Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide

Enabling SSL in Directory Server

Follow these steps to enable SSL in a Directory Server using a self-signed certificate.


Note –

These abbreviated procedures are for your convenience. Refer to the Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide for more information.


Procedure: To Enable SSL in Directory Server

Note – The following procedure applies only to Solaris, because Directory Server 6.0 is not yet available for Windows.

  1. Create a DS instance, specifying the LDAP port (-p) and the LDAPS port (-P)

    /opt/SUNWdsee/ds6/bin/dsadm create -p <non-ldap-port> -P <ldap-secure-port> <DS-server-root>/slapd-<hostname>

  2. Start the instance

    /opt/SUNWdsee/ds6/bin/dsadm start <DS-server-root>/slapd-<hostname>

  3. Create a self-signed certificate

    /opt/SUNWdsee/ds6/bin/dsadm add-selfsign-cert -S "cn=<machine name with domain>,O=<preferred root suffix>" <DS-server-root>/slapd-<hostname> <certificate name>

    Where -S gives the subject DN of the self-signed certificate (the cn should be the fully qualified host name that clients will connect to), the second argument is the path of the Directory Server instance, and the last argument is the alias under which the certificate is stored in the instance's certificate database.

  4. Set the server properties to this certificate

    /opt/SUNWdsee/ds6/bin/dsconf set-server-prop -p <non-ldap-port> ssl-rsa-cert-name:<certificate name>

  5. Restart the DS

    /opt/SUNWdsee/ds6/bin/dsadm restart <DS-server-root>/slapd-<hostname>

  6. Stop the DS so that the certificate database can be modified

    /opt/SUNWdsee/ds6/bin/dsadm stop <DS-server-root>/slapd-<hostname>

  7. Remove the default certificate (this ensures that the certificate generated above is the only server certificate left in the database)

    /opt/SUNWdsee/ds6/bin/dsadm remove-cert <DS-server-root>/slapd-<hostname> defaultCert

    where the first argument is the instance path (slapd-path) and the second argument is the alias of the certificate. If you want to keep a copy of the default certificate, export it before removing it:

    /opt/SUNWdsee/ds6/bin/dsadm export-cert -o /<any path>/slapd-cert.export <DS-server-root>/slapd-<hostname> <original default cert alias>

    where -o is the output file (/<any path>/slapd-cert.export), the second argument is the instance path and the third argument is the certificate alias. The exported file is a PKCS#12 bundle that contains the private key as well as the certificate, so restrict its permissions and store it as you would any server key. Start the instance again (dsadm start) once the certificate has been removed.
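The seven steps above as a single script, with the export of defaultCert placed before its removal and a post-check that the LDAPS listener really serves the new certificate. This is an added example, not code from the DSEE 6.0 guide; it assumes (none of which the page states) that DS_SERVER_ROOT, DS_HOST, DS_PORT, DS_SECURE_PORT, CERT_ALIAS and ROOT_SUFFIX_ORG are set in the environment, that openssl is on PATH, and that nothing runs unless RUN_ENABLE_SSL=1 so the file can also be sourced for its helper functions.

```shell
#!/bin/sh
# enable_ds_ssl.sh -- steps 1 to 7 of the procedure as one script.
# Added example, not from the DSEE 6.0 guide. Assumed environment (not on
# the page): DS_SERVER_ROOT, DS_HOST, DS_PORT, DS_SECURE_PORT, CERT_ALIAS,
# ROOT_SUFFIX_ORG; openssl on PATH for the post-check. Nothing is executed
# unless RUN_ENABLE_SSL=1.
set -e

DSADM=/opt/SUNWdsee/ds6/bin/dsadm
DSCONF=/opt/SUNWdsee/ds6/bin/dsconf

# Instance path used by every dsadm call: <DS-server-root>/slapd-<hostname>
instance_path() {
    printf '%s/slapd-%s\n' "$1" "$2"
}

# Subject DN for the self-signed certificate: cn=<fqdn>,O=<organization>
subject_dn() {
    printf 'cn=%s,O=%s\n' "$1" "$2"
}

# Case-insensitive DN comparison; strips the "subject=" prefix that
# "openssl x509 -subject" prints and any spaces around separators.
dn_equal() {
    a=$(printf '%s' "$1" | sed 's/^subject= *//' | tr -d ' ' | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'A-Z' 'a-z')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

enable_ssl() {
    inst=$(instance_path "$DS_SERVER_ROOT" "$DS_HOST")
    dn=$(subject_dn "$DS_HOST" "$ROOT_SUFFIX_ORG")

    # Steps 1-2: create the instance with both ports, then start it.
    "$DSADM" create -p "$DS_PORT" -P "$DS_SECURE_PORT" "$inst"
    "$DSADM" start "$inst"

    # Step 3: self-signed certificate stored under our own alias.
    "$DSADM" add-selfsign-cert -S "$dn" "$inst" "$CERT_ALIAS"

    # Steps 4-5: make it the server certificate (dsconf prompts for the
    # Directory Manager password) and restart so the listener picks it up.
    "$DSCONF" set-server-prop -p "$DS_PORT" ssl-rsa-cert-name:"$CERT_ALIAS"
    "$DSADM" restart "$inst"

    # Steps 6-7: stop the instance, keep a copy of defaultCert, remove it.
    # export-cert writes a PKCS#12 file that includes the private key, so
    # tighten the umask first; the export has to happen before remove-cert.
    "$DSADM" stop "$inst"
    umask 077
    "$DSADM" export-cert -o "$inst/defaultCert-backup.p12" "$inst" defaultCert
    "$DSADM" remove-cert "$inst" defaultCert
    "$DSADM" start "$inst"
}

# Post-check: the certificate actually served on the LDAPS port must carry
# the subject DN requested in step 3.
check_listener() {
    served=$(openssl s_client -connect "$DS_HOST:$DS_SECURE_PORT" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253)
    if dn_equal "$served" "$(subject_dn "$DS_HOST" "$ROOT_SUFFIX_ORG")"; then
        echo "LDAPS on $DS_HOST:$DS_SECURE_PORT serves $CERT_ALIAS"
    else
        echo "LDAPS listener serves a different certificate: $served" >&2
        return 1
    fi
}

if [ "${RUN_ENABLE_SSL:-0}" = "1" ]; then
    enable_ssl
    check_listener
fi
```

Run it as `RUN_ENABLE_SSL=1 DS_SERVER_ROOT=/var/opt/SUNWdsee DS_HOST=ds1.example.com DS_PORT=389 DS_SECURE_PORT=636 CERT_ALIAS=ds1-cert ROOT_SUFFIX_ORG=Example sh enable_ds_ssl.sh` (constructed values). The final check is what tells you the restart actually took effect: if the listener still presents defaultCert, dn_equal fails and the script exits non-zero.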

Retrieving the CA Certificate from the Directory Server Certificate Database

Ensure that you have enabled SSL in Directory Server. To export the Directory Server certificate to a temporary file so that you can import it into the certificate database of the Directory Server Connector, issue the following command:

<ISW-server-root>\shared\bin\certutil.exe -L -d . -P slapd-<hostname>- -n server-cert -a > C:\s-cert.txt

where -L lists the certificate, -d . selects the certificate database in the current directory, -P gives the file prefix of that database, -n the alias of the server certificate and -a writes it in ASCII (PEM) form. <ISW-server-root> is the directory that contains the ISW-<hostname> directory.

Run this command from the alias directory immediately below the server root; otherwise -d . points certutil at the wrong directory and the certificate database will not be found.

Retrieving the CA Certificate from the Directory Server (using the dsadm command on the Solaris platform)

Ensure that you have enabled SSL in Directory Server. To retrieve the certificate, issue the following command:

/opt/SUNWdsee/ds6/bin/dsadm export-cert -o /<any path>/slapd-cert.export <DS-server-root>/slapd-<hostname> <original default cert alias>

where -o is the output file, the second argument is the instance path and the third argument is the certificate alias. As in step 7 above, the output is a PKCS#12 file that carries the private key along with the certificate, so protect it and delete the temporary copy once the connector has imported it.