1. Install Open ssl on unix machine. ( here i have used a solaris sparc machine )
Get the software from http://www.sunfreeware.com/indexsparc10.html
" openssl-0.9.8j-sol10-sparc-local.gz "
Now login to your solaris sparc box as "root" , root access has to be there ,else it wont install.
run pkgadd command , to check if it working. then unzip the files using "gunzip filename"
run pkgadd -d openssl-0.9.8j-sol10-sparc-local and similarly install all the packages
This will get installed in /usr/local/ssl/ by default.
==========================================================================
2. Set the path on the unix machine to use this open ssl .
bash-3.00# PATH=$PATH:/usr/local/ssl/bin:.
bash-3.00# export PATH
bash-3.00# which openssl
/usr/local/ssl/bin/openssl
bash-3.00# echo $PATH
/usr/local/ssl/bin:.
======================================================================
3. Create a CA root certificate
bash-3.00# mkdir openldapcerts
bash-3.00# cd openldapcerts
bash-3.00$ pwd
/home/rk208995/openldapcerts
run the below command , enter the password as "adminadmin" , then enter country , state , city , for Common name , enter the FQDN of the local machine. here it is iecsoa1
At the end it asks for password again , enter "adminadmin"
bash-3.00$ /usr/local/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.............++++++
................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:adminadmin
Verifying - Enter PEM pass phrase:adminadmin
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SMI
Organizational Unit Name (eg, section) []:SMI
Common Name (eg, YOUR name) []:iecsoa1.india.sun.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:adminadmin
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Apr 20 03:47:43 2009 GMT
Not After : Apr 19 03:47:43 2012 GMT
Subject:
countryName = IN
stateOrProvinceName = Karnataka
organizationName = SMI
organizationalUnitName = SMI
commonName = iecsoa1.india.sun.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2
Certificate is to be certified until Apr 19 03:47:43 2012 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
======================================================================
4. Create a CSR for the ldap server
Note: When asked for a 'Common Name', you must enter the ldap url in the following format,
ldaps://
e.g. ldaps://ldapserver.com:636
This will create a csr “newreq.pem”
bash-3.00$ openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.............................++++++
..................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SMI
Organizational Unit Name (eg, section) []:SMI
Common Name (eg, YOUR name) []:ldaps://iecsoa1.india.sun.com:636
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
bash-3.00$ ls
demoCA newreq.pem
=======================================================================
5.Use the CA to sign the CSR , enter password as "adminadmin"
bash-3.00$ /usr/local/ssl/misc/CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:adminadmin
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 20 03:54:29 2009 GMT
Not After : Apr 20 03:54:29 2010 GMT
Subject:
countryName = IN
stateOrProvinceName = Karnataka
