Sun Java(TM) System Directory Server 5 2004Q2 Administration Guide

Appendix A

Using the Sun Crypto Accelerator Board

This appendix explains how to use the Sun Crypto Accelerator board with Directory Server to improve the performance of certificate-based authentication and of connections that use the Secure Sockets Layer (SSL) protocol.
Before You Start

Table A-1 lists what you must do before using the Sun Crypto Accelerator board to improve SSL connection performance.

Table A-1 Prerequisites for Using the Board

Prerequisite                               Notes
Install the board                          Refer to the product documentation delivered with the board for instructions on installing the hardware, driver, patches, and administration utilities on the host.
Install Directory Server                   Refer to the Sun Java Enterprise System 2004Q2 Installation Guide for details.
Obtain a server certificate (PKCS#12)      Obtain the server certificate for Directory Server as a .p12 file.
Obtain a CA certificate (PEM)              Obtain the certificate of the Certificate Authority (CA) as a Privacy Enhanced Mail (PEM) format file.

Refer to Chapter 11, "Managing Authentication and Encryption," for details on the SSL protocol and SSL certificates, and on using the protocol with the Sun Java System servers that support management through the Server Console.
Creating a Token

Directory Server uses a token and a password to access the corresponding encryption key material on the accelerator board. The token has the form user@realm, where user is an accelerator board user, the owner of the key material, and realm is an accelerator board realm, a logical partition that groups users and their key material. A board user need have no relationship to any system user account; it exists on the board only. Refer to the product documentation for the accelerator board for details on users and realms.

You create the token user and realm with the secadm(1M) utility delivered with the board. The board can also serve several applications by creating multiple slots. Here we assume that, for performance, the host is dedicated to Directory Server and uses the default single slot. Refer to the product documentation for the accelerator board for instructions on using the board with several software applications.

To create a token user and realm for accessing the default slot, perform the following steps.

1. Start the secadm utility.

$ CryptoPath/bin/secadm

The default CryptoPath is /opt/SUNWconn/crypto.

2. Create the token realm.

secadm> create realm=dsrealm
System Administrator Login Required
Login: super-user
Password:
Realm dsrealm created successfully.

3. Set the realm in which to create the user.

secadm> set realm=dsrealm
secadm{dsrealm}> su
System Administrator Login Required
Login: super-user
Password:
secadm{root@dsrealm}#

4. Create the user nobody, who uses the default slot, supplying the password that is requested whenever Directory Server is restarted with SSL configured.

secadm{root@dsrealm}# create user=nobody
Initial password: password
Confirm password: password
User nobody created successfully.
secadm{root@dsrealm}# exit

You have now created the user and realm for the token nobody@dsrealm, and supplied the password that is requested when Directory Server restarts. Treat this password as you would any other secret that protects a private key: whoever can present it to the board can use the server's key.
Generating a Board Binding

A binding to the accelerator board takes the form of an external security module that you add so that Directory Server can bind to the board. To generate a binding between an external security module and the Directory Server certificate database for the SSL algorithms the board supports, perform the following steps.

1. Set LD_LIBRARY_PATH before using modutil.

$ LD_LIBRARY_PATH=ServerRoot/lib ; export LD_LIBRARY_PATH

(In the C shell, use setenv LD_LIBRARY_PATH ServerRoot/lib instead.)

2. If the security module database does not yet exist, create it with the following commands.

$ cd ServerRoot/shared/bin
$ ./modutil -create -dbdir ../../alias -dbprefix "slapd-serverID"

3. Add the external security module to the security module database.

$ ./modutil -add "Crypto Mod" -dbdir ../../alias -nocertdb \
    -libfile CryptoPath/lib/libpkcs11.so \
    -mechanisms "RSA:DSA:RC4:DES" -dbprefix "slapd-serverID"

The default CryptoPath is /opt/SUNWconn/crypto.

4. List the security modules to verify that the module was added correctly.

$ ./modutil -list -dbdir ../../alias -dbprefix "slapd-serverID"

The Crypto Mod entry you added in Step 3 should appear.

5. Make this external security module the default for RSA, DSA, RC4, and DES.

$ ./modutil -default "Crypto Mod" -dbdir ../../alias \
    -mechanisms "RSA:DSA:RC4:DES" -dbprefix "slapd-serverID"

modutil reports that the default security module was changed.

You have now generated the binding to the accelerator board and can import the certificates.
Importing Certificates

Before configuring SSL, you must import the server certificate and the CA certificate you obtained as described in Table A-1. To import the certificates, perform the following steps.

1. Import the server certificate .p12 file into the token.

$ cd ServerRoot/shared/bin
$ ./pk12util -i ServerCert.p12 -d ../../alias -P "slapd-serverID" \
    -h "nobody@dsrealm"
Enter Password or Pin for "nobody@dsrealm": password
Enter Password for PKCS12 file: password

The first password is the one you gave user nobody when creating the token; the second is the password that protects the PKCS#12 file. Because of -h, the key is imported into the token nobody@dsrealm rather than into the software key database.

2. Import the CA certificate, marking it trusted to issue SSL server and client certificates (trust flags CT).

$ ./certutil -A -n "Crypto CA Cert" -t CT -i CACert.txt \
    -d ../../alias -P "slapd-serverID" -h "nobody@dsrealm"

3. List the certificates associated with the token to verify that both were imported correctly.

$ ./certutil -L -d ../../alias -P "slapd-serverID" \
    -h "nobody@dsrealm"

The entries added in Step 1 and Step 2 should appear. Note the nickname of the server certificate; you need it for nsSSLPersonalitySSL when configuring SSL.

You have now imported the certificates and can configure Directory Server to accept SSL connections.
Configuring SSL

With the token and password you created, the binding between the external security module and the Directory Server certificate database, and the imported certificates, you can configure Directory Server to start in secure mode. To configure SSL and restart Directory Server in secure mode, perform the following steps.

1. Create a file, ssl.ldif, containing the modifications to make to the SSL-related Directory Server configuration entries.

Code Example A-1 Modifications to Activate SSL Using the Board (ssl.ldif)

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLToken: nobody@dsrealm
nsSSLPersonalitySSL: ServerCertNickname
nsSSLActivation: on

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
 +rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
 +rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,
 +fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha
-
replace: nsCertfile
nsCertfile: alias/slapd-serverID-cert8.db
-
replace: nsKeyFile
nsKeyFile: alias/slapd-serverID-key3.db

dn: cn=config
changetype: modify
replace: nsslapd-secureport
nsslapd-secureport: port
-
replace: nsslapd-security
nsslapd-security: on

Here ServerCertNickname is the nickname included in the Directory Server certificate, as listed by certutil -L in the previous procedure, and port for nsslapd-secureport is the port on which Directory Server, once started in secure mode, listens for SSL connections (636 by convention). Each LDIF record is separated from the next by a blank line, and a value that continues on the following line starts that line with a single space; ldapmodify rejects the file otherwise.

The cipher list above enables, alongside 3DES, several suites that are weak by any current standard: fortezza_null provides no encryption, the rc4_40, rc2_40 and export1024 suites use 40- or 56-bit keys that can be brute-forced, single DES and RC4 are deprecated, and the md5 suites use a weak MAC. On a production server, prefix every suite you do not need with - and keep only the strongest suites that the board and your clients support.

2. Apply the modifications to change the Directory Server configuration.

$ ldapmodify -p currPort -D "cn=directory manager" -w password -f ssl.ldif

Here currPort is the port on which Directory Server currently listens for client requests. Passing the Directory Manager password with -w makes it visible in the process list to other users of the host while the command runs, and because the connection to currPort is not yet encrypted, the bind sends the password in the clear; run this command on the server itself rather than across the network.

3. Restart Directory Server in secure mode.

$ ServerRoot/slapd-serverID/restart-slapd
Enter PIN for nobody@dsrealm: password

Here password is the password you gave user nobody when creating the token nobody@dsrealm.

Directory Server now listens for SSL traffic on the port you specified. You can configure Sun Java System Administration Server and client applications to access Directory Server through SSL on that port. Refer to Chapter 11, "Managing Authentication and Encryption," for details.
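The nsSSL3Ciphers value in Code Example A-1 is worth checking mechanically before it is applied. The following POSIX shell script is an added example, not part of Directory Server or of the board's utilities: it unfolds the LDIF, extracts nsSSL3Ciphers, lists the enabled suites that are weak, and prints a hardened value in which those suites are turned off and duplicates are removed. The weak-suite policy (NULL, export, 40/56-bit, RC2, RC4, single DES, MD5) and the embedded sample ssl.ldif are assumptions made for the demonstration; the suite names are the ones Directory Server 5 uses.

```shell
#!/bin/sh
# Audit the nsSSL3Ciphers value in an ssl.ldif before applying it with
# ldapmodify. Added example; not part of Directory Server or of the
# accelerator board's utilities. The weak-suite policy below is an
# assumption for this demonstration, not a setting the product ships.

# Print the value of attribute $2 from LDIF file $1, joining continuation
# lines (a line starting with one space continues the previous value) and
# dropping any stray whitespace inside the value.
ldif_attr() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1" | sed -n "s/^$2: *//p" | tr -d ' \t'
}

# Exit 0 when a suite name denotes a weak suite: NULL encryption,
# export-grade or 40/56-bit keys, RC2, RC4, single DES, or an MD5 MAC.
weak_cipher() {
    case "$1" in
        *null*|*export*|*_40_*|*_56_*|*rc2*|*rc4*|*md5*) return 0 ;;
        rsa_des_sha|rsa_fips_des_sha)                   return 0 ;;
        *)                                              return 1 ;;
    esac
}

# List the suites that value $1 turns on ("+") and that are weak,
# one per line, duplicates removed.
weak_enabled() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r c; do
        case "$c" in
            +*) c=${c#+}
                if weak_cipher "$c"; then printf '%s\n' "$c"; fi ;;
        esac
    done | awk '!seen[$0]++'
}

# Rewrite value $1 so that every weak suite is turned off ("-") and every
# other suite is on ("+"); duplicates are dropped and order is kept.
harden_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[+-]//' | awk '!seen[$0]++' |
    while read -r c; do
        if [ -n "$c" ]; then
            if weak_cipher "$c"; then printf '%s\n' "-$c"
            else printf '%s\n' "+$c"; fi
        fi
    done | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Write a constructed ssl.ldif fragment to $1 (sample input for the demo;
# the suite list is a subset of Code Example A-1 with a duplicate added).
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
 +rsa_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza_null,
 +tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_rc4_56_sha
EOF
}

# Report on file $1: the weak suites it enables, then a hardened value
# that can be pasted back into ssl.ldif.
audit_ldif() {
    v=$(ldif_attr "$1" nsSSL3Ciphers)
    echo "enabled weak suites in $1:"
    weak_enabled "$v" | sed 's/^/  /'
    echo "hardened nsSSL3Ciphers:"
    echo "  $(harden_ciphers "$v")"
}

# Audit the file named as the first argument, or the constructed sample.
target=${1:-}
generated=0
if [ -z "$target" ]; then
    target="${TMPDIR:-/tmp}/ssl-audit-$$.ldif"
    write_sample_ldif "$target"
    generated=1
fi
audit_ldif "$target"
[ "$generated" -eq 1 ] && rm -f "$target"
```

Run it with the path to your ssl.ldif as the first argument, or with no argument to see it work on the embedded sample. It only reports; paste the hardened value into ssl.ldif yourself, then confirm that the clients you care about still negotiate one of the remaining suites before restarting the server in secure mode.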