The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
For usage solely within an organization, you might want to create certificates that you can use with LDAP. There are a number of ways of creating suitable certificates, for example:
Create a self-signed CA certificate together with a private key file.
Create a self-signed root CA certificate and private key file, and use the CA certificate and its key file to sign a separate server certificate for each server.
The following procedure describes how to use openssl to create a self-signed CA certificate and private key file, and then use these files to sign server certificates.
To create the CA certificate and use it to sign a server certificate:

1. Change directory to /etc/openldap/certs on the LDAP server:

   # cd /etc/openldap/certs

2. Create the private key file CAcert-key.pem for the CA certificate:

   # openssl genrsa -out CAcert-key.pem 1024
   Generating RSA private key, 1024 bit long modulus
   ......++++++
   ....++++++
   e is 65537 (0x10001)

3. Change the mode on the key file to 0400:

   # chmod 0400 CAcert-key.pem

4. Create the certificate request CAcert.csr:

   # openssl req -new -key CAcert-key.pem -out CAcert.csr
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [XX]:US
   State or Province Name (full name) []:California
   Locality Name (eg, city) [Default City]:Redwood City
   Organization Name (eg, company) [Default Company Ltd]:Mydom Inc
   Organizational Unit Name (eg, section) []:Org
   Common Name (eg, your name or your server's hostname) []:www.mydom.org
   Email Address []:root@mydom.org

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:<Enter>
   An optional company name []:<Enter>

5. Create a CA certificate that is valid for approximately three years:

   # openssl x509 -req -days 1095 -in CAcert.csr -signkey CAcert-key.pem -out CAcert.pem
   Signature ok
   subject=/C=US/ST=California/L=Redwood City/O=Mydom Inc/OU=Org/CN=www.mydom.org/emailAddress=root@mydom.org
   Getting Private key

For each server certificate that you want to create:
1. Create the private key for the server certificate:

   # openssl genrsa -out server-key.pem 1024
   Generating RSA private key, 1024 bit long modulus
   .............++++++
   ...........................++++++
   e is 65537 (0x10001)

   Note: If you intend to generate server certificates for several servers, name the certificate, its key file, and the certificate request so that you can easily identify both the server and the service, for example, ldap_host02-cert.pem, ldap_host02-key.pem, and ldap_host02-cert.csr.

2. Change the mode on the key file to 0400, and change its user and group ownership to ldap:

   # chmod 0400 server-key.pem
   # chown ldap:ldap server-key.pem

3. Create the certificate request server-cert.csr:

   # openssl req -new -key server-key.pem -out server-cert.csr
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [XX]:US
   State or Province Name (full name) []:California
   Locality Name (eg, city) [Default City]:Redwood City
   Organization Name (eg, company) [Default Company Ltd]:Mydom Inc
   Organizational Unit Name (eg, section) []:Org
   Common Name (eg, your name or your server's hostname) []:ldap.mydom.com
   Email Address []:root@mydom.com

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:<Enter>
   An optional company name []:<Enter>

   Note: For the Common Name, specify the Fully Qualified Domain Name (FQDN) of the server. If the FQDN of the server does not match the common name specified in the certificate, clients cannot obtain a connection to the server.

4. Use the CA certificate and its corresponding key file to sign the certificate request and generate the server certificate:

   # openssl x509 -req -days 1095 -CAcreateserial \
     -in server-cert.csr -CA CAcert.pem -CAkey CAcert-key.pem -out server-cert.pem
   Signature ok
   subject=/C=US/ST=California/L=Redwood City/O=Mydom Inc/OU=Org/CN=ldap.mydom.com/emailAddress=root@mydom.com
   Getting CA Private Key
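The CA and server-certificate procedure above, run end to end as a shell script together with the checks a practitioner would want on the result. This is an added example and not part of the Oracle documentation: it works in a scratch directory rather than /etc/openldap/certs, the host name ldap_host02.mydom.example and the DN values are constructed, and the DN prompts are answered from a config file instead of interactively. Two things deliberately differ from the documented commands: the keys are 4096 and 2048 bits rather than 1024, and the certificates carry X.509 extensions (basicConstraints on the CA, subjectAltName on the server certificate), which the documented openssl x509 -req -signkey step does not add. The script also prints the CA certificate's SHA-256 fingerprint, which is the value to publish out of band so that a client can check the CAcert.pem it downloads from the HTTP server set up in the steps that follow.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation). Constructed names; the
# 4096/2048-bit keys and the X.509 extensions are deliberate departures from
# the 1024-bit, extension-less certificates the documented commands produce.
set -eu

# make_ca DIR: private key and self-signed root CA certificate in DIR
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/CAcert-key.pem" 4096 2>/dev/null
    chmod 0400 "$dir/CAcert-key.pem"
    # prompt = no answers the DN questions from the file instead of interactively
    cat >"$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
C = US
ST = California
L = Redwood City
O = Mydom Inc
OU = Org
CN = Mydom Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -x509 self-signs in one step (the page does it as req, then x509 -req -signkey)
    openssl req -new -x509 -days 1095 -key "$dir/CAcert-key.pem" \
        -config "$dir/ca.cnf" -out "$dir/CAcert.pem"
}

# make_server_cert DIR NAME FQDN: key, CSR and CA-signed certificate for one
# server, named NAME-key.pem / NAME-cert.csr / NAME-cert.pem as the Note suggests
make_server_cert() {
    dir=$1; name=$2; fqdn=$3
    openssl genrsa -out "$dir/$name-key.pem" 2048 2>/dev/null
    chmod 0400 "$dir/$name-key.pem"   # on the LDAP server also: chown ldap:ldap
    cat >"$dir/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = US
ST = California
L = Redwood City
O = Mydom Inc
OU = Org
CN = $fqdn
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -key "$dir/$name-key.pem" -config "$dir/$name.cnf" \
        -out "$dir/$name-cert.csr"
    # -extfile/-extensions put the SAN on the certificate; x509 -req otherwise
    # ignores whatever extensions the CSR carries
    openssl x509 -req -days 1095 -CAcreateserial -in "$dir/$name-cert.csr" \
        -CA "$dir/CAcert.pem" -CAkey "$dir/CAcert-key.pem" \
        -extfile "$dir/$name.cnf" -extensions v3_server \
        -out "$dir/$name-cert.pem" 2>/dev/null
}

# verify_server_cert DIR NAME FQDN: succeeds only if the certificate chains to
# our CA and names FQDN, which is what a client connecting to FQDN checks
verify_server_cert() {
    dir=$1; name=$2; fqdn=$3
    openssl verify -CAfile "$dir/CAcert.pem" "$dir/$name-cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$name-cert.pem" -noout -text | grep -qE 'DNS:'"$fqdn"'(,|$)'
}

# key_is_private FILE: succeeds if the key file has mode 0400 as the procedure requires
key_is_private() {
    [ -n "$(find "$1" -perm 0400 -print)" ]
}

# ca_fingerprint DIR: SHA-256 fingerprint of the CA certificate, to publish out
# of band so clients can check what they download from the HTTP server
ca_fingerprint() {
    openssl x509 -in "$1/CAcert.pem" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Stand-alone demo in a scratch directory with constructed names
demo() {
    d=$(mktemp -d)
    make_ca "$d"
    make_server_cert "$d" ldap_host02 ldap_host02.mydom.example
    verify_server_cert "$d" ldap_host02 ldap_host02.mydom.example && echo "ldap_host02: chain and name OK"
    echo "CA fingerprint: $(ca_fingerprint "$d")"
    rm -rf "$d"
}
demo
```

verify_server_cert fails when the FQDN does not appear in the certificate, which is the client-side failure the Note about the Common Name describes; current TLS clients match the host name against subjectAltName rather than the CN, so the example places it there as well. The chown ldap:ldap step is left to the real server because the ldap user does not exist on a workstation.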
If you generate server certificates for other LDAP servers, copy the appropriate server certificate, its corresponding key file, and the CA certificate to /etc/openldap/certs on those servers.

Set up a web server to host the CA certificate for access by clients. The following steps assume that the LDAP server performs this function. You can use any suitable, alternative server instead.
1. Install the Apache HTTP server:

   # yum install httpd

2. Create a directory for the CA certificate under /var/www/html, for example:

   # mkdir /var/www/html/certs

3. Copy the CA certificate to /var/www/html/certs:

   # cp CAcert.pem /var/www/html/certs

   Caution: Do not copy the key files.

4. Edit the HTTP server configuration file, /etc/httpd/conf/httpd.conf, and specify the resolvable domain name of the server in the argument to ServerName:

   ServerName server_addr:80

   If the server does not have a resolvable domain name, enter its IP address instead.

5. Verify that the setting of the Options directive in the <Directory "/var/www/html"> section specifies Indexes and FollowSymLinks to allow you to browse the directory hierarchy, for example:

   Options Indexes FollowSymLinks

6. Start the Apache HTTP server, and configure it to start after a reboot:

   # service httpd start
   # chkconfig httpd on

7. If you have enabled a firewall on your system, configure it to allow incoming HTTP connection requests on TCP port 80. For example, the following commands configure iptables to allow incoming HTTP connection requests and save the change to the firewall configuration:

   # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
   # service iptables save