���� A�
�ϥ� Sun Crypto �[�t�O
������Ѧ���X�ϥ� Directory Server �P Sun Crypto �[�t�O�A�H�W�j�s�u�į��O�A���s�u�ϥΪ��O�����Ҥ����Ҫ��w���q�T�ݶ��h (SSL) ��w�C
�}�l�e
�� A-1 �Ҳ[�\�����ءA�����b�xըϥ� Sun Crypto �[�t�O�H�W�j SSL �s�u�įध�e�����C
�� A-1
�ϥΤ����d����M���
|
��M���
|
����
|
|
�����d�w��
|
��z�b�D��W�w�˵w��B�X�ʵ{���B���ɮשM�z���ε{���ɡA�аѾ\�����d�Ҵ��Ѫ����~������C
|
|
Directory Server�w��
|
�p�ݫ�O�A�аѾ\�mSun Java Enterprise System 2004Q2 �w�˫�n�n�C
|
|
��A������ (PKCS#12 �榡)
|
��o Directory Server ����A�����Ұ��� .p12 �ɮ�
|
|
CA ���� (PEM �榡)
|
��o���ұ��v��� (CA) �� CA ���Ұ�����p�v�W�j���l�� (PEM) �榡�ɮסC
|
�аѾ\�� 11 ���u�z���ҩM�[�K�v������ SSL ��w�����M SSL ���Ҫ��Q�סA�H�Φp��z�L Server �D���x���X�ϥΨ�w�P�䴩�z�� Sun Java System ��A������O�C
�إ� Token
Directory Server �ϥ� Token �M�K�X�Ӧs��[�t�O�W���A��K�X���_��ơCToken �ĥ� user@realm ���榡�A�䤤 user �O�ϥΥ[�t�O�Φ����ϥΪ� (�K�X���_��ƪ��֦���)�A�� realm �O�ϥΥ[�t�O�Φ����d�� (�ϥΪ̤Ψ���_��ƪ���3ΰ�)�C�[�t�O user ���ݻP�t�ΤW���ϥΪ̱b�ᦳ�����Y�C���ܼƥu�Ѥ����d�ϥΡC�p�ݨϥΪ̩M�d�i�@�B����A�аѷӥ[�t�O���~������C
�z�i�H�ϥΨt�ΩҴ��Ѥ����d�A�Ϊ� secadm(1M) ���ε{���ӫإ� Token ���ϥΪ̩M�d��C�[�t�O�]���\�إߦh�� slots �Ӻz�h��3�ε{���� Token�C���B���]�]���į�t�G�A�z�N�D���w�� Directory Server �æ]���u�ϥΤF�@�Ӵ��� (�w�]��)�C�p�ݨϥΰt�Ʀh�ӳn��3�ε{���������d���ԲӸ�T�A�аѾ\�[�t�O���~������C
�а��U�C�B�J�إ� Token ���ϥΪ̻P�d��H�s��w�]�����ѡC
- �Ұ� secadm ���ε{���C
$ CryptoPath/bin/secadm
�w�]�� CryptoPath �� /opt/SUNWconn/crypto�C
- �إ� Token ���d��C
secadm> create realm=dsrealm
System Administrator Login Required
Login: super-user
Password:
Realm dsrealm created successfully.
- �]�w�n�إߨϥΪ̪��d��C
secadm> set realm=dsrealm
secadm{dsrealm}> su
System Administrator Login Required
Login: super-user
Password:
secadm{root@dsrealm}#
- �إߨϥΪ� nobody ���ϥιw�]�����ѡA�æb���s�Ұʤw�t�m SSL �� Directory Server �ɿ�J�K�X�C
secadm{root@dsrealm}# create user=nobody
Initial password: password
Confirm password: password
User nobody created successfully.
