil -N -P "CA-" -d /tmp -f keypassword.txt
That will leave you with /tmp/CA-cert8.db and /tmp/CA-key3.db. keypassword.txt should be a simple text file created beforehand containing the password that you want to lock your private key database with.
Next create the self-signed CA cert in the same db pair:
certutil -S -P "CA-" -d /tmp -n "CA Cert" -s "CN=CA Cert,O=Example Corp" -x -v 120 -t "CT,," -z noisefile.txt -f keypassword.txt
noisefile.txt should be created beforehand, it might contain random stuff from just typing randomly on the keyboard and is used to prime the random generator.
Now prepare to create the server certificates. Let's say you're creating for slapd-master and slapd-consumer.
cp /tmp/CA-cert8.db /tmp/slapd-master-cert8.db
cp /tmp/CA-cert8.db /tmp/slapd-consumer-cert8.db
cp /tmp/CA-key3.db /tmp/slapd-master-key3.db
cp /tmp/CA-key3.db /tmp/slapd-consumer-key3.db
Now create the server certificates, issued from the CA cert:
certutil -S -P "slapd-master-" -d /tmp -n "Server-Cert" -s "CN=host1.example.com,O=Example Corp" -c "CA Cert" -v 120 -t "u,u,u" -z noisefile.txt -f keypassword.txt
certutil -S -P "slapd-consumer-" -d /tmp -n "Server-Cert" -s "CN=host2.example.com,O=Example Corp" -c "CA Cert" -v 120 -t "u,u,u" -z noisefile.txt -f keypassword.txt
Then copy the server cert/key dbs to the right places:
cp /tmp/slapd-master-*.db /var/opt/netscape/servers/slapd-master/../alias/
cp /tmp/slapd-consumer-*.db /var/opt/netscape/servers/slapd-consumer/../alias/
The "-s" argument in the above certutil commands is important when creating server certificates: the CN component should match the exact hostname the clients will use. In this example the consumer hostname in the master's replication agreement would be "host2.example.com". If it doesn't match then the SSL client (replication master) will complain and refuse to complete the connection to the SSL server (replication consumer). You can disable that behavior with the nsslapd-ssl-check-hostname parameter in the DSE, but if you have full control over your environment you might as well use the right names.
Now for LDAP-UX, it doesn't need a server certificate because it doesn't listen on LDAPS. In SSL terms it acts as a client so it only needs to trust the issuer of the RHDS server certificate. You can use the CA-cert8.db and CA-key3.db:
cp /tmp/CA-cert8.db /tmp/cert8.db
cp /tmp/CA-key3.db /tmp/key3.db
A final note... This procedure leaves you with the CA private signing key in your server certificate databases. Everything is also using the same key database password. In a highly secure environment you would want to put your signing database somewhere for safekeeping, your server key databases would only hold the server's private key, and the LDAP-UX pair should hold only the public CA certificate.
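The closing note above describes a cleaner layout than the copy-the-CA-database recipe: the CA signing key stays in its own database, each directory server database holds only that server's key and certificate, and the LDAP-UX database holds only the public CA certificate. The script below is an added example that builds that layout with certutil; it is not the thread's own commands or anything shipped with RHDS or LDAP-UX. It swaps the thread's approach for a CSR flow (certutil -R in the server database, certutil -C in the CA database), so the CA private key never enters a server or client database. The work directory /tmp/rhds-pki, the hostnames host1/host2.example.com, the serial numbers, the password and the noise file are all constructed for the example. Recent NSS writes cert9.db/key4.db rather than the cert8.db/key3.db pairs shown in the thread; the certutil flags are the same.

```shell
#!/bin/sh
# Added example (not from the thread): separate CA, server and client NSS databases.
# All paths, hostnames, serial numbers and the password are constructed assumptions.
set -eu

WORK="${WORK:-/tmp/rhds-pki}"   # assumed scratch directory; override via environment
CA_NICK="CA Cert"
ORG="O=Example Corp"
VALID_MONTHS=120

# Password and entropy files, created with restrictive permissions (constructed values).
prepare_work() {
    umask 077
    mkdir -p "$WORK"
    PWFILE="$WORK/keypassword.txt"
    NOISE="$WORK/noisefile.txt"
    printf '%s\n' 'example-db-password' > "$PWFILE"
    dd if=/dev/urandom of="$NOISE" bs=512 count=1 2>/dev/null
}

# make_db DIR: empty NSS cert/key database pair locked with the password in $PWFILE
make_db() {
    mkdir -p "$1"
    certutil -N -d "$1" -f "$PWFILE"
}

# The CA keeps its signing key in $WORK/ca and only ever exports the public cert (ca.pem).
make_ca() {
    make_db "$WORK/ca"
    certutil -S -d "$WORK/ca" -n "$CA_NICK" -s "CN=CA Cert,$ORG" -x -t "CT,," \
        -v "$VALID_MONTHS" -k rsa -g 2048 -Z SHA256 -z "$NOISE" -f "$PWFILE"
    certutil -L -d "$WORK/ca" -n "$CA_NICK" -a -o "$WORK/ca.pem"
}

# issue_server NAME FQDN SERIAL: key pair and CSR are generated inside NAME's own
# database, the CSR is signed in the CA database, and only the issued certificate plus
# the public CA cert go back. CN must be the exact hostname the replication peer uses
# (the nsslapd-ssl-check-hostname point made in the thread).
issue_server() {
    name=$1; fqdn=$2; serial=$3; dir="$WORK/$name"
    make_db "$dir"
    certutil -R -d "$dir" -s "CN=$fqdn,$ORG" -k rsa -g 2048 -Z SHA256 \
        -z "$NOISE" -f "$PWFILE" -a -o "$WORK/$name.csr"
    certutil -C -d "$WORK/ca" -c "$CA_NICK" -i "$WORK/$name.csr" -a -o "$WORK/$name.pem" \
        -m "$serial" -v "$VALID_MONTHS" -Z SHA256 -f "$PWFILE"
    certutil -A -d "$dir" -n "$CA_NICK" -t "CT,," -a -i "$WORK/ca.pem"
    certutil -A -d "$dir" -n "Server-Cert" -t ",," -a -i "$WORK/$name.pem"
    # the chain must validate for SSL-server usage (-u V) before the database is shipped
    certutil -V -d "$dir" -n "Server-Cert" -u V
}

# LDAP-UX only acts as a TLS client, so its database gets the public CA cert and no key.
make_client_db() {
    make_db "$WORK/ldap-ux"
    certutil -A -d "$WORK/ldap-ux" -n "$CA_NICK" -t "CT,," -a -i "$WORK/ca.pem"
}

# has_cert DIR NICK: succeeds when the database contains a certificate with that nickname
has_cert() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

build_all() {
    prepare_work
    make_ca
    issue_server slapd-master   host1.example.com 1001
    issue_server slapd-consumer host2.example.com 1002
    make_client_db
}

# Run end to end only when asked, so the functions can also be sourced elsewhere.
if [ "${RHDS_PKI_RUN:-0}" = 1 ]; then
    build_all
    echo "databases written under $WORK"
fi
```

Run it with `RHDS_PKI_RUN=1 sh make_rhds_pki.sh` (file name assumed). The slapd-master and slapd-consumer directories are what go into each server's alias directory, the ldap-ux directory is what the HP-UX clients receive, and the ca directory stays offline; the same CA can issue further server certificates later by calling issue_server with a new serial number.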
04-11-2006 12:31 PM
Re: SSL certs in RedHat Directory Server and multi-master replication
I have followed what you said and played around with it and have managed to get the replication working over SSL.
Thank you so much for your help! I think this will do it.
- Andrew G