Baban's Weblog

Steps to setup SSL for Solaris LDAP client (certutil and openssl)

Directory server side

The following shows how to set up Sun Directory Server 5.2 and the Solaris LDAP client for SSL. I have tried to give openssl, certutil, PEM and DER examples (and Directory Server console steps in some places) that achieve the same result.

Latest Info

It has been quite some time since I wrote this entry. To keep up with the latest changes, I'm adding this section, where I will add links to recent articles on this topic. Thanks to everyone who has given me valuable feedback.
Bigadmin article on DSEE6.0 and LDAP name service with SSL
Ludovic's blog on Sun Directory server and Advanced Certificate Management
Bigadmin article on how to configure Solaris 8, 9, 10 as LDAP client

Assumptions

myhost.test.sun.com == fully qualified hostname of the Directory server.
/var/mps/serverroot == serverroot for the Directory server.
dc=sun,dc=com == Directory server already setup with this suffix
# openssl is delivered in /usr/sfw/bin on Solaris 10
# Please refer to appropriate manpages for description of various command-line options used below.

DER and PEM

DER: a binary format
PEM: base-64 encoded DER format with header and footer
certutil: Default is DER. For PEM, use "-a"
openssl: Default is PEM. For DER, use "-inform DER" and/or "-outform DER"
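Because certutil and openssl default to opposite formats, a practitioner often needs to check which one a file actually is before importing it. The following added example (not part of the original entry) detects PEM versus DER by looking for the PEM armor or a well-formed outer DER SEQUENCE, and converts between the two; the sample bytes are a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE (tag 0x30) holding two INTEGERs.
# It is NOT a real certificate; it only stands in for output such as cert.der.
SAMPLE_DER = bytes.fromhex("3006020101020102")

# PEM armor: header, base64 body, footer whose label matches the header.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_length_ok(data: bytes) -> bool:
    """Check that the outer SEQUENCE length field matches the buffer size."""
    if len(data) < 2:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the bytes of a cert/CSR file."""
    if PEM_RE.search(data):
        return "PEM"
    if data[:1] == b"\x30" and der_length_ok(data):
        return "DER"
    return "unknown"


def der_to_pem(der: bytes, label: bytes = b"CERTIFICATE") -> bytes:
    """Wrap DER in PEM header/footer with 64-column base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN " + label + b"-----\n" + body + b"\n-----END " + label + b"-----\n"


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armor of the first block found and base64-decode it."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem.decode("ascii"), detect_format(pem), detect_format(SAMPLE_DER))
```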

Create Test CA

1. openssl
# The /usr/sfw/bin/CA.pl script will create a directory structure either under the current working directory or under /etc/sfw/openssl depending upon the version of openssl you are using. I suggest checking the value of CATOP variable in /usr/sfw/bin/CA.pl.
If you want to create CA under /CA/cacertdb :
mkdir -p /CA/cacertdb; cd /CA/cacertdb
Modify CATOP in /usr/sfw/bin/CA.pl to /CA/cacertdb
Modify dir under [ CA_default ] in /etc/sfw/openssl/openssl.cnf to /CA/cacertdb
perl /usr/sfw/bin/CA.pl -newca
# Default name for CA cert is "cacert.pem"

2. certutil
# Create CA certificate DB
mkdir -p /CA/cacertdb
certutil -N -d /CA/cacertdb -P "ca-"
# Create a self-signed CA certificate
certutil -S -x -n "ca-cert" -s "cn=CA Certificate certutil,ou=TEST,o=Sun Microsystems Inc.,l=Menlo Park,st=CA,c=US" -t CTPu -v 120 -d /CA/cacertdb -P "ca-" -5
# when prompted, select (5) SSL CA and 'y' for critical extensions
# Export the CA cert into an output file in PEM format
certutil -L -d /CA/cacertdb -P "ca-" -n "ca-cert" -a > cacert.pem

Create NSS DB for Directory server

1. Console
Use the Directory server console => Manage Certificates. The DB is created when you use any of the certificate functions for the first time. With the new DS6.0 directory server, the NSS DB is created when the server instance is created, so this step won't be necessary.

2. certutil
certutil -N -d /var/mps/serverroot/alias -P "slapd-myhost-"
# Remember the password you have given

Generate Certificate Signing Request (CSR) for server cert

1. Console
Use the Directory server console => Manage Certificates to generate CSR and save it to a file

2. certutil
certutil -R -s "cn=myhost.test.sun.com,ou=TEST,o=Sun Microsystems Inc.,l=Menlo Park,st=CA,c=US" -o DER.csr -d /var/mps/serverroot/alias -P "slapd-myhost-"

3. openssl
# Generate 2048-bit RSA private key
openssl genrsa -out privkey.pem 2048
# OR Generate 2048-bit DSA private key
openssl dsaparam -out DSAparam.pem 2048
openssl gendsa -out privkey.pem DSAparam.pem
# Generate the certificate request
openssl req -new -key privkey.pem -out PEM.csr
# Display the content and public key from the certificate request
openssl req -in PEM.csr -text -pubkey

Sign CSR using Test CA

1. certutil
# Sign DER CSR
certutil -C -c "ca-cert" -i DER.csr -o ./cert.der -v 12 -d /CA/cacertdb -P "ca-" -5
# Sign PEM CSR
certutil -C -c "ca-cert" -a -i PEM.csr -o ./cert.pem -v 12 -d /CA/cacertdb -P "ca-" -5

2. openssl
openssl ca -policy policy_anything -cert cacert.pem -in PEM.csr -out ./cert.pem

Import signed certs into NSS DB

1. Console
Use Manage Certificates tab to import pem certificates

2. certutil
# Import PEM server cert
certutil -A -a -n "server-cert" -i ./cert.pem -t Pu -d /var/mps/serverroot/alias -P "slapd-myhost-"
# Import DER server cert
certutil -A -n "server-cert" -i ./cert.der -t Pu -d /var/mps/serverroot/alias -P "slapd-myhost-"
# Import PEM CA cert
certutil -A -a -n "ca-cert" -i cacert.pem -t CT -d /var/mps/serverroot/alias -P "slapd-myhost-"
# List the contents
certutil -L -d /var/mps/serverroot/alias -P "slapd-myhost-"
# List the contents of a specific cert
certutil -L -d /var/mps/serverroot/alias -P "slapd-myhost-" -n "server-cert"

3. openssl
# Import openssl certificates/keys into NSS DB. Convert cert, key and CA cert into pkcs12 format
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile cacert.pem -name "MY CERTIFICATE" -out mycert.p12
# Import it into NSS DB
pk12util -i mycert.p12 -d /var/mps/serverroot/alias -P "slapd-myhost-" -v

Enable SSL

1. Console
# From Configuration tab, select Encryption.
# Select "Enable SSL for this server"
# Select "Use this cipher family"
# Select Certificate
# Select "Do not allow client authentication" OR "Allow client authentication" but NOT "Require client authentication"
# Save and Restart the directory server from command line. You will be prompted for "Enter PIN for Internal (Software) Token"

# For automatic startup of SSL, add NSS DB password to the following file
cd /var/mps/serverroot/alias
vi slapd-myhost-pin.txt
Internal (Software) Token:your-NSSDB-password-here
chmod 400 slapd-myhost-pin.txt
directoryserver stop
directoryserver start

Run idsconfig

/usr/lib/ldap/idsconfig
# Assume: Naming Base DN: "dc=test,dc=sun,dc=com"      Domain: "test.sun.com"
# When prompted for Authentication Methods, choose at least one that starts with "tls:"
# Choose appropriate name for the profile (say tls-profile). The default name is "default".

Solaris Native LDAP client side

# Create NSS DB (Don't enter password. Just hit return)
certutil -N -d /var/ldap
chmod 444 /var/ldap/*
# Download the Test CA certificate on the client machine into a temporary location. Ex: /var/tmp/cacert.pem
# Add CA certificate to the NSS DB
certutil -A -n "ca-cert" -i /var/tmp/cacert.pem -a -t CT -d /var/ldap
# Verify that "myhost" is fully qualified. Else modify /etc/hosts (and if necessary /etc/nsswitch.conf)
getent hosts 11.22.33.44
11.22.33.44 myhost.test.sun.com
# Test with ldapsearch
ldapsearch -v -h myhost.test.sun.com -p 636 -Z -P /var/ldap/cert8.db -b "dc=sun,dc=com" -s base "objectclass=*"
# Initialize Native LDAP client using profile "tls-profile".
/usr/sbin/ldapclient init -a profileName=tls-profile -a domainname=test.sun.com -a proxyDN=cn=proxyagent,ou=profile,dc=test,dc=sun,dc=com -a proxyPassword=proxy 11.22.33.44
Comments:

Thanks a million! This works great! (I did the certutil route) One note - I had to set "Do not allow client authentication" in the GUI for things to work... might want to double-check this. I could be wrong, however.

Posted by Russ on October 30, 2005 at 02:34 AM PST #

Yes. You need to set "Do not allow client authentication" in GUI. But it should also work if you set "Allow client authentication" in GUI. Did you try that option? I know it does not work for the third GUI option, which is "Require client authentication".

Posted by baban on November 02, 2005 at 11:12 AM PST #

I have a question for you. After I executed the command to create the self signed CA cert with certutil I got the following error:

Generating key. This may take a few moments...

certutil: unable to generate key(s)
: An I/O error occurred during security authorization.


Any idea what may be causing this?

Posted by Jerrod on May 03, 2006 at 06:19 AM PDT #

Is it possible to do an SSL ldapsearch using just pubkey? If so... how can I extract pubkey from key3.db? thanks

Posted by tomas on May 03, 2006 at 07:37 AM PDT #

Jerrod / Baban:
There is a small error in the certutil route. When creating the self-signed CA cert the flag -d points to cacertdb and should point to /CA/cacertdb.
One question: Is it possible to configure with a truly self-signed certificate? I mean, this proc is for a normally signed certificate, but not from a commercial CA. I am trying ldap&ssl with self-signed and get stuck with a strange error message:
ldapsearch -vvv -h itrvgt01 -p 636 -D"cn=directory manager" -w <password> -P /opt/ldap/alias/slapd-itrvgt01-cert8.db -s base -b"c=es" "c=es" dn

ldapsearch: started Thu Aug 3 11:52:08 2006

LDAP Library Information -
Highest supported protocol version: 3
LDAP API revision: 2005
API vendor name: Sun Microsystems Inc.
Vendor-specific version: 5.11
LDAP API Extensions:
SERVER_SIDE_SORT (revision 1)
VIRTUAL_LIST_VIEW (revision 1)
PERSISTENT_SEARCH (revision 1)
PROXY_AUTHORIZATION (revision 1)
X_LDERRNO (revision 1)
X_MEMCACHE (revision 1)
X_IO_FUNCTIONS (revision 1)
X_EXTIO_FUNCTIONS (revision 1)
X_DNS_FUNCTIONS (revision 1)
X_MEMALLOC_FUNCTIONS (revision 1)
X_THREAD_FUNCTIONS (revision 1)
X_EXTHREAD_FUNCTIONS (revision 1)
X_GETLANGVALUES (revision 1)
X_CLIENT_SIDE_SORT (revision 1)
X_URL_FUNCTIONS (revision 1)
X_FILTER_FUNCTIONS (revision 1)

ldap_init( itrvgt01, 636 )
ldaptool_getcertpath -- /opt/ldap/alias/slapd-itrvgt01-cert8.db
ldaptool_getkeypath -- /opt/ldap/alias/slapd-itrvgt01-cert8.db
ldaptool_getdonglefilename -- (null)
ldap_simple_bind: Can't contact LDAP server
SSL error -5938 (Encountered end of file.)
Thanks!

Posted by jaume on August 08, 2006 at 04:33 AM PDT #

Thanks jaume for pointing the error in the certutil example. I have corrected the entry. To your question about using commercial CAs, I believe the same procedure should work except that you don't have to create the Test CA. I intentionally used a Test CA in the examples so that it could be replaced by commercial CA. As for self-signed certificates, you don't really need a Test CA. I don't know about the SSL error off the top of my head. If I do find any useful information I will post it here.

Posted by baban on August 16, 2006 at 04:00 PM PDT #

I just want to say Thank You for your detailed roadmap. With this, I've managed to setup Ubuntu OpenLDAP server w/ Solaris 10 client using TLS/SSL.

Kind regards,
Joerg

Posted by Joerg on December 06, 2006 at 02:37 AM PST #

I am running into a problem with idsconfig. I had my system all set, but I lost the admin password and was not able to access the console, so I re-installed the Directory Server 5.2 on Solaris 9. So, I installed it again, but now when I come to the part to run idsconfig, I get the following error message:

braveheart:./idsconfig
It is strongly recommended that you BACKUP the directory server before running idsconfig.
Hit Ctrl-C at any time before the final confirmation to exit.
Do you wish to continue with server setup (y/n/h)? [n] y
Enter the iPlanet Directory Server's (iDS) hostname to setup: braveheart
Enter the port number for iDS (h=help): [389]
ERROR: Invalid host or port: braveheart:389, Please re-enter!

Can anyone help me in trying to resolve this problem? Thanks

Posted by AJ on December 13, 2006 at 07:59 AM PST #

Excellent article, very useful information. One thing that I would suggest is to not change the mode of /var/ldap/* to 444. If you were to do so, then your ldap_client_cred file would be readable by everyone, and thus exposing the password hash and bind DN of the proxy user that is used to query the database. This file should be readable only by root. A suggestion would be to only change the cert*.db file and key*.db files to 444.

Posted by Tony on June 14, 2007 at 02:58 PM PDT #

This article totally saved my ass!!! Best source of information that I found so far about SSL and certificates for Sun-DS-5.2 on Solaris!! Tnx dude :)

Posted by xmc on July 28, 2007 at 08:13 PM PDT #

Baban, I just wanted to thank you for these instructions. I am conducting installation on many Sun servers using DSEE 6.2. The differences are notable but your guide is not outdated. Also I have few load balancing devices and SSL implementation. That leads me to suggest you a small addition about SSL certificates. It isn't easy to include subjectAltName within CSR. I found solution here: http://blogs.sun.com/Ludo/entry/directory_server_and_advanced_certificate If you'd include that information in here, that would complete this great article.

Posted by Ivan Arsenijevic on October 06, 2007 at 10:34 AM PDT #

Thanks Ivan. I have added the link you suggested to the Latest Info section at the start of this blog entry.

Posted by baban on October 15, 2007 at 12:07 AM PDT #

Baban, Great article. I followed your SSL route and I think it's great. For Solaris 9 it seems that the last section doesn't work; I followed another guide, http://www.sun.com/bigadmin/features/articles/nis_ldap_part2.jsp#P2, for that and it seems to go on about how Solaris 9 wants a cert7.db. Maybe you could test it if you wanted, but if you added that as well it would be an addition to a great article. Let me know what you think.

Posted by Kyle on December 28, 2007 at 08:29 AM PST #

Thanks Kyle. I've added the link you suggested in the "Latest info" section of this article.

Posted by baban on January 02, 2008 at 02:14 PM PST #

Baban, great information. I am unable to locate the -P option in ldapsearch on my Solaris SunOS 5.8 Generic_117350-35 sun4u sparc SUNW,Sun-Fire-15000 server. Could you please throw some light on versions of ldapsearch.

Posted by Arun Sacheti on January 18, 2008 at 12:44 PM PST #

Arun, This blog entry was written using /usr/bin/ldapsearch available in a standard Solaris 10 installation, which has a lot of changes compared to Solaris 8. If you have Sun Directory server installed I would recommend using the ldapsearch available under your directory server installation.

Posted by baban on January 31, 2008 at 11:17 AM PST #

Hi Baban, thanks a lot for the great info you posted here.

A few follow up questions:
1. Is there any way to specify a different SSL port number from the Solaris side? My LDAP server SSL service is running on a non-standard port (not 636).
2. Is there a way to configure (from Solaris OS side) to use startTLS? My LDAP server supports startTLS and one of the requirements is to use startTLS instead of SSL.

Thanks again!
- David

Posted by David on February 20, 2008 at 12:25 PM PST #

Hi David, Sorry, startTLS and TLS on non-default port is not currently supported by the Solaris LDAP client.

Posted by baban on February 27, 2008 at 04:13 PM PST #

Hi Baban, thank you for posting this information. I just have one question

In the "Sign CSR using Test CA" section you say to sign the PEM.csr with certutil. But I don't see where in the instructions to create PEM.csr by using certutil (I am trying to do it all with certutil).

Posted by mark on May 15, 2008 at 09:42 AM PDT #

I am using the following Sun Solaris Box
bash-2.05# uname -a
SunOS nutdldap01 5.9 Generic_117171-15 sun4u sparc SUNW,UltraAX-i2

I have followed the steps mentioned above and have successfully installed the certificates.

Now I want to run ldapsearch on the server itself on port 636.

I am running the command

/var/Sun/rim/shared/bin/ldapsearch -h localhost -p 636 -D "cn=directory manager" -w <password> -P /CA/cacertdb/ca-cert7.db -s base -b "cn=monitor" "objectclass=*"

But getting error as follows:

ldap_simple_bind: Can't contact LDAP server
SSL error -8101 (Certificate type not approved for application.)

How do I test the ldapsearch from the server itself?

Posted by Sumit Chakraborty on June 04, 2008 at 06:02 PM PDT #

How to find the database which contains the created users in Sun DirectoryServer?

Posted by Balaji on July 04, 2008 at 04:16 AM PDT #
