directory-dev mailing list archives

From "Hammond, Steve" <steve.hamm...@Polycom.com>
Subject RE: [ApacheDS] Setting up my own certificate for SSL
Date Thu, 18 Dec 2008 21:23:43 GMT
From what I remember from when it was moved, it is required to be in the
server DIT for StartTLS to work.  I don't know the reason for that though.

-----Original Message-----
From: Stefan Zoerner [mailto:stefan@labeo.de] 
Sent: Thursday, December 18, 2008 12:03 PM
To: Apache Directory Developers List
Subject: Re: [ApacheDS] Setting up my own certificate for SSL

Emmanuel Lecharny wrote:
> Ok, after having looked at the code, I think we should restore the way

> ADS 1.5.1 was handling an external keystore.
> 
> What about adding the two missing parameters in server.xml ? :
> 
>  <ldapService id="ldapsService"
>              enabled="true"
>              tcpPort="10636"
>              enableLdaps="true"
>              nbTcpThreads="8">
>    <directoryService>#directoryService</directoryService>
>  </ldapService>
> 
> should become :
> 
>  <ldapService id="ldapsService"
>              enabled="true"
>              tcpPort="10636"
>              enableLdaps="true"
>              nbTcpThreads="8"
>              keystoreFile="/home/user/.keystore"
>              certificatePassword="changeit">
>    <directoryService>#directoryService</directoryService>
>  </ldapService>
> 
> wdyt ?

This would be a good option for those users who like the old style of using
a keystore file created with standard server tools. For the current 
questions on the ML and my VSLDAP requirements it would be fine.

Disadvantage of this approach is the plain text password in the XML 
file. It offers an intermediate user the chance of extracting the 
private key from the keystore.

The new approach has the advantage that the private key is relatively 
safe in the server DIT.

Is it planned to support both approaches? The keystore is only used if 
it is provided in the XML. Otherwise the key stored in the DIT is used? 
Or should we remove the DIT variant completely? Alex added it in March 
or April; I don't remember the reason for the change.

It would be nice to have an extended LDAP operation for key pair 
creation. Call parameters could carry the parameters needed. It would be
easy to trigger the functionality via Studio or a CL tool. Adding the 
keypair with an LDAP request seems not to be a good idea, because the 
private key should not be transported over the wire. This is perhaps a 
feature for 2.0.

Greetings from Hamburg,
     Stefan
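The drawback Stefan raises above (a plain-text certificatePassword in server.xml lets anyone who can read the XML and the keystore pull out the private key) can be made concrete. The following Java program is an added example written for this page; it is not ApacheDS code and not code posted by anyone in the thread. It reads the keystoreFile and certificatePassword attributes exactly as Emmanuel proposed them, loads the keystore the way a server would, and prints every private key it can unlock as PKCS#8 PEM, after warning when server.xml or the keystore is readable by other local users. Assumptions not in the thread: the file is called server.xml, the element is <ldapService> (as in the quoted fragment), the key-entry password equals the keystore password (keytool's default when only one password is given), and Java 8 or later for java.util.Base64.

```java
// Added example, not ApacheDS code: shows what the proposed keystoreFile /
// certificatePassword attributes in server.xml hand to anyone who can read
// both files, and checks the file permissions a deployer should verify.
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Base64;
import java.util.Enumeration;
import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class KeystoreExposureCheck {

    /** Warn if group or others can read the file (POSIX systems only). */
    static void warnIfReadableByOthers(Path p) throws Exception {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                System.err.println("WARNING: " + p + " is readable by other local users: " + perms);
            }
        } catch (UnsupportedOperationException e) {
            System.err.println("(no POSIX permissions available for " + p + ")");
        }
    }

    /** Load the keystore as a server would and print each private key as PKCS#8 PEM. */
    static void dumpPrivateKeys(Path ksPath, char[] password) throws Exception {
        // "JKS" is what keytool produced at the time; on JDK 9+ the JKS
        // implementation also reads PKCS#12 files (dual-format keystores).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(ksPath)) {
            ks.load(in, password);
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no private key
            }
            // Assumption: key password == store password (keytool default with one password).
            PrivateKey key = (PrivateKey) ks.getKey(alias, password);
            String pem = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(key.getEncoded());
            System.out.println("alias=" + alias + " algorithm=" + key.getAlgorithm());
            System.out.println("-----BEGIN PRIVATE KEY-----\n" + pem + "\n-----END PRIVATE KEY-----");
        }
    }

    public static void main(String[] args) throws Exception {
        Path serverXml = Paths.get(args.length > 0 ? args[0] : "server.xml"); // assumed file name
        warnIfReadableByOthers(serverXml);

        // server.xml needs neither DTDs nor external entities, so refuse them.
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        DocumentBuilder db = f.newDocumentBuilder();
        Document doc;
        try (InputStream in = Files.newInputStream(serverXml)) {
            doc = db.parse(in);
        }

        // Attribute names follow the proposal in the thread; element name is assumed.
        NodeList services = doc.getElementsByTagName("ldapService");
        for (int i = 0; i < services.getLength(); i++) {
            Element svc = (Element) services.item(i);
            String ksFile = svc.getAttribute("keystoreFile");
            if (ksFile.isEmpty()) {
                continue; // this service uses the key stored in the DIT, nothing on disk to read
            }
            Path ksPath = Paths.get(ksFile);
            System.out.println("ldapService id=" + svc.getAttribute("id") + " keystore=" + ksPath);
            warnIfReadableByOthers(ksPath);
            dumpPrivateKeys(ksPath, svc.getAttribute("certificatePassword").toCharArray());
        }
    }
}
```

Run it as the same OS user the server runs as (java KeystoreExposureCheck /path/to/server.xml); if it prints a key, so can anyone else who can read those two files, which is why the XML and the keystore should be owned by the service account with mode 0600 and why the DIT-based variant, where no password sits in a config file, avoids this particular exposure.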

