Configure TLS SSL 389 Directory Server CentOS

389 Directory server is an amazing MultiMaster LDAP solution. Out of the box 389 is not configured to use TLS/SSL, so we are going to walk through the setup process. Please note, that we are using this as a test, so we are using a self-signed certificate, but the directions should work for both scenarios.
login, and su to root

Generate the Self-Signed Certificate:
change to the necessary directory, and setup a few files for the CA

now generate the key/certificate

setup your certificate as appropriate

set permissions on the cert key

now we need to make sure certificate matching is disabled (unless you are using a full cert)

modify lines 85-88 as follows:

Generate and Self-Sign Certificate
launch the 389-console
open the directory server you were just working on, and click "Manage Certificates"
Servername –> Directory Server –> Manage Certificates

set, and REMEMBER the 1st time password

Under Server Certs, click "Request"
This step, select request manually

fill out the request wizard as follows:

enter a "token password" for the certificate

now save to file
/tmp/test389.domain.local.csr

click save, and then done.
now move the CSR to a usable directory within the CA

Authorize the Cert with the CA
 openssl ca -in /etc/pki/CA/crl/test389.domain.local.csr -out /etc/pki/CA/newcerts/test389.domain.local.crt  -keyfile /etc/pki/CA/private/ca-cert.key -cert /etc/pki/CA/certs/ca-cert.crt
you should see the following, if not double-check your steps

Install/Enable Certificate 389 Directory Server
launch the 389-console
Login to Directory Server –> Manage Certificates
The first thing you want to do is install the CA Cert from the CA Cert Tab

hit next


now our CA Cert is installed

now we need to install our Server Cert from the Server Cert Tab

next

enter the password from earlier when you were creating the CSR

Bam! Installed

Enable Server Encryption
Directory Server –> Encryption

** MAKE SURE TO SAVE YOUR CONFIGURATION!!! **
Enable PIN For Directory Service Restarts
389 requires a "pin" or password for the certificate in order to start encryption when the server restarts, here's what we need to do to configure that:
create a PIN File

enter the certificate password into the PIN file

change permissions on the PIN file so only root can read it

now restart the directory service to be sure, if there's an error, the service will not start

That's it! You have configured TLS/SSL On 389 directory Server

Comments

  1. Unknown24 August 2017 at 11:32

    When I run this he asked for password, "/etc/pki/CA/newcerts/test389.domain.local.crt" is blank when i check.
    openssl ca -in /etc/pki/CA/crl/test389.domain.local.csr -out /etc/pki/CA/newcerts/test389.domain.local.crt -keyfile /etc/pki/CA/private/ca-cert.key -cert /etc/pki/CA/certs/ca-cert.crt

    ReplyDelete
  2. Anonymous30 March 2018 at 03:42

    This comment has been removed by the author.

    ReplyDelete
  3. Anonymous19 September 2018 at 11:01

    I get private key not found when I run the Wizard

    ReplyDelete

Post a Comment

Popular posts from this blog

How to configure apache server in linux

Image
Apache is the most popular, secure, robust, reliable and powerful web server. Apache is used by more websites than all other web servers combined. RHEL6 includes Apache version 2.2 RHCE6 Exam objectives covered in this article HTTP/HTTPS Configure a virtual host. Configure private directories. Deploy a basic CGI application. Configure group-managed content. In this tutorial I will use three systems Server, linuxclient and windowclient from our LAB environment. I will configure Apache Web Server on Server system and test from inuxclient and windowclient system. If you want to check the network topology used in this article please check following article. Lab set up for RHCE 6 practice Installation of Apache Two packages are required for Apache server httpd mod_ssl elinks httpd package install Apache web server. mod_ssl is the additional package which required to create secure websites elinks is the additional package for text based we
Read more

A Guide to Buying a Motherboard

we have so many question about Motherboard. So first start with LGA. What is LGA   land grid array  ( LGA ) is a type of  surface-mount  packaging for  integrated circuits  (ICs) that is notable for having the pins on the  socket  (when a socket is used) rather than the integrated circuit. [1]  An LGA can be electrically connected to a  printed circuit board  (PCB) either by the use of a socket or by  soldering  directly to the board. LGA is used as a physical interface for microprocessors of the  Intel   Pentium 4  (Prescott), Intel  Xeon ,  Intel Core 2 ,  Intel Core  ( Bloomfield  and  Lynnfield ) and  AMD   Opteron  families. Unlike the  pin grid array  (PGA) interface found on most  AMD  and older  Intel  processors, there are no pins on the chip; in place of the pins are pads of bare gold-plated copper that touch protruding pins on the microprocessor's connector on the  motherboard . The most common Intel desktop LGA socket is dubbed  LGA 1150  (Socket H3), which is
Read more

RHEL 7

RHEL 7 ..... ************************RHCSA Version 7 **************** Initial configuration.txt: *you have been provided a virtual box named as serverX.example.com (hint:where X is your domain number) * password for both virtual machine should be "Postroll" *serverX.example.com provided with ip=172.25.X.10/255.255.255.0 *serverX.example.com are provided with gateway 172.25.254.254 & example.com dns domain with the IP: 172.25.254.254 gateway 172.25.0.1 netmask 255.255.255.0 nameserver 172.25.254.250 1) configure your systems that should be running Enforcing 2) create a new 100MB Physical partition mounted under /Gluster (Note because partition sizes are seldom exactly what is specified when they are created, any thing within the range of 70MB to 120MB is acceptable) 3) create a new 150MB swap partition f/s. (Note because partition sizes are seldom exactly what is specified when they are created, any thing within the range of 13
Read more