06-23-2008, 04:48 PM
"Edward Capriolo"

Trying to follow the howto ssl from wiki

Can anyone else point me to any how to on this? This process seems to
be destructive. If anything goes wrong fds will not start making it
very hard to roll back the changes to the database. I end up just
removing the entire installation and starting over.

My fall back plan is to use stunnel or some other proxy.

On Fri, Jun 20, 2008 at 3:40 PM, Edward Capriolo <edlinuxguru@gmail.com> wrote:
> I was attempting to follow...http://directory.fedoraproject.org/wiki/Howto:SSL
> I first ran the script
> http://directory.fedoraproject.org/download/setupssl2.sh After
> completing fds would not start. I rein
> I eventually ended up reading the script and running every operation
> step by step. That was quite an ordeal. All the steps ran, however, with no
> errors.
>
> [root@ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
> Starting dirsrv:
> ldapslave1...Warning: Incorrect PIN may result in disabling the token
> Enter PIN for Internal (Software) Token:
>
> I replaced the data inside pin.txt with :
>
> Internal (Software) Token:dirserv_cert_password
>
> But I am still getting the same message. Is this just a bogus message?
> Could the problem be elsewhere?
>
>
> Thanks in advance.
> (ps -ef ; w) | sha1sum > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' >
> /etc/dirsrv/slapd-ldapslave1/noise.txt
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/noise.txt
> certutil -N -P new- -d /etc/dirsrv/slapd-ldapslave1 -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/key3.db
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/cert8.db
> chmod 600 /etc/dirsrv/slapd-ldapslave1/key3.db
> chmod 600 /etc/dirsrv/slapd-ldapslave1/cert8.db
> certutil -G -P new- -d /etc/dirsrv/slapd-ldapslave1 -z
> /etc/dirsrv/slapd-ldapslave1/noise.txt -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> certutil -S -P new- /etc/dirsrv/slapd-ldapslave1/ -n "CA certificate"
> -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d
> /etc/dirsrv/slapd-ldapslave1 -z /etc/dirsrv/slapd-ldapslave1/noise.txt
> -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> certutil -L -P new- -d /etc/dirsrv/slapd-ldapslave1 -n "CA
> certificate" -a > /etc/dirsrv/slapd-ldapslave1/cacert.asc
> pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o
> /etc/dirsrv/slapd-ldapslave1/cacert.p12 -n "CA certificate" -w
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> certutil -S -P new- -n "Server-Cert" -s
> "cn=ldapslave1.ops.ec.com,ou=Fedora Directory Server" -c "CA
> certificate" -t "u,u,u" -m 1001 -v 120 -d
> /etc/dirsrv/slapd-ldapslave1/ -z
> /etc/dirsrv/slapd-ldapslave1/noise.txt -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> certutil -S -P new- -n "server-cert" -s
> "cn=ldapslave1.ops.ec.com,ou=Fedora Administration Server" -c "CA
> certificate" -t "u,u,u" -m 1002 -v 120 -d
> /etc/dirsrv/slapd-ldapslave1/ -z
> /etc/dirsrv/slapd-ldapslave1/noise.txt -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o
> /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -n server-cert -w
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/adminserver.p12
> chmod 400 /etc/dirsrv/slapd-ldapslave1/adminserver.p12
>
> cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt >
> /etc/dirsrv/slapd-ldapslave1/pin.txt
>
> chmod 400 /etc/dirsrv/slapd-ldapslave1/pin.txt
>
> mv /etc/dirsrv/slapd-ldapslave1/cert8.db
> /etc/dirsrv/slapd-ldapslave1/orig-cert8.db
> mv /etc/dirsrv/slapd-ldapslave1/key3.db
> /etc/dirsrv/slapd-ldapslave1/orig-key3.db
>
>
> certutil -N -d /etc/dirsrv/slapd-ldapslave1 -P admin-serv- -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db
> [root@ldapslave1 tmp]# chmod 600 /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db
>
> pk12util -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n
> server-cert -i /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -w
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> certutil -A -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n "CA
> certificate" -t "CT,," -a -i /etc/dirsrv/slapd-ldapslave1/cacert.asc
>
> cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt >
> /etc/dirsrv/slapd-ldapslave1/password.conf
>
> chmod 400 /etc/dirsrv/slapd-ldapslave1/password.conf
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/password.conf
>
> sed -e "s@^NSSPassPhrasDialog .*@NSSPassPhraseDialog
> file:/etc/dirsrv/slapd-ldapslave1/password/conf
>
> mv /etc/dirsrv/slapd-ldapslave1/new-key3.db
> /etc/dirsrv/slapd-ldapslave1/key3.db
> mv /etc/dirsrv/slapd-ldapslave1/new-cert8.db
> /etc/dirsrv/slapd-ldapslave1/cert8.db
>
>
> ldapmodify -x -h localhost -p 389 -D "cn=directory manager" -W <<EOF
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL3
> nsSSL3: on
> -
> replace: nsSSLClientAuth
> nsSSLClientAuth: allowed
> -
> add: nsSSL3Ciphers
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
> +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
> +tls_rsa_export1024_with_des_cbc_sha
>
> dn: cn=config
> changetype: modify
> add: nsslapd-security
> nsslapd-security: on
> -
> replace: nsslapd-ssl-check-hostname
> nsslapd-ssl-check-hostname: off
>
> dn: cn=RSA,cn=encryption,cn=config
> changetype: add
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: Server-Cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
>
> EOF
>
>
> [root@ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
> Starting dirsrv:
> ldapslave1...Warning: Incorrect PIN may result in disabling the token
> Enter PIN for Internal (Software) Token:
>
> Any hints thanks!
>

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
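The two complaints in the post are that the procedure is destructive (a failed run leaves an instance that will not start) and that dirsrv keeps prompting for the PIN even though pin.txt exists. The script below is an added example, not code from the post or from the Fedora Directory Server project: a pre-flight check to run before restarting dirsrv. It backs up the NSS database files so the instance can be rolled back, and it compares pin.txt against pwdfile.txt, since the server only finds the PIN when the token name in pin.txt is exactly `Internal (Software) Token` and the PIN matches the password that `certutil -N -f pwdfile.txt` created the key database with. One detail it catches: `sha1sum` reading standard input writes `<hash>  -`, so when pwdfile.txt is filled with `... | sha1sum > pwdfile.txt` the two spaces and the dash are part of the password. The instance directory layout and file names are the ones from the post; the pin.txt format is the `token:pin` form the setupssl2.sh howto uses (assumed here).

```shell
#!/bin/sh
# Added example (not from the original post or the Fedora DS project).
# Pre-flight checks for a dirsrv NSS cert database directory such as
# /etc/dirsrv/slapd-<instance>. Assumes the file names from the post:
# cert8.db, key3.db, pwdfile.txt and pin.txt ("token:pin", one line).

# Copy the NSS database files aside before any destructive step so a
# failed SSL setup can be rolled back instead of reinstalling the instance.
# $1 = instance directory, $2 = a tag for the backup names (e.g. a date stamp).
backup_nssdb() {
  dir="$1"; stamp="$2"
  for f in cert8.db key3.db secmod.db pin.txt; do
    if [ -f "$dir/$f" ]; then
      cp -p "$dir/$f" "$dir/$f.bak-$stamp"
    fi
  done
  return 0
}

# The password certutil -f read from pwdfile.txt: the first line, without
# its newline. Anything else on that line (such as the "  -" that sha1sum
# appends when hashing stdin) is part of the password.
pwdfile_password() {
  head -n 1 "$1"
}

# Token name and PIN from a "token:pin" pin.txt line.
pin_token() { head -n 1 "$1" | sed 's/:.*//'; }
pin_password() { head -n 1 "$1" | sed 's/^[^:]*://'; }

# Returns 0 when pin.txt is usable by dirsrv, 1 when the token name is
# wrong, 2 when the PIN differs from the password the key DB was created
# with. Either mismatch makes dirsrv fall back to prompting for the PIN.
check_pin_file() {
  dir="$1"
  tok=$(pin_token "$dir/pin.txt")
  if [ "$tok" != "Internal (Software) Token" ]; then
    echo "pin.txt token name is '$tok', expected 'Internal (Software) Token'" >&2
    return 1
  fi
  if [ "$(pin_password "$dir/pin.txt")" != "$(pwdfile_password "$dir/pwdfile.txt")" ]; then
    echo "pin.txt PIN does not match the password in pwdfile.txt" >&2
    return 2
  fi
  return 0
}

# Optional live check when nss-tools is installed: listing the private keys
# with the password file proves that password really unlocks key3.db, so a
# wrong password fails here rather than at dirsrv startup.
nss_unlock_check() {
  if ! command -v certutil >/dev/null 2>&1; then
    echo "certutil not installed, skipping live key DB check" >&2
    return 0
  fi
  certutil -K -d "$1" -f "$1/pwdfile.txt" >/dev/null
}

# Usage (hypothetical instance directory):
#   inst=/etc/dirsrv/slapd-ldapslave1
#   backup_nssdb "$inst" "$(date +%Y%m%d%H%M%S)"
#   check_pin_file "$inst" && nss_unlock_check "$inst" && echo "safe to restart"
```

Run it as root from the instance directory's owner context; if `check_pin_file` reports a PIN mismatch, rewrite pin.txt as `Internal (Software) Token:` followed by the exact first line of pwdfile.txt rather than a hand-typed password, then keep pin.txt mode 400 and owned by the user dirsrv runs as.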