This blog is all about SOA technology and LDAP

Wednesday, April 22, 2009

Installation of Sun Directory Server Enterprise Edition (DSEE)

Installation of Sun Directory Server Enterprise Edition (DSEE) on Windows:-

Here are the complete steps:-


1. Run the installer from the command line:

D:\Softwares\LDAP\DSEE.6.3.Windows-X86-full\DSEE_ZIP_Distribution>dsee_deploy.exe install -i C:\DSEE
=============================================================================================================================================================
2. Accept the license:

Do you accept the license terms ? : yes
Check availability of port 11162
Checking running Directory Server instances
Checking running Directory Proxy Server instances
Unzipping sun-ldap-base.zip ...
Unzipping sun-ldap-perl.zip ...
Unzipping sun-ldap-dsrk6.zip ...
Unzipping sun-ldapcsdk-tools.zip ...
Unzipping sun-ldapcsdk-dev.zip ...
Unzipping sun-ldap-ljdk.zip ...
Unzipping sun-ldap-jre.zip ...
Unzipping sun-ldap-shared.zip ...
Unzipping sun-ldap-shared-l10n.zip ...
Unzipping sun-ldap-directory.zip ...
Unzipping sun-ldap-directory-l10n.zip ...
Unzipping sun-ldap-directory-config.zip ...
Unzipping sun-ldap-directory-dev.zip ...
Unzipping sun-ldap-mfwk.zip ...
Unzipping sun-ldap-cacao.zip ...
Unzipping sun-ldap-console-agent.zip ...
Unzipping sun-ldap-console-cli.zip ...
Unzipping sun-ldap-console-common.zip ...
Unzipping sun-ldap-console-var.zip ...
Unzipping sun-ldap-jdmk.zip ...
Unzipping sun-ldap-directory-client.zip ...
Unzipping sun-ldap-directory-client-l10n.zip ...
Unzipping sun-ldap-proxy.zip ...
Unzipping sun-ldap-proxy-l10n.zip ...
Unzipping sun-ldap-proxy-client.zip ...
Unzipping sun-ldap-proxy-client-l10n.zip ...
Unzipping sun-ldap-console-gui.zip ...
Unzipping sun-ldap-console-gui-help.zip ...
Unzipping sun-ldap-console-gui-l10n.zip ...
Unzipping sun-ldap-console-gui-help-l10n.zip ...
Creating WAR file for Console
Configuring Cacao at D:/DSEE/dsee6/cacao_2
Setting Cacao parameter jdmk-home with default value [D:\DSEE\dsee6\private]
Setting Cacao parameter java-home with default value [D:\DSEE\jre]
Setting Cacao parameter nss-lib-home with default value [D:\DSEE\dsee6\private\lib]
Setting Cacao parameter nss-tools-home with default value [D:\DSEE\dsee6\bin]
Registering DSCC agent into cacao
Starting Cacao if necessary
Registering JESMF agent into Cacao
Initializing JESMF...
Registering DS in JESMF...
Checking Cacao status...
Deploying JESMF in Cacao...
Deploying DS in JESMF...
DS has been successfully registered in JESMF.
Making a copy of dsee_deploy.exe
Making a copy of listrunnings.exe
You can now start your Directory Server Instances
You can now start your Directory Proxy Server Instances
=============================================================================================================================================================
3. Create an instance:

D:\DSEE\ds6\bin>dsadm create -p 1389 -P 636 D:\DSEE\instance

Warning: 636 is a privileged port ; make sure that user 'Raghuvir Kamath' has right to use it before running start subcommand

Choose the Directory Manager password:adminadmin
Confirm the Directory Manager password:adminadmin

Use 'dsadm start 'C:\DSEE\instance'' to start the instance
=============================================================================================================================================================
4. Start the instance:

D:\DSEE\ds6\bin>dsadm start D:\DSEE\instance

Waiting for Directory Server instance 'D:/DSEE/instance' to start...
Directory Server instance 'D:/DSEE/instance' started: pid=2816
=============================================================================================================================================================


5. Create a suffix:

D:\DSEE\ds6\bin>dsconf create-suffix -e -h localhost -p 1389 dc=example,dc=com
Enter "cn=Directory Manager" password:adminadmin
=============================================================================================================================================================


6. Import Example.ldif into the directory:

D:\DSEE\ds6\bin>dsconf import -e -h localhost -p 1389 D:\DSEE\ds6\ldif\Example.ldif dc=example,dc=com
Enter "cn=Directory Manager" password:
New data will override existing data of the suffix "dc=example,dc=com".
Initialization will have to be performed on replicated suffixes.
Do you want to continue [y/n] ? y
## Index buffering enabled with bucket size 40
## Beginning import job...
## Processing file "D:\DSEE\ds6\ldif\Example.ldif"
## Finished scanning file "D:\DSEE\ds6\ldif\Example.ldif" (160 entries)
## Workers finished; cleaning up...
## Workers cleaned up.
## Cleaning up producer thread...
## Indexing complete.
## Starting numsubordinates attribute generation. This may take a while, please wait for further activity reports.
## Numsubordinates attribute generation complete. Flushing caches...
## Closing files...
## Import complete. Processed 160 entries in 5 seconds. (32.00 entries/sec)
Task completed (slapd exit code: 0).
=============================================================================================================================================================


7. Generate sample LDIF data with makeldif (from the dsrk6 tools):

D:\DSEE\dsrk6\bin>dir

Volume in drive D has no label.
Volume Serial Number is 6C13-6887

Directory of D:\DSEE\dsrk6\bin

08/07/2008 03:41 PM              .
08/07/2008 03:41 PM              ..
03/11/2008 03:53 PM       54,431 authrate.exe
03/11/2008 03:53 PM        2,263 cities
03/11/2008 03:53 PM       54,449 dsmlmodify.exe
03/11/2008 03:53 PM       54,449 dsmlsearch.exe
03/11/2008 03:53 PM        3,636 example.template
08/07/2008 03:32 PM              example_files
03/11/2008 03:53 PM       60,238 first.names
03/11/2008 03:53 PM      106,146 last.names
03/11/2008 03:30 PM       54,431 ldapcmp.exe
03/11/2008 03:30 PM       54,431 ldapcompare.exe
03/11/2008 03:30 PM       54,431 ldapdelete.exe
03/11/2008 03:30 PM       54,431 ldapmodify.exe
03/11/2008 03:30 PM       54,431 ldappasswd.exe
03/11/2008 03:30 PM       54,431 ldapsearch.exe
03/11/2008 03:53 PM       54,449 ldapsubtdel.exe
03/11/2008 03:53 PM       54,431 ldifxform.exe
03/11/2008 03:53 PM      107,868 logconv
03/11/2008 03:53 PM       54,449 makeldif.exe
03/11/2008 03:53 PM       54,431 modrate.exe
03/11/2008 03:53 PM       54,431 searchrate.exe
03/11/2008 03:53 PM        3,259 solaris.template
03/11/2008 03:53 PM          153 states
03/11/2008 03:53 PM          525 streets
08/07/2008 03:41 PM       37,854 test.ldif
08/07/2008 03:31 PM          554 test.template
              24 File(s)      1,084,602 bytes
               3 Dir(s)  36,942,323,712 bytes free

D:\DSEE\dsrk6\bin>makeldif -t test.template -o test.ldif

Processing complete.
101 total entries written.
=============================================================================================================================================================

8. Create the DSCC registry:

D:\DSEE\dscc6\bin>dsccsetup ads-create

Choose password for Directory Service Manager:adminadmin
Confirm password for Directory Service Manager:adminadmin

Creating DSCC registry...
DSCC Registry has been created successfully
=============================================================================================================================================================
To deploy the WAR file with Tomcat

Copy the WAR file (dscc.war) from D:\DSEE\var\dscc6 to C:\apache-tomcat-6.0.13\webapps.

Add the enablePooling init-param to the jsp servlet definition in the ${CATALINA_BASE}/conf/web.xml file, as shown below (the rest of the servlet definition is already there):

    ...
    <servlet>
        <servlet-name>jsp</servlet-name>
        <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
        <init-param>
            <param-name>fork</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>xpoweredBy</param-name>
            <param-value>false</param-value>
        </init-param>
        ...
        <init-param>
            <param-name>enablePooling</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>3</load-on-startup>
    </servlet>
    ...

Add the following entries to the System variables:

CATALINA_HOME C:\apache-tomcat-6.0.13
CATALINA_BASE C:\apache-tomcat-6.0.13

Start the Tomcat app server from C:\apache-tomcat-6.0.13\bin\startserver.bat. In the console you will see:

INFO: Deploying web application archive dscc.war
Aug 13, 2008 12:30:03 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Aug 13, 2008 12:30:03 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Aug 13, 2008 12:30:03 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/47 config=null
Aug 13, 2008 12:30:03 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 9208 ms

Steps to configure Open DS with SSL

Step 1 :- Create keystore

C:\Documents and Settings\Raghuvir Kamath> keytool -genkey -alias server-cert -keyalg rsa -dname "CN=compapps.india.sun.com,O=SMI,C=IN" -keystore keystore -storetype JKS
Enter keystore password:adminadmin
Re-enter new password:adminadmin


Enter key password for <server-cert> (RETURN if same as keystore password):

This creates the file "keystore" in the location C:\Documents and Settings\Raghuvir Kamath.

Step 2:- Self sign the keystore


Self Sign the certificate using keytool

D:\LDAP\openDS>keytool -selfcert -alias server-cert -validity 1825 -keystore keystore -storetype JKS

Enter keystore password:adminadmin

Step 3:- Export the server certificate (the public key)

D:\LDAP\openDS>keytool -export -alias server-cert -file server-cert.txt -rfc -keystore keystore

Enter keystore password:
Certificate stored in file


Step 4:- Create a new truststore

keytool -import -alias server-cert -file server-cert.txt -keystore truststore -storetype JKS

Type yes when you are prompted about whether you want to trust the certificate.

This step is needed only if the SSL and StartTLS settings were not specified during installation, or if you want to change those settings.

Step 5:- Install OpenDS

Install OpenDS 1.0.0 using the web installer from https://opends.dev.java.net/

Step 6:- Configure SSL during installation

While installing, configure OpenDS for SSL and choose "use existing keystore", giving the keystore created in step 2 as input. Refer to the screenshots for this.

To check whether SSL and TLS are enabled on your LDAP server, use statuspanel.bat from your LDAP server installation folder.

Monday, April 20, 2009

Configuring Open LDAP with SSL

Steps to configure Open LDAP with SSL

1. Install OpenSSL on the Unix machine (here I have used a Solaris SPARC machine).

Get the software from http://www.sunfreeware.com/indexsparc10.html
"openssl-0.9.8j-sol10-sparc-local.gz"

Now log in to your Solaris SPARC box as "root"; root access is required, otherwise it won't install.

Run the pkgadd command to check that it works, then unzip the files using "gunzip filename".

Run pkgadd -d openssl-0.9.8j-sol10-sparc-local and install all the other packages the same way.

This will be installed in /usr/local/ssl/ by default.

==========================================================================

2. Set the PATH on the Unix machine so that this OpenSSL is used.

bash-3.00# PATH=$PATH:/usr/local/ssl/bin:.

bash-3.00# export PATH

bash-3.00# which openssl
/usr/local/ssl/bin/openssl

bash-3.00# echo $PATH
/usr/local/ssl/bin:.

======================================================================

3. Create a CA root certificate

bash-3.00# mkdir openldapcerts


bash-3.00# cd openldapcerts


bash-3.00$ pwd
/home/rk208995/openldapcerts

Run the command below. Enter the password as "adminadmin", then enter the country, state and city; for the Common Name, enter the FQDN of the local machine (here it is iecsoa1).
At the end it asks for the password again; enter "adminadmin".

bash-3.00$ /usr/local/ssl/misc/CA.sh -newca

CA certificate filename (or enter to create)


Making CA certificate ...

Generating a 1024 bit RSA private key

.............++++++

................++++++

writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase:adminadmin

Verifying - Enter PEM pass phrase:adminadmin

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----


Country Name (2 letter code) [AU]:IN

State or Province Name (full name) [Some-State]:Karnataka

Locality Name (eg, city) []:Bangalore

Organization Name (eg, company) [Internet Widgits Pty Ltd]:SMI

Organizational Unit Name (eg, section) []:SMI

Common Name (eg, YOUR name) []:iecsoa1.india.sun.com

Email Address []:


Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /usr/local/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/./cakey.pem:adminadmin

Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Apr 20 03:47:43 2009 GMT
Not After : Apr 19 03:47:43 2012 GMT
Subject:
countryName = IN
stateOrProvinceName = Karnataka
organizationName = SMI
organizationalUnitName = SMI
commonName = iecsoa1.india.sun.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2


Certificate is to be certified until Apr 19 03:47:43 2012 GMT (1095 days)


Write out database with 1 new entries

Data Base Updated

======================================================================
4. Create a CSR for the LDAP server

Note: When asked for a 'Common Name', you must enter the LDAP URL in the following format:
ldaps://<hostname>:<port>
e.g. ldaps://ldapserver.com:636

The command below creates the CSR "newreq.pem" (the same file also holds the private key, since -keyout points at it):

bash-3.00$ openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

Generating a 1024 bit RSA private key

.............................++++++

..................++++++

writing new private key to 'newreq.pem'

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:IN

State or Province Name (full name) [Some-State]:Karnataka

Locality Name (eg, city) []:Bangalore

Organization Name (eg, company) [Internet Widgits Pty Ltd]:SMI

Organizational Unit Name (eg, section) []:SMI

Common Name (eg, YOUR name) []:ldaps://iecsoa1.india.sun.com:636

Email Address []:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

An optional company name []:


bash-3.00$ ls

demoCA newreq.pem

=======================================================================

5. Use the CA to sign the CSR; enter the password "adminadmin" when prompted.

bash-3.00$ /usr/local/ssl/misc/CA.sh -sign

Using configuration from /usr/local/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem:adminadmin

Check that the request matches the signature

Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 20 03:54:29 2009 GMT
Not After : Apr 20 03:54:29 2010 GMT
Subject:
countryName = IN
stateOrProvinceName = Karnataka
localityName = Bangalore
organizationName = SMI
organizationalUnitName = SMI
commonName = ldaps://iecsoa1.india.sun.com:636
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:4B:3E:75:0C:2F:CB:23:79:BB:3B:F2:61:61:63:F9:E9:F2:D9:91
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2


Certificate is to be certified until Apr 20 03:54:29 2010 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Certificate:

Data:

Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IN, ST=Karnataka, O=SMI, OU=SMI, CN=iecsoa1.india.sun.com
Validity
Not Before: Apr 20 03:54:29 2009 GMT
Not After : Apr 20 03:54:29 2010 GMT
Subject: C=IN, ST=Karnataka, L=Bangalore, O=SMI, OU=SMI, CN=ldaps://iecsoa1.india.sun.com:636
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:26:62:b3:3a:50:cb:0a:5d:c6:e0:b6:e6:72:
6a:6e:ba:a5:7f:6d:4e:e5:54:36:95:db:72:87:19:
8e:64:f3:07:81:f8:59:51:ef:03:0a:72:13:eb:dc:
8d:38:14:39:cc:ad:cb:16:db:f9:12:44:24:a7:c0:
c8:1e:8a:b6:b3:b3:b4:9e:aa:7f:b2:3e:76:80:8a:
19:70:02:2b:4d:c5:5f:e8:f3:83:71:51:05:61:37:
a1:1b:fd:85:91:6f:74:22:1b:01:e8:5e:e8:4d:15:
b2:9c:2e:f3:0e:c9:b6:a0:5b:8f:1c:4b:b9:ee:77:
bd:ea:69:5b:f9:83:1c:db:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:4B:3E:75:0C:2F:CB:23:79:BB:3B:F2:61:61:63:F9:E9:F2:D9:91
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2

Signature Algorithm: sha1WithRSAEncryption
15:fd:e0:f4:06:92:3d:57:72:1d:9e:43:53:b6:bd:c8:0e:35:
fa:7c:24:6a:c3:d9:f5:63:4d:00:74:de:80:86:4c:9e:7d:6f:
09:f7:cb:de:6c:6b:70:1f:d9:7c:62:98:79:5a:fa:68:96:a0:
a4:45:de:84:43:db:a8:01:d8:f8:45:33:dd:e8:ca:18:5d:51:
28:b2:51:28:45:07:c8:41:e5:72:1b:fd:6c:f3:df:0e:61:47:
e5:7f:ea:6d:ed:a8:15:91:bc:90:be:c8:00:1c:50:1a:ce:50:
be:ac:65:d5:23:96:12:f6:62:2f:9e:7f:24:38:1f:74:32:7d:
a9:0a

-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----


Signed certificate is in newcert.pem



bash-3.00$ ls

demoCA newcert.pem newreq.pem
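Steps 3 to 5 above, done non-interactively, as an added example that is not part of the original post and not the CA.sh script's own code. It differs from the post in two places a practitioner would want: the server certificate carries the host name in a subjectAltName (clients check the host name against the SAN, falling back to a plain host-name CN, so a CN written as ldaps://host:636 as in the step 4 note does not pass host-name verification), and the issued certificate is verified against the CA before it is handed to slapd. The subject fields copy the post's values; the working directory, the names server.csr and server.ext, and the check_ldaps_listener helper are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: steps 3-5 (CA.sh -newca,
# openssl req, CA.sh -sign) without the interactive prompts.  The server
# certificate gets a subjectAltName, and the result is checked against the
# CA before use.  Directory and extra file names are assumptions.

set -eu

# CA key and self-signed CA certificate (what CA.sh -newca produced above).
# $1 = output directory, $2 = CA common name
make_ca() {
    dir=$1; ca_cn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1095 \
        -subj "/C=IN/ST=Karnataka/O=SMI/OU=SMI/CN=$ca_cn" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 600 "$dir/cakey.pem"   # the CA private key never leaves this directory
}

# Server key + CSR, signed by the CA (steps 4 and 5).  $1 = directory,
# $2 = server FQDN; writes serverkey.pem and servercrt.pem (the step 7 names).
issue_server_cert() {
    dir=$1; fqdn=$2
    # -nodes: no passphrase on the server key, so slapd starts without the
    # "Enter PEM pass phrase:" prompt shown in step 9
    openssl req -newkey rsa:2048 -sha256 -nodes \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=SMI/OU=SMI/CN=$fqdn" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" 2>/dev/null
    chmod 600 "$dir/serverkey.pem"
    # X.509v3 extensions for a TLS server certificate; the SAN carries the host name
    cat > "$dir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$fqdn
EOF
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/servercrt.pem" 2>/dev/null
}

# Offline check of what a client will check: the certificate chains to
# cacert.pem and names the expected host in its SAN.  Returns 0 on success.
verify_server_cert() {
    dir=$1; fqdn=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/servercrt.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/servercrt.pem" -noout -text | grep -q "DNS:$fqdn" || return 1
}

# Live check against a running ldaps listener (step 9): the TLS handshake
# must verify against the CA.  $1 = host, $2 = port, $3 = cacert.pem.
check_ldaps_listener() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Stand-alone run: sh issue_certs.sh run   (WORKDIR defaults to ./openldapcerts)
if [ "${1:-}" = "run" ]; then
    WORKDIR=${WORKDIR:-./openldapcerts}
    make_ca "$WORKDIR" "iecsoa1.india.sun.com"
    issue_server_cert "$WORKDIR" "iecsoa1.india.sun.com"
    verify_server_cert "$WORKDIR" "iecsoa1.india.sun.com" && echo "chain OK: $WORKDIR/servercrt.pem"
fi
```

The functions are kept separate so that verify_server_cert can be run on certificates issued elsewhere, and check_ldaps_listener is the live counterpart of the netstat check in step 9: it only succeeds when a slapd on the given port presents a certificate that chains to cacert.pem.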

==================================================================
6. We now have newcert.pem (the server certificate signed by the CA) and newreq.pem (its private key).

So far we have only created the certificates to be used by the OpenLDAP server. Let's see how to configure OpenLDAP with these certificates.

Stop OpenLDAP if it is already running:

bash-3.00# ps -ef | grep slapd

root 26718 26710 0 11:09:04 pts/2 0:00 grep slapd

root 7915 1 0 Apr 17 ? 0:00 ./slapd

bash-3.00# kill -9 7915


bash-3.00# ps -ef | grep slapd
root 26720 26710 0 11:09:28 pts/2 0:00 grep slapd


bash-3.00# netstat -an | egrep '389|636'

(no output: nothing is listening on port 389 or 636)

=======================================================================
7. Copy the certificates to the LDAP directory

a) Copy cacert.pem (the CA root certificate) from the demoCA folder to /usr/local/var/openldap-data
b) Rename newcert.pem to servercrt.pem
c) Rename newreq.pem to serverkey.pem
d) Copy servercrt.pem and serverkey.pem to /usr/local/var/openldap-data

So /usr/local/var/openldap-data now has 3 new files in it:
cacert.pem, servercrt.pem, serverkey.pem


==============================================================================
8. Edit the slapd.conf file in /usr/local/etc/openldap and add the following entries below the line
"argsfile /usr/local/var/run/slapd.args":

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/var/openldap-data/serverkey.pem

# Client verification not required
TLSVerifyClient never
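As an added example, not from the original post: a small sh checker for the TLS directives in slapd.conf, run over the fragment above and over a hardened version of it. On the fragment as posted it reports the MEDIUM and +SSLv2 entries in TLSCipherSuite (MEDIUM admits 128-bit suites such as RC4, and "+SSLv2" only reorders SSLv2-era suites rather than excluding them; "!SSLv2" is what removes them) and "TLSVerifyClient never" (clients are never asked for a certificate, so only the server is authenticated by certificate; acceptable when clients authenticate by simple bind over TLS, but worth knowing). Both sample fragments are constructed here; the file paths follow step 7 and the hardened settings (TLSProtocolMin 3.3 for a TLS 1.2 floor, HIGH-only suites, TLSVerifyClient demand) are one reasonable choice, not the post's.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the TLS directives of a
# slapd.conf read from stdin.  The two sample configs below are constructed;
# the hardened one is a suggestion, not the post's configuration.

set -eu

# Inspect an OpenSSL-style cipher list ($1).  Tokens prefixed "!" or "-"
# remove suites and are fine; bare or "+" tokens naming weak groups are flagged.
check_cipher_list() {
    old_ifs=$IFS; IFS=:
    for tok in $1; do
        case $tok in
        !*|-*) ;;
        SSLv2|+SSLv2|SSLv3|+SSLv3)
            echo "WEAK TLSCipherSuite selects $tok (SSLv2/SSLv3-era suites referenced, not excluded)" ;;
        MEDIUM|+MEDIUM|LOW|+LOW|EXPORT|+EXPORT|aNULL|+aNULL|eNULL|+eNULL|NULL|+NULL)
            echo "WEAK TLSCipherSuite selects $tok (below HIGH strength)" ;;
        esac
    done
    IFS=$old_ifs
}

# Read slapd.conf on stdin; print one line per finding, nothing when clean.
audit_slapd_tls() {
    grep -v '^[[:space:]]*#' | sed 's/^[[:space:]]*//' | grep '^TLS' |
    while read -r directive value; do
        case $directive in
        TLSCipherSuite) check_cipher_list "$value" ;;
        TLSVerifyClient)
            case $value in
            never|allow) echo "NOTE TLSVerifyClient $value: client certificates are not required, only the server is authenticated by certificate" ;;
            esac ;;
        esac
    done
}

# Constructed sample 1: the step 8 fragment as posted.
weak_sample() {
    cat <<'EOF'
argsfile /usr/local/var/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/var/openldap-data/serverkey.pem
# Client verification not required
TLSVerifyClient never
EOF
}

# Constructed sample 2: same files, HIGH-strength suites only, TLS 1.2 as
# the floor (TLSProtocolMin 3.3) and client certificates required.
hardened_sample() {
    cat <<'EOF'
argsfile /usr/local/var/run/slapd.args
TLSProtocolMin 3.3
TLSCipherSuite HIGH:!aNULL:!MD5:!RC4
TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/var/openldap-data/serverkey.pem
TLSVerifyClient demand
EOF
}

# Stand-alone run: sh audit_slapd_tls.sh run   (or: audit_slapd_tls < slapd.conf)
if [ "${1:-}" = "run" ]; then
    echo "== as posted =="; weak_sample | audit_slapd_tls
    echo "== hardened =="; hardened_sample | audit_slapd_tls
    echo "(no output under a heading means no findings)"
fi
```

Pipe a real file into audit_slapd_tls to check a live configuration; the checker deliberately treats "!X" and "-X" as exclusions so that a hardened list such as HIGH:!aNULL:!MD5 does not trigger on the names it excludes.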


=================================================================================
9. Start the OpenLDAP server using the following commands:

# cd /usr/local/libexec

# ./slapd -h "ldap://iecsoa1:389 ldaps://iecsoa1:636"

Enter PEM pass phrase:adminadmin

Check that slapd is listening on the configured ports:

# netstat -an | egrep '389|636'

10.12.185.65.389 *.* 0 0 49152 0 LISTEN
10.12.185.65.636 *.* 0 0 49152 0 LISTEN

Use any external LDAP browser to connect to both URLs and check.


=================================================================================
For the client side we have to use the server certificate, so we have to create a keystore and a truststore.

Steps to create the client truststore and keystore from the server certificate.

First convert the CA key and certificate from PEM to DER (the input the keystore creation below needs), then create the client truststore and keystore.

1. Convert to DER:

bash-3.00# pwd
/usr/local/ssl/bin


bash-3.00# openssl pkcs8 -topk8 -nocrypt -in /usr/local/ssl/mycerts/demoCA/private/cakey.pem -inform PEM -out key.der -outform DER

Enter pass phrase for /usr/local/ssl/mycerts/demoCA/private/cakey.pem:adminadmin


bash-3.00# openssl x509 -in /usr/local/ssl/mycerts/demoCA/cacert.pem -inform PEM -out cert.der -outform DER

bash-3.00# ls

c_rehash cert.der key.der openssl

======================================================================

2. Create a keystore using the Java program.

The Java program can be found here.
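An alternative to the Java program linked above, added here as an example that is neither part of the original post nor that program: the client-side stores built from the PEM files of step 7 with openssl and keytool only. It differs from the post in two points. The truststore is built from cacert.pem alone, because a client never needs the CA private key (cakey.pem should stay on the CA machine, not be converted and shipped to clients), and it ends up trusting the same CA certificate that the post's client.cer import produces. The server key and certificate are packed as PKCS#12 and converted with keytool -importkeystore, so no custom importer is needed. The aliases, output file names and the STOREPASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post and not its Java program:
# client truststore and JKS keystore from the step 7 PEM files using
# openssl + keytool.  Aliases, output names and STOREPASS are assumptions.

set -eu

# Bundle server certificate, its key and the CA certificate into PKCS#12.
# $1 = directory holding the PEM files, $2 = store password
make_server_pkcs12() {
    dir=$1; pass=$2
    openssl pkcs12 -export -name server-cert \
        -in "$dir/servercrt.pem" -inkey "$dir/serverkey.pem" -certfile "$dir/cacert.pem" \
        -out "$dir/server.p12" -passout "pass:$pass" 2>/dev/null
    chmod 600 "$dir/server.p12"
}

# Convert the PKCS#12 bundle to a JKS keystore (for a Java server, or for a
# client that must present a certificate when TLSVerifyClient is demand).
pkcs12_to_jks() {
    dir=$1; pass=$2
    rm -f "$dir/keystore.jks"
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/server.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$dir/keystore.jks" -deststoretype JKS -deststorepass "$pass" >/dev/null 2>&1
}

# Client truststore: the CA certificate only.  A client holding this trusts
# every certificate the CA signed, which includes the ldaps server's.
make_client_truststore() {
    dir=$1; pass=$2
    rm -f "$dir/truststore.jks"
    keytool -import -noprompt -alias openldap-ca -file "$dir/cacert.pem" \
        -keystore "$dir/truststore.jks" -storetype JKS -storepass "$pass" >/dev/null 2>&1
}

# Checks.  pkcs12_has_key: the bundle really carries the private key (0 = yes).
# truststore_entry_count: prints the number of trusted certificates in the store.
pkcs12_has_key() {
    openssl pkcs12 -in "$1/server.p12" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}
truststore_entry_count() {
    keytool -list -keystore "$1/truststore.jks" -storepass "$2" 2>/dev/null \
        | grep 'trustedCertEntry' | wc -l | tr -d ' '
}

# Stand-alone run: STOREPASS=... sh client_stores.sh run
# (CERTDIR defaults to the step 7 directory)
if [ "${1:-}" = "run" ]; then
    CERTDIR=${CERTDIR:-/usr/local/var/openldap-data}
    make_server_pkcs12 "$CERTDIR" "${STOREPASS:?set STOREPASS}"
    pkcs12_to_jks "$CERTDIR" "$STOREPASS"
    make_client_truststore "$CERTDIR" "$STOREPASS"
    echo "truststore entries: $(truststore_entry_count "$CERTDIR" "$STOREPASS")"
fi
```

The truststore is what a Java LDAP client needs to verify the ldaps listener of step 9; keystore.jks is only required on the side that has to present a certificate. The step 3 listing below (keytool -list -v) works unchanged on either file.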


======================================================================

3. To view the contents of the keystore, use this command:
C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -list -v -keystore keystore.jks

Enter keystore password:adminadmin


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: client
Creation date: Apr 20, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012
Certificate fingerprints:
MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]

]

#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false



*******************************************
*******************************************


======================================================================

4. Use keytool to export the certificate for the truststore (note the default alias is "client"):

C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -export -alias client -storepass adminadmin -file client.cer -keystore keystore.jks

Certificate stored in file


======================================================================

Import the exported certificate into a new truststore named "truststore":

C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -import -alias client -file client.cer -keystore truststore

Enter keystore password:adminadmin

Re-enter new password:adminadmin

Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN

Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN

Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012

Certificate fingerprints:

MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]

]

#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

Trust this certificate? [no]: yes


Certificate was added to keystore

======================================================================

To view the contents of the truststore:

C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -list -v -keystore truststore
Enter keystore password:adminadmin

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: client
Creation date: Apr 20, 2009
Entry type: trustedCertEntry

Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012
Certificate fingerprints:
MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]

]

#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false



*******************************************
*******************************************


======================================================================