Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

4.3 Enabling Secure Communication for the Directory Server User Data Instances

By default, when an instance of Directory Server is created (in this case, am-users), its SSL port is secured with a self-signed certificate named defaultCert. A self-signed certificate contains a public and private key; the public key is signed by the private key. The am-users instances, though, need to use a server certificate signed by a certificate authority (CA) to allow for secure communication between the instances and the soon-to-be-installed user data load balancer. This entails installing the server certificate signed by the CA and the root certificate confirming the signature of the CA on both Directory Server host machines. Use the following list of procedures as a checklist for completing this task.

To Install a Root Certificate and a Server Certificate on Directory Server 1

Before You Begin

You should already have a root certificate from the CA of your choice. Send server certificate requests to the same CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

Generate a request for a server certificate signed by a CA.

# cd /var/opt/mps/serverroot/ds6/bin
# ./dsadm request-cert -S "CN=ds-1.example.com, 
OU=OpenSSO Enterprise, O=Sun Microsystems, L=Santa Clara 
 ST=California, C=US" -F ascii -o ds-1.csr /var/opt/mps/am-users

ds-1.csr is the certificate request.

Send ds-1.csr to the CA of your choice.

The CA issues and returns a certified server certificate named ds-1.cer.

Add ds-1.cer, the CA-signed server certificate, to the certificate store.
# ./dsadm add-cert /var/opt/mps/am-users ds-1 ds-1.cer

(Optional) Verify that the certificate was successfully added.
# ./dsadm list-certs /var/opt/mps/am-users
A list of certificates for the am-users instance is displayed including the defaultCert and ds-1.

Add ca.cer, the root certificate, to the certificate store.

# ./dsadm add-cert --ca /var/opt/mps/am-users CA-cert ca.cer

(Optional) Verify that the root certificate was successfully added.

# ./dsadm list-certs -C /var/opt/mps/am-users | grep CA-cert

CA-cert
2007/09/20 11:41  2010/06/17 11:41  n  
E=nobody@nowhere.com,CN=openssltestca,OU=am,
O=sun,L=santa clara,ST=california,C=us  Same as issuer

Configure the Directory Server instance to use the imported certificates.

# ./dsconf set-server-prop -h ds-1.example.com 
-p 1489 ssl-rsa-cert-name:ds-1

Enter "cn=Directory Manager" password: dsmanager

Before setting SSL configuration, export Directory Server data.

Do you want to continue [y/n] ?  y

Directory Server must be restarted for changes to take effect.

Restart the Directory Server instance.

# ./dsadm stop /var/opt/mps/am-users
# ./dsadm start /var/opt/mps/am-users

Server started: pid=5472

Run ldapsearch on Directory Server 1 to verify that the directory entries can be accessed through the secure port.

# cd /var/opt/mps/serverroot/dsrk6/bin
# ./ldapsearch -h ds-1.example.com -p 1736 
-Z -P /var/opt/mps/am-users/alias slapd-cert8.db 
-b "" -s base "(objectclass=*)"

version: 1
dn:
objectClass:top
namingContexts: dc=company,dc=com
supportedExtension: 2.16.840.1.113730.3.5.7
:
supportedSSLCiphers: SSL-CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL-CK_RC2_128_CBC_EXPORT40_WITH_MD5

This confirms that the Directory Server instance can be accessed through the secure port.

Log out of the ds–1 host machine.

To Install a Root Certificate and a Server Certificate on Directory Server 2