Ok, after having looked at the code, I think we should restore the way
