Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place! |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
01-09-2010, 09:23 PM
|
#1
|
Senior Member
Registered: Jun 2008
Location: Germany
Distribution: Slackware
Posts: 1,466
Rep:
|
Help regarding the Fedora SSL setup?
Guys,
I am in verse to setup Fedora DS with SSL on my CentOS Machine.
All I did is ran setupssl2.sh script, restarted directory Server and Admin server as shown below:
Code:
==============================================================================
This program will set up the 389 Directory and Administration Servers.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]: yes
==============================================================================
BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY
AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE
LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS
OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.
Do you agree to the license terms? [no]: yes
==============================================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
389 Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is i686-unknown-linux2.6.18-164.el5 (1 processor).
ERROR : Only 249MB of physical memory is available on the system. 256MB is the
recommended minimum. 1024MB is recommended for best performance on large production system.
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.
WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
ERROR : The above errors MUST be corrected before proceeding.
Would you like to continue? [no]: yes
==============================================================================
Choose a setup type:
1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]: 2
==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Computer name [389-ds.sapient.com]:
==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.
System User [fds]:
System Group [fds]:
==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).
If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
Do you want to register this software with an existing
configuration directory server? [yes]: no
==============================================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.
Configuration directory server
administrator ID [admin]:
Password:
Password (confirm):
==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.
If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.
Administration Domain [sap.com]:
==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]: 636
==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [389-ds]:
==============================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.
Suffix [dc=sap, dc=com]: dc=im,dc=sap,dc=com
==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.
Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.
Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.
Administration port [9830]:
==============================================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]: yes
Creating directory server . . .
Your new DS instance '389-ds' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully reconfigured and started.
Exiting . . .
Log file is '/tmp/setupHw6wUC.log'
[root@389-ds dirsrv]# cd /opt/
[root@389-ds opt]# ./setupssl2.sh
No CA certificate found - will create new one
No Server Cert found - will create new one
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1002 (0x3ea)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=CAcert"
Validity:
Not Before: Sat Jan 09 15:28:53 2010
Not After : Thu Jan 09 15:28:53 2020
Subject: "CN=389-ds.sap.com,OU=Fedora Administration Server"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
d7:d7:07:6c:75:e5:3c:81:9d:7e:f0:43:13:ca:9d:38:
3d:3b:2b:d3:af:8d:3c:c0:ba:0f:4b:ef:d9:5b:4e:0a:
32:15:4d:11:66:d0:4a:95:5a:a9:bc:33:76:6a:37:fe:
8b:40:4f:83:dc:a0:57:51:af:42:ed:9f:db:1e:11:7c:
d0:c0:94:1b:18:e8:a2:e0:7e:b1:e2:1b:25:dc:4c:8a:
36:90:e1:3b:26:23:68:94:a6:1b:fc:2a:b2:86:50:38:
84:6d:30:93:32:62:0d:78:bb:5b:51:ba:d5:22:63:6c:
cf:ec:6b:64:31:62:ee:eb:b2:da:a8:76:c7:20:d0:81
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
4a:a2:7f:03:a0:cb:22:2a:4a:92:88:9c:0d:68:9d:4f:
56:50:2c:63:0d:ae:38:19:e0:0d:1f:3a:18:72:88:c6:
f8:03:39:34:9c:1b:e5:57:c0:b6:15:64:8c:2b:6e:82:
45:14:34:a7:c0:29:cc:1a:79:da:30:6a:66:72:cd:27:
60:1e:c5:e3:cf:d9:f1:67:d9:d5:81:69:96:9d:ea:d6:
12:c5:fd:ef:6f:d8:58:8b:ed:0c:73:cc:9b:8e:81:80:
21:ee:95:95:55:0d:e6:13:46:8f:ba:9f:0b:71:27:aa:
ee:c1:4c:ba:c8:63:14:c9:21:b8:ee:bb:12:7b:ea:96
Fingerprint (MD5):
E9:B5:B2:A7:C1:C2:F9:D4:21:7C:30:E4:36:92:D7:D8
Fingerprint (SHA1):
C6:36:8E:A2:91:F2:15:29:A8:F2:E9:77:CB:90:8D:CD:4D:61:C7:B7
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
Using existing admin server-cert
Creating password file for security token
Creating noise file
Creating new key and cert db
Creating encryption key for CA
Generating key. This may take a few moments...