localityName = Bangalore
organizationName = SMI
organizationalUnitName = SMI
commonName = ldaps://iecsoa1.india.sun.com:636
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:4B:3E:75:0C:2F:CB:23:79:BB:3B:F2:61:61:63:F9:E9:F2:D9:91
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2
Certificate is to be certified until Apr 20 03:54:29 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IN, ST=Karnataka, O=SMI, OU=SMI, CN=iecsoa1.india.sun.com
Validity
Not Before: Apr 20 03:54:29 2009 GMT
Not After : Apr 20 03:54:29 2010 GMT
Subject: C=IN, ST=Karnataka, L=Bangalore, O=SMI, OU=SMI, CN=ldaps://iecsoa1.india.sun.com:636
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:26:62:b3:3a:50:cb:0a:5d:c6:e0:b6:e6:72:
6a:6e:ba:a5:7f:6d:4e:e5:54:36:95:db:72:87:19:
8e:64:f3:07:81:f8:59:51:ef:03:0a:72:13:eb:dc:
8d:38:14:39:cc:ad:cb:16:db:f9:12:44:24:a7:c0:
c8:1e:8a:b6:b3:b3:b4:9e:aa:7f:b2:3e:76:80:8a:
19:70:02:2b:4d:c5:5f:e8:f3:83:71:51:05:61:37:
a1:1b:fd:85:91:6f:74:22:1b:01:e8:5e:e8:4d:15:
b2:9c:2e:f3:0e:c9:b6:a0:5b:8f:1c:4b:b9:ee:77:
bd:ea:69:5b:f9:83:1c:db:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:4B:3E:75:0C:2F:CB:23:79:BB:3B:F2:61:61:63:F9:E9:F2:D9:91
X509v3 Authority Key Identifier:
keyid:F7:77:14:1C:86:D3:F3:4E:9A:EE:7C:D1:E3:80:27:66:56:4B:0F:D2
Signature Algorithm: sha1WithRSAEncryption
15:fd:e0:f4:06:92:3d:57:72:1d:9e:43:53:b6:bd:c8:0e:35:
fa:7c:24:6a:c3:d9:f5:63:4d:00:74:de:80:86:4c:9e:7d:6f:
09:f7:cb:de:6c:6b:70:1f:d9:7c:62:98:79:5a:fa:68:96:a0:
a4:45:de:84:43:db:a8:01:d8:f8:45:33:dd:e8:ca:18:5d:51:
28:b2:51:28:45:07:c8:41:e5:72:1b:fd:6c:f3:df:0e:61:47:
e5:7f:ea:6d:ed:a8:15:91:bc:90:be:c8:00:1c:50:1a:ce:50:
be:ac:65:d5:23:96:12:f6:62:2f:9e:7f:24:38:1f:74:32:7d:
a9:0a
-----BEGIN CERTIFICATE-----
MIICyzCCAjSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJJTjES
MBAGA1UECBMJS2FybmF0YWthMQwwCgYDVQQKEwNTTUkxDDAKBgNVBAsTA1NNSTEe
MBwGA1UEAxMVaWVjc29hMS5pbmRpYS5zdW4uY29tMB4XDTA5MDQyMDAzNTQyOVoX
DTEwMDQyMDAzNTQyOVowfTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUthcm5hdGFr
YTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQwwCgYDVQQKEwNTTUkxDDAKBgNVBAsTA1NN
STEqMCgGA1UEAxMhbGRhcHM6Ly9pZWNzb2ExLmluZGlhLnN1bi5jb206NjM2MIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEJmKzOlDLCl3G4LbmcmpuuqV/bU7l
VDaV23KHGY5k8weB+FlR7wMKchPr3I04FDnMrcsW2/kSRCSnwMgeirazs7Seqn+y
PnaAihlwAitNxV/o84NxUQVhN6Eb/YWRb3QiGwHoXuhNFbKcLvMOybagW48cS7nu
d73qaVv5gxzb/wIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUw0s+dQwvyyN5
uzvyYWFj+eny2ZEwHwYDVR0jBBgwFoAU93cUHIbT806a7nzR44AnZlZLD9IwDQYJ
KoZIhvcNAQEFBQADgYEAFf3g9AaSPVdyHZ5DU7a9yA41+nwkasPZ9WNNAHTegIZM
nn1vCffL3mxrcB/ZfGKYeVr6aJagpEXehEPbqAHY+EUz3ejKGF1RKLJRKEUHyEHl
chv9bPPfDmFH5X/qbe2oFZG8kL7IABxQGs5Qvqxl1SOWEvZiL55/JDgfdDJ9qQo=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
bash-3.00$ ls
demoCA newcert.pem newreq.pem
==================================================================
6.This creates newcert.pem (server certificate signed by CA) with private key, newreq.pem
So far we have created only the certificates needs to be used by the openldap server. Lets see how to configure the openldap using this certificates ...
Stop the openldap if it is already running :-
bash-3.00# ps -ef | grep slapd
root 26718 26710 0 11:09:04 pts/2 0:00 grep slapd
root 7915 1 0 Apr 17 ? 0:00 ./slapd
bash-3.00# kill -9 7915
bash-3.00# ps -ef | grep slapd
root 26720 26710 0 11:09:28 pts/2 0:00 grep slapd
bash-3.00# netstat -an | egrep '389|636'
no process running on port 389 or 636
=======================================================================
7. Copy the certificates to the ldap directory
a ) Copy cacert.pem - CA root certificate from Demo CA folder to /usr/local/var/openldap-data
b ) rename newcert.pem to servercrt.pem
c ) rename newreq.pem to serverkey.pem
d ) Copy servercrt.pem and serverkey.pem to /usr/local/var/openldap-data
so /usr/local/var/openldap-data has 3 new files in it
cacert.pem , servercrt.pem , serverkey.pem
==============================================================================
8. Edit the slapd.conf file from /usr/local/etc/openldap and add the following entry in to it below the entry
"argsfile /usr/local/var/run/slapd.args "
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/var/openldap-data/serverkey.pem
# Client verification not required
TLSVerifyClient never
=================================================================================
9.Start the openldap server by using the following command
# cd /usr/local/libexec
# ../slapd -h “ldap://iecsoa1:389 ldaps://iecsoa1:636”
Enter PEM pass phrase:adminadmin
Check to see the processes are listening in the configured ports
# netstat -an | egrep '389|636'
10.12.185.65.389 *.* 0 0 49152 0 LISTEN
10.12.185.65.636 *.* 0 0 49152 0 LISTEN
Use any external ldap-browser to connect to the both the URLs and check.
=================================================================================
For the client side , we have to use the server certificate , So we have to create keystore and trustore
Steps to create Client Truststore and Keystore from Server certificate .
First Convert from pem to jks format
Now to create Client Trust - store and key store
1. bash-3.00# pwd
/usr/local/ssl/bin
bash-3.00# openssl pkcs8 -topk8 -nocrypt -in /usr/local/ssl/mycerts/demoCA/private/cakey.pem -inform PEM -out key.der -outform DER
Enter pass phrase for /usr/local/ssl/mycerts/demoCA/private/cakey.pem:adminadmin
bash-3.00# openssl x509 -in /usr/local/ssl/mycerts/demoCA/cacert.pem -inform PEM -out cert.der -outform DER
bash-3.00# ls
c_rehash cert.der key.der openssl
======================================================================
2. Create a keystore using the java program
java program can be found at here
======================================================================
3. To view the contents of the keystore use this command
C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -list -v -keystore keystore.jks
Enter keystore password:adminadmin
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: client
Creation date: Apr 20, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012
Certificate fingerprints:
MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]
#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
*******************************************
*******************************************
======================================================================
4. use keytool to generate trust store ( note the default alias is "client" )
C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -export -alias client -storepass adminadmin -file client.cer -keystore keystore.jks
Certificate stored in file
======================================================================
Import the above certificate to a new Truststore named "trustore"
C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -import -alias client -file client.cer -keystore truststore
Enter keystore password:adminadmin
Re-enter new password:adminadmin
Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012
Certificate fingerprints:
MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]
#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Trust this certificate? [no]: yes
Certificate was added to keystore
======================================================================
To View contents of the trustore
C:\Documents and Settings\admin\Desktop\openldapCerts>keytool -list -v -keystore truststore
Enter keystore password:adminadmin
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: client
Creation date: Apr 20, 2009
Entry type: trustedCertEntry
Owner: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Issuer: CN=iecsoa1.india.sun.com, OU=SMI, O=SMI, ST=Karnataka, C=IN
Serial number: 0
Valid from: Mon Apr 20 09:17:43 IST 2009 until: Thu Apr 19 09:17:43 IST 2012
Certificate fingerprints:
MD5: 7C:22:37:66:C8:BE:A8:36:6B:37:5A:A8:EC:08:72:0B
SHA1: 84:5D:9A:32:13:EC:F5:19:19:5E:B6:1C:9C:DB:90:7A:65:EC:F5:F1
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F7 77 14 1C 86 D3 F3 4E 9A EE 7C D1 E3 80 27 66 .w.....N......'f
0010: 56 4B 0F D2 VK..
]
]
#4: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
*******************************************
*******************************************
======================================================================
No comments:
Post a Comment