I am trying to configure SLDAP and I am running into some issues with simply 
configuring the NSS Tools from Mozilla based on their documentation. Has 
anyone configured SLDAP before? If so, I am looking for better documentation 
for configuring this. Our environment is 7.6.04 on a Windows 2008 64-bit server 
with a 64-bit SQL DB.

Here is the doc I am working from:
--------------------------------------------------------------------------------------------------------------------------
Troubleshooting SSL with Certutil
(updated 03/23/11-DR)
 
 
This document contains steps that have been used to configure SSL for use with 
the Remedy AREA and ARDBC LDAP plugins. Most of the information in this 
document is supported by the individual third-party vendors, not BMC, but has 
been provided as a convenience to the customer. These steps were written from a 
Windows Server perspective but should be applicable, with some interpretation, 
to most Unix platforms.
 
-Certutil Documentation
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
-Certutil Related Libraries and Executables
For ARServer 7.5 and greater use:
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_RTM/
For ARServer pre-7.5 use:
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_4_2_RTM/
 
 
A. To export a certificate from Active Directory for use with AR System:
1. From the Active Directory Controller, open the Certificates console
   a. Run mmc
   b. Add the Certificates snap-in (local computer)
   c. Locate the server certificate
2. Right-click the certificate you would like to export and choose All Tasks, Export
3. From the Export Wizard, choose the Base-64 X.509 (.cer) file format and save it 
to the hard drive on the ARServer box. We will refer to this folder as 
"c:\cert"
 
 
B. To generate a certificate that can be used by AR System for LDAP
1. Obtain the CERTUTIL utility from Mozilla
   a. Notes
      i. The standard Microsoft Windows CertUtil will not work, since the AR System 
uses the Sun LDAP libraries
      ii. Four files from SeaMonkey must be in place in the nss bin directory: 
libplc4.dll, libplds4.dll, libnspr4.dll, and nspr4.dll
   b. Use FTP to connect and download the following files (use the correct 
location for your particular operating system):
      i. ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_RTM/WINNT5.0_OPT.OBJ/
      ii. ftp://ftp.mozilla.org/pub/mozilla.org/seamonkey/releases/1.0.5/seamonkey-1.0.5.en-US.win32.zip
   c. Unzip nss-3.11.zip into a folder on the server called c:\nss-3.11
   d. Open seamonkey-1.0.5.en-US.win32.zip and extract the plc4.dll, 
nspr4.dll, and plds4.dll files; place these in the c:\nss-3.11\bin directory on 
the server
   e. Create a copy of "nspr4.dll" and name it "libnspr4.dll"
   f. Rename "plc4.dll" to "libplc4.dll"
   g. Rename "plds4.dll" to "libplds4.dll"
2. Create the cert7.db or cert8.db file
   a. Create a folder called "c:\cert" (unless it was already created)
   b. Open a command window and change directories to the bin folder of the NSS 
package unzipped in step 1 ("c:\nss-3.4.2\bin" for the pre-7.5 package, 
"c:\nss-3.11\bin" for 7.5 and later)
   c. Create the certificate store:
      certutil -N -d "c:\cert"
      1. This creates the cert7.db or cert8.db file, depending on the version 
of certutil
      2. -N creates a new certificate and key database
      3. -d specifies the folder in which to locate the cert7.db file
   d. Add the certificate to the store:
      certutil -A -n certname -t "PTCu,P,P" -d "c:\cert" -a -i "exported cert file"
      For example: certutil -A -n astro -t "PTCu,P,P" -d "c:\cert" -a -i "c:\cert\astrocert1.cer"
      1. This adds the exported certificate to the store
      2. -A adds the certificate
      3. -n is the nickname for the certificate (used again later)
      4. -t is the trust string; its three comma-separated fields are SSL, email 
and object signing, and the letters mean P = trusted peer, T = trusted CA to 
issue client certs, C = trusted CA to issue server certs, u = user cert used 
for authentication
      5. -d is the cert store location
      6. -a tells certutil the input file is in ASCII (Base-64) format
      7. -i is the certificate file to import
   e. Validate the certificate:
      certutil -L -d "c:\cert" -n "certname"
      For example: certutil -L -d "c:\cert" -n "astro"
      1. -L displays information about the certificate
      2. -d is the store location
      3. -n is the nickname for the certificate (entered above)
Example output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5e:c9:54:50:18:2a:bf:a5:43:17:25:6a:ff:3a:47:fa
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: CN=Astro CA, OU=Support, O=Remedy, L=Pleasanton, ST=CA, C=US, 
E= [email protected]
        Validity:
            Not Before: Thu Mar 25 20:50:35 2004
            Not After: Sat Mar 25 20:50:35 2006
        Subject: CN=Astro CA, OU=Support, O=Remedy, L=Pleasanton, ST=CA, C=US, E
[email protected]
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    00:c3:8e:64:71:be:d6:cb:5c:59:7f:4b:83:48:18:
                    ff:b1:2c:ee:fe:a5:fe:45:55:12:91:21:4f:f2:10:
                    99:21:d3:78:c4:2c:de:33:b7:2b:cf:b5:0e:a5:82:
                    43:ee:21:ab:a8:cc:bb:4b:4f:3f:61:94:c8:c5:55:
                    0b:ad:ae:4e:87
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name:
                2b:06:01:04:01:82:37:14:02
            Data: ""
 
            Name:
                Certificate Key Usage
            Data:
                03:02:01:46
 
            Name:
                Certificate Basic Constraints
            Critical:
                True
            Data: Is a CA with a maximum path length of -2.
 
            Name:
                Certificate Subject Key ID
            Data:
                04:14:20:a1:e7:b8:9e:e7:f7:49:22:fb:47:b6:fd:c5:
                e3:20:fa:67:6d:e3
 
            Name:
                CRL Distribution Points
            Data: Sequence {
                Sequence {
                    Option 0
                        bf:a0:81:bc:86:81:b9:6c:64:61:70:3a:2f:2f:
                        2f:43:4e:3d:41:73:74:72:6f:25:32:30:43:41:
                        2c:43:4e:3d:61:73:74:72:6f:2c:43:4e:3d:43:
                        44:50:2c:43:4e:3d:50:75:62:6c:69:63:25:32:
                        30:4b:65:79:25:32:30:53:65:72:76:69:63:65:
                        73:2c:43:4e:3d:53:65:72:76:69:63:65:73:2c:
                        43:4e:3d:43:6f:6e:66:69:67:75:72:61:74:69:
                        6f:6e:2c:44:43:3d:6a:65:74:73:6f:6e:73:2c:
                        44:43:3d:72:65:6d:65:64:79:2c:44:43:3d:63:
                        6f:6d:3f:63:65:72:74:69:66:69:63:61:74:65:
                        52:65:76:6f:63:61:74:69:6f:6e:4c:69:73:74:
                        3f:62:61:73:65:3f:6f:62:6a:65:63:74:63:6c:
                        61:73:73:3d:63:52:4c:44:69:73:74:72:69:62:
                        75:74:69:6f:6e:50:6f:69:6e
                }
                74:30:3f:a0:3d:a0:3b:86:39:68:74:74:70:3a:2f:2f:
                61:73:74:72:6f:2e:6a:65:74:73:6f:6e:73:2e:72:65:
                6d:65:64:79:2e:63:6f:6d:2f:43:65:72:74:45:6e:72:
                6f:6c
                6c:2f:41:73:74:72:6f:25:32:30:43:41:2e:63:72:6c
                l/Astro%20CA.crl
            }
 
            Name:
                2b:06:01:04:01:82:37:15:01
            Data: 131328 (0x20100)
 
    Fingerprint (MD5):
        D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
    Fingerprint (SHA1):
        DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
 
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        77:41:b6:79:ab:1f:77:5a:60:77:bb:65:ac:05:77:f3:5e:29:
        76:4c:68:35:e0:8f:62:86:f0:9c:e0:bb:80:b7:b0:85:89:c2:
        5b:6d:76:96:40:51:fc:0e:f8:75:61:77:33:a1:e6:2a:83:2a:
        b6:ab:29:3f:93:2d:04:6b:13:19
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
            Valid Peer
            Trusted
        Object Signing Flags:
            Valid Peer
            Trusted
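Two checks worth automating on the listing above, as an added example that is not part of the BMC document or the original post: decoding what a -t string such as "PTCu,P,P" actually grants, and reading the validity window and SSL trust flags back out of the certutil -L output, since an expired cert or a missing "Trusted CA" flag are the usual reasons the plugin later reports that the key does not work. SAMPLE_LISTING is a constructed excerpt laid out like the page's example output.

```python
from datetime import datetime

# Constructed excerpt of a `certutil -L -d c:\cert -n astro` listing, laid out like the page's example output.
SAMPLE_LISTING = """Certificate:
        Validity:
            Not Before: Thu Mar 25 20:50:35 2004
            Not After: Sat Mar 25 20:50:35 2006
        Subject: CN=Astro CA, OU=Support, O=Remedy, L=Pleasanton, ST=CA, C=US
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
"""
# Letters certutil accepts in a -t trust string (three comma-separated fields: SSL, Email, Object Signing).
TRUST_LETTERS = {"p": "valid peer", "P": "trusted peer", "c": "valid CA",
                 "C": "trusted CA for server certs", "T": "trusted CA for client certs",
                 "u": "user cert (private key present)", "w": "send warning"}

def decode_trust_arg(trust):
    """Expand a -t value such as "PTCu,P,P" into the flags it grants per category."""
    ssl, email, objsign = trust.split(",")  # ValueError unless exactly three fields are given
    return {cat: [TRUST_LETTERS[ch] for ch in field]
            for cat, field in (("SSL", ssl), ("Email", email), ("Object Signing", objsign))}

def parse_certutil_listing(text):
    """Pull subject, validity window and SSL trust flags out of `certutil -L -n <nickname>` output."""
    fmt, info, section = "%a %b %d %H:%M:%S %Y", {"ssl_flags": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("Not Before:", "Not After:")):
            key, value = line.split(":", 1)          # "Not After" -> info["not_after"]
            info[key.lower().replace(" ", "_")] = datetime.strptime(value.strip(), fmt)
        elif line.startswith("Subject:"):
            info["subject"] = line[8:].strip()
        elif line.endswith("Flags:"):                # "SSL Flags:", "Email Flags:", ...
            section = line[:-6].strip()
        elif section == "SSL" and line:
            info["ssl_flags"].append(line)
    return info

def check_for_ldaps(text, as_of):
    """Reasons (empty if none) the listed cert cannot anchor an SSL LDAP bind on day as_of (YYYY-MM-DD)."""
    info, now, problems = parse_certutil_listing(text), datetime.strptime(as_of, "%Y-%m-%d"), []
    if not info["not_before"] <= now <= info["not_after"]:
        problems.append("outside validity window (Not After %s)" % info["not_after"].date())
    if "Trusted CA" not in info["ssl_flags"]:
        problems.append("SSL flags lack 'Trusted CA': re-run certutil -A with a C or T flag in -t")
    return problems
```

Run it against the real listing by piping `certutil -L -d "c:\cert" -n "certname"` into a file and passing its contents to check_for_ldaps with today's date.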
 
 
C. In the AREA LDAP Configuration Form, make sure to set the SSL flag to 
"Yes" and provide the directory name in the certificate database location 
field. Do not pass the name of the cert store file itself (cert7.db or cert8.db).
 
D. If the key does not work, try the following:
1. Open the Netscape browser v4.79 on the ARServer system and connect 
to https://<ldap server>/
2. When asked, choose to accept the certificate
E. Diagnostic Information
1. To obtain more detailed information about the SSL communication 
between the AREA or ARDBC LDAP plugin and the LDAP host, you can use the 
SSLTRACE and SSLDEBUG environment variables to send debug output to the command 
prompt (standard out).
2. Follow these steps to run the plugin server from a command prompt so 
that the standard-out information will be visible.
   a. Edit armonitor.cfg and comment out the arplugin.exe line by 
prefixing it with a hash sign (#)
   b. Restart the AR System server service so that the plugin server is 
no longer running
   c. Open a command prompt in the folder where arserver.exe and 
arplugin.exe reside
   d. Set two environment variables:
      SET SSLDEBUG=1
      SET SSLTRACE=3
   e. Launch arplugin.exe from the command line:
      arplugin -i . -m
      (This is the minimal syntax and assumes that the CONF folder containing ar.cfg 
is in the current directory)
   f. Enable plugin logging and set Plugin-Log-Level to 100 or All
   g. Perform some steps using the Remedy clients that would cause an LDAP 
connection over SSL to take place.
   h. If an actual SSL connection was being made to the LDAP host, the 
command prompt should contain some diagnostic information, including an error 
number. This error number may be used by your SSL admins to troubleshoot the 
problem. In some cases, a descriptive error message is provided as well.
   i. When communicating with BMC Support, please include the plugin log, 
the diagnostic output and, if possible, the output from certutil showing the 
validated certificate: certutil -L -d "c:\cert" -n "certname"
 

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org