Enabling Secure Connection to Internal Database - dogtagpki/pki GitHub Wiki
This document describes how to configure an existing PKI instance to use an SSL connection to DS.

Note: Since DS 1.4, SSL is enabled by default with a server certificate issued by a self-signed CA certificate.
There are two ways to enable a secure connection from PKI to DS:

- Install DS CA certificate into PKI.
- Install PKI-issued server certificate into DS.
## Installing DS CA Certificate into PKI

This procedure is simpler, but it relies on the self-signed CA certificate in DS, so it might not work in all cases.
To find the nickname of the CA certificate in DS:

```
$ certutil -L -d /etc/dirsrv/slapd-localhost

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Self-Signed-CA                                               CT,,
Server-Cert                                                  u,u,u
```
To export the DS CA certificate:

```
$ certutil -L -d /etc/dirsrv/slapd-localhost -n Self-Signed-CA -a > ca_signing.crt
```
To import the DS CA certificate:

```
$ certutil -A -d /var/lib/pki/pki-tomcat/conf/alias -n "ds-ca_signing" -i ca_signing.crt -t "CT,C,C"
```
To verify the import:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CTu,Cu,Cu
ca_ocsp_signing                                              u,u,u
subsystem                                                    u,u,u
ca_audit_signing                                             u,u,Pu
sslserver                                                    u,u,u
ds-ca_signing                                                CT,C,C
```
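The import can also be checked by a script rather than by eye. The following is an added example, not part of the wiki page or of the PKI project: it parses `certutil -L` output and confirms that a nickname carries exactly the trust flags you intended (`CT,C,C` for a CA that PKI should trust for SSL). The listing embedded below is constructed from the output shown above; `nss_trust_of` and `nss_check_trust` are hypothetical helper names.

```shell
# Added example (not from the wiki): confirm that a nickname in an NSS database
# carries the expected trust attributes by parsing `certutil -L` output.
# Limitation: nicknames containing spaces are not handled by this simple parser.

# nss_trust_of LISTING NICKNAME -> prints the trust column for NICKNAME,
# exit status 1 when the nickname is not present in the listing
nss_trust_of() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        # data rows have exactly two fields: nickname and trust flags; the
        # header rows ("Certificate Nickname ...", "SSL,S/MIME,JAR/XPI") do not
        NF == 2 && $1 == nick { print $2; found = 1 }
        END { exit !found }'
}

# nss_check_trust LISTING NICKNAME EXPECTED -> 0 when the trust flags match exactly
nss_check_trust() {
    trust=$(nss_trust_of "$1" "$2") || return 1
    [ "$trust" = "$3" ]
}

# Constructed sample: the listing the page shows for
# /var/lib/pki/pki-tomcat/conf/alias after the DS CA certificate was imported
SAMPLE_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

ca_signing                                   CTu,Cu,Cu
ca_ocsp_signing                              u,u,u
subsystem                                    u,u,u
ca_audit_signing                             u,u,Pu
sslserver                                    u,u,u
ds-ca_signing                                CT,C,C'

# Stand-alone demo; on a real system replace the sample with live output:
#   nss_check_trust "$(certutil -L -d /var/lib/pki/pki-tomcat/conf/alias)" ds-ca_signing CT,C,C
if nss_check_trust "$SAMPLE_LISTING" ds-ca_signing CT,C,C; then
    echo "ds-ca_signing is trusted as a CA (CT,C,C)"
else
    echo "ds-ca_signing missing or wrong trust flags" >&2
fi
```

An exact comparison is deliberate: a CA imported with `u,u,u` or `,,` would be present in the database but not trusted for SSL, and PKI would still fail to connect to DS.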
Finally, restart PKI server:

```
$ systemctl restart pki-tomcatd@pki-tomcat.service
```
## Installing PKI-Issued Server Certificate into DS

This procedure is more complex, but it uses the actual CA certificate in PKI.
To export PKI CA certificate:

```
$ pki-server cert-export ca_signing --cert-file ca_signing.crt
```
To remove the old CA certificate from DS:

```
$ certutil -D -d /etc/dirsrv/slapd-localhost -f /etc/dirsrv/slapd-localhost/pwdfile.txt -n Self-Signed-CA
```
To import PKI CA certificate into DS:

```
$ pki -d /etc/dirsrv/slapd-localhost -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-import ca_signing \
    --cert ca_signing.crt \
    --trust CT,C,C
```
To show the existing server key in DS:

```
$ certutil -K -d /etc/dirsrv/slapd-localhost -f /etc/dirsrv/slapd-localhost/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      d33aaa95388e61eaa164c381a7fbb59c0c5007c8   NSS Certificate DB:Server-Cert
```
To generate a server certificate request with the same key:

```
$ pki -d /etc/dirsrv/slapd-localhost -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-request \
    --key-id d33aaa95388e61eaa164c381a7fbb59c0c5007c8 \
    --subject "CN=pki.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr ds-sslserver.csr
```
To issue a server certificate for DS:

```
$ pki -d /var/lib/pki/pki-tomcat/conf/alias/ -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-issue \
    --issuer ca_signing \
    --csr ds-sslserver.csr \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --cert ds-sslserver.crt
```
To remove the old server certificate from DS:

```
$ certutil -D -d /etc/dirsrv/slapd-localhost -f /etc/dirsrv/slapd-localhost/pwdfile.txt -n Server-Cert
```
To import the server certificate into DS:

```
$ pki -d /etc/dirsrv/slapd-localhost -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-import Server-Cert \
    --cert ds-sslserver.crt
```
To verify the import:

```
$ certutil -L -d /etc/dirsrv/slapd-localhost

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CT,C,C
Server-Cert                                                  u,u,u
```
Finally, restart DS:

```
$ systemctl restart dirsrv@localhost.service
```
Verify in DS error log at /var/log/dirsrv/slapd-localhost/errors that the DS started successfully with SSL:

```
INFO - Security Initialization - SSL info: Enabling default cipher set.
INFO - Security Initialization - SSL info: Configured NSS Ciphers
INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
INFO - main - 389-Directory/1.3.7.8 B2017.324.1651 starting up
...
INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
```
Verify SSL connection with mozldap-tools and NSS database:

```
$ /usr/lib64/mozldap/ldapsearch \
    -Z -h $HOSTNAME -p 636 \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -P /etc/dirsrv/slapd-localhost \
    -b "dc=example,dc=com" \
    -s base \
    "(objectClass=*)"
```
or with openldap-clients and DS/PKI CA certificate:

```
$ LDAPTLS_CACERT=ca_signing.crt \
    ldapsearch -H ldaps://$HOSTNAME:636 \
    -x -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "dc=example,dc=com" \
    -s base \
    "(objectClass=*)"
```
or with openldap-clients and NSS database:

```
$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-localhost \
    ldapsearch -H ldaps://$HOSTNAME:636 \
    -x -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "dc=example,dc=com" \
    -s base \
    "(objectClass=*)"
```
Configure PKI server to use SSL by editing /var/lib/pki/pki-tomcat/<subsystem>/conf/CS.cfg:

```
internaldb.ldapconn.host=pki.example.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
```
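Because `secureConn=false` with `port=389` is the default, it is easy to leave one subsystem behind after a migration. The following is an added example, not part of the wiki page or of the PKI project: a small shell audit that reads the `internaldb.ldapconn.*` keys from a CS.cfg file and classifies the resulting connection. The two CS.cfg fragments it writes are constructed samples (the weak default beside the values from the page); `cs_cfg_get`, `cs_cfg_ldap_status` and `write_sample_cs_cfgs` are hypothetical helper names.

```shell
# Added example (not from the wiki): audit the internaldb.ldapconn.* settings
# in a CS.cfg file and classify how the PKI subsystem will reach DS.

# cs_cfg_get FILE KEY -> prints the value of KEY (last occurrence wins, empty if absent)
cs_cfg_get() {
    awk -F= -v key="$2" '
        $1 == key { val = substr($0, length(key) + 2) }
        END { print val }' "$1"
}

# cs_cfg_ldap_status FILE -> prints one of:
#   secure              secureConn=true on the LDAPS port 636 (the values from the page)
#   secure-port:<port>  secureConn=true but not on 636: confirm DS serves LDAPS there
#   cleartext:<port>    secureConn is not "true": the subsystem binds over plain LDAP,
#                       so the Directory Manager credentials cross the network unprotected
cs_cfg_ldap_status() {
    secure=$(cs_cfg_get "$1" internaldb.ldapconn.secureConn)
    port=$(cs_cfg_get "$1" internaldb.ldapconn.port)
    if [ "$secure" = "true" ] && [ "$port" = "636" ]; then
        echo secure
    elif [ "$secure" = "true" ]; then
        echo "secure-port:$port"
    else
        echo "cleartext:${port:-unset}"
    fi
}

# write_sample_cs_cfgs DIR -> writes two constructed CS.cfg fragments:
# DIR/weak.cfg (plain LDAP on 389) and DIR/fixed.cfg (the values shown on the page)
write_sample_cs_cfgs() {
    cat > "$1/weak.cfg" <<'EOF'
internaldb.ldapconn.host=pki.example.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
EOF
    cat > "$1/fixed.cfg" <<'EOF'
internaldb.ldapconn.host=pki.example.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
EOF
}

# Stand-alone demo on the constructed files; on a real system run e.g.
#   cs_cfg_ldap_status /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
demo_dir=$(mktemp -d)
write_sample_cs_cfgs "$demo_dir"
for f in weak fixed; do
    printf '%s: %s\n' "$f.cfg" "$(cs_cfg_ldap_status "$demo_dir/$f.cfg")"
done
rm -rf "$demo_dir"
```

Run it against every `<subsystem>/conf/CS.cfg` on the host (CA, KRA, OCSP, and so on each have their own file), since each subsystem keeps its own `internaldb.ldapconn.*` settings.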
Restart PKI server:

```
$ systemctl restart pki-tomcatd@pki-tomcat.service
```
Verify in DS access log at /var/log/dirsrv/slapd-localhost/access that PKI server is connecting using SSL:

```
conn=36 fd=64 slot=64 SSL connection from pki.example.com to pki.example.com
conn=36 TLS1.2 128-bit AES
```
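Reading the access log by hand confirms one connection; a busy DS makes it hard to notice a subsystem that still connects in the clear. The following is an added example, not part of the wiki page or of the PKI project: it scans an access log and lists every connection from a given client host that was opened without "SSL connection" and never received a `conn=N TLS...` cipher line. The log excerpt it writes is constructed (the LDAPS connection from the page plus a plain LDAP connection from the same host and one from another client); `ds_cleartext_conns` and `write_sample_access_log` are hypothetical helper names.

```shell
# Added example (not from the wiki): scan a 389 DS access log and list the
# connections from a given client host that were never protected by TLS.

# ds_cleartext_conns LOGFILE HOST -> prints "conn=N" for every connection from
# HOST that neither arrived over LDAPS ("SSL connection from") nor got a
# "conn=N TLS1.x ..." cipher line (LDAPS or a StartTLS upgrade). Empty output
# means every connection from HOST was encrypted.
ds_cleartext_conns() {
    awk -v host="$2" '
        # connection-open lines look like:
        #   conn=N fd=F slot=S SSL connection from CLIENT to SERVER   (LDAPS, port 636)
        #   conn=N fd=F slot=S connection from CLIENT to SERVER       (plain LDAP, port 389)
        /connection from/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i + 1) == host) opened[$1] = 1
            if ($0 ~ /SSL connection from/) encrypted[$1] = 1
        }
        # "conn=N TLS1.2 128-bit AES" is logged once the session is encrypted
        $2 ~ /^TLS/ { encrypted[$1] = 1 }
        END {
            for (c in opened)
                if (!(c in encrypted)) print c
        }' "$1" | sort
}

# write_sample_access_log FILE -> constructed access-log excerpt: conn=36 is the
# LDAPS connection from the page, conn=37 a plain LDAP connection from the same
# host, conn=38 a plain LDAP connection from another client.
write_sample_access_log() {
    cat > "$1" <<'EOF'
conn=36 fd=64 slot=64 SSL connection from pki.example.com to pki.example.com
conn=36 TLS1.2 128-bit AES
conn=36 op=0 BIND dn="cn=Directory Manager" method=128 version=3
conn=37 fd=65 slot=65 connection from pki.example.com to pki.example.com
conn=37 op=0 BIND dn="cn=Directory Manager" method=128 version=3
conn=38 fd=66 slot=66 connection from 10.0.0.5 to pki.example.com
conn=38 op=0 BIND dn="uid=app,dc=example,dc=com" method=128 version=3
EOF
}

# Stand-alone demo; on a real system run e.g.
#   ds_cleartext_conns /var/log/dirsrv/slapd-localhost/access pki.example.com
demo_log=$(mktemp)
write_sample_access_log "$demo_log"
echo "cleartext connections from pki.example.com:"
ds_cleartext_conns "$demo_log" pki.example.com
rm -f "$demo_log"
```

Any `conn=N` printed for the PKI host after the restart points at a subsystem whose CS.cfg still has `internaldb.ldapconn.secureConn=false`, or at another client on the same machine; the `conn=N op=0 BIND` line that follows identifies which DN it used.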
Verify PKI server can communicate with the DS with the following command:

```
$ pki ca-cert-find
```