Old 11-09-2010, 01:58 PM
Daniel Maher
 
duplicate existing ssl credentials on another server ?

Hello,

After having read through the Howto:SSL document on the 389 wiki, i went
ahead and set up SSL for my master instance - it works great, and i
couldn't be happier.

I have a slave set up to do read-only replication from the master ; now,
the wiki document has information on how to integrate the certificate
into a slave so that the replication can occur over SSL, which i'll no
doubt do, but that's not what i'm looking for advice on now.

What i'm interested in is actually duplicating the new SSL setup that
currently exists on the master. I realise that this sounds funny, but
the reason is simple : in our environment, all of the clients and
LDAP-aware applications are configured to send requests to a given
hostname (which is not the base FQDN of the LDAP server - it's another,
separate hostname entirely). If the master goes down, the slave
automatically has this separate hostname assigned to it.

(Put another way, it's a sort of poor-man's failover. It's far from
perfect, and everybody knows it, but that's what's there, so for now we
live with it. :P )

What i would appear to need, therefore, is to have the slave be able to
respond to incoming SSL requests with exactly the same credentials as
the master. Is this even possible, and if so, how would i go about
doing it ?

Thank you, all.


--
Daniel Maher <dma + 389users AT witbe DOT net>
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 11-09-2010, 02:11 PM
Angel Bosch Mora
 
duplicate existing ssl credentials on another server ?

you must create a certificate with additional hostnames with the -8 option.

you can view an example here:

http://docs.sun.com/app/docs/doc/819-5899/6n7uuth9p?l=en&n=1&a=view


----- Original message -----
> Hello,
>
> After having read through the Howto:SSL document on the 389 wiki, i
> went ahead and set up SSL for my master instance - it works great, and
> i couldn't be happier.
>
> I have a slave set up to do read-only replication from the master ;
> now, the wiki document has information on how to integrate the
> certificate into a slave so that the replication can occur over SSL,
> which i'll no
> doubt do, but that's not what i'm looking for advice on now.
>
> What i'm interested in is actually duplicating the new SSL setup that
> currently exists on the master. I realise that this sounds funny, but
> the reason is simple : in our environment, all of the clients and
> LDAP-aware applications are configured to send requests to a given
> hostname (which is not the base FQDN of the LDAP server - it's
> another, separate hostname entirely). If the master goes down, the
> slave automatically has this separate hostname assigned to it.
>
> (Put another way, it's a sort of poor-man's failover. It's far from
> perfect, and everybody knows it, but that's what's there, so for now
> we live with it. :P )
>
> What i would appear to need, therefore, is to have the slave be able
> to respond to incoming SSL requests with exactly the same credentials
> as the master. Is this even possible, and if so, how would i go about
> doing it ?
>
> Thank you, all.
>
>
> -- Daniel Maher <dma + 389users AT witbe DOT net>
> -- 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 11-09-2010, 02:27 PM
Gerrard Geldenhuis
 
duplicate existing ssl credentials on another server ?

>________________________________________
>From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Daniel Maher [dma+389users@witbe.net]
>Sent: 09 November 2010 14:58
>To: General discussion list for the 389 Directory server project.
>Subject: [389-users] duplicate existing ssl credentials on another server ?
>
>Hello,
>
>After having read through the Howto:SSL document on the 389 wiki, i went
>ahead and set up SSL for my master instance - it works great, and i
>couldn't be happier.

There is another document on the wiki which describes how to set up certificates for a vip.... that is similar to what you want to do. I can't find it at the moment but might be worth trolling through the wiki again.

Regards

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
 
Old 11-09-2010, 03:06 PM
Daniel Maher
 
duplicate existing ssl credentials on another server ?

On 11/09/2010 04:27 PM, Gerrard Geldenhuis wrote:

> There is another document on the wiki which describes how to set up certificates for a vip.... that is similar to what you want to do. I can't find it at the moment but might be worth trolling through the wiki again.

Actually, the SSL howto has a section on VIPs (the only hit on a search,
in fact) :
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name

I gave it a second read-through, and it would seem to indicate that alt
names can be IPs as well as hostnames (i thought it was only the latter
that was possible).

It would therefore appear to be possible to create a certificate
with a series of alt names - in my scenario, there would literally be
one hostname and two IP addresses.

Has anybody on the list done something similar ? Any advice ? Should
this just work outright ?

(p.s. Angel Bosch Mora - turns out you may have been right the first
time ! ).


--
Daniel Maher <dma + 389users AT witbe DOT net>
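An added example (not from the thread, and not 389 project code) of the certificate shape Daniel is describing: one SubjectAltName carrying the failover hostname plus two IP addresses, DER-encoded as a CA or certutil would emit it, then decoded and checked the way a connecting client matches the name it dialled against the entries. The hostname and addresses are constructed sample values, and only the Python standard library is used.

```python
import ipaddress
DNS_TAG, IP_TAG = 0x82, 0x87  # GeneralName [2] dNSName and [7] iPAddress context tags

def _der_len(n):  # DER length octets: short form below 128, else 0x81/0x82 long form
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")

def _read_tlv(buf, pos):  # one tag/length/value at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_san(entries):
    """[('dns', 'host'), ('ip', '192.0.2.1'), ...] -> DER-encoded SubjectAltName value."""
    body = b""
    for kind, value in entries:
        raw = value.encode("ascii") if kind == "dns" else ipaddress.ip_address(value).packed
        body += bytes([DNS_TAG if kind == "dns" else IP_TAG]) + _der_len(len(raw)) + raw
    return b"\x30" + _der_len(len(body)) + body  # SEQUENCE OF GeneralName

def decode_san(der):
    """Inverse of encode_san; GeneralName types other than dNSName/iPAddress are skipped."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == DNS_TAG:
            entries.append(("dns", val.decode("ascii")))
        elif tag == IP_TAG:
            entries.append(("ip", str(ipaddress.ip_address(val))))
    return entries

def san_covers(entries, requested):
    """Would a client that dialled `requested` (hostname or IP literal) accept this SAN?"""
    try:  # IP literals must match an iPAddress entry exactly, never a dNSName
        ip = ipaddress.ip_address(requested)
        return any(k == "ip" and ipaddress.ip_address(v) == ip for k, v in entries)
    except ValueError:
        host = requested.lower().rstrip(".")
    for kind, name in entries:  # hostnames: case-insensitive, wildcard only in the leftmost label
        name = name.lower()
        if kind == "dns" and (name == host or (name.startswith("*.") and
                host.count(".") == name.count(".") and host.endswith(name[1:]))):
            return True
    return False

# Constructed sample: the shared failover hostname plus the master's and slave's addresses
VIP_SAN = encode_san([("dns", "ldap.example.test"), ("ip", "192.0.2.10"), ("ip", "192.0.2.11")])
```

The sample SAN accepts connections made to ldap.example.test or to either address, but not to the servers' own FQDNs, so those would need their own dNSName entries in the same certificate if clients ever dial them directly.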
 
Old 11-09-2010, 03:19 PM
Gerrard Geldenhuis
 
duplicate existing ssl credentials on another server ?

>________________________________________
>From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Daniel Maher [dma+389users@witbe.net]
>Sent: 09 November 2010 16:06
>To: 389-users@lists.fedoraproject.org
>Subject: Re: [389-users] duplicate existing ssl credentials on another server ?
>
>On 11/09/2010 04:27 PM, Gerrard Geldenhuis wrote:
>
>> There is another document on the wiki which describes how to set up certificates for a vip.... that is similar to what you want to do. I can't find it at the moment but might be worth trolling through the wiki again.
>
>Actually, the SSL howto has a section on VIPs (the only hit on a search,
>in fact) :
>http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name
>
>I gave it a second read-through, and it would seem to indicate that alt
>names can be IPs as well as hostnames (i thought it was only the latter
>that was possible).
>
>It would therefore appear to be possible to create a certificate
>with a series of alt names - in my scenario, there would literally be
>one hostname and two IP addresses.
>
>Has anybody on the list done something similar ? Any advice ? Should
>this just work outright ?
>
>(p.s. Angel Bosch Mora - turns out you may have been right the first
>time ! ).

I have not done it before... good luck and may the force be with you. :-)

In all seriousness I don't know; if you get it working, then steps and pointers back to the list would be great.

Regards

 
Old 11-09-2010, 03:41 PM
Nathan Kinder
 
duplicate existing ssl credentials on another server ?

On 11/09/2010 08:06 AM, Daniel Maher wrote:
> On 11/09/2010 04:27 PM, Gerrard Geldenhuis wrote:
>
>
>> There is another document on the wiki which describes how to set up certificates for a vip.... that is similar to what you want to do. I can't find it at the moment but might be worth trolling through the wiki again.
>>
> Actually, the SSL howto has a section on VIPs (the only hit on a search,
> in fact) :
> http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name
>
> I gave it a second read-through, and it would seem to indicate that alt
> names can be IPs as well as hostnames (i thought it was only the latter
> that was possible).
>
> It would therefore appear to be possible to create a certificate
> with a series of alt names - in my scenario, there would literally be
> one hostname and two IP addresses.
>
> Has anybody on the list done something similar ? Any advice ? Should
> this just work outright ?
>
If you are using the same exact hostname for the second system, you
could just use the same certificate as the first system (or copy your
entire cert db). You then just need to enable SSL in "cn=config" on the
second system.
> (p.s. Angel Bosch Mora - turns out you may have been right the first
> time ! ).
 
