
Subject: Re: solaris 10 SSL connections - msg#00189

List: linux.redhat.fedora.directory.user


These instructions work!!!

Thank you very much. Michael & George both have been very helpful.

Perhaps we can put these instructions up on a wiki, now that it's verified that they work for Solaris 10? I've sniffed the traffic; it definitely is encrypted.

The sad story is that the utils that come with Solaris 10 don't work. ldaplist and search don't recognize the cert db created by /usr/sfw/bin/certutil that comes with Solaris 10.



--- Michael Montgomery <mmontgomery@xxxxxxxxxxxxx> wrote:

> I'm really not sure if this will help, but here are the full instructions
> I used to get this working on a clean Solaris 9 install (I haven't given
> it a shot on Solaris 10 yet).
>
> Download the nspr, and nss packages for Solaris 9 here
> (http://sourceforge.net/project/showfiles.php?group_id=19386)
> and install them.
>
> Get the Sun ONE Resource Kit here:
> http://www.sun.com/download/products.xml?id=3f74a0db
> and install it.
>
> Next run these commands to set up your certificate database:
>
> # LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
> # /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap
>
> Add a hosts entry to /etc/hosts for the LDAP server, ** matching the
> certificate name ** (in my case, server-cert).
> You'll get this error, which will let you know the name you need to put
> in /etc/hosts (I couldn't 'pull' it from the cert in any way):
>
> Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: cert server name 'server-cert' does not match 'corporate-ds': SSL connection denied
>
> Get the CA cert from the directory using these commands:
>
> [root@corporate-ds alias]# pwd
> /opt/fedora-ds/alias
> [root@corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der
>
> Copy it to the Solaris server, and import it with this:
>
> # /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/
>
> Run this command to set the LDAP client settings on the machine:
>
> # ldapclient -v manual \
>     -a authenticationMethod=tls:simple \
>     -a credentialLevel=proxy \
>     -a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \
>     -a domainName=yourdomain.com \
>     -a followReferrals=false \
>     -a serviceSearchDescriptor="netgroup:ou=netgroup,dc=inside,dc=yourdomain,dc=com" \
>     -a preferredServerList=10.5.1.18 \
>     -a serviceAuthenticationMethod=pam_ldap:tls:simple \
>     -a proxyPassword=blahblahblah \
>     -a proxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com
>
> Restart ldap.client:
>
> # /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start
>
> That should do it. Test the settings with id, getent, or ldaplist (you must
> be root, or use sudo, to run ldaplist):
>
> # ldaplist -l passwd yournamehere
> (This should list your entry in the LDAP directory.)
>
> I hope this helps someone, and I'm sure I'll attempt to get Solaris 10
> working at some point soon.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>



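The quoted procedure, turned into a script with the checks a practitioner would want. This is an added example for this thread, not code from either poster. It assumes the Sun ONE certutil path and DER file location used in the quoted instructions and that openssl is in PATH (an assumption; the thread never uses openssl), and the `ldapclient list` sample inside it is constructed, not captured from a real host. It shows three things the quoted steps leave to guesswork: reading the subject CN directly from the DER certificate instead of provoking the CERT_VerifyCertName failure to learn the name, importing the CA with only the trust flags a client needs, and confirming after ldapclient has run that no bind method is plain `simple`, which would send the proxy password in the clear.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumptions (not stated in the thread): the Sun ONE certutil lives at
# /opt/sunone/lib/nss/bin/certutil, the DER CA cert was copied to $CA_DER,
# and openssl is in PATH. Override any of these via the environment.
CERTUTIL=${CERTUTIL:-/opt/sunone/lib/nss/bin/certutil}
DBDIR=${DBDIR:-/var/ldap}
CA_NICK="CA certificate"
CA_DER=${CA_DER:-/export/home/mmont/cert.der}

# 1. Pull both names out of the libldap failure quoted in the thread.
#    Prints "<name in cert> <name the client used>".
parse_verify_error() {
  printf '%s\n' "$1" |
    sed -n "s/.*cert server name '\([^']*\)' does not match '\([^']*\)'.*/\1 \2/p"
}

# 2. Read the subject CN straight from a DER certificate (what the poster
#    could not "pull" from the cert). Handles both "CN = x" and "/CN=x" forms.
cert_cn() {
  openssl x509 -inform DER -in "$1" -noout -subject 2>/dev/null |
    sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# 3. Create the NSS database if missing (certutil -N prompts for a DB
#    password, as in the thread) and import the CA with "CT,,": trusted to
#    issue SSL server (C) and client (T) certificates. The extra "u" flags
#    used in the thread mark a user certificate and are not needed for a
#    copied CA cert. The trailing -L confirms the import landed.
import_ca() {
  [ -f "$DBDIR/cert8.db" ] || "$CERTUTIL" -N -d "$DBDIR" || return 1
  "$CERTUTIL" -A -n "$CA_NICK" -i "$CA_DER" -t "CT,," -d "$DBDIR" &&
    "$CERTUTIL" -L -d "$DBDIR" -n "$CA_NICK" >/dev/null
}

# 4. Given `ldapclient list` output, return 0 only if every configured bind
#    method carries "tls:"; a bare "simple" would ship the proxy password
#    unencrypted even though the server cert was imported.
auth_uses_tls() {
  ! printf '%s\n' "$1" |
    grep -E '^NS_LDAP_(AUTH|SERVICE_AUTH_METHOD)=' |
    grep -v 'tls:' | grep -q .
}

# Constructed samples of `ldapclient list` output (not from a real host).
SAMPLE_OK='NS_LDAP_SERVERS= 10.5.1.18
NS_LDAP_AUTH= tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple'
SAMPLE_BAD='NS_LDAP_SERVERS= 10.5.1.18
NS_LDAP_AUTH= simple
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple'

# The real steps run only when invoked as "sh script.sh run" (root on the
# client); without "run" the file just defines the functions above.
if [ "${1:-}" = "run" ]; then
  import_ca || { echo "CA import failed" >&2; exit 1; }
  echo "CA cert CN: $(cert_cn "$CA_DER")"
  if auth_uses_tls "$(ldapclient list 2>/dev/null)"; then
    echo "all LDAP binds use TLS"
  else
    echo "WARNING: a non-TLS bind method is configured" >&2
  fi
fi
```

Run it as `sh script.sh run` on the client after copying cert.der over. Two caveats the thread does not spell out: the /etc/hosts entry only papers over a server certificate whose CN does not match the directory's real hostname, so issuing the server cert with that hostname as its CN removes both the hosts hack and the CERT_VerifyCertName failure; and `-a proxyPassword=...` on the ldapclient command line is visible in `ps` for the duration of the command and is stored under /var/ldap only obfuscated, not encrypted, so keep that directory root-only.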

