ipa-server/ipa-install/ipa-server-setupssl


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

#!/bin/bash

if [ "$1" ] ; then
    password=$1
else
    echo "password required"
    exit 1
fi

if [ "$2" -a -d "$2" ] ; then
    secdir="$2"
else
    secdir=/etc/dirsrv/slapd-localhost
fi

if [ "$3" ] ; then
    myhost=$3
else
    myhost=`hostname --fqdn`
fi


if [ "$4" ] ; then
    ldapport=$4
else
    ldapport=389
fi

me=`whoami`
if [ "$me" = "root" ] ; then
    isroot=1
fi

# see if there are already certs and keys
if [ -f $secdir/cert8.db ] ; then
    # look for CA cert
    if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then
        echo "Using existing CA certificate"
    else
        echo "No CA certificate found - will create new one"
        needCA=1
    fi

    # look for server cert
    if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then
        echo "Using existing directory Server-Cert"
    else
        echo "No Server Cert found - will create new one"
        needServerCert=1
    fi

    prefix="new-"
    prefixarg="-P $prefix"
else
    needCA=1
    needServerCert=1
fi

if test -z "$needCA" -a -z "$needServerCert" ; then
    echo "No certs needed - exiting"
    exit 0
fi

# get our user and group
if test -n "$isroot" ; then
    uid=`/bin/ls -ald $secdir | awk '{print $3}'`
    gid=`/bin/ls -ald $secdir | awk '{print $4}'`
fi

# 2. Create a password file for your security token password:
if [ -f $secdir/pwdfile.txt ] ; then
    echo "Using existing $secdir/pwdfile.txt"
else
    (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt
    if test -n "$isroot" ; then
        chown $uid:$gid $secdir/pwdfile.txt
    fi
    chmod 400 $secdir/pwdfile.txt
fi

# 3. Create a "noise" file for your encryption mechanism: 
if [ -f $secdir/noise.txt ] ; then
    echo "Using existing $secdir/noise.txt file"
else
    (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt
    if test -n "$isroot" ; then
        chown $uid:$gid $secdir/noise.txt
    fi
    chmod 400 $secdir/noise.txt
fi

# 4. Create the key3.db and cert8.db databases:
certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt
if test -n "$isroot" ; then
    chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
fi
chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db


if test -n "$needCA" ; then
# 5. Generate the encryption key:
    certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
# 6. Generate the self-signed certificate: 
    certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
# export the CA cert for use with other apps
    certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc
    pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
fi

if test -n "$needServerCert" ; then
# 7. Generate the server certificate:
    certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
fi

# create the pin file
if [ ! -f $secdir/pin.txt ] ; then
    pinfile=$secdir/pin.txt
    echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile
    if test -n "$isroot" ; then
        chown $uid:$gid $pinfile
    fi
    chmod 400 $pinfile
else
    echo Using existing $secdir/pin.txt
fi

if [ -n "$prefix" ] ; then
    # move the old files out of the way
    mv $secdir/cert8.db $secdir/orig-cert8.db
    mv $secdir/key3.db $secdir/orig-key3.db
    # move in the new files - will be used after server restart
    mv $secdir/${prefix}cert8.db $secdir/cert8.db
    mv $secdir/${prefix}key3.db $secdir/key3.db
fi

# enable SSL in the directory server

ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

EOF