By default the SSL certificates are only valid for 2 years. The interesting part is that nowhere in the startup scripts for ZLM does it say "hey, your SSL certs are expired". It just says everything is started; however, when you try to access your ZLM server it errors out with "unable to connect to port 10636, make sure ndsd is started".

10389 eDirectory LDAP
10636 eDirectory secure LDAP

If you run netstat -ntlu or netstat -ntlp you will not see port 10636. The screwed-up part was that I didn't realize at first that it was just a simple SSL certificate; I honestly thought ndsd was having bigger issues. It wasn't until much later in the troubleshooting that I happened to find a hidden log somewhere and noticed, going by the date, that the SSL certificate had expired. Really obscure place... oh well, next time I will know.
Do the following to get your secure LDAP port back up.
————————————-
# ldapconfig set 'Require TLS for Simple Binds with Password=no' -a admin.system
Password: <provide the ZLM Administrator password>
LDAP Server Configuration:
LDAP Server: CN=LDAP Server - blx-zlm002.O=system
LDAP Group: CN=LDAP Group - blx-zlm002.O=system
Require TLS for Simple Binds with Password set to no
LDAP Server refreshed with the new configuration.
Now we delete the eDirectory certificate authority using the LDAP tools and recreate it afterwards with the ndsconfig command. Note that you need to insert the name of the ZLM management zone into the ldapdelete command; you used it during the ZLM installation in step 2 and can get it from the backup of the zlm.conf file:
# ldapdelete -H ldap://localhost:10389 -D cn=admin,o=system -W -Z -x 'cn=<ZLM management zone name>-TREE CA,cn=Security'
Password: <provide the ZLM Administrator password >
Example:
# ldapdelete -H ldap://localhost:10389 -D cn=admin,o=system -W -Z -x 'cn=BLX_ZLM002-TREE CA,cn=Security'
Now we use ndsconfig to recreate the certificate authority and that also recreates all the server certificates:
# ndsconfig upgrade
[1] Instance at /etc/nds.conf: blx-zlm002.O=system.BLX_ZLM002-TREE
Migrating the eDirectory configuration file "/etc/nds.conf" to the new configuration file location "/etc/opt/novell/eDirectory/conf/nds.conf"...
Upgrading Novell eDirectory server with the following parameters, Please wait...
Tree Name : BLX_ZLM002-TREE
Server DN : blx-zlm002.O=system
Configuration File : /etc/opt/novell/eDirectory/conf/nds.conf
Instance Location : /var/nds/data
DIB Location : /var/nds/dib
Checking if server is ready to service requests... Done
Enter admin name with context[admin.org]: admin.system
Enter the password for admin.system: <provide the ZLM Administrator password>
Performing eDirectory health check... Done
For more details view health check logfile: /var/nds/log/ndscheck.log
Extending schema... Done
For more details view schema extension logfile: /var/nds/log/schema.log
Configuring HTTP service... Done
Configuring LDAP service... Done
Configuring SNMP service... Done
Configuring SAS service... Done
Associating certificate with the NCP server object...
INFO: Server is already associated with a certificate. Done
Configuring NMAS service... Done
Configuring SecretStore...
INFO: SecretStore extensions have already been added to the server. Done
Configuring LDAP Server with default SSL CertificateDNS certificate... Done
Triggering the 'External Reference Check' process... Done
The instance at /etc/opt/novell/eDirectory/conf/nds.conf is successfully configured.
Now we need to migrate the eDirectory configuration file back to the original location:
# mv /etc/opt/novell/eDirectory/conf/nds.conf /etc
and delete the line "/etc/opt/novell/eDirectory/conf/nds.conf" from the file /etc/opt/novell/eDirectory/conf/.edir/instances.0. That file must then contain only one line, "/etc/nds.conf". Then restart eDirectory:
# rcndsd restart
Now check that the steps above worked and eDirectory is listening on the secure LDAP port again:
# netstat -tanpu | grep 10636
tcp 0 0 0.0.0.0:10636 0.0.0.0:* LISTEN 12562/ndsd
Now we switch the TLS requirement back on, as port 10636 is open again:
# ldapconfig set 'Require TLS for Simple Binds with Password=yes' -a admin.system
NLDAP server configuration utility for Novell eDirectory 8.8 SP3 v20216.73
[1] Instance at /etc/nds.conf: blx-zlm002.O=system.BLX_ZLM002-TREE
Password: <provide the ZLM Administrator password>
LDAP Server Configuration:
LDAP Server: CN=LDAP Server - blx-zlm002.O=system
LDAP Group: CN=LDAP Group - blx-zlm002.O=system
Require TLS for Simple Binds with Password set to yes
LDAP Server refreshed with the new configuration.
As the certificate authority has now changed, we need to export its new public key and add it to the Java keystore that ZLM uses for the secure LDAP connection to eDirectory.
First grab the password for the Java keystore we need to create from your running ZLM server, not from the old config file! Check the file server.xml of the ZLM Tomcat instance for it:
# cat /etc/opt/novell/zenworks/tomcat/base/server.xml | grep keystorePass
keystorePass="6629e7bf19a845c1a8ee81cb2da50b89"
Then grab the public key of the eDirectory certificate authority and copy it to a file, e.g. called ca.b64:
# openssl s_client -connect localhost:10636 -showcerts -keyform DER
CONNECTED(00000003)
depth=1 /OU=Organizational CA/O=BLX_ZLM002-TREE
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=BLX_ZLM002-TREE/CN=blx-zlm002.brunold.at
   i:/OU=Organizational CA/O=BLX_ZLM002-TREE
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/OU=Organizational CA/O=BLX_ZLM002-TREE
   i:/OU=Organizational CA/O=BLX_ZLM002-TREE
-----BEGIN CERTIFICATE-----
MIIFOzCCBCOgAwIBAgIkAhwU4T7E9RD9k7RX/68pr64twzvO+ApIlj/Xgd5kAgIM
DTQnMA0GCSqGSIb3DQEBBQUAMDYxGjAYBgNVBAsTEU9yZ2FuaXphdGlvbmFsIENB
MRgwFgYDVQQKFA9CTFhfWkxNMDAyLVRSRUUwHhcNMTAwMjI2MTEyMDA0WhcNMjAw
MjI2MTEyMDA0WjA2MRowGAYDVQQLExFPcmdhbml6YXRpb25hbCBDQTEYMBYGA1UE
ChQPQkxYX1pMTTAwMi1UUkVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA4yDkpyO/ck67GKDioJHl3LXI623pPAORuAHLJRJcaBziQowZO984snooe7/I
yjQ6EqY7KFtJ4xoqCWcTf9MGolb0+Kw1PNHWdp00PIfMoTgh/kLZuBKzCzkpuvhG
eOw+Cf3eGRkIS9SMEESTmmurbDWLLMcvttsnqGshm6mdMEF5qklEf4MBp9F15JHi
UDfu0g1UQm8g1O2EUltlTfbnGWRAd8Mk6q2mpoiJRr29gyIMGBNeh965X8YVirei
kXM9+RkeItcUISPFLKMloaIeU1y7fsMhkzKJE+1U1Xyb5oI+Tl79rHclJJ2jj7RE
luGn3V+Yt7dSyxUATcCcSz8iTwIDAQABo4ICLzCCAiswHQYDVR0OBBYEFLmWcUAJ
cuaeddzABSVzXafh6IoVMB8GA1UdIwQYMBaAFLmWcUAJcuaeddzABSVzXafh6IoV
MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMIIBzAYLYIZIAYb4NwEJBAEEggG7
MIIBtwQCAQABAf8THU5vdmVsbCBTZWN1cml0eSBBdHRyaWJ1dGUodG0pFkNodHRw
Oi8vZGV2ZWxvcGVyLm5vdmVsbC5jb20vcmVwb3NpdG9yeS9hdHRyaWJ1dGVzL2Nl
cnRhdHRyc192MTAuaHRtMIIBSKAaAQEAMAgwBgIBAQIBRjAIMAYCAQECAQoCAWmh
GgEBADAIMAYCAQECAQAwCDAGAgEBAgEAAgEAogYCARgBAf+jggEEoFgCAQICAgD/
AgEAAw0AgAAAAAAAAAAAAAAAAwkAgAAAAAAAAAAwGDAQAgEAAgh//////////wEB
AAIEBvDfSDAYMBACAQACCH//////////AQEAAgQG8N9IoVgCAQICAgD/AgEAAw0A
QAAAAAAAAAAAAAAAAwkAQAAAAAAAAAAwGDAQAgEAAgh//////////wEBAAIEFOE+
xDAYMBACAQACCH//////////AQEAAgQU4T7Eok4wTAIBAgICAP8CAQADDQCA////
//////////8DCQCA/////////zASMBACAQACCH//////////AQH/MBIwEAIBAAII
f/////////8BAf8wDQYJKoZIhvcNAQEFBQADggEBAFIUh1l8IpbIxhK5bni8ZQFa
GBtMzqB6LtmN0cSgSMXKgHMUiH3tVcS/xFKQzjLdM7Nhe+ZCGsWsHDAezlcTi/94
zOwNj8L8SnGWkfAjPSSIlXd31pvvxaUXY+u1YOLlP59USe1joX2/lWEPKyjUH62x
AulOP6JFoVyrHEmaft4pa4l01mxIsM8dw1FLbJnlVQIcIE4WYYAUUAQ+5/TbwQGR
1Iza0vw1YuiCxiE3uLIa6E5FwyaDgkFqqdO366TFWUieCgOciFYfkQUdQBeKe20F
ApDmLGq5VPEYg1DUsH6ISndQgjOn++KJaId2ExlF3RbiAN/oy05pQx6Hd4lVVrg=
-----END CERTIFICATE-----
---
Server certificate
subject=/O=BLX_ZLM002-TREE/CN=blx-zlm002.brunold.at
issuer=/OU=Organizational CA/O=BLX_ZLM002-TREE
Take care that you copy the second certificate in the list (1 s:/OU=Organizational CA/O=BLX_ZLM002-TREE), from "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----", into the ca.b64 file; the first one is the server certificate, not the CA.
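The two pain points above, the silent expiry from the intro and the manual "copy the second certificate" step, as an added shell script that is not part of the original post: it reports every certificate in the chain served on 10636 together with its expiry date, and writes the last certificate of the chain (the Organizational CA) to ca.b64. It assumes openssl is installed; the script name and the 30-day warning window are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: make the LDAPS certificate
# expiry visible (the ndsd startup scripts never warn about it) and pull the
# Organizational CA, the last certificate in the served chain, into ca.b64
# for keytool. Assumes openssl is installed; host/port are arguments.

# Save the PEM chain served at HOST:PORT ($1:$2) to OUT ($3).
# Fails when nothing answers TLS there, e.g. ndsd never opened 10636.
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
    [ -s "$3" ]
}

# Number of certificates in a PEM bundle ($1).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Copy the Nth certificate ($2, 1-based) of bundle $1 to OUT ($3).
nth_cert() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{n++} n==want' "$1" >"$3"
    [ -s "$3" ]
}

# Print one line per certificate in bundle $1, flagging any that has expired
# or expires within $2 days (default 30). Returns 1 if anything was flagged.
check_pem_expiry() {
    bundle=$1; secs=$(( ${2:-30} * 86400 )); status=0
    tmp=$(mktemp); total=$(cert_count "$bundle"); i=1
    while [ "$i" -le "$total" ]; do
        nth_cert "$bundle" "$i" "$tmp"
        subj=$(openssl x509 -in "$tmp" -noout -subject)
        end=$(openssl x509 -in "$tmp" -noout -enddate | cut -d= -f2)
        if openssl x509 -in "$tmp" -noout -checkend "$secs" >/dev/null; then
            echo "OK       $subj (until $end)"
        else
            echo "EXPIRING $subj (until $end)"; status=1
        fi
        i=$((i + 1))
    done
    rm -f "$tmp"; return $status
}

# Usage: sh ldaps-check.sh HOST [PORT] [WARN_DAYS]; does nothing when sourced.
if [ $# -ge 1 ]; then
    chain=$(mktemp)
    fetch_chain "$1" "${2:-10636}" "$chain" || { echo "no TLS on $1:${2:-10636}, is ndsd up?"; exit 2; }
    check_pem_expiry "$chain" "${3:-30}"
    nth_cert "$chain" "$(cert_count "$chain")" ca.b64 && echo "CA written to ca.b64"
fi
```

Run it as `sh ldaps-check.sh localhost` on the ZLM server; a non-zero exit from the expiry check is what you want to alert on from cron, since ndsd itself will not tell you.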
Now create the new Java keystore (keytool creates it on first import) and copy it to the location ZLM reads it from:
# /opt/novell/eDirectory/lib64/nds-modules/embox/jre/bin/keytool -import -file ca.b64 -alias 127.0.0.1 -keystore ldap-certs
Enter keystore password: <provide the keystore password here>
Owner: O=BLX_ZLM002-TREE, OU=Organizational CA
Issuer: O=BLX_ZLM002-TREE, OU=Organizational CA
Serial number: 21c14e13ec4f510fd93b457ffaf29afae2dc33bcef80a48963fd781de6402020c0d3427
Valid from: Fri Feb 26 12:20:04 CET 2010 until: Wed Feb 26 12:20:04 CET 2020
Certificate fingerprints:
MD5: 9A:C6:F7:95:E3:1B:00:38:74:D6:AC:35:50:7E:9C:6F
SHA1: 5B:8D:8B:7E:FE:27:89:C1:3B:26:90:42:F4:43:72:29:1A:C3:C1:17
Trust this certificate? [no]: yes
Certificate was added to keystore
# cp ldap-certs /opt/novell/zenworks/datamodel/share/ldap-certs