secadm{root@dsrealm}# exit
���ɱz�w�g�إ� Token nobody@dsrealm ���ϥΪ̩M�d��A�ô��ѭ��s�Ұ� Directory Server �ɩҭn�ϥΪ��K�X�C
���ͤ����d���s��
�[�t�O�s�������ϥαz�Ҳ��ͪ��~���w���ҲէΦ��A�o�� Directory Server �~��P�����d�s���C�а��U�C�B�J�A�ϥ~���w���ҲջP�i�䴩�h�� SSL �t��k�� Directory Server ���Ҹ�Ʈw�������ͳs���C
- �ϥ� modutil ���e�A�г]�w LD_LIBRARY_PATH�C
$ set LD_LIBRARY_PATH=ServerRoot/lib ; export LD_LIBRARY_PATH
- �إߦw���Ҳո�Ʈw (�p�G�S������)�C
$ cd ServerRoot/shared/bin
$ ./modutil -create -dbdir ../../alias -dbprefix "slapd-serverID"
- �N�~���w���Ҳե[�J�w���Ҳո�Ʈw���C
$ ./modutil -add "Crypto Mod" -dbdir ../../alias -nocertdb \
-libfile CryptoPath/lib/libpkcs11.so \
-mechanisms "RSA:DSA:RC4:DES" -dbprefix "slapd-serverID"
�w�]�� CryptoPath �� /opt/SUNWconn/crypto�C
- �C�X�w���ҲեH�T�w�[�J���\�C
$ ./modutil -list -dbdir ../../alias -dbprefix "slapd-serverID"
�z3�ӷ|�ݨ�b�B�J 3 ���ҥ[�J�� Crypto Mod �����ءC
- �N�~���w���Ҳճ]�w�� RSA�BDSA�BRC4 �M DES ���w�]�ȡC
$ ./modutil -default "Crypto Mod" -dbdir ../../alias \
-mechanisms "RSA:DSA:RC4:DES" -dbprefix "slapd-serverID"
�o3�ӷ|���\�a�ܧ�w�]���w���ҲաC
���ɡA�z�w�g���ͥ[�t�O���s���åB�i�H�פJ���ҡC
�פJ����
�b�t�m SSL ���e�A�z�����פJ�Ҩ�o����A���H�� CA ���ҡA�p �� A-1 ���ҭz�C���U�C�B�J�H�פJ���ҡC
- �פJ��A������ .p12 �ɡC
$ cd ServerRoot/shared/bin
$ ./pk12util -i ServerCert.p12 -d ../../alias -P "slapd-serverID" \
-h "nobody@dsrealm"
Enter Password or Pin for "nobody@dsrealm": password
Enter Password for PKCS12 file: password
- �פJ CA ���ҡC
$ ./certutil -A -n "Crypto CA Cert" -t CT -i CACert.txt \
-d ../../alias -P "slapd-serverID" -h "nobody@dsrealm"
- �C�X�P Token ������ҥH�T�w�פJ���\�C
$ ./certutil -L -d ../../alias -P "slapd-serverID" \
-h "nobody@dsrealm"
�z3�ӷ|�ݨ�b�B�J 1 �M�B�J 2 ���ҥ[�J�����Ҫ����ءC
���ɱz�w�g�פJ���ҡA�åB�i�H�t�m Directory Server �H��ť SSL �s�u�C
�t�m SSL
�Q�αz�إߪ� Token �M�K�X�B�b�~���w���ҲթM Directory Server ���Ҹ�Ʈw�������ͪ��s���B�H�ΩҶפJ�����ҡA�K�i�H�N Directory Server �t�m�����b�w���Ҧ����ҰʡC���o�ǨB�J�Ӱt�m SSL �æb�w���Ҧ������s�Ұ� Directory Server�C
- �إ߭ק諸 ssl.ldif �ɡA�ܧ�P SSL ���� Directory Server �պA���ءC
�{���X�d�� A-1 �קאּ�ϥΤ����d�ӱҥ� SSL (ssl.ldif)
|
|
|
dn:cn=RSA,cn=encryption,cn=config
|
|
changetype:add
|
|
objectclass:top
|
|
objectclass:nsEncryptionModule
|
|
cn:RSA
|
|
nsSSLToken:nobody@dsrealm
|
|
nsSSLPersonalitySSL:ServerCertNickname
|
|
nsSSLActivation:on
|
|
|
|
dn:cn=encryption,cn=config
|
|
changetype:modify
|
|
replace:nsSSL3
|
|
nsSSL3:on
|
|
-
|
|
replace:nsSSLClientAuth
|
|
nsSSLClientAuth:allowed
|
|
-
|
|
replace:nsSSL3Ciphers
|
|
nsSSL3Ciphers:-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
|
|
+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
|
|
+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,
|
|
+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
|
|
+tls_rsa_export1024_with_rc4_56_sha,
|
|
+tls_rsa_export1024_with_des_cbc_sha
|
|
-
|
|
replace:nsCertfile
|
|
nsCertfile:alias/slapd-serverID-cert8.db
|
|
-
|
|
replace:nsKeyFile
|
|
nsKeyFile:alias/slapd-serverID-key3.db
|
|
|
|
dn:cn=config
|
|
changetype:modify
|
|
replace:nsslapd-secureport
|
|
nsslapd-secureport:port
|
|
-
|
|
replace:nsslapd-security
|
|
nsslapd-security:on
|
|
|
|
���B�� port �O nsslapd-secureport ���ȡA�� Directory Server �b�w���Ҧ����Ұʫ��ť SSL �s�u���s����C
- �M�έק�H�ܧ� Directory Server �պA�C
$ ldapmodify -p currPort -D "cn=directory manager" -w password -f ssl.ldif
�䤤 currPort �� Directory Server �ثe��ť�Τ�ݭn�D���s���X�C
- �b�w���Ҧ������s�Ұ� Directory Server�C
$ ServerRoot/slapd-serverID/restart-slapd
Enter PIN for nobody@dsrealm: password
���B�� password ���إ� Token nobody@dsrealm �ɴ��ѵ� nobody ���ϥΪ̱K�X�C
���ɡADirectory Server �z�L�z��w���s�����ť SSL �y�q�C�z�i�H�t�m Sun Java System Administration Server �M�Τ��3�ε{���H�z�L�ӳs����s�� SSL �� Directory Server�C�p�ݸԲӸ�T�A�аѾ\�� 11 ���u�z���ҩM�[�K�v�C
