
Configuring SSL Connection in DS 1.3

Endi S. Dewata edited this page Sep 14, 2023 · 1 revision


Overview

This document describes the process to enable SSL on a DS 1.3 instance or earlier.

Generating SSL Certificate

Initializing NSS database in DS

Make sure the DS is stopped:

$ systemctl stop dirsrv@pki-tomcat.service

Store Directory Manager's password in password.txt:

$ echo Secret.123 > /etc/dirsrv/slapd-pki-tomcat/password.txt
$ chown nobody.nobody /etc/dirsrv/slapd-pki-tomcat/password.txt
$ chmod 400 /etc/dirsrv/slapd-pki-tomcat/password.txt

Store Directory Manager's password in pin.txt:

$ echo "Internal (Software) Token:Secret.123" > /etc/dirsrv/slapd-pki-tomcat/pin.txt
$ chown nobody.nobody /etc/dirsrv/slapd-pki-tomcat/pin.txt
$ chmod 400 /etc/dirsrv/slapd-pki-tomcat/pin.txt

Set the NSS database password:

$ certutil -W -d /etc/dirsrv/slapd-pki-tomcat -f /etc/dirsrv/slapd-pki-tomcat/password.txt

Generating DS certificate with NSS

A temporary self-signed DS certificate can be generated using NSS with the following command:

$ openssl rand -out noise.bin 2048
$ echo -e "0\n1\n2\n3\n9\ny\n" | \
  certutil -S -x \
  -d /etc/dirsrv/slapd-pki-tomcat \
  -f /etc/dirsrv/slapd-pki-tomcat/password.txt \
  -z noise.bin \
  -n "DS Certificate" \
  -s "CN=$HOSTNAME" \
  -t "CT,C,C" \
  -m $RANDOM \
  -1

Export the certificate with the following command:

$ certutil -L -d /etc/dirsrv/slapd-pki-tomcat -n "DS Certificate" -a > ds.crt

Generating DS certificate with OpenSSL

Alternatively, a temporary self-signed DS certificate can be generated using OpenSSL with the following command:

$ openssl req -newkey rsa:2048 -keyout ds.key -nodes -x509 -out ds.crt -subj "/CN=$HOSTNAME" -days 365

Import the DS certificate and key into a PKCS #12 file:

$ openssl pkcs12 -export -in ds.crt -inkey ds.key -out ds.p12 -name "DS Certificate" \
  -passout file:/etc/dirsrv/slapd-pki-tomcat/password.txt

Import the PKCS #12 file into the NSS database:

$ pk12util -i ds.p12 -d /etc/dirsrv/slapd-pki-tomcat \
  -k /etc/dirsrv/slapd-pki-tomcat/password.txt \
  -w /etc/dirsrv/slapd-pki-tomcat/password.txt

Set the trust flags for the DS certificate:

$ certutil -M -d /etc/dirsrv/slapd-pki-tomcat -n "DS Certificate" -t "CT,C,C"

Generating DS certificate with PKI CA

Alternatively, a permanent DS certificate can be generated by the CA running on top of the DS itself.

Generate a certificate request with the following command:

$ PKCS10Client -d /etc/dirsrv/slapd-pki-tomcat -p Secret.123 -a rsa -l 2048 -o ds.csr -n "CN=$HOSTNAME"

Restart the DS to allow the CA to process the request:

$ systemctl start dirsrv@pki-tomcat.service

Submit the request for a new DS certificate signed by the CA:

$ pki -d /etc/dirsrv/slapd-pki-tomcat ca-cert-request-submit --profile caServerCert --csr-file ds.csr

After approval, download the new DS certificate (this will be needed later):

$ pki cert-show <serial number> --output ds.crt

Download the CA certificate as well (this will also be needed later):

$ pki cert-show <serial number> --output ca.crt

Importing SSL certificate into DS

Make sure the DS is stopped:

$ systemctl stop dirsrv@pki-tomcat.service

Import the CA certificate downloaded earlier:

$ pki -d /etc/dirsrv/slapd-pki-tomcat -C /etc/dirsrv/slapd-pki-tomcat/password.txt \
  client-cert-import "CA Certificate" --ca-cert ca.crt

Import the new DS certificate downloaded earlier:

$ pki -d /etc/dirsrv/slapd-pki-tomcat -C /etc/dirsrv/slapd-pki-tomcat/password.txt \
  client-cert-import "DS Certificate" --cert ds.crt

Verify the import:

$ certutil -L -d /etc/dirsrv/slapd-pki-tomcat

Enabling SSL

Configuration

Make sure the DS is started:

$ systemctl start dirsrv@pki-tomcat.service

Enable secure connection with the following command:

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: DS Certificate
nsSSLToken: internal (software)
nsSSLActivation: on
EOF

Optionally, disable insecure connection with the following command:

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
-
replace: nsslapd-minssf
nsslapd-minssf: 56
-
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on
-
EOF

Restart the DS server:

$ systemctl restart dirsrv@pki-tomcat.service

Verification

Verify in the DS error log (/var/log/dirsrv/slapd-pki-tomcat/errors) that the DS started successfully with SSL:

[30/Jun/2016:00:23:31 +0200] - SSL alert: Security Initialization: Enabling default cipher set.
[30/Jun/2016:00:23:31 +0200] - SSL alert: Configured NSS Ciphers
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[30/Jun/2016:00:23:31 +0200] - 389-Directory/1.3.4.11 B2016.166.1911 starting up

Verify SSL connection with mozldap-tools and NSS database:

$ /usr/lib64/mozldap/ldapsearch -Z -h $HOSTNAME -p 636 \
  -D "cn=Directory Manager" -w Secret.123 \
  -P /etc/dirsrv/slapd-pki-tomcat \
  -b "dc=example,dc=com" -s base "(objectClass=*)"

or with openldap-clients and DS certificate:

$ LDAPTLS_CACERT=ca.crt \
  ldapsearch -H ldaps://$HOSTNAME:636 \
  -x -D "cn=Directory Manager" -w Secret.123 \
  -b "dc=example,dc=com" -s base "(objectClass=*)"

or with openldap-clients and NSS database:

$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-pki-tomcat \
  ldapsearch -H ldaps://$HOSTNAME:636 \
  -x -D "cn=Directory Manager" -w Secret.123 \
  -b "dc=example,dc=com" -s base "(objectClass=*)"

See Also