Creating self-signed CA certificate
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Exporting the CA certificate to cacert.asc
Generating server certificate for Fedora Directory Server on host 389-ds.sapient.com
Using fully qualified hostname 389-ds.sapient.com for the server name in the server cert subject DN
Note: If you do not want to use this hostname, edit this script to change myhost to the
real hostname you want to use
Generating key. This may take a few moments...
Creating pin file for directory server
Enabling the use of a password file in admin server
Enabling SSL in the directory server - when prompted, provide the directory manager password
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
Done. You must restart the directory server and the admin server for the changes to take effect.
[root@389-ds opt]# service disrvrsrv-ds restart
dirsrv-ds: unrecognized service
[root@389-ds opt]# service dirsrv-ds restart restartdirs restartrv- restart./setupssl2.sh cd /opt//usr/sbin/setup-ds-admin.pl
rm -fr slapd-389-ds/ls/usr/sbin/setup-ds-admin.pl
service dirsrv-admin stopadmin-serv
lsservice admin-serv stopdirsrv-admin artstratarrestrestart
Shutting down dirsrv-admin:
[ OK ]
Starting dirsrv-admin:
[ OK ]
[root@389-ds opt]# service dirsrv-admin restart restart
./setupssl2.sh cd /opt//usr/sbin/setup-ds-admin.pl
rm -fr slapd-389-ds/ls/usr/sbin/setup-ds-admin.pl
service dirsrv-admin stopadmin-servdirsrv-admin
Shutting down dirsrv-admin:
[ OK ]
[root@389-ds opt]# service dirsrv-admin stopart
Starting dirsrv-admin:
[ OK ]
[root@389-ds opt]# service dirsrv-admin startoprestart restart
./setupssl2.sh cd /opt//usr/sbin/setup-ds-admin.pl
rm -fr slapd-389-ds/ls/usr/sbin/setup-ds-admin.pl
service dirsrv-admin stopadmin-serv
admin-serv: unrecognized service
[root@389-ds opt]# service admin-serv stopart
admin-serv: unrecognized service
[root@389-ds opt]# service admin-serv startopdirsrv-admin startoprestart restart
./setupssl2.sh cd /opt//usr/sbin/setup-ds-admin.pl
rm -fr slapd-389-ds/ls/usr/sbin/setup-ds-admin.pl
service dirsrv-admin stopadmin-serv
lscd /etc/dirsrvservice dirsrv-ds-admin stop stopcdlscd config/lscd config/lscd config/lscdservice dirsrv stopart
Starting dirsrv:
389-ds... already running[ OK ]
[root@389-ds opt]# service dirsrv startrstartestart
Shutting down dirsrv:
389-ds...[ OK ]
Starting dirsrv:
389-ds...[ OK ]
[root@389-ds opt]# netstat -arpm n | grep 686
[root@389-ds opt]# netstat -arpn | grep 686389
[root@389-ds opt]# netstat -arpn | grep 389n
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::636 :::* LISTEN
tcp 0 416 ::ffff:10.209.37.91:22 ::ffff:10.210.52.250:1225 ESTABLISHED
