Enabling Secure Connection to Internal Database - dogtagpki/pki GitHub Wiki

Overview

This document describes the process to configure an existing PKI instance to use an SSL connection to DS.

Note: Since DS 1.4, SSL is enabled by default with a server certificate issued by a self-signed CA certificate.

There are two ways to enable a secure connection from PKI to DS:

  • Install DS CA certificate into PKI.

  • Install PKI-issued server certificate into DS.

Installing DS CA Certificate into PKI

This procedure is simpler, but it relies on the self-signed CA certificate in DS, so it might not work in all cases.

Exporting DS CA certificate

To find the nickname of the CA certificate in DS:

$ certutil -L -d /etc/dirsrv/slapd-localhost

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Self-Signed-CA                                               CT,,
Server-Cert                                                  u,u,u

To export the DS CA certificate:

$ certutil -L -d /etc/dirsrv/slapd-localhost -n Self-Signed-CA -a > ca_signing.crt

Importing DS CA certificate into PKI

To import the DS CA certificate:

$ certutil -A -d /var/lib/pki/pki-tomcat/conf/alias -n "ds-ca_signing" -i ca_signing.crt -t "CT,C,C"

To verify the import:

$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CTu,Cu,Cu
ca_ocsp_signing                                              u,u,u
subsystem                                                    u,u,u
ca_audit_signing                                             u,u,Pu
sslserver                                                    u,u,u
ds-ca_signing                                                CT,C,C

Finally, restart PKI server:

$ systemctl restart pki-tomcatd@pki-tomcat.service

Installing PKI-Issued Server Certificate into DS

This procedure is more complex, but it uses the actual CA certificate in PKI.

Exporting PKI CA certificate

To export PKI CA certificate:

$ pki-server cert-export ca_signing --cert-file ca_signing.crt

Importing PKI CA certificate into DS

To remove the old CA certificate from DS:

$ certutil -D -d /etc/dirsrv/slapd-localhost -f /etc/dirsrv/slapd-localhost/pwdfile.txt -n Self-Signed-CA

To import PKI CA certificate into DS:

$ pki -d /etc/dirsrv/slapd-localhost -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-import ca_signing \
    --cert ca_signing.crt \
    --trust CT,C,C

Generating server certificate request

To show the existing server key in DS:

$ certutil -K -d /etc/dirsrv/slapd-localhost -f /etc/dirsrv/slapd-localhost/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      d33aaa95388e61eaa164c381a7fbb59c0c5007c8   NSS Certificate DB:Server-Cert

To generate a server certificate request with the same key:

$ pki -d /etc/dirsrv/slapd-localhost -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-request \
    --key-id d33aaa95388e61eaa164c381a7fbb59c0c5007c8 \
    --subject "CN=pki.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr ds-sslserver.csr

Issuing server certificate

To issue a server certificate for DS:

$ pki -d /var/lib/pki/pki-tomcat/conf/alias/ -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-issue \
    --issuer ca_signing \
    --csr ds-sslserver.csr \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --cert ds-sslserver.crt

Importing server certificate

To remove the old server certificate from DS:

$ certutil -D -d /etc/dirsrv/slapd-localhost -f /etc/dirsrv/slapd-localhost/pwdfile.txt -n Server-Cert

To import the server certificate into DS:

$ pki -d /etc/dirsrv/slapd-localhost -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
    nss-cert-import Server-Cert \
    --cert ds-sslserver.crt

To verify the import:

$ certutil -L -d /etc/dirsrv/slapd-localhost

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CT,C,C
Server-Cert                                                  u,u,u

Finally, restart DS:

$ systemctl restart dirsrv@localhost.service

Verification

Verify in the DS error log at /var/log/dirsrv/slapd-localhost/errors that DS started successfully with SSL:

INFO - Security Initialization - SSL info: Enabling default cipher set.
INFO - Security Initialization - SSL info: Configured NSS Ciphers
INFO - Security Initialization - SSL info:     TLS_AES_128_GCM_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_CHACHA20_POLY1305_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_AES_256_GCM_SHA384: enabled
INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
INFO - Security Initialization - SSL info:     TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
INFO - Security Initialization - SSL info:     TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_128_CBC_SHA: enabled
INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_256_CBC_SHA: enabled
INFO - Security Initialization - SSL info:     TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
INFO - main - 389-Directory/1.3.7.8 B2017.324.1651 starting up
...
INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests

Verify the SSL connection with mozldap-tools and the NSS database:

$ /usr/lib64/mozldap/ldapsearch \
   -Z -h $HOSTNAME -p 636 \
   -D "cn=Directory Manager" \
   -w Secret.123 \
   -P /etc/dirsrv/slapd-localhost \
   -b "dc=example,dc=com" \
   -s base \
   "(objectClass=*)"

or with openldap-clients and DS/PKI CA certificate:

$ LDAPTLS_CACERT=ca_signing.crt \
    ldapsearch -H ldaps://$HOSTNAME:636 \
    -x -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "dc=example,dc=com" \
    -s base \
    "(objectClass=*)"

or with openldap-clients and the NSS database:

$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-localhost \
    ldapsearch -H ldaps://$HOSTNAME:636 \
    -x -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "dc=example,dc=com" \
    -s base \
    "(objectClass=*)"

Enabling Secure DS Connection in PKI

Configure PKI server to use SSL by editing /var/lib/pki/pki-tomcat/<subsystem>/conf/CS.cfg:

internaldb.ldapconn.host=pki.example.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
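As an added pre-restart check (not part of this wiki page or the pki tool), the following Python parses these three settings from a CS.cfg fragment and flags the plaintext form beside the secured one. It assumes the configured host must equal the subject CN the DS server certificate was issued with (CN=pki.example.com above) so that host-name verification of the DS certificate can succeed.

```python
# Constructed CS.cfg fragments (not copied from a real instance): the first is
# the plaintext default, the second the secured form shown on this page.
INSECURE_CFG = """\
internaldb.ldapconn.host=pki.example.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
"""
SECURE_CFG = """\
internaldb.ldapconn.host=pki.example.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
"""

def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines into a dict (comments and blanks skipped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        cfg[key.strip()] = value.strip()
    return cfg

def check_internaldb(text, cert_cn):
    """Return a list of findings; an empty list means the internaldb settings
    are consistent with a TLS connection to a DS certificate issued for cert_cn."""
    cfg = parse_cs_cfg(text)
    findings = []
    secure = cfg.get('internaldb.ldapconn.secureConn', 'false').lower() == 'true'
    port = cfg.get('internaldb.ldapconn.port')
    host = cfg.get('internaldb.ldapconn.host')
    if not secure:
        findings.append('secureConn is not true: PKI will bind to DS in plaintext')
    if secure and port != '636':
        findings.append(f'secureConn=true but port={port}: expected the LDAPS port 636')
    if not secure and port == '636':
        findings.append('port=636 but secureConn=false: DS expects a TLS handshake on 636')
    if host != cert_cn:
        findings.append(f'host={host} does not match the DS certificate CN={cert_cn}')
    return findings
```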

Restart PKI server:

$ systemctl restart pki-tomcatd@pki-tomcat.service

Verify in the DS access log at /var/log/dirsrv/slapd-localhost/access that the PKI server is connecting using SSL:

conn=36 fd=64 slot=64 SSL connection from pki.example.com to pki.example.com
conn=36 TLS1.2 128-bit AES
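An added audit script, not from this wiki or the dogtagpki project, that correlates access-log lines like the two above per connection id over a constructed log sample and reports any BIND from the PKI host that was not preceded by an SSL or TLS line; it also recognises StartTLS upgrades, which the page does not show. The timestamp prefix and the fd=/slot=/op= fields are assumed from the 389 DS access-log layout.

```python
import re

# Constructed 389 DS access log sample (not from a real system): conn=36 is
# the PKI server over LDAPS, conn=37 a plaintext bind from the same host, and
# conn=38 a client that upgrades with StartTLS before binding.
SAMPLE_ACCESS_LOG = """\
[01/Jan/2024:12:00:00.000000000 +0000] conn=36 fd=64 slot=64 SSL connection from pki.example.com to pki.example.com
[01/Jan/2024:12:00:00.000000000 +0000] conn=36 TLS1.2 128-bit AES
[01/Jan/2024:12:00:00.000000000 +0000] conn=36 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[01/Jan/2024:12:00:01.000000000 +0000] conn=37 fd=65 slot=65 connection from pki.example.com to pki.example.com
[01/Jan/2024:12:00:01.000000000 +0000] conn=37 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[01/Jan/2024:12:00:02.000000000 +0000] conn=38 fd=66 slot=66 connection from 10.0.0.5 to pki.example.com
[01/Jan/2024:12:00:02.000000000 +0000] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[01/Jan/2024:12:00:02.000000000 +0000] conn=38 TLS1.3 128-bit AES-GCM
[01/Jan/2024:12:00:02.000000000 +0000] conn=38 op=1 BIND dn="cn=Directory Manager" method=128 version=3
"""

CONN_RE = re.compile(r'conn=(\d+) (.*)$')              # conn id and the rest of the line
OPEN_RE = re.compile(r'\b(SSL )?connection from (\S+) to ')  # new connection, LDAPS if "SSL "
TLS_RE = re.compile(r'^TLS1\.\d ')                    # negotiated TLS (LDAPS or StartTLS)
BIND_RE = re.compile(r'^op=\d+ BIND ')                 # credentials sent on this connection

def audit_binds(log_text):
    """Map conn id -> (client, secured) for each connection that sent a BIND;
    secured means DS logged "SSL connection" or a TLS line before the BIND."""
    client, secured, result = {}, set(), {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.groups()
        opened = OPEN_RE.search(rest)
        if opened:
            client[conn] = opened.group(2)
            if opened.group(1):          # "SSL connection from": LDAPS on port 636
                secured.add(conn)
        elif TLS_RE.match(rest):         # handshake completed (covers StartTLS too)
            secured.add(conn)
        elif BIND_RE.match(rest):        # record the state at the moment of BIND
            result[conn] = (client.get(conn, '?'), conn in secured)
    return result

def plaintext_binds(log_text, host):
    """Conn ids whose BIND from `host` was sent without TLS; should be empty."""
    return sorted(c for c, (cl, sec) in audit_binds(log_text).items()
                  if cl == host and not sec)
```

Run `plaintext_binds(open('/var/log/dirsrv/slapd-localhost/access').read(), 'pki.example.com')` against the real log after the restart; any conn id it returns is a plaintext bind from the PKI host that still needs attention.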

Verify that the PKI server can communicate with DS with the following command:

$ pki ca-cert-find
