SunLDAP SSL configuration

  1. Create a CA root certificate:

Note: You can use your existing CA root certificate instead; otherwise follow the separate procedure for creating a CA root certificate.

 2. Create a CSR for the SunLDAP server:

Use dsadm to create the CSR. Log in to the server on which SunLDAP is installed:

# cd /opt/sun/ds6/bin            ### for RHAS 4 and /opt/SUNWdsee/ds6/bin for Solaris

# ./dsadm request-cert --name ldaps://sun-ldapserver.com:636 --org SMI --org-unit SMI --city Bangalore --state Karnataka --country IN -F ascii -o /tmp/newreq.pem /var/opt/sun/dsins1   ### refer to the dsadm man page for more info

# ls /tmp/newreq.pem
newreq.pem

Note: "-F ascii" is needed so the request is written in PEM (ASCII) form, which is what the CA signs. The value given to --name becomes the certificate subject, so it must match the hostname clients will use in their ldaps:// URL; otherwise clients will fail hostname verification.

 3: Use the CA to sign the CSR:

Use the CA created in step 1 to sign the CSR (/tmp/newreq.pem).

Note: Refer to the separate procedure for signing a CSR with the CA.

 4: Enabling SSL for SunLDAP:

After completing the above steps you will have the following two certificates, which need to be added to the directory instance's certificate database:

cacert.pem         -    CA root certificate
newcert.pem        -    LDAP server certificate (ldaps://hostname:port-no.)

1. Copy the certificates to the /tmp directory.
2. Log in to the server and change to the dsadm directory:

# cd /opt/sun/ds6/bin         ### for RHAS 4 and /opt/SUNWdsee/ds6/bin for Solaris

3. Add the server certificate:
# ./dsadm add-cert <instance-path> <cert-alias> <cert-path>
# ./dsadm add-cert /var/opt/sun/dsins1 server-cert /tmp/newcert.pem

4. Add the CA root certificate (-C adds it as a trusted CA certificate rather than a server certificate):
# ./dsadm add-cert -C <instance-path> <cert-alias> <cert-path>
# ./dsadm add-cert -C /var/opt/sun/dsins1 theCARoot /tmp/cacert.pem

5. Set the server property so the instance uses the newly added server certificate. -e connects over the non-SSL port (the new certificate is not in use yet), and the value is the alias given in step 3:
# ./dsconf set-server-prop -e -p <non-ssl-port> ssl-rsa-cert-name:<cert-alias>
# ./dsconf set-server-prop -e -p 389 ssl-rsa-cert-name:server-cert          ### alias for server cert

6. Restart the directory server for the change to take effect:
# ./dsadm restart <instance-path>
# ./dsadm restart /var/opt/sun/dsins1

7. Stop the directory server so the default certificate can be removed (this ensures the certificate added above is the one the instance presents):
# ./dsadm stop <instance-path>
# ./dsadm stop /var/opt/sun/dsins1

8. Remove the default certificate:
# ./dsadm remove-cert <instance-path> <cert-alias>
# ./dsadm remove-cert /var/opt/sun/dsins1 defaultCert

If you want to keep a copy of the default certificate, export it before removing it:
# ./dsadm export-cert -o /<any path>/slapd-cert.export <instance-path> <original default cert alias>
where -o names the output file.

9. Start the server so it uses the SSL certificate we created:
# ./dsadm start <instance-path>
# ./dsadm start /var/opt/sun/dsins1

10. Verify with an LDAP browser or client that the server still answers on port 389 (plain LDAP) and that port 636 (LDAPS) presents the new server certificate, chaining to the CA root from step 1.
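Steps 1 and 3 defer to a separate CA procedure, and nothing above checks the signed certificate before it is loaded with dsadm add-cert. The script below is an added example, not part of the original post and not Sun's tooling: it builds a throwaway CA with openssl, produces a CSR with the same subject as the dsadm request-cert command (the directory server itself is not needed for this part, so the CSR is generated with openssl instead), signs it, and then runs the two checks worth doing before step 4: that newcert.pem chains to cacert.pem, and that its CN is the host named in the ldaps:// URI. The working directory, the file names, and the check_live_endpoint helper are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA built with openssl,
# used to sign a CSR and to check the result before dsadm add-cert.
# $WORK, the file names and check_live_endpoint are assumptions.
set -e

WORK=${WORK:-$(mktemp -d)}
LDAPS_URI="ldaps://sun-ldapserver.com:636"   # same URI as in dsadm request-cert --name

# Hostname out of ldaps://host:port (strip the scheme, then the port).
host_from_uri() {
    h=${1#ldaps://}
    h=${h#ldap://}
    echo "${h%%:*}"
}

# Step 1 of the post: a self-signed CA root, key kept beside it in $WORK.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=SMI/OU=SMI/CN=SMI Test Root CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
    [ -s "$WORK/cacert.pem" ]
}

# Stand-in for the CSR that dsadm request-cert -F ascii writes to /tmp/newreq.pem:
# same subject fields, CN taken from the ldaps:// URI.
make_server_csr() {
    host=$(host_from_uri "$LDAPS_URI")
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=SMI/OU=SMI/CN=$host" \
        -keyout "$WORK/serverkey.pem" -out "$WORK/newreq.pem" >/dev/null 2>&1
    [ -s "$WORK/newreq.pem" ]
}

# Step 3 of the post: sign the CSR with the CA. A SAN and the serverAuth EKU are
# added through -extfile so clients that ignore the CN still accept the cert.
sign_csr() {
    host=$(host_from_uri "$LDAPS_URI")
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" > "$WORK/server.ext"
    openssl x509 -req -days 365 -in "$WORK/newreq.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/newcert.pem" >/dev/null 2>&1
    [ -s "$WORK/newcert.pem" ]
}

# Check 1: the server cert must chain to the CA you are about to add with -C.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}

# Subject CN of the signed cert (handles both "CN=x" and "CN = x" output styles).
cert_cn() {
    openssl x509 -in "$WORK/newcert.pem" -noout -subject | sed 's/.*CN *= *//'
}

# Check 2: the CN must be the host clients will put in their ldaps:// URL.
cert_matches_uri() {
    [ "$(cert_cn)" = "$(host_from_uri "$LDAPS_URI")" ]
}

# For step 10, after the server is back up: the LDAPS port must present a cert
# that chains to the CA added with dsadm add-cert -C. Needs the live server,
# so it is not part of run_all.
check_live_endpoint() {
    host=$(host_from_uri "$LDAPS_URI")
    port=${LDAPS_URI##*:}
    openssl s_client -connect "$host:$port" -CAfile "$WORK/cacert.pem" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Same order as the post: CA, CSR, sign, then the pre-add-cert checks.
run_all() {
    make_test_ca && make_server_csr && sign_csr && verify_chain && cert_matches_uri
}
```

Run run_all before step 4; if verify_chain fails, the CA that signed newcert.pem is not the cacert.pem you are about to load, and if cert_matches_uri fails, the --name passed to dsadm request-cert does not match the hostname clients use. check_live_endpoint is only meaningful after step 9 against the real server.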

2 Responses to SunLDAP SSL configuration

  1. Jonathan G says:

    I have found that I need to use certutil to add root certs to the directory, so that trust flags (CT) are set appropriately:
    # /usr/sfw/bin/certutil -A -n CA -t CT,, -d /var/opt/SUNWdsee/dsins1/alias -i /tmp/CACert
    # /usr/sfw/bin/certutil -L -P slapd- -d /var/opt/SUNWdsee/dsins1/alias
    defaultCert CTu,u,u
    servercert u,u,u
    RootCA CT,,

  2. Raghuvir says:

    Thanks Hari, I am able to configure Sunone LDAP 6.0 as well as 6.3 with the above steps. Thanks a ton!!
