Enabling SSL Connection with Internal Database on New Instance

From Dogtag

Overview

This document describes the process to enable SSL connection with the internal database on a new PKI instance.

WARNING: The NSS database does not support concurrent modification. To prevent database corruption, make sure all processes using the NSS database (e.g. DS or PKI server) are stopped before generating certificate requests, importing certificates, or removing certificates.

For an existing PKI instance, see Enabling SSL Connection with Internal Database on Existing Instance.

Generating Temporary DS Certificate

If the DS has been installed but the PKI CA has not been installed, SSL can be enabled in the DS using a temporary self-signed certificate. Once the CA has been installed, the temporary self-signed certificate can be replaced with a permanent one issued by the CA.

Initializing NSS database

Make sure the DS is stopped:

$ systemctl stop dirsrv@pki-tomcat.service

Store Directory Manager's password in password.txt:

$ echo Secret.123 > /etc/dirsrv/slapd-pki-tomcat/password.txt
$ chown nobody.nobody /etc/dirsrv/slapd-pki-tomcat/password.txt
$ chmod 400 /etc/dirsrv/slapd-pki-tomcat/password.txt

Store Directory Manager's password in pin.txt:

$ echo "Internal (Software) Token:Secret.123" > /etc/dirsrv/slapd-pki-tomcat/pin.txt
$ chown nobody.nobody /etc/dirsrv/slapd-pki-tomcat/pin.txt
$ chmod 400 /etc/dirsrv/slapd-pki-tomcat/pin.txt

Set the NSS database password:

$ certutil -W -d /etc/dirsrv/slapd-pki-tomcat -f /etc/dirsrv/slapd-pki-tomcat/password.txt

Generating DS certificate with NSS

A temporary self-signed DS certificate can be generated using NSS with the following command:

$ openssl rand -out /etc/dirsrv/slapd-pki-tomcat/noise.bin 2048
$ certutil -S \
 -x \
 -d /etc/dirsrv/slapd-pki-tomcat \
 -f /etc/dirsrv/slapd-pki-tomcat/password.txt \
 -z /etc/dirsrv/slapd-pki-tomcat/noise.bin \
 -n "DS Certificate" \
 -s "CN=server.example.com" \
 -t "CT,C,C" \
 -m $RANDOM \
 -k rsa \
 -g 2048 \
 -Z SHA256 \
 --keyUsage certSigning,keyEncipherment

Export the certificate with the following command:

$ certutil -L -d /etc/dirsrv/slapd-pki-tomcat -n "DS Certificate" -a > ds.crt

Generating DS certificate with OpenSSL

Alternatively, a self-signed DS certificate can be generated using OpenSSL with the following command:

$ openssl req -newkey rsa:2048 -keyout ds.key -nodes -x509 -out ds.crt -subj "/CN=$HOSTNAME" -days 365

Import the DS certificate and key into a PKCS #12 file:

$ openssl pkcs12 -export -in ds.crt -inkey ds.key -out ds.p12 -name "DS Certificate" \
  -passout file:/etc/dirsrv/slapd-pki-tomcat/password.txt

Import the PKCS #12 file into the NSS database:

$ pk12util -i ds.p12 -d /etc/dirsrv/slapd-pki-tomcat \
  -k /etc/dirsrv/slapd-pki-tomcat/password.txt \
  -w /etc/dirsrv/slapd-pki-tomcat/password.txt

Set the trust flags for the DS certificate:

$ certutil -M -d /etc/dirsrv/slapd-pki-tomcat -n "DS Certificate" -t "CT,C,C"

Verification

Verify the DS certificate is self-signed:

$ certutil -L -d /etc/dirsrv/slapd-pki-tomcat -n "DS Certificate"

Issuer: "CN=server.example.com"
Subject: "CN=server.example.com"

Enabling Secure Connection in DS

Configuring SSL

Make sure the DS is started:

$ systemctl start dirsrv@pki-tomcat.service

Enable secure connection with the following command:

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: DS Certificate
nsSSLToken: internal (software)
nsSSLActivation: on
EOF

To use a different secure port:

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=config
changetype: modify
replace: nsslapd-secureport
nsslapd-secureport: 7902
EOF

Then add the SELinux policy:

$ /usr/sbin/semanage port -a -t ldap_port_t -p tcp 7902

Optionally, disable insecure connection with the following command:

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
-
replace: nsslapd-minssf
nsslapd-minssf: 56
-
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on
-
EOF

Restart the DS server:

$ systemctl restart dirsrv@pki-tomcat.service

Verification

Verify in the DS error log (/var/log/dirsrv/slapd-pki-tomcat/errors) that the DS started successfully with SSL:

[30/Jun/2016:00:23:31 +0200] - SSL alert: Security Initialization: Enabling default cipher set.
[30/Jun/2016:00:23:31 +0200] - SSL alert: Configured NSS Ciphers
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[30/Jun/2016:00:23:31 +0200] - 389-Directory/1.3.4.11 B2016.166.1911 starting up
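
The log above can be checked without reading it by hand. The script below is an added example, not part of this Dogtag page: it extracts the configured SSL version range and the "starting up" line from the error log, and warns when the minimum protocol is below TLS 1.2 (the default shown above is TLS1.0; on 389 DS the minimum is raised with the sslVersionMin attribute of cn=encryption,cn=config, which this page does not cover). The sample log lines are constructed from the output shown above.

```shell
# Added example, not part of the Dogtag page: check a DS error log for the
# SSL initialization lines shown above and flag a weak minimum TLS version.

# Print "ok <min> <max>" when the log contains a configured SSL version range
# followed by a "starting up" line; print "missing" otherwise.
ds_ssl_status() {
    range=$(grep 'SSL Initialization - Configured SSL version range' "$1" | tail -n 1)
    if [ -z "$range" ] || ! grep -q 'starting up' "$1"; then
        echo "missing"
        return 0
    fi
    min=$(printf '%s\n' "$range" | sed -n 's/.*min: \([^,]*\),.*/\1/p')
    max=$(printf '%s\n' "$range" | sed -n 's/.*max: \([^ ]*\).*/\1/p')
    echo "ok $min $max"
}

# Map an NSS protocol name to a comparable number (unknown names give -1).
tls_version_num() {
    case "$1" in
        SSL3)   echo 0 ;;
        TLS1.0) echo 10 ;;
        TLS1.1) echo 11 ;;
        TLS1.2) echo 12 ;;
        TLS1.3) echo 13 ;;
        *)      printf '%s\n' "-1" ;;
    esac
}

# Succeed only when the minimum protocol is TLS 1.2 or newer; min: TLS1.0 in
# the log above still allows a downgrade and should be raised (sslVersionMin).
tls_min_ok() {
    [ "$(tls_version_num "$1")" -ge 12 ]
}

# Constructed sample (three lines taken from the log shown above), for a dry run.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[30/Jun/2016:00:23:31 +0200] - SSL alert: Security Initialization: Enabling default cipher set.
[30/Jun/2016:00:23:31 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[30/Jun/2016:00:23:31 +0200] - 389-Directory/1.3.4.11 B2016.166.1911 starting up
EOF

status=$(ds_ssl_status "$SAMPLE_LOG")
echo "$status"                                   # ok TLS1.0 TLS1.2
case "$status" in
    ok*) set -- $status
         tls_min_ok "$2" || echo "WARNING: minimum protocol $2 is below TLS1.2" ;;
    *)   echo "WARNING: no SSL initialization found in log" ;;
esac
```

Point ds_ssl_status at /var/log/dirsrv/slapd-pki-tomcat/errors to run it against the real instance.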

Verify SSL connection with mozldap-tools and NSS database:

$ /usr/lib64/mozldap/ldapsearch -Z -h $HOSTNAME -p 636 \
  -D "cn=Directory Manager" -w Secret.123 \
  -P /etc/dirsrv/slapd-pki-tomcat \
  -b "dc=example,dc=com" -s base "(objectClass=*)"

or with openldap-clients and DS certificate:

$ LDAPTLS_CACERT=ds.crt \
  ldapsearch -H ldaps://$HOSTNAME:636 \
  -x -D "cn=Directory Manager" -w Secret.123 \
  -b "dc=example,dc=com" -s base "(objectClass=*)"

or with openldap-clients and the NSS database:

$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-pki-tomcat \
  ldapsearch -H ldaps://$HOSTNAME:636 \
  -x -D "cn=Directory Manager" -w Secret.123 \
  -b "dc=example,dc=com" -s base "(objectClass=*)"

Installing PKI with Secure DS Connection

See Installation with Secure Database Connection.

Replacing DS Certificate

This section describes the process to replace the DS certificate in the DS. This process can be used to replace the temporary self-signed DS certificate with a permanent DS certificate issued by the newly installed CA, or to replace an old DS certificate with a new one.

Generating new DS certificate

Make sure the DS is stopped before accessing the NSS database:

$ systemctl stop dirsrv@pki-tomcat.service

Generate a certificate request for the new DS certificate:

$ PKCS10Client -d /etc/dirsrv/slapd-pki-tomcat -p Secret.123 -a rsa -l 2048 -o ds.csr -n "CN=$HOSTNAME"

Restart the DS to allow the CA to process the request:

$ systemctl start dirsrv@pki-tomcat.service

Submit the request for a new DS certificate signed by the CA:

$ pki -d /etc/dirsrv/slapd-pki-tomcat ca-cert-request-submit --profile caServerCert --csr-file ds.csr

After approval, download the new DS certificate (this will be needed later):

$ pki cert-show <serial number> --output ds.crt

Download the CA certificate as well (this will also be needed later):

$ pki cert-show <serial number> --output ca.crt

Installing new DS certificate in DS

Make sure the DS is stopped:

$ systemctl stop dirsrv@pki-tomcat.service

Delete the old DS certificate:

$ certutil -F -d /etc/dirsrv/slapd-pki-tomcat -f /etc/dirsrv/slapd-pki-tomcat/password.txt -n "DS Certificate"

Import the CA certificate downloaded earlier:

$ pki -d /etc/dirsrv/slapd-pki-tomcat -C /etc/dirsrv/slapd-pki-tomcat/password.txt \
  client-cert-import "CA Certificate" --ca-cert ca.crt

Import the new DS certificate downloaded earlier:

$ pki -d /etc/dirsrv/slapd-pki-tomcat -C /etc/dirsrv/slapd-pki-tomcat/password.txt \
  client-cert-import "DS Certificate" --cert ds.crt

Restart DS:

$ systemctl start dirsrv@pki-tomcat.service

Removing old DS certificate from PKI

Stop PKI server:

$ systemctl stop pki-tomcatd@pki-tomcat.service

Remove the old DS certificate:

$ certutil -D -d /var/lib/pki/pki-tomcat/alias/ -n "DS Certificate"

Restart PKI server:

$ systemctl start pki-tomcatd@pki-tomcat.service

Verification

Verify the new DS certificate signed by the CA is installed in DS NSS database:

$ certutil -L -d /etc/dirsrv/slapd-pki-tomcat -n "DS Certificate"

Issuer: "CN=CA Signing Certificate,O=EXAMPLE"
Subject: "CN=server.example.com"
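
The two certutil -L checks on this page (the self-signed temporary certificate earlier, and the CA-issued replacement here) can be scripted. The following is an added example, not code from this page or from Dogtag: it compares the Issuer and Subject lines of certutil -L output and fails when the DS certificate is not the one expected at that stage. It assumes certutil -L prints the Issuer and Subject as quoted lines in the form shown above; the sample outputs are constructed.

```shell
# Added example, not part of the Dogtag page: decide from "certutil -L" output
# whether the DS certificate is the temporary self-signed one or the
# CA-issued replacement, so the verification can run unattended.

# Extract the value of a quoted "Field:" line (Issuer or Subject) from
# certutil -L output read on stdin.
cert_field() {
    sed -n "s/^ *$1: \"\(.*\)\"\$/\1/p" | head -n 1
}

# Print "self-signed" when Issuer equals Subject, "issued-by: <DN>" otherwise,
# or "unparsed" when the text carries no Issuer/Subject lines.
classify_cert() {
    issuer=$(printf '%s\n' "$1" | cert_field Issuer)
    subject=$(printf '%s\n' "$1" | cert_field Subject)
    if [ -z "$issuer" ] || [ -z "$subject" ]; then
        echo "unparsed"
    elif [ "$issuer" = "$subject" ]; then
        echo "self-signed"
    else
        echo "issued-by: $issuer"
    fi
}

# Succeed only if the certificate was issued by the expected CA DN; a
# self-signed DS certificate still in place once the CA exists is a finding.
expect_issuer() {
    [ "$(classify_cert "$1")" = "issued-by: $2" ]
}

# Run the check against a live NSS database (stop the DS first, as the
# warning at the top of the page requires).
classify_nss_cert() {
    classify_cert "$(certutil -L -d "$1" -n "$2")"
}

# Constructed samples mirroring the two verification outputs on this page.
TEMP_CERT='Issuer: "CN=server.example.com"
Subject: "CN=server.example.com"'
CA_ISSUED_CERT='Issuer: "CN=CA Signing Certificate,O=EXAMPLE"
Subject: "CN=server.example.com"'

classify_cert "$TEMP_CERT"        # self-signed
classify_cert "$CA_ISSUED_CERT"   # issued-by: CN=CA Signing Certificate,O=EXAMPLE
```

For the live instance, call classify_nss_cert /etc/dirsrv/slapd-pki-tomcat "DS Certificate" with the DS stopped.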

Verify the old DS certificate no longer exists in PKI NSS database:

$ certutil -L -d /var/lib/pki/pki-tomcat/alias

Verify PKI can connect to DS using the new DS certificate:

$ pki cert-find

See Also