directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@gmail.com>
Subject Re: [ApacheDS] Setting up my own certificate for SSL
Date Thu, 18 Dec 2008 14:46:38 GMT
Ok, after having looked at the code, I think we should restore the way 
ADS 1.5.1 was handling an external keystore.

What about adding the two missing parameters in server.xml?

  <ldapService id="ldapsService"
              enabled="true"
              tcpPort="10636"
              enableLdaps="true"
              nbTcpThreads="8">
    <directoryService>#directoryService</directoryService>
  </ldapService>

should become:

  <ldapService id="ldapsService"
              enabled="true"
              tcpPort="10636"
              enableLdaps="true"
              nbTcpThreads="8"
              keystoreFile="/home/user/.keystore"
              certificatePassword="changeit">
    <directoryService>#directoryService</directoryService>
  </ldapService>

wdyt?

Stefan Seelmann wrote:
> Hi Stefan,
>
> Stefan Zoerner wrote:
>   
>> Hi all,
>>
>> I am facing some problems with the current (since 1.5.3, I assume) SSL
>> configuration. In earlier days, it was possible to provide a keystore
>> with the public/private key, certificate etc. here
>>
>> http://cwiki.apache.org/confluence/display/DIRxSRVx11/3.3.+How+to+enable+SSL
>>
>> Now, the server creates a keypair when it starts the first time and
>> stores it in the entry uid=admin,ou=system, in different attributes.
>>
>> To be honest: This is an example why our documentation is so bad. The
>> old behavior has been well described in the docs. Someone changed it
>> completely, and did not update the docs. Same situation holds true for
>> the whole configuration. :-(
>>
>> Nevertheless, the new SSL functionality seems to be simpler, because it
>> is possible to set it up automatically. But if I plan to use a custom
>> certificate, it should be at least possible. Today, there was a
>> corresponding question on the user list.
>>
>> I wanted to update the docs to reflect the changes, and I am still
>> trying to figure out, what an easy way for our users would be.
>>
>> A question for the current implementation: Is there any way to
>> configure/influence the key creation at startup? I assume no, but
>> perhaps I am missing something.
>>     
>
> I have no idea. The only direction I could point you to is the class where
> the initial private key and certificate are created, see [1].
>
>   
>> Currently, the only way to set up my own certificate is modifying the
>> attribute values for uid=admin,ou=system
>>
>> This is not an easy task, because we do not have any tools for that.
>> There is no wizard in Studio yet. Even if there would be one -- it
>> should be possible without a UI client, ...
>>     
>
> You are right, if we create some tooling we should put all common code
> into the shared libraries, and then create a wizard for studio and a
> CL-tool.
>
>   
>> I was able to store my private key, but I am a little bit confused about
>> some attribute. What exactly is contained in userCertificate and what in
>> publicKey?
>>
>> I assume, userCertificate holds the certificate the server presents to
>> client. But why do we need publicKey as well. I think it is contained in
>> the userCertificate. No?
>>     
>
> I assume too.
>
> Kind Regards,
> Stefan
>
>
> [1]
> http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java?view=markup
>
>   


-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
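Before pointing a `keystoreFile`/`certificatePassword` pair like the one proposed above at a server, it is worth checking that the keystore actually opens with that password, that it holds a key entry with a certificate chain, and that the private key really belongs to the certificate that will be presented to LDAPS clients. The following stand-alone program is an added example and is not part of ApacheDS or of the code discussed in this thread. It assumes a JKS file (the format `keytool` writes by default) and, as a single `certificatePassword` attribute implies, that the key entry is protected by the same password as the store itself. It also answers the userCertificate/publicKey question empirically: the public key is part of the X.509 certificate and can be read straight out of it with `getPublicKey()`, so nothing else needs to be stored alongside it.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

/**
 * Sanity-checks a JKS keystore before it is referenced from server.xml:
 * the store opens with the given password, every key entry carries a
 * certificate chain, the leaf certificate is valid right now, and the
 * private key matches the public key embedded in that certificate.
 * Added example; not ApacheDS code.
 */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java KeystoreCheck <keystoreFile> [password]");
            System.exit(2);
        }
        // Prompting keeps the password out of the process list; the
        // second argument is only a fallback for non-interactive runs.
        char[] password;
        if (args.length >= 2) {
            password = args[1].toCharArray();
        } else {
            Console console = System.console();
            if (console == null) {
                System.err.println("no console; pass the password as the second argument");
                System.exit(2);
                return;
            }
            password = console.readPassword("keystore password: ");
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // a wrong password surfaces here as an IOException
        }

        int keyEntries = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted-certificate entry only, no private key");
                continue;
            }
            keyEntries++;
            // Assumption: key entry password == store password (one certificatePassword).
            PrivateKey priv = (PrivateKey) ks.getKey(alias, password);
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];

            System.out.println(alias + ": subject=" + leaf.getSubjectX500Principal()
                    + ", issuer=" + leaf.getIssuerX500Principal()
                    + ", notAfter=" + leaf.getNotAfter());
            try {
                leaf.checkValidity(); // expired or not-yet-valid certificates throw here
            } catch (CertificateException e) {
                System.out.println("  WARNING: certificate is not valid now: " + e.getMessage());
            }
            // The certificate's SubjectPublicKeyInfo already holds the public key.
            PublicKey pub = leaf.getPublicKey();
            System.out.println("  private key matches certificate: " + keyPairMatches(priv, pub));
        }
        if (keyEntries == 0) {
            System.out.println("WARNING: no key entry found; an LDAPS listener needs a private key");
        }
        Arrays.fill(password, '\0'); // do not leave the password lying around in memory
    }

    /** Signs a fixed probe with the private key and verifies it with the public key. */
    static boolean keyPairMatches(PrivateKey priv, PublicKey pub) throws Exception {
        String alg = priv.getAlgorithm();
        if (!alg.equals(pub.getAlgorithm())) {
            return false;
        }
        String sigAlg;
        switch (alg) {
            case "RSA": sigAlg = "SHA256withRSA"; break;
            case "EC":  sigAlg = "SHA256withECDSA"; break;
            case "DSA": sigAlg = "SHA256withDSA"; break;
            default:    return false; // unsupported key type for this check
        }
        byte[] probe = "keystore-check".getBytes(StandardCharsets.US_ASCII);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(priv);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(pub);
        verifier.update(probe);
        return verifier.verify(sig);
    }
}
```

Run it as `java KeystoreCheck /home/user/.keystore` and type the password at the prompt. A store that opens but reports "private key matches certificate: false" is the classic symptom of a certificate imported under a different alias than the key it was issued for; a store with only trusted-certificate entries will not be able to serve LDAPS at all.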