tcp 0 0 ::ffff:10.209.37.91:22 ::ffff:10.210.52.250:1197 ESTABLISHED
udp 0 0 0.0.0.0:68 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 34908 /var/run/dirsrv/admin-serv.cgisock.5510
unix 2 [ ] DGRAM 1767 @/org/kernel/udev/udevd
unix 6 [ ] DGRAM 8308 /dev/log
unix 2 [ ACC ] STREAM LISTENING 7959 /var/run/setrans/.setrans-unix
unix 2 [ ACC ] STREAM LISTENING 8359 /var/run/dbus/system_bus_socket
unix 2 [ ] DGRAM 29966
unix 2 [ ] DGRAM 29422
unix 2 [ ] DGRAM 10880
unix 3 [ ] STREAM CONNECTED 8375
unix 3 [ ] STREAM CONNECTED 8374
unix 2 [ ] DGRAM 8316
[root@389-ds opt]#
[root@389-ds opt]#
[root@389-ds opt]# ./setupssl2.sh
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1000 (0x3e8)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=CAcert"
Validity:
Not Before: Sat Jan 09 16:16:52 2010
Not After : Thu Jan 09 16:16:52 2020
Subject: "CN=CAcert"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
cf:7f:a4:e5:40:26:32:0c:6e:8b:87:48:00:2a:ba:9f:
27:05:c9:26:ef:d4:64:76:56:0a:2c:ff:f1:ae:8c:3e:
20:95:0d:a8:08:46:66:86:05:1d:30:6c:80:be:cd:e3:
d2:c2:ec:ed:3a:7a:a1:6b:90:a6:42:cd:6f:57:cb:84:
1e:f0:da:9b:eb:54:1f:43:a9:3e:f6:15:68:03:10:ed:
66:ed:cc:49:c5:2c:b7:21:b4:94:df:77:eb:04:f7:ac:
07:af:6f:f7:52:2f:18:8e:d2:94:c8:8f:02:fa:e4:d2:
e1:16:c4:72:e9:9d:a9:47:14:91:3e:bf:14:e6:9f:57
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
71:7a:6e:c6:f4:3b:e4:14:ba:f0:91:b0:09:c1:3b:49:
26:18:8a:8e:61:97:12:6f:08:99:d6:fc:11:76:21:2b:
41:66:c5:e6:22:17:77:e0:5e:ae:b5:d7:3d:81:3a:2f:
73:01:5f:79:c4:55:a2:d8:fb:1a:92:35:b4:07:e9:da:
fa:c6:5f:e7:1b:a2:31:75:30:06:23:d2:45:b8:92:df:
cf:c5:15:a3:6a:a8:1b:ef:3c:d5:94:d0:02:17:58:c4:
b8:a3:f9:f5:74:64:f1:2f:25:1a:d2:c6:30:2b:2a:90:
e0:78:7e:8d:da:5b:18:52:fc:d4:39:1f:b7:bb:0d:c5
Fingerprint (MD5):
D6:FF:21:EC:FF:F1:02:6B:09:22:CF:DB:48:86:4D:85
Fingerprint (SHA1):
2C:2E:DE:C6:B1:A1:6F:8B:34:F3:B0:DD:70:DC:97:26:27:36:1C:BE
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
User
Object Signing Flags:
User
Using existing CA certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1001 (0x3e9)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=CAcert"
Validity:
Not Before: Sat Jan 09 16:16:53 2010
Not After : Thu Jan 09 16:16:53 2020
Subject: "CN=389-ds.sap.com,OU=Fedora Directory Server"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
b8:1e:0b:70:d1:63:3c:21:23:e7:d4:bb:f9:43:68:d8:
2f:dd:4c:d8:fd:54:86:7e:c0:eb:72:68:a4:12:6e:3b:
24:62:ba:31:44:88:ae:1e:00:12:5c:90:19:0c:aa:ca:
d7:fc:91:a3:de:15:0d:ed:7d:a4:73:c5:eb:84:9d:ba:
d2:50:7f:1e:71:3c:6c:b8:15:6c:c4:03:77:9a:c3:85:
a3:93:30:b9:1d:56:3f:0e:68:6c:88:30:f5:9d:e7:d4:
26:75:c2:c1:b7:db:e7:40:c3:64:13:c8:ab:4f:d4:df:
ef:be:2f:b5:c3:72:1a:fb:3a:89:57:9b:b6:7d:be:1d
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
1d:92:f8:7d:36:11:78:2a:8e:ab:de:96:e2:1a:22:26:
71:af:b5:a9:b1:40:e3:08:f0:82:12:c9:9e:c2:d9:ba:
2f:5f:bd:c1:77:68:5a:07:e7:30:13:16:0a:ec:23:d2:
84:b9:69:a2:e2:ea:ac:59:9c:6b:02:2f:90:36:4a:58:
3a:82:46:5b:26:a8:15:09:5d:96:51:b1:97:6d:f9:75:
6c:25:56:a6:93:ad:6c:ac:a0:73:c6:71:f3:9c:1b:2e:
9d:2c:1d:71:10:26:16:79:90:15:53:04:5d:e1:74:4a:
89:cf:a2:75:20:ac:e9:9a:53:16:b6:f4:bd:a2:34:82
Fingerprint (MD5):
46:BF:CC:7F:86:3A:B0:7E:D2:84:92:00:FA:36:08:90
Fingerprint (SHA1):
1E:57:33:E9:E6:EE:74:DB:48:DC:B4:08:CA:28:B6:60:C2:B9:12:D0
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
Using existing directory Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1002 (0x3ea)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=CAcert"
Validity:
Not Before: Sat Jan 09 15:28:53 2010
Not After : Thu Jan 09 15:28:53 2020
Subject: "CN=389-ds.sapient.com,OU=Fedora Administration Server"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
d7:d7:07:6c:75:e5:3c:81:9d:7e:f0:43:13:ca:9d:38:
3d:3b:2b:d3:af:8d:3c:c0:ba:0f:4b:ef:d9:5b:4e:0a:
32:15:4d:11:66:d0:4a:95:5a:a9:bc:33:76:6a:37:fe:
8b:40:4f:83:dc:a0:57:51:af:42:ed:9f:db:1e:11:7c:
d0:c0:94:1b:18:e8:a2:e0:7e:b1:e2:1b:25:dc:4c:8a:
36:90:e1:3b:26:23:68:94:a6:1b:fc:2a:b2:86:50:38:
84:6d:30:93:32:62:0d:78:bb:5b:51:ba:d5:22:63:6c:
cf:ec:6b:64:31:62:ee:eb:b2:da:a8:76:c7:20:d0:81
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
4a:a2:7f:03:a0:cb:22:2a:4a:92:88:9c:0d:68:9d:4f:
56:50:2c:63:0d:ae:38:19:e0:0d:1f:3a:18:72:88:c6:
f8:03:39:34:9c:1b:e5:57:c0:b6:15:64:8c:2b:6e:82:
45:14:34:a7:c0:29:cc:1a:79:da:30:6a:66:72:cd:27:
60:1e:c5:e3:cf:d9:f1:67:d9:d5:81:69:96:9d:ea:d6:
12:c5:fd:ef:6f:d8:58:8b:ed:0c:73:cc:9b:8e:81:80:
21:ee:95:95:55:0d:e6:13:46:8f:ba:9f:0b:71:27:aa:
ee:c1:4c:ba:c8:63:14:c9:21:b8:ee:bb:12:7b:ea:96
Fingerprint (MD5):
E9:B5:B2:A7:C1:C2:F9:D4:21:7C:30:E4:36:92:D7:D8
Fingerprint (SHA1):
C6:36:8E:A2:91:F2:15:29:A8:F2:E9:77:CB:90:8D:CD:4D:61:C7:B7
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
So I have created certificates through setupssl2.sh.
Now What should be the next step?
How can I know if SSL is configured properly.
I tried accessing through 389 Management Console but https:// not working.
Last edited by your_shadow03; 01-09-2010 at 09:39 PM.
|
|
|
01-10-2010, 11:33 AM
|
#2
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate.
|
|
|
All times are GMT -5. The time now is 05:57 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|