Difference between revisions of "Enabling SSL Connection with Internal Database"

From Dogtag
Revision as of 23:15, 18 September 2015

Overview

This document describes the procedure to enable an SSL (LDAPS) connection between the PKI server and its internal database, the DS server.

Assumptions:

  • a DS server is already created with instance name pki-tomcat
  • a PKI server is already created with instance name pki-tomcat

Preparing Certificates

Preparing NSS Database

Store the NSS database password (in this procedure the Directory Manager's password) in pin.txt, so that DS can open its certificate database at startup without prompting:

$ echo "Internal (Software) Token:<Directory Manager's password>" > /etc/dirsrv/slapd-pki-tomcat/pin.txt
$ chown nobody:nobody /etc/dirsrv/slapd-pki-tomcat/pin.txt
$ chmod 400 /etc/dirsrv/slapd-pki-tomcat/pin.txt
    NOTE: Replace <Directory Manager's password> with the appropriate value!

Generating DS CA Certificate

Generate a self-signed CA certificate for the DS:

$ openssl req -newkey rsa:2048 -keyout dsca.key -nodes -x509 -out dsca.pem -subj "/CN=CAcert" -days 365

Package the DS CA certificate and its private key into a PKCS #12 file:

$ openssl pkcs12 -export -in dsca.pem -inkey dsca.key -out dsca.p12 -name "CA certificate" -passout pass:Secret123

Import the PKCS #12 file into the DS server's NSS database:

$ pk12util -i dsca.p12 -d /etc/dirsrv/slapd-pki-tomcat -K <Directory Manager's password> -W Secret123
    NOTE: Replace <Directory Manager's password> with the appropriate value!

Set the trust flags for the CA certificate (the C flag marks it as a trusted CA for SSL server certificates):

$ certutil -M -d /etc/dirsrv/slapd-pki-tomcat -n "CA certificate" -t "CTu,u,u"

Verify with the following command:

$ certutil -L -d /etc/dirsrv/slapd-pki-tomcat

Generating DS Server Certificate

Generate a certificate request for the DS server certificate:

$ openssl req -newkey rsa:2048 -keyout ds.key -nodes -new -out ds.csr -subj "/CN=$HOSTNAME"

Sign the request with the DS CA certificate (the validity period is set at signing time; without -days, openssl x509 issues a certificate valid for only 30 days):

$ openssl x509 -req -in ds.csr -CA dsca.pem -CAkey dsca.key -CAcreateserial -days 365 -out ds.pem

Package the server certificate and its private key into a PKCS #12 file (the nickname Server-Cert is referenced by nsSSLPersonalitySSL in the DS configuration below):

$ openssl pkcs12 -export -in ds.pem -inkey ds.key -out ds.p12 -name "Server-Cert" -passout pass:Secret123

Import the PKCS #12 file into the DS server's NSS database:

$ pk12util -i ds.p12 -d /etc/dirsrv/slapd-pki-tomcat -K <Directory Manager's password> -W Secret123
    NOTE: Replace <Directory Manager's password> with the appropriate value!

Verify with the following command:

$ certutil -L -d /etc/dirsrv/slapd-pki-tomcat

Configuring SSL Connection in DS

Configure DS to enable LDAPS (on the default secure port 636) using the Server-Cert server certificate:

$ ldapmodify -x -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF

Restart the DS server:

$ systemctl restart dirsrv@pki-tomcat.service

On Fedora, verify with mozldap-tools:

$ /usr/lib64/mozldap/ldapsearch -Z -h $HOSTNAME -p 636 -D "cn=Directory Manager" -w Secret123 \
    -P /etc/dirsrv/slapd-pki-tomcat -b "dc=example,dc=com" "(objectClass=*)"
    NOTE: Replace "dc=example,dc=com" with the appropriate value!

or openldap-clients compiled with OpenSSL:

$ echo TLS_CACERT dsca.pem > ldaprc
$ ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 \
    -b "dc=example,dc=com" "(objectClass=*)"
    NOTE: Replace "dc=example,dc=com" with the appropriate value!

On RHEL, verify with openldap-clients compiled with NSS (this uses the PKI server's NSS database as the trust store, so the DS CA certificate must already be imported into it as described in the next section):

$ LDAPTLS_CACERTDIR=/var/lib/pki/pki-tomcat/alias \
    ldapsearch -H ldaps://$HOSTNAME:636 -x -D "cn=Directory Manager" -w Secret123 \
    -b "dc=example,dc=com" "(objectClass=*)"
    NOTE: Replace "dc=example,dc=com" with the appropriate value!

Configuring SSL Connection in PKI Server

Import the DS CA certificate into the PKI server's NSS database, trusted as a CA for SSL so that the PKI server accepts the DS server certificate:

$ certutil -A -d /etc/pki/pki-tomcat/alias -n "Directory Server CA certificate" -t "CTu,u,u" -i dsca.pem

Verify with the following command:

$ certutil -L -d /etc/pki/pki-tomcat/alias

Configure the PKI server to use SSL by setting the following parameters in /var/lib/pki/pki-tomcat/<subsystem>/conf/CS.cfg:

internaldb.ldapconn.host=server.example.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
    NOTE: Replace server.example.com with the appropriate value!

Restart the PKI server:

$ systemctl restart pki-tomcatd@pki-tomcat.service

Verify with the following command:

$ pki cert-find
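
As an added post-configuration check (not part of this wiki page or of Dogtag itself), the following POSIX shell script audits the end state of the procedure above: it confirms that CS.cfg has the three internaldb.ldapconn parameters pointing at LDAPS, and that the DS CA certificate in the PKI server's NSS database carries the C trust flag, read from saved `certutil -L` output. The function names are my own, and the CS.cfg fragments and certutil listing it runs against are constructed samples.

```shell
#!/bin/sh
# Added audit script (not from the Dogtag wiki page):
#  check_internaldb_cfg - CS.cfg must point the PKI server at LDAPS (port 636, secureConn=true)
#  ca_trust_flags       - trust flags of a nickname in saved `certutil -L` output
#  ca_trusted_for_ssl   - the SSL trust field of that nickname must contain C

# Usage: check_internaldb_cfg <CS.cfg> <expected DS host>; prints each problem, returns 1 on any.
check_internaldb_cfg() {
    cfg=$1; want_host=$2; rc=0
    # If a key appears more than once, take the last occurrence.
    host=$(sed -n 's/^internaldb\.ldapconn\.host=//p' "$cfg" | tail -n 1)
    port=$(sed -n 's/^internaldb\.ldapconn\.port=//p' "$cfg" | tail -n 1)
    secure=$(sed -n 's/^internaldb\.ldapconn\.secureConn=//p' "$cfg" | tail -n 1)
    [ "$host" = "$want_host" ] || { echo "host='$host', expected '$want_host'"; rc=1; }
    [ "$port" = "636" ] || { echo "port='$port', expected 636 (LDAPS)"; rc=1; }
    [ "$secure" = "true" ] || { echo "secureConn='$secure', expected true"; rc=1; }
    return $rc
}

# Usage: ca_trust_flags <certutil -L output file> <nickname>; prints e.g. CTu,u,u, nothing if absent.
ca_trust_flags() {
    awk -v nick="$2" '
        # Certificate lines end in an SSL,S/MIME,JAR/XPI trust triple such as "CTu,u,u".
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            name = substr($0, 1, length($0) - length($NF))   # nickname may contain spaces
            sub(/[ \t]+$/, "", name)
            if (name == nick) print $NF
        }' "$1"
}

# Returns 0 when the SSL field (first of the three) for <nickname> contains C.
ca_trusted_for_ssl() {
    case $(ca_trust_flags "$1" "$2" | cut -d, -f1) in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed samples for a stand-alone run (not captured from a real instance).
write_samples() {
    printf 'internaldb.ldapconn.host=server.example.com\ninternaldb.ldapconn.port=389\ninternaldb.ldapconn.secureConn=false\n' > "$1/before.cfg"
    printf 'internaldb.ldapconn.host=server.example.com\ninternaldb.ldapconn.port=636\ninternaldb.ldapconn.secureConn=true\n' > "$1/after.cfg"
    printf 'Certificate Nickname    Trust Attributes\n    SSL,S/MIME,JAR/XPI\n\nDirectory Server CA certificate    CTu,u,u\nca_signing    CTu,Cu,Cu\nServer-Cert    u,u,u\n' > "$1/certutil.txt"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_internaldb_cfg "$tmp/before.cfg" server.example.com || echo "before.cfg: PKI server would not use LDAPS"
check_internaldb_cfg "$tmp/after.cfg" server.example.com && echo "after.cfg: OK"
ca_trusted_for_ssl "$tmp/certutil.txt" "Directory Server CA certificate" && echo "DS CA trusted for SSL"
rm -rf "$tmp"
```

On a real instance, save `certutil -L -d /etc/pki/pki-tomcat/alias` to a file and pass it, together with the subsystem's CS.cfg and the DS host, to the functions above.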
