HP OSMS Blueprint: Directory Services on HP ProLiant Servers with SLES10

11. Copy the newreq.pem file created in step 9 and the newcert.pem file created in step 10 to the
CDS server, and put them in the /opt/symas/ssl/ directory. On the CDS server, rename
the file newreq.pem to serverkey.pem and rename the file newcert.pem to
servercert.pem.
12. Add the paths of the server certificate file and key file to the slapd.conf file by setting the
values as follows:
TLSCertificateFile /opt/symas/ssl/servercert.pem
TLSCertificateKeyFile /opt/symas/ssl/serverkey.pem
13. Restart the CDS server by entering the following command:
# /etc/init.d/cdsserver restart
14. On the CDS client, use the openssl command to verify that the CA file works by entering
the following:
# /opt/symas/bin/openssl verify -CAfile /opt/symas/ssl/cacert.pem \
/opt/symas/ssl/cacert.pem
The following displays:
../ssl/cacert.pem: OK
The output might instead contain the following error message:
error 9 at 0 depth lookup:certificate is not yet valid
If this message is displayed, the client machine's date is earlier than the start of the CA
certificate's validity period, and you need to adjust the client date to a value later than the
date of the CA server.
15. To verify that TLS is operating correctly, enter the following command on the CDS client:
# /opt/symas/bin/ldapsearch -x -D rootdn -w rootpw -h master \
-b 'dc=example,dc=com' -s base -ZZ -LLL
The -ZZ option instructs the command to issue a StartTLS request and to fail if the TLS negotiation does not succeed.
The following is displayed:
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example
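As an added example (not part of the original blueprint), the following shell functions check the server certificate and key pair referenced from slapd.conf before the CDS server is restarted in step 13: the certificate must chain to the CA file (the same openssl verify check as step 14, applied to the server certificate) and the key must match the certificate. The CA, key, certificate and slapd.conf fragments under the temporary directory are constructed for the demonstration; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# check_slapd_tls CONF CAFILE
# Reads TLSCertificateFile / TLSCertificateKeyFile from CONF and checks that
#  1. both files exist and are readable,
#  2. the certificate verifies against CAFILE (openssl prints "<file>: OK", or
#     e.g. "error 9 at 0 depth lookup:certificate is not yet valid" on clock skew),
#  3. the private key's public half equals the certificate's public key.
check_slapd_tls() {
    conf="$1"; cafile="$2"
    cert=$(awk '$1=="TLSCertificateFile"{print $2}' "$conf")
    key=$(awk '$1=="TLSCertificateKeyFile"{print $2}' "$conf")
    [ -r "$cert" ] || { echo "missing TLSCertificateFile: $cert"; return 1; }
    [ -r "$key" ]  || { echo "missing TLSCertificateKeyFile: $key"; return 1; }
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not verify against $cafile"; return 2; }
    certpub=$(openssl x509 -in "$cert" -noout -pubkey)
    keypub=$(openssl pkey -in "$key" -pubout)
    [ "$certpub" = "$keypub" ] || { echo "key does not match certificate"; return 3; }
    echo "TLS files OK"
}

# make_demo_pki DIR: constructed CA plus server key/cert (file names follow the
# blueprint: cacert.pem, newreq.pem, serverkey.pem, servercert.pem) and two
# slapd.conf fragments, one correct and one pointing at an unrelated key.
make_demo_pki() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cds.example.com" \
        -keyout "$dir/serverkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 1 \
        -out "$dir/servercert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/otherkey.pem" 2>/dev/null
    printf 'TLSCertificateFile %s/servercert.pem\nTLSCertificateKeyFile %s/serverkey.pem\n' \
        "$dir" "$dir" > "$dir/slapd.conf"
    printf 'TLSCertificateFile %s/servercert.pem\nTLSCertificateKeyFile %s/otherkey.pem\n' \
        "$dir" "$dir" > "$dir/slapd-bad.conf"
}
```

On a real CDS server, run check_slapd_tls against /etc/openldap/slapd.conf (or wherever the blueprint's slapd.conf lives) and /opt/symas/ssl/cacert.pem; a non-zero return means the restart in step 13 would leave TLS broken.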
Using the EXTERNAL Authentication Mechanism with TLS
TLS provides strong authentication when used with the EXTERNAL mechanism. CDS clients
must have a valid certificate to identify themselves. All authentication information for clients
must be written to a configuration file that is specified by the environment variable LDAPRC. The
following steps describe how to configure the EXTERNAL mechanism with TLS.
1. Verify that all the steps in “Configuring TLS for Network Encryption” (page 25) passed, so
that TLS is working correctly.
2. Create and sign the CDS client certificate on the CA server by repeating steps 8 through 10
in “Configuring TLS for Network Encryption”.
The difference is that the fully qualified domain name of the CDS client must be entered as the
Common Name. Verify that the Email Address is osmsuser@cdsclient.test. If it is empty,
enter this e-mail address. Also, verify that the key and the signed certificate are stored in
the newreq.pem and newcert.pem files, respectively.