FedFsInstallNsdbCertificates0.9
From Linux NFS
Chucklever (Talk | contribs) (→LDAP server configuration) |
Chucklever (Talk | contribs) (→Passing out the server's x.509 certificate) |
||
(2 intermediate revisions not shown) | |||
Line 13: | Line 13: | ||
== Introduction == | == Introduction == | ||
- | A | + | A [[FedFsGlossary#Namespace_Database|Namespace Database]], or NSDB, is the repository for fileset location information in a [[FedFsGlossary#FedFs_Domain|FedFS domain]]. At its core, an NSDB is simply an LDAP server with an NSDB Container Entry, or NCE, for short. FedFS data is stored as children of this entry. |
In this article, we show how to create and distribute x.509 LDAP server certificates. With these certificates, NSDB clients (fileservers or NSDB administrative tools) can use TLS when communicating with NSDBs. | In this article, we show how to create and distribute x.509 LDAP server certificates. With these certificates, NSDB clients (fileservers or NSDB administrative tools) can use TLS when communicating with NSDBs. | ||
Line 19: | Line 19: | ||
== LDAP server configuration == | == LDAP server configuration == | ||
- | For now, this bit is specific to OpenLDAP on Fedora. More to come | + | For now, this bit is specific to OpenLDAP on Fedora. More to come. |
- | + | ==== Create a self-signed CA certicate ==== | |
- | # cd /etc/pki/tls/ | + | # cd /etc/pki/tls/misc |
- | # | + | # ./CA -newca |
- | + | ||
- | + | Answer the questions. Choose a secure but easy-to-remember database password. The Common Name must match the FQDN of the LDAP/NSDB server. | |
- | + | The new CA cert is placed in /etc/pki/CA/cacert.pem | |
- | + | ||
- | + | ==== Create a certificate request and key for the LDAP server ==== | |
+ | |||
+ | # ./CA -newreq-nodes | ||
+ | |||
+ | Answer the questions. The Common Name must match the FQDN of the LDAP/NSDB server. | ||
+ | |||
+ | The new certificate request and key are placed in /etc/pki/tls/misc/newreq.pem | ||
+ | |||
+ | ==== Sign the LDAP server certificate request with the CA certificate ==== | ||
+ | |||
+ | # ./CA -sign | ||
+ | |||
+ | The signed certificate is placed in newcert.pem | ||
+ | |||
+ | ==== Install and secure the new certificate material ==== | ||
+ | |||
+ | # cp /etc/pki/CA/cacert.pem /etc/openldap/cacert.pem | ||
+ | # chmod 444 /etc/openldap/cacert.pem | ||
+ | # mv /etc/pki/tls/misc/newcert.pem /etc/openldap/server-cert.pem | ||
+ | # chmod 444 /etc/openldap/server-cert.pem | ||
+ | # chown ldap.ldap /etc/openldap/server-cert.pem | ||
+ | # mv /etc/pki/tls/misc/newreq.pem /etc/openldap/server-key.pem | ||
+ | # chmod 400 /etc/openldap/server-key.pem | ||
+ | # chown ldap.ldap /etc/openldap/server-key.pem | ||
+ | |||
+ | ==== Configure the LDAP server to use the new certificates ==== | ||
+ | |||
+ | On your LDAP/NSDB server, edit /tmp/ldif and add only these lines: | ||
dn: cn=config | dn: cn=config | ||
- | + | changeType: modify | |
- | + | add: olcTLSCACertificateFile | |
- | olcTLSCACertificateFile: /etc/ | + | olcTLSCACertificateFile: /etc/openldap/cacert.pem |
- | + | - | |
- | + | add: olcTLSCertificateFile | |
- | + | olcTLSCertificateFile: /etc/openldap/server-cert.pem | |
- | + | - | |
- | olcTLSCertificateFile: /etc/ | + | add: olcTLSCertificateKeyFile |
- | + | olcTLSCertificateKeyFile: /etc/openldap/server-key.pem | |
- | + | - | |
- | + | add: olcTLSVerifyClient | |
- | + | ||
- | olcTLSCertificateKeyFile: /etc/ | + | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
olcTLSVerifyClient: never | olcTLSVerifyClient: never | ||
- | + | Then: | |
- | + | $ ldapmodify -x -D "cn=Manager,cn=config" -W -f /tmp/ldif | |
Replace "cn=Manager" with your server's administrator DN, and supply an appropriate password when prompted. | Replace "cn=Manager" with your server's administrator DN, and supply an appropriate password when prompted. | ||
== Passing out the server's x.509 certificate == | == Passing out the server's x.509 certificate == | ||
+ | |||
+ | The CA cert created above (in the file /etc/openldap/cacert.pem) can now be distributed to fileservers that participate in your FedFS domain. The fileservers then use this certificate to authenticate your NSDB when performing junction resolution. | ||
+ | |||
+ | Suppose the name of your LDAP server is nsdb.example.net. After copying the file containing the certificate to /tmp/cert.pem on your fileserver, use this command on the fileserver to install the certificate: | ||
+ | |||
+ | # nsdbparams update -f /tmp/cert.pem nsdb.example.net | ||
+ | |||
+ | This operation copies the certificate material to a private directory, and saves the location of the copy in the fileserver's NSDB connection parameter database. Now, whenever the fileserver resolves a FedFS junction, it will use this certificate to establish a secure connection to nsdb.example.net. | ||
+ | |||
+ | To complete this task, copy the certificate and run the nsdbparams on each fileserver that will contain FedFS junctions. |
Latest revision as of 16:59, 14 January 2013
Contents |
Project: fedfs-utils
[ Project Home | News | Downloads | Docs | Mailing Lists | Source Control | Issues ]
Introduction
A Namespace Database, or NSDB, is the repository for fileset location information in a FedFS domain. At its core, an NSDB is simply an LDAP server with an NSDB Container Entry, or NCE, for short. FedFS data is stored as children of this entry.
In this article, we show how to create and distribute x.509 LDAP server certificates. With these certificates, NSDB clients (fileservers or NSDB administrative tools) can use TLS when communicating with NSDBs.
LDAP server configuration
For now, this bit is specific to OpenLDAP on Fedora. More to come.
Create a self-signed CA certicate
# cd /etc/pki/tls/misc # ./CA -newca
Answer the questions. Choose a secure but easy-to-remember database password. The Common Name must match the FQDN of the LDAP/NSDB server.
The new CA cert is placed in /etc/pki/CA/cacert.pem
Create a certificate request and key for the LDAP server
# ./CA -newreq-nodes
Answer the questions. The Common Name must match the FQDN of the LDAP/NSDB server.
The new certificate request and key are placed in /etc/pki/tls/misc/newreq.pem
Sign the LDAP server certificate request with the CA certificate
# ./CA -sign
The signed certificate is placed in newcert.pem
Install and secure the new certificate material
# cp /etc/pki/CA/cacert.pem /etc/openldap/cacert.pem # chmod 444 /etc/openldap/cacert.pem # mv /etc/pki/tls/misc/newcert.pem /etc/openldap/server-cert.pem # chmod 444 /etc/openldap/server-cert.pem # chown ldap.ldap /etc/openldap/server-cert.pem # mv /etc/pki/tls/misc/newreq.pem /etc/openldap/server-key.pem # chmod 400 /etc/openldap/server-key.pem # chown ldap.ldap /etc/openldap/server-key.pem
Configure the LDAP server to use the new certificates
On your LDAP/NSDB server, edit /tmp/ldif and add only these lines:
dn: cn=config changeType: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/openldap/cacert.pem - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/server-cert.pem - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/server-key.pem - add: olcTLSVerifyClient olcTLSVerifyClient: never
Then:
$ ldapmodify -x -D "cn=Manager,cn=config" -W -f /tmp/ldif
Replace "cn=Manager" with your server's administrator DN, and supply an appropriate password when prompted.
Passing out the server's x.509 certificate
The CA cert created above (in the file /etc/openldap/cacert.pem) can now be distributed to fileservers that participate in your FedFS domain. The fileservers then use this certificate to authenticate your NSDB when performing junction resolution.
Suppose the name of your LDAP server is nsdb.example.net. After copying the file containing the certificate to /tmp/cert.pem on your fileserver, use this command on the fileserver to install the certificate:
# nsdbparams update -f /tmp/cert.pem nsdb.example.net
This operation copies the certificate material to a private directory, and saves the location of the copy in the fileserver's NSDB connection parameter database. Now, whenever the fileserver resolves a FedFS junction, it will use this certificate to establish a secure connection to nsdb.example.net.
To complete this task, copy the certificate and run the nsdbparams on each fileserver that will contain FedFS junctions.