Installation of Sun Directory Server Enterprise Edition (DSEE)

Installation of Sun Directory Server Enterprise Edition (DSEE) on Windows:-

Here are the complete steps :-

1. through command line
D:\Softwares\LDAP\DSEE.6.3.Windows-X86-full\DSEE_ZIP_Distribution>dsee_deploy.exe install -i C:\DSEE =============================================================================================================================================================
=============================================================================================================================================================
2. accept the license
Do you accept the license terms ? : yesCheck availability of port 11162Checking running Directory Server instancesChecking running Directory Proxy Server instancesUnzipping sun-ldap-base.zip ...Unzipping sun-ldap-perl.zip ...Unzipping sun-ldap-dsrk6.zip ...Unzipping sun-ldapcsdk-tools.zip ...Unzipping sun-ldapcsdk-dev.zip ...Unzipping sun-ldap-ljdk.zip ...Unzipping sun-ldap-jre.zip ...Unzipping sun-ldap-shared.zip ...Unzipping sun-ldap-shared-l10n.zip ...Unzipping sun-ldap-directory.zip ...Unzipping sun-ldap-directory-l10n.zip ...Unzipping sun-ldap-directory-config.zip ...Unzipping sun-ldap-directory-dev.zip ...Unzipping sun-ldap-mfwk.zip ...Unzipping sun-ldap-cacao.zip ...Unzipping sun-ldap-console-agent.zip ...Unzipping sun-ldap-console-cli.zip ...Unzipping sun-ldap-console-common.zip ...Unzipping sun-ldap-console-var.zip ...Unzipping sun-ldap-jdmk.zip ...Unzipping sun-ldap-directory-client.zip ...Unzipping sun-ldap-directory-client-l10n.zip ...Unzipping sun-ldap-proxy.zip ...Unzipping sun-ldap-proxy-l10n.zip ...Unzipping sun-ldap-proxy-client.zip ...Unzipping sun-ldap-proxy-client-l10n.zip ...Unzipping sun-ldap-console-gui.zip ...Unzipping sun-ldap-console-gui-help.zip ...Unzipping sun-ldap-console-gui-l10n.zip ...Unzipping sun-ldap-console-gui-help-l10n.zip ...Creating WAR file for Console
Configuring Cacao at D:/DSEE/dsee6/cacao_2Setting Cacao parameter jdmk-home with default value [D:\DSEE\dsee6\private]Setting Cacao parameter java-home with default value [D:\DSEE\jre]Setting Cacao parameter nss-lib-home with default value [D:\DSEE\dsee6\private\lib]Setting Cacao parameter nss-tools-home with default value [D:\DSEE\dsee6\bin]Registering DSCC agent into cacaoStarting Cacao if necessaryRegistering JESMF agent into CacaoInitializing JESMF...Registering DS in JESMF...Checking Cacao status...Deploying JESMF in Cacao...Deploying DS in JESMF...DS has been successfully registered in JESMF.Making a copy of dsee_deploy.exeMaking a copy of listrunnings.exeYou can now start your Directory Server InstancesYou can now start your Directory Proxy Server Instances
=============================================================================================================================================================
=============================================================================================================================================================
3. Create a Instance.

D:\DSEE\ds6\bin>dsadm create -p 1389 -P 636 D:\DSEE\instance

Warning: 636 is a privileged port ; make sure that user 'Raghuvir Kamath' has right to use it before running start subcommand

Choose the Directory Manager password:adminadmin

Confirm the Directory Manager password:adminadmin

Use 'dsadm start 'C:\DSEE\instance'' tado start the instance
=============================================================================================================================================================
=============================================================================================================================================================
4. Start the instance.

D:\DSEE\ds6\bin>dsadm start D:\DSEE\instance

Waiting for Directory Server instance 'D:/DSEE/instance' to start...Directory Server instance 'D:/DSEE/instance' started: pid=2816
=============================================================================================================================================================
=============================================================================================================================================================

5. Create a suffix

D:\DSEE\ds6\bin>dsconf create-suffix -e -h localhost -p 1389 dc=example,dc=comEnter "cn=Directory Manager" password:adminadmin =============================================================================================================================================================
=============================================================================================================================================================

