New server certificate for LDAPS


Some notes on creating and using a new server certificate for LDAPS with OpenDJ.

This version shows the command-line configuration.

Step 1. Generate and self-sign the server certificate using the keytool command.

The keytool command comes with the Java environment.

mark@mark-netbook:~/OpenDJ$ keytool -genkey -alias server-cert \
 -keyalg rsa -dname "CN=mark-netbook,O=Example Corp,C=FR" \
 -keystore config/keystore -storepass changeit -keypass changeit
mark@mark-netbook:~/OpenDJ$ keytool -selfcert -alias server-cert \
 -keystore config/keystore -storepass changeit

Notice that the hostname in the CN attribute matches the hostname used on the laptop for this test installation.

Also notice that a JKS keystore is created here in the OpenDJ/config/ directory.

Step 2. Start the dsconfig command in interactive mode.

mark@mark-netbook:~/OpenDJ$ ./bin/dsconfig

>>>> Specify OpenDS LDAP connection parameters

Directory server hostname or IP address [mark-netbook]: 

Directory server administration port number [4444]: 

Administrator user bind DN [cn=Directory Manager]: 

Password for user 'cn=Directory Manager': 

>>>> OpenDS configuration console main menu

What do you want to configure?

    1)   Access Control Handler               23)  Log Rotation Policy
    2)   Account Status Notification Handler  24)  Matching Rule
    3)   Administration Connector             25)  Monitor Provider
    4)   Alert Handler                        26)  Network Group
    5)   Attribute Syntax                     27)  Network Group QOS Policy
    6)   Backend                              28)  Password Generator
    7)   Certificate Mapper                   29)  Password Policy
    8)   Connection Handler                   30)  Password Storage Scheme
    9)   Crypto Manager                       31)  Password Validator
    10)  Debug Target                         32)  Plugin
    11)  Entry Cache                          33)  Plugin Root
    12)  Extended Operation Handler           34)  Replication Domain
    13)  Extension                            35)  Replication Server
    14)  External Changelog Domain            36)  Root DN
    15)  Global Configuration                 37)  Root DSE Backend
    16)  Group Implementation                 38)  SASL Mechanism Handler
    17)  Identity Mapper                      39)  Synchronization Provider
    18)  Key Manager Provider                 40)  Trust Manager Provider
    19)  Local DB Index                       41)  Virtual Attribute
    20)  Local DB VLV Index                   42)  Work Queue
    21)  Log Publisher                        43)  Workflow
    22)  Log Retention Policy                 44)  Workflow Element

    q)   quit

Enter choice:

Step 3. Configure the File Based Key Manager Provider for JKS to use the filename and keystore PIN that you set up with the keytool command.

>>>> Configure the properties of the File Based Key Manager Provider

        Property                            Value(s)
        ---------------------------------------------------
    1)  enabled                             true
    2)  key-store-file                      config/keystore
    3)  key-store-pin                       changeit
    4)  key-store-pin-environment-variable  -
    5)  key-store-pin-file                  -
    6)  key-store-pin-property              -
    7)  key-store-type                      JKS

    ?)  help
    f)  finish - apply any changes to the File Based Key Manager Provider
    c)  cancel
    q)  quit

Enter choice [f]: 

The File Based Key Manager Provider was modified successfully

Step 4. Configure the File Based Trust Manager Provider for JKS to use the keystore and PIN you set up.

>>>> Configure the properties of the File Based Trust Manager Provider

        Property                              Value(s)
        -----------------------------------------------------
    1)  enabled                               true
    2)  trust-store-file                      config/keystore
    3)  trust-store-pin                       changeit
    4)  trust-store-pin-environment-variable  -
    5)  trust-store-pin-file                  -
    6)  trust-store-pin-property              -
    7)  trust-store-type                      JKS

    ?)  help
    f)  finish - apply any changes to the File Based Trust Manager Provider
    c)  cancel
    q)  quit

Enter choice [f]: 

The File Based Trust Manager Provider was modified successfully

Step 5. Configure the listen-port and enabled properties of the LDAPS Connection Handler as shown below.

>>>> Configure the properties of the LDAP Connection Handler

         Property                Value(s)
         ----------------------------------------------------------------------
    1)   allow-ldap-v2           true
    2)   allow-start-tls         false
    3)   allowed-client          All clients with addresses that do not match
                                 an address on the deny list are allowed. If
                                 there is no deny list, then all clients are
                                 allowed.
    4)   denied-client           If an allow list is specified, then only
                                 clients with addresses on the allow list are
                                 allowed. Otherwise, all clients are allowed.
    5)   enabled                 true
    6)   keep-stats              true
    7)   key-manager-provider    JKS
    8)   listen-address          0.0.0.0
    9)   listen-port             1636
    10)  ssl-cert-nickname       Let the server decide.
    11)  ssl-cipher-suite        Uses the default set of SSL cipher suites
                                 provided by the server's JVM.
    12)  ssl-client-auth-policy  optional
    13)  ssl-protocol            Uses the default set of SSL protocols provided
                                 by the server's JVM.
    14)  trust-manager-provider  JKS
    15)  use-ssl                 true

    ?)   help
    f)   finish - apply any changes to the LDAP Connection Handler
    c)   cancel
    q)   quit

Enter choice [f]: 

The LDAP Connection Handler was modified successfully

Step 6. Try a search using SSL to check that your new certificate is in place.

mark@mark-netbook:~/OpenDJ$ ./bin/ldapsearch --port 1636 --useSSL \
 --baseDN "" --searchScope base "(objectclass=*)"

The server is using the following certificate:
Subject DN:  CN=mark-netbook, O=Example Corp, C=FR
Issuer DN:  CN=mark-netbook, O=Example Corp, C=FR
Validity:  Tue Apr 05 16:47:26 CEST 2011 through Mon Jul 04 16:47:26 CEST 2011
Do you wish to trust this certificate and continue connecting to the server?
Please enter "yes" or "no":yes
dn:
objectClass: top
objectClass: ds-root-dse

Of course, client applications should not trust this self-signed certificate by default, but it can be used for tests.


2 thoughts on “New server certificate for LDAPS”

  1. Hello, I am unable to change the keystore password on my java keystore file and properly update OpenDJ with the new password. The keystore works correctly with its existing password and contains a cert issued by a CA (it is not self-signed.) So, the task I am trying to complete here is simply changing the password on the keystore file and update OpenDJ accordingly.

    Before making any changes to the keystore or OpenDJ, I will show my File Based Key Manager Provider for JKS from dsconfig:

    1) enabled true
    2) key-store-file /path/to/keystore
    3) key-store-pin -
    4) key-store-pin-environment-variable -
    5) key-store-pin-file path/to/keystore.pin
    6) key-store-pin-property -
    7) key-store-type JKS

    As shown, in the working state, I do not have a key-store-pin, rather, I have key-store-pin-file which contains the keystore password (pin) in clear text. This was how the OpenDJ “Setup” program set it up — it was very easy to do through the Setup GUI but unfortunately, that GUI is unavailable for this task.

    Now I will change the keystore password.

    keytool -storepasswd -keystore /path/to/keystore
    Enter keystore password: ********
    New keystore password: ********
    Re-enter new keystore password: ********

    I have tried updating OpenDJ two different ways (reverting back to the working state in between each attempt to ensure I am not mixing problems.) Neither works, unfortunately.

    (1) I have tried just putting the new password into /path/to/keystore.pin, shutting down and restarting OpenDJ. This does not work.

    (2) Using dsconfig, I have tried clearing key-store-pin-file and entering the value directly in key-store-pin. After restarting OpenDJ, this does not work either.

    I have tried a couple variations on the above: trying (1) with a renamed keystore and keystore.pin file, trying (2) with just a renamed keystore file, nothing works.

    Interestingly, when I use keytool to revert the password back to what it was in the past and revert all of OpenDJ's settings back to what I show way above, everything works again. So, I do not think it is a problem with the way I am changing the keystore password nor a problem with OpenDJ accepting the configuration changes I make. I would be very grateful for any assistance!

  2. Hi,

    Sorry for the delay.

    Is it possible that your key password is not exactly the same as your keystore password? See the note about this in the Admin Guide procedure To Request and Install a CA-Signed Certificate. (There’s no separate key.pin.)

    When I ensure both passwords are the same, OpenDJ seems to work fine as in the following example. Notice I don’t have to touch dsconfig at all. Granted, server-cert is self-signed in this example, but I don’t see why this would be different with a CA-signed cert.

    $ cd /path/to/OpenDJ/bin
    $ stop-ds
    $ keytool -storepasswd -keystore ../config/keystore -new password -storepass `cat ../config/keystore.pin`
    $ keytool -keypasswd -keystore ../config/keystore -storepass password -alias server-cert -new password -keypass `cat ../config/keystore.pin`
    $ echo password > ../config/keystore.pin
    $ start-ds
    $ ldapsearch -p 1389 -b dc=example,dc=com --useStartTLS uid=bjensen cn
    The server is using the following certificate: 
        Subject DN:  CN=desktop.example.com, O=OpenDJ Self-Signed Certificate
        Issuer DN:  CN=desktop.example.com, O=OpenDJ Self-Signed Certificate
        Validity:  Sat Feb 23 09:13:51 CET 2013 through Fri Feb 18 09:13:51 CET 2033
    Do you wish to trust this certificate and continue connecting to the server?
    Please enter "yes" or "no":yes
    dn: uid=bjensen,ou=People,dc=example,dc=com
    cn: Barbara Jensen
    cn: Babs Jensen
    
    $

    Hope it helps. Regards,
    Mark
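
The mismatch Mark points to in his reply (a key password that differs from the keystore password, while OpenDJ reads a single PIN from key-store-pin or key-store-pin-file, as in Step 3) can be checked without a JVM, because the JKS format is documented: the file ends with a SHA-1 integrity digest over the store password and the content, and each private key is wrapped with the Sun key protector, which carries its own SHA-1 check value. The script below is an added example, not part of the post or of OpenDJ. It parses a JKS file, tests the PIN against the store digest and against every private-key entry, and builds a small constructed keystore with dummy key and certificate bytes so the check can be exercised without keytool. The command-line paths, the alias server-cert and the fixture bytes are assumptions; a real keystore is read from disk.

```python
# Offline check that an OpenDJ keystore PIN opens both the JKS store and its private keys.
# Added example, not from the original post or from OpenDJ. Assumes a JKS file as written by
# keytool (not PKCS#12) and a PIN file holding the password on one line (config/keystore.pin).
import hashlib
import struct

MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"                              # constant JKS mixes into the store digest
KEY_PROTECTOR_OID = bytes.fromhex("2b060104012a02110101")  # 1.3.6.1.4.1.42.2.17.1.1

def _pw(password):
    return password.encode("utf-16-be")        # JKS hashes each password char as 2 big-endian bytes

def store_password_matches(jks, password):
    # The file ends with SHA-1(password || "Mighty Aphrodite" || everything before it).
    return hashlib.sha1(_pw(password) + WHITENER + jks[:-20]).digest() == jks[-20:]

def _xor_stream(pw, salt, length):
    # Key-protector keystream: chained SHA-1(password || previous digest), seeded by the salt.
    out, prev = b"", salt
    while len(out) < length:
        prev = hashlib.sha1(pw + prev).digest()
        out += prev
    return out[:length]

def protect_key(plain, password, salt):
    # keytool's layout: salt(20) || plain XOR keystream || SHA-1(password || plain)
    pw = _pw(password)
    enc = bytes(a ^ b for a, b in zip(plain, _xor_stream(pw, salt, len(plain))))
    return salt + enc + hashlib.sha1(pw + plain).digest()

def key_password_matches(protected, password):
    pw, salt, enc, check = _pw(password), protected[:20], protected[20:-20], protected[-20:]
    plain = bytes(a ^ b for a, b in zip(enc, _xor_stream(pw, salt, len(enc))))
    return hashlib.sha1(pw + plain).digest() == check

def _der_len(buf, pos):
    # DER length at pos (short or long form); returns (length, offset of the content).
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def unwrap_encrypted_key(der):
    # EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING encryptedData }
    _, pos = _der_len(der, 1)                          # enter the outer SEQUENCE
    alg_len, pos = _der_len(der, pos + 1)
    oct_len, pos = _der_len(der, pos + alg_len + 1)    # skip AlgorithmIdentifier, read OCTET STRING
    return der[pos:pos + oct_len]

def _der_short(tag, content):
    # Short-form DER TLV; enough for the small fixture built below (content < 128 bytes).
    return bytes([tag, len(content)]) + content

def _utf(s):
    return struct.pack(">H", len(s.encode())) + s.encode()   # Java UTF: 2-byte length prefix

def parse_jks(jks):
    # Return {alias: protected key bytes} for every private-key entry of a version-2 JKS.
    u32 = lambda p: struct.unpack(">I", jks[p:p + 4])[0]
    u16 = lambda p: struct.unpack(">H", jks[p:p + 2])[0]
    if u32(0) != MAGIC or u32(4) != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, keys = 12, {}
    for _ in range(u32(8)):
        tag, alen = u32(pos), u16(pos + 4)
        alias = jks[pos + 6:pos + 6 + alen].decode()
        pos += 6 + alen + 8                        # tag, alias, 8-byte creation timestamp
        nchain = 1                                 # trusted-certificate entry: exactly one cert
        if tag == 1:                               # private-key entry: protected key, then chain
            klen = u32(pos)
            keys[alias] = unwrap_encrypted_key(jks[pos + 4:pos + 4 + klen])
            pos += 4 + klen
            nchain, pos = u32(pos), pos + 4
        for _ in range(nchain):
            pos += 2 + u16(pos)                    # certificate type string, e.g. "X.509"
            pos += 4 + u32(pos)                    # DER certificate, not needed for the PIN check
    return keys

def check_keystore(jks, pin):
    # OpenDJ hands the single key-store-pin to both the store and the keys, so both must match.
    report = {"store": store_password_matches(jks, pin)}
    for alias, protected in parse_jks(jks).items():
        report[alias] = key_password_matches(protected, pin)
    return report

def build_keystore(store_password, key_password, alias="server-cert"):
    # Constructed one-entry JKS fixture with dummy key/certificate bytes (no real crypto material).
    dummy_key, dummy_cert = bytes(range(48)), b"\x30\x03\x02\x01\x01"
    protected = protect_key(dummy_key, key_password, salt=b"\x01" * 20)
    alg = _der_short(0x30, _der_short(0x06, KEY_PROTECTOR_OID) + b"\x05\x00")
    wrapped = _der_short(0x30, alg + _der_short(0x04, protected))
    body = struct.pack(">IIII", MAGIC, 2, 1, 1) + _utf(alias) + struct.pack(">Q", 0)
    body += struct.pack(">I", len(wrapped)) + wrapped + struct.pack(">I", 1)
    body += _utf("X.509") + struct.pack(">I", len(dummy_cert)) + dummy_cert
    return body + hashlib.sha1(_pw(store_password) + WHITENER + body).digest()

if __name__ == "__main__":
    import sys                                     # usage: jks_pin_check.py config/keystore config/keystore.pin
    with open(sys.argv[1], "rb") as ks, open(sys.argv[2]) as pin_file:
        print(check_keystore(ks.read(), pin_file.read().strip()))
```

Run it against the real files, for example `python3 jks_pin_check.py config/keystore config/keystore.pin`. A report with `store` True and an alias False is exactly the state that `keytool -storepasswd` alone leaves behind, since it changes only the store password; the `-keypasswd` step in the reply brings the key back in line with the PIN.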