6. Import the Example.ldif to the directory.

D:\DSEE\ds6\bin>dsconf import -e -h localhost -p 1389 D:\DSEE\ds6\ldif\Example.ldif dc=example,dc=comEnter "cn=Directory Manager" password:New data will override existing data of the suffix "dc=example,dc=com".Initialization will have to be performed on replicated suffixes.Do you want to continue [y/n] ? y## Index buffering enabled with bucket size 40## Beginning import job...## Processing file "D:\DSEE\ds6\ldif\Example.ldif"## Finished scanning file "D:\DSEE\ds6\ldif\Example.ldif" (160 entries)## Workers finished; cleaning up...## Workers cleaned up.## Cleaning up producer thread...## Indexing complete.## Starting numsubordinates attribute generation. This may take a while, please wait for further activity reports.## Numsubordinates attribute generation complete. Flushing caches...## Closing files...## Import complete. Processed 160 entries in 5 seconds. (32.00 entries/sec)
Task completed (slapd exit code: 0).
=============================================================================================================================================================
=============================================================================================================================================================

D:\DSEE\dsrk6\bin>dir

Volume in drive D has no label.

Volume Serial Number is 6C13-6887
Directory of D:\DSEE\dsrk6\bin
08/07/2008 03:41 PM

.08/07/2008 03:41 PM ..03/11/2008 03:53 PM 54,431 authrate.exe03/11/2008 03:53 PM 2,263 cities03/11/2008 03:53 PM 54,449 dsmlmodify.exe03/11/2008 03:53 PM 54,449 dsmlsearch.exe03/11/2008 03:53 PM 3,636 example.template08/07/2008 03:32 PM example_files03/11/2008 03:53 PM 60,238 first.names03/11/2008 03:53 PM 106,146 last.names03/11/2008 03:30 PM 54,431 ldapcmp.exe03/11/2008 03:30 PM 54,431 ldapcompare.exe03/11/2008 03:30 PM 54,431 ldapdelete.exe03/11/2008 03:30 PM 54,431 ldapmodify.exe03/11/2008 03:30 PM 54,431 ldappasswd.exe03/11/2008 03:30 PM 54,431 ldapsearch.exe03/11/2008 03:53 PM 54,449 ldapsubtdel.exe03/11/2008 03:53 PM 54,431 ldifxform.exe03/11/2008 03:53 PM 107,868 logconv03/11/2008 03:53 PM 54,449 makeldif.exe03/11/2008 03:53 PM 54,431 modrate.exe03/11/2008 03:53 PM 54,431 searchrate.exe03/11/2008 03:53 PM 3,259 solaris.template03/11/2008 03:53 PM 153 states03/11/2008 03:53 PM 525 streets08/07/2008 03:41 PM 37,854 test.ldif08/07/2008 03:31 PM 554 test.template 24 File(s) 1,084,602 bytes 3 Dir(s) 36,942,323,712 bytes free D:\DSEE\dsrk6\bin>makeldif -t test.template -o test.ldif

Processing complete.101 total entries written. =============================================================================================================================================================
=============================================================================================================================================================

D:\DSEE\dscc6\bin>dsccsetup ads-create

Choose password for Directory Service Manager:adminadmin

Confirm password for Directory Service Manager:adminadmin

Creating DSCC registry...

DSCC Registry has been created successfully

=============================================================================================================================================================
=============================================================================================================================================================
To Deploy WAR File with Tomcat

just copy the war file from D:\DSEE\var\dscc6 to C:\apache-tomcat-6.0.13\webapps.

Add the emphasized text in the ${CATALINA_BASE}/conf/web.xml file as shown below:

... jsp org.apache.jasper.servlet.JspServlet fork false xpoweredBy false ... enablePooling false 3

Add the following entries in System variables

CATALINA_HOME C:\apache-tomcat-6.0.13

CATALINA_BASE C:\apache-tomcat-6.0.13
Start the tomcat app server from C:\apache-tomcat-6.0.13\bin\startserver.bat
in the console u will see

INFO: Deploying web application archive dscc.warAug 13, 2008 12:30:03 PM org.apache.coyote.http11.Http11Protocol startINFO: Starting Coyote HTTP/1.1 on http-8080Aug 13, 2008 12:30:03 PM org.apache.jk.common.ChannelSocket initINFO: JK: ajp13 listening on /0.0.0.0:8009Aug 13, 2008 12:30:03 PM org.apache.jk.server.JkMain startINFO: Jk running ID=0 time=0/47 config=nullAug 13, 2008 12:30:03 PM org.apache.catalina.startup.Catalina startINFO: Server startup in 9208 ms

Steps to configure Open DS with SSL

Step 1 :- Create keystore

C:\Documents and Settings\Raghuvir Kamath> keytool -genkey -alias server-cert -keyalg rsa -dname "CN=compapps.india.sun.com,O=SMI,C=IN" -keystore keystore -storetype JKS
Enter keystore password:adminadmin
Re-enter new password:adminadmin

Enter key password for (RETURN if same as keystore password):

This will create "keystore" in the location C:\Documents and Settings\Raghuvir Kamath

Step 2:- Self sign the keystore

Self Sign the certificate using keytool

D:\LDAP\openDS>keytool -selfcert -alias server-cert -validity 1825 -keystore keystore -storetype JKS

Enter keystore password:adminadmin

Step 3 :-Export the public key

D:\LDAP\openDS>keytool -export -alias server-cert -file server-cert.txt -rfc -keystore keystore
Enter keystore password:
Certificate stored in file

Step 4:- Create a new truststore

keytool -import -alias server-cert -file server-cert.txt -keystore truststore -storetype JKS

Type yes when you are prompted about whether you want to trust the certificate.

This step is needed only if the SSL and StartTLS settings were not specified during installation or if you want to change those settings

Step 5:- Install Open DS

Install Open DS 1.0.0 from the web as webinstaller https://opends.dev.java.net/

Step 6:- Configure SSL during installation

While installing , configure OpenDS for SSL , use existing keystore , the one created in step 2. give the keystore as input. Refer screenshots for this.To Check if SSL and TLS is enabled on your LDAP server is use the statuspanel.bat from your LDAP server installation folder.

Configuring Open LDAP with SSL

Steps to configure Open LDAP with SSL

1. Install Open ssl on unix machine. ( here i have used a solaris sparc machine )

Get the software from http://www.sunfreeware.com/indexsparc10.html
" openssl-0.9.8j-sol10-sparc-local.gz "

Now login to your solaris sparc box as "root" , root access has to be there ,else it wont install.

run pkgadd command , to check if it working. then unzip the files using "gunzip filename"

run pkgadd -d openssl-0.9.8j-sol10-sparc-local and similarly install all the packages

This will get installed in /usr/local/ssl/ by default.

==========================================================================

2. Set the path on the unix machine to use this open ssl .

bash-3.00# PATH=$PATH:/usr/local/ssl/bin:.

bash-3.00# export PATH

bash-3.00# which openssl
/usr/local/ssl/bin/openssl

bash-3.00# echo $PATH
/usr/local/ssl/bin:.

======================================================================

3. Create a CA root certificate

bash-3.00# mkdir openldapcerts


bash-3.00# cd openldapcerts


bash-3.00$ pwd
/home/rk208995/openldapcerts

run the below command , enter the password as "adminadmin" , then enter country , state , city , for Common name , enter the FQDN of the local machine. here it is iecsoa1
At the end it asks for password again , enter "adminadmin"

bash-3.00$ /usr/local/ssl/misc/CA.sh -newca

CA certificate filename (or enter to create)


Making CA certificate ...

Generating a 1024 bit RSA private key

.............++++++

................++++++

writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase:adminadmin

Verifying - Enter PEM pass phrase:adminadmin

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----


Country Name (2 letter code) [AU]:IN

State or Province Name (full name) [Some-State]:Karnataka

Locality Name (eg, city) []:Bangalore

Organization Name (eg, company) [Internet Widgits Pty Ltd]:SMI

Organizational Unit Name (eg, section) []:SMI

Common Name (eg, YOUR name) []:iecsoa1.india.sun.com

Email Address []:


Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /usr/local/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/./cakey.pem:adminadmin

Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Apr 20 03:47:43 2009 GMT
Not After : Apr 19 03:47:43 2012 GMT
Subject:
countryName = IN
stateOrProvinceName = Karnataka
organizationName = SMI
organizationalUnitName = SMI
commonName = iecsoa1.india.sun.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2


Certificate is to be certified until Apr 19 03:47:43 2012 GMT (1095 days)


Write out database with 1 new entries

Data Base Updated

======================================================================
4. Create a CSR for the ldap server

Note: When asked for a 'Common Name', you must enter the ldap url in the following format,
ldaps://:
e.g. ldaps://ldapserver.com:636

This will create a csr “newreq.pem”

bash-3.00$ openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

Generating a 1024 bit RSA private key

.............................++++++

..................++++++

writing new private key to 'newreq.pem'

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:IN

State or Province Name (full name) [Some-State]:Karnataka

Locality Name (eg, city) []:Bangalore

Organization Name (eg, company) [Internet Widgits Pty Ltd]:SMI

Organizational Unit Name (eg, section) []:SMI

Common Name (eg, YOUR name) []:ldaps://iecsoa1.india.sun.com:636

Email Address []:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

An optional company name []:


bash-3.00$ ls

demoCA newreq.pem

=======================================================================

5.Use the CA to sign the CSR , enter password as "adminadmin"

bash-3.00$ /usr/local/ssl/misc/CA.sh -sign

Using configuration from /usr/local/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem:adminadmin

Check that the request matches the signature

Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 20 03:54:29 2009 GMT
Not After : Apr 20 03:54:29 2010 GMT
Subject:
countryName = IN
stateOrProvinceName = Karnataka
localityName = Bangalore
organizationName = SMI
organizationalUnitName = SMI
commonName = ldaps://iecsoa1.india.sun.com:636
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:4B:3E:75:0C:2F:CB:23:79:BB:3B:F2:61:61:63:F9:E9:F2:D9:91
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2


Certificate is to be certified until Apr 20 03:54:29 2010 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Certificate:

Data:

Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IN, ST=Karnataka, O=SMI, OU=SMI, CN=iecsoa1.india.sun.com
Validity
Not Before: Apr 20 03:54:29 2009 GMT
Not After : Apr 20 03:54:29 2010 GMT
Subject: C=IN, ST=Karnataka, L=Bangalore, O=SMI, OU=SMI, CN=ldaps://iecsoa1.india.sun.com:636
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:26:62:b3:3a:50:cb:0a:5d:c6:e0:b6:e6:72:
6a:6e:ba:a5:7f:6d:4e:e5:54:36:95:db:72:87:19:
8e:64:f3:07:81:f8:59:51:ef:03:0a:72:13:eb:dc:
8d:38:14:39:cc:ad:cb:16:db:f9:12:44:24:a7:c0:
c8:1e:8a:b6:b3:b3:b4:9e:aa:7f:b2:3e:76:80:8a:
19:70:02:2b:4d:c5:5f:e8:f3:83:71:51:05:61:37:
a1:1b:fd:85:91:6f:74:22:1b:01:e8:5e:e8:4d:15:
b2:9c:2e:f3:0e:c9:b6:a0:5b:8f:1c:4b:b9:ee:77:
bd:ea:69:5b:f9:83:1c:db:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:4B:3E:75:0C:2F:CB:23:79:BB:3B:F2:61:61:63:F9:E9:F2:D9:91
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2

Signature Algorithm: sha1WithRSAEncryption
15:fd:e0:f4:06:92:3d:57:72:1d:9e:43:53:b6:bd:c8:0e:35:
fa:7c:24:6a:c3:d9:f5:63:4d:00:74:de:80:86:4c:9e:7d:6f:
09:f7:cb:de:6c:6b:70:1f:d9:7c:62:98:79:5a:fa:68:96:a0:
a4:45:de:84:43:db:a8:01:d8:f8:45:33:dd:e8:ca:18:5d:51:
28:b2:51:28:45:07:c8:41:e5:72:1b:fd:6c:f3:df:0e:61:47:
e5:7f:ea:6d:ed:a8:15:91:bc:90:be:c8:00:1c:50:1a:ce:50:
be:ac:65:d5:23:96:12:f6:62:2f:9e:7f:24:38:1f:74:32:7d:
a9:0a

-----BEGIN CERTIFICATE-----
MIICyzCCAjSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJJTjES
MBAGA1UECBMJS2FybmF0YWthMQwwCgYDVQQKEwNTTUkxDDAKBgNVBAsTA1NNSTEe
MBwGA1UEAxMVaWVjc29hMS5pbmRpYS5zdW4uY29tMB4XDTA5MDQyMDAzNTQyOVoX
DTEwMDQyMDAzNTQyOVowfTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUthcm5hdGFr
YTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQwwCgYDVQQKEwNTTUkxDDAKBgNVBAsTA1NN
STEqMCgGA1UEAxMhbGRhcHM6Ly9pZWNzb2ExLmluZGlhLnN1bi5jb206NjM2MIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEJmKzOlDLCl3G4LbmcmpuuqV/bU7l
VDaV23KHGY5k8weB+FlR7wMKchPr3I04FDnMrcsW2/kSRCSnwMgeirazs7Seqn+y
PnaAihlwAitNxV/o84NxUQVhN6Eb/YWRb3QiGwHoXuhNFbKcLvMOybagW48cS7nu
d73qaVv5gxzb/wIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUw0s+dQwvyyN5
uzvyYWFj+eny2ZEwHwYDVR0jBBgwFoAU93cUHIbT806a7nzR44AnZlZLD9IwDQYJ
KoZIhvcNAQEFBQADgYEAFf3g9AaSPVdyHZ5DU7a9yA41+nwkasPZ9WNNAHTegIZM
nn1vCffL3mxrcB/ZfGKYeVr6aJagpEXehEPbqAHY+EUz3ejKGF1RKLJRKEUHyEHl
chv9bPPfDmFH5X/qbe2oFZG8kL7IABxQGs5Qvqxl1SOWEvZiL55/JDgfdDJ9qQo=
-----END CERTIFICATE-----


Signed certificate is in newcert.pem



bash-3.00$ ls

demoCA newcert.pem newreq.pem

==================================================================
6.This creates newcert.pem (server certificate signed by CA) with private key, newreq.pem

So far we have created only the certificates needs to be used by the openldap server. Lets see how to configure the openldap using this certificates ...

Stop the openldap if it is already running :-

bash-3.00# ps -ef | grep slapd

root 26718 26710 0 11:09:04 pts/2 0:00 grep slapd

root 7915 1 0 Apr 17 ? 0:00 ./slapd

bash-3.00# kill -9 7915


bash-3.00# ps -ef | grep slapd
root 26720 26710 0 11:09:28 pts/2 0:00 grep slapd


bash-3.00# netstat -an | egrep '389|636'


no process running on port 389 or 636

=======================================================================
7. Copy the certificates to the ldap directory

a ) Copy cacert.pem - CA root certificate from Demo CA folder to /usr/local/var/openldap-data
b ) rename newcert.pem to servercrt.pem
c ) rename newreq.pem to serverkey.pem
d ) Copy servercrt.pem and serverkey.pem to /usr/local/var/openldap-data

so /usr/local/var/openldap-data has 3 new files in it
cacert.pem , servercrt.pem , serverkey.pem


==============================================================================
8. Edit the slapd.conf file from /usr/local/etc/openldap and add the following entry in to it below the entry
"argsfile /usr/local/var/run/slapd.args "

TLSCipherSuite HIGH:MEDIUM:+SSLv2

TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem

TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem

TLSCertificateKeyFile /usr/local/var/openldap-data/serverkey.pem


# Client verification not required

TLSVerifyClient never


=================================================================================
9.Start the openldap server by using the following command

# cd /usr/local/libexec

# ../slapd -h “ldap://iecsoa1:389 ldaps://iecsoa1:636”

Enter PEM pass phrase:adminadmin


Check to see the processes are listening in the configured ports

# netstat -an | egrep '389|636'

10.12.185.65.389 *.* 0 0 49152 0 LISTEN

10.12.185.65.636 *.* 0 0 49152 0 LISTEN


Use any external ldap-browser to connect to the both the URLs and check.


=================================================================================
For the client side , we have to use the server certificate , So we have to create keystore and trustore

Steps to create Client Truststore and Keystore from Server certificate .

First Convert from pem to jks format

Now to create Client Trust - store and key store

1. bash-3.00# pwd

/usr/local/ssl/bin


bash-3.00# openssl pkcs8 -topk8 -nocrypt -in /usr/local/ssl/mycerts/demoCA/private/cakey.pem -inform PEM -out key.der -outform DER

Enter pass phrase for /usr/local/ssl/mycerts/demoCA/private/cakey.pem:adminadmin


bash-3.00# openssl x509 -in /usr/local/ssl/mycerts/demoCA/cacert.pem -inform PEM -out cert.der -outform DER

bash-3.00# ls

c_rehash cert.der key.der openssl

======================================================================
2. Create a keystore using the java program

java program can be found at here


======================================================================
3. To view the contents of the keystore use this command
C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -list -v -keystore keystore.jks

Enter keystore password:adminadmin


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: client
Creation date: Apr 20, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012
Certificate fingerprints:
MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]

]

#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false



*******************************************
*******************************************

======================================================================
4. use keytool to generate trust store ( note the default alias is "client" )

C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -export -alias client -storepass adminadmin -file client.cer -keystore keystore.jks

Certificate stored in file


======================================================================
Import the above certificate to a new Truststore named "trustore"

C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -import -alias client -file client.cer -keystore truststore

Enter keystore password:adminadmin

Re-enter new password:adminadmin

Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN

Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN

Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012

Certificate fingerprints:

MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]

]

#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

Trust this certificate? [no]: yes


Certificate was added to keystore

======================================================================
To View contents of the trustore

C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -list -v -keystore truststore
Enter keystore password:adminadmin

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: client
Creation date: Apr 20, 2009
Entry type: trustedCertEntry

Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012
Certificate fingerprints:
MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]

]

#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false



*******************************************
*******************************************


======================================================================

Installing Open LDAP 2.4.11 on SOLARIS SPARC

Steps :-

1. Download the binaries from http://www.sunfreeware.com/indexsparc10.html

or download all these from here :- Part1 and Part2

The download will contain the following packages -

db-4.2.52.NC-sol10-sparc-local.gz
openldap-stable-20080813.tgz
libgcc-3.4.6-sol10-sparc-local.gz
openssl-0.9.8j-sol10-sparc-local.gz
openldap-2.4.11-sol10-sparc-local.gz
sasl-2.1.21-sol10-sparc-local.gz

2. Now login to your solaris sparc box as "root" , root access has to be there ,else it wont install.

3. run pkgadd command , to check if it working. then unzip the files using "gunzip filename"

4. run pkgadd -d db-4.2.52.NC-sol10-sparc-local and similarly install all the packages

5. After installing all the packages , configure slapd.conf file based on your requirements .
slapd.conf can be located at /usr/local/etc/openldap

the sample slapd.conf will look like

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw adminadmin

directory /usr/local/var/openldap-data
index default pres,eq
index objectClass eq
index uid,cn,sn

6. Start slapd using the command from /usr/local/libexec
./slapd -f ../etc/openldap/slapd.conf

7. Now the connect the open ldap using our ldapbrowser
ensure that "append base dn" is checked .

8. After connecting import the following for the base dn

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: dcObject
objectClass: organization
o: root
ou: mostral

9. then import the actual data , sample would be like

dn: ou=mostral, dc=example,dc=com
ou: mostral
objectClass: top
objectClass: organizationalunit

dn: uid=scarter,ou=mostral, dc=example,dc=com
givenName: Sam
sn: Carter
telephoneNumber: +1 408 555 4798
userPassword:: e1NTSEF9UmIxZk9JL2x5TlQ3bGFEc0FKaEhJdEs4bW9LbkVBSWZEMWpNU0E9PQ
==
ou: Accounting
ou: mostral
l: Sunnyvale
roomNumber: 4612
mail: scarter@example.com
facsimileTelephoneNumber: +1 408 555 9751
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: scarter
cn: Sam Carter

Now open ldap 2.4.11 is ready to use with some sample data in it .

More on LDAP

For Sun - One LDAP 5.2 config

- For Add operation the credentials are :-

location = "ldap://localhost:1389"

principal = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

credential = "STC"

All about Open ESB

Architecture


NMR
Open ESB) hosts a set of pluggable component containers, which integrate various types of IT assets. These pluggable component containers are interconnected with a fast, reliable, in-memory messaging bus called the Normalized Message Router (NMR) also referred to as the JBI Bus.

Service Engines
Service Engines provide business logic and transformation services to other components, as well as consume such services.

Binding components
Binding components provide the ability to use communications protocols to both access remotely provided services, and allow remote service consumers to access services provided within the JBI environment

A Binding Component may choose to implement one or more communications protocols, offering connectivity services to SEs and thereby enabling SEs to expose their services to remote consumers as well as enabling the consumption of remote services.

JBI
- Java Business Integration (JBI) is a specification developed under the Java Community Process (JCP) for an approach to implementing a service-oriented architecture (SOA). The JCP reference is JSR 208 for JBI 1.0 and JSR 312 for JBI 2.0.
-JBI provides an environment in which plug-in components reside.
-JBI provides for interoperation between plug-in components by means of message-based service invocation.
-JBI provides a set of services to facilitate management of the JBI environment, including the installed components. This includes component installation and life cycle management services.
-the JBI environment is a container for service engines and binding components.

JBI Architecture
JBI Components
-NMR
-Service Engines
-Binding components
-Shared Libraries

Normalized Message Exchange

Delivery Channel
A DeliveryChannel represents a bidirectional communication pipe used by bindings and engines to communicate with the NMR.

Message Flow
Service Unit
Service Unit (SU) jar files package the artifacts to deploy to a specific container/component.

Descriptor - JBI.xml
The descriptor can declare what services are consumed/provided with the deployment of this SU

Service Assembly or Composite Application
A collection of service units.

Composite Application / Component Life Cycle

All About LDAP

** Directory
Directory is like a dictionary; it allows one to look up a name and retrieve items of information associated with that name.
Names in a directory are organized in a hierarchical tree.

**Object and classes :- Data stored in LDAP is stored in objects. These objects contain a number of attributes, which are basically a set of key/value pairs.

** Directory service
A directory service is simply the software system that stores and organizes information in a directory, and provides access to that information.

** Difference b/w Directory service and Database
The major difference with databases and directories is at the system level where a database is used to automate a process with a dedicated (relational) data model, but a directory is used to hold "identified" objects that can be used by many applications in random ways.

**The Lightweight Directory Access Protocol
The Lightweight Directory Access Protocol, or LDAP , is an application protocol for querying and modifying directory services running over TCP/IP.[1]

**Entries, Attributes, and Values
Entry

cn: John Doe
mail: johndoe@sun.com
mail: jdoe@stc.com
telephoneNumber: 471-6000 x.1234

Attributes :- cn , mail, telephoneNumber
Values :- John Doe ,johndoe@sun.com,jdoe@stc.com


** LDAP Directory Structure
Tree structure.
Top most - root
higher levels of hirearchy - groupings or organizations.
leaf nodes - individual persons

** Distinguished Names & Relative Distinguished Names

distinguished name of the John Doe entry is:
cn=John Doe, ou=People, dc=sun.com

cn=John Doe, ou=People is a RDN relative to the root RDN dc=sun.com.

Another example would be uid=bjensen,ou=People,dc=example,dc=com

**LDAP Service
A directory service is a distributed database application designed to manage the entries
and attributes in a directory.


**LDAP Client
A directory client accesses a directory service using the LDAP protocol. A directory client may use one of several client APIs available in order to access the directory service.


**Working of Client
By connecting to an LDAP server, the LDAP BC/eWay enables to search, compare, and modify an LDAP directory using the LDAP protocol.


**Referrals
referral is information that a server sends back to the client indicating that the requested information can be found at another location (possibly at another server).

Type :-
The type describes what the information is; the value is the information itself.
cn: person5
Here "cn" is the type and "person5" is the value.

Attribute:-
attribute is comprised of a type and one or more values that describe a particular trait of the object’s entry.

Entry:-
An entry, the base unit of the LDAP, is a collection of attributes which contain information that describes it.

Object Classes:-
The object classes are required or allowed and are defined with one or more attributes which are also required or allowed.

LDAP Schema:-
LDAP Schema defines what can be stored in the directory. It includes object classes and attributes.

**SSL with LDAP

SSL:-Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection. Uses Encryption , Decryption .

SSL uses public key cryptography, which is based on key pairs. Public key , private key.

Digital signature :-The server computes a value and encrypts the value using its private key. The encrypted value is called a digital signature.

keytool:- Keytool is used to generate certificates. The keytool stores the keys and certificates in a file termed a keystore, a repository of certificates used for identifying a client or a server. Typically, a keystore contains one client or one server's identity.

For J2EE ,the server certificate is in keystore.jks. The cacerts.jks file contains all the trusted certificates, including client certificates

Authentication:- To verify that the site(server) is who and what it claims to be. To verify that the client is who and what it claims to be .

Confidentiality:-
Data cannot be deciphered by the third party and the data remains confidential between client and server.

Integrity:-
Data will not be modified in transit by that third party.

KeyStore :-
A KeyStore consists of a database containing a private key and an associated
certificate, or an associated certificate chain. The certificate chain consists of the
client certificate and one or more certification authority (CA) certificates.

TrustStore:-
A TrustStore contains only the certificates trusted by the client. It is a repository of certificates.


Steps to create a keystore,trust store for server :-

1. Generate certificate .keystore.jks

C:\jdk1.5.0_13\bin>keytool -genkey -alias server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

What is your first and last name? [Unknown]: raghuvir

What is the name of your organizational unit? [Unknown]: india

What is the name of your organization? [Unknown]: sun

What is the name of your City or Locality? [Unknown]: blr

What is the name of your State or Province? [Unknown]: karnataka

What is the two-letter country code for this unit? [Unknown]: ka

Is CN=raghuvir, OU=india, O=sun, L=blr, ST=karnataka, C=ka correct? [no]: yes


2. Export it into file server.cer

C:\jdk1.5.0_13\bin>keytool -export -alias server -storepass changeit -file server.cer -keystore keystore.jks

Certificate stored in file

3. Import server.cer into the trust store (cacerts.jks)

C:\jdk1.5.0_13\bin>keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit

Owner: CN=raghuvir, OU=india, O=sun, L=blr, ST=karnataka, C=kaIssuer: CN=raghuvir, OU=india, O=sun, L=blr, ST=karnataka, C=ka

Serial number: 4892be08Valid from: Fri Aug 01 13:10:56 IST 2008 until: Thu Oct 30 13:10:56 IST 2008Certificate fingerprints: MD5: A3:BD:00:49:35:3B:99:BB:82:15:B9:B0:68:5C:6B:86 SHA1: 09:07:4D:46:8A:22:2A:BE:7C:F4:0C:1E:C5:41:F9:84:B8:83:F3:13Trust this certificate? [no]: yesCertificate was added to keystore[Storing cacerts.jks]


Steps to creat a client keystore and trust store :-
1. Generate client certificate : keystore.jks

C:\jdk1.5.0_13\bin>keytool -genkey -alias client-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks -dname "CN=client_hostname, OU=John,O=Sun, L=Bangalore, S=Karnataka, C=IN"

2. Export client certificate to a file called client.cer

C:\jdk1.5.0_13\bin>keytool -export -alias client-alias -storepass changeit -file client.cer -keystore keystore.jks

Certificate stored in file

3.Create truststore from client.cer , cacerts.jks

C:\jdk1.5.0_13\bin>keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore cacerts.jks -keypass changeit -storepass changeit

Owner: CN=client_hostname, OU=John, O=Sun, L=Bangalore, ST=Karnataka, C=INIssuer: CN=client_hostname, OU=John, O=Sun, L=Bangalore, ST=Karnataka, C=INSerial number: 4892cc92Valid from: Fri Aug 01 14:12:58 IST 2008 until: Thu Oct 30 14:12:58 IST 2008Certificate fingerprints: MD5: 17:C0:51:E9:BB:42:A1:83:20:B3:AD:64:46:1D:F9:19 SHA1: 54:61:C1:14:B0:21:FD:34:6B:EB:EE:32:50:C8:7A:9D:7A:60:FF:96Trust this certificate? [no]: yes

Certificate was added to keystore[Storing cacerts.jks]


Access Control :-
Using access control, you can control access to the entire directory, a subtree of the directory, specific entries in the directory (including entries defining configuration tasks), or a specific set of entry attributes.

The aci attribute has the following syntax:

aci: (target)(version 3.0;acl "name";permission bindRules;)

The following is an example of a complete LDIF ACI:

aci: (target="ldap:///uid=bjensen,dc=example,dc=com" (targetattr=*)(version 3.0; acl "example"; allow (write) userdn=ldap:///self;)

In this example, the ACI states that the user bjensen has rights to modify all attributes in her own directory entry.

target can be
target -> ldap:///distinguished_name
targetattr -> attribute


Adding an ACI at the Command-Line
Use the following ldapmodify command to give say for
example Charlene Daniels full rights to the directory:
ldapmodify -h myServer -p 5201 -D "cn=directory manager" -w passworddn: o=MyCorp,dc=example,dc=comchangetype: modifyadd: aciaci: (targetattr=*)(version 3.0; aci "give charlene full rights"; allow(all) userdn = ldap:///uid=cdaniels,ou=People,o=MyCorp,dc=example,dc=com;)

The following LDIF example allows members of the Engineering Admins group to modify the departmentNumber and manager attributes of all entries in the Engineering business category. This example uses LDAP filtering to select all entries with businessCategory attributes set to Engineering:

dn: dc=example,dc=comobjectClass: topobjectClass: organizationaci: (targetattr="departmentNumber manager") (targetfilter="(businessCategory=Engineering)") (version 3.0; acl "eng-admins-write"; allow (write) groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)

Referrals:-
Referral contains one or more LDAP URLs of Objects which is returned to the client.


The following table shows the values defined for this property. If this property has not been set, then the default is to ignore referrals.

ignore Ignore referrals
follow Automatically follow any referrals
throw Throw a ReferralException for each referral

Serach in LDAP :- http://docs.sun.com/source/816-6696-10/cmdline.html#14656

1)the following call will return all entries in the directory:
ldapsearch -h myServer -p 5201 -D "cn=directory manager" -w password -b "dc=example,dc=com" -s sub "objectclass=*"

2)You can specify a search filter directly on the command line. If you do this, be sure to enclose your filter in quotation marks ("filter"). Also, do not specify the -f option. For example:
ldapsearch -h myServer -p 5201 -D "cn=directory manager" -w password -b "dc=example,dc=com" "cn=Charlene Daniels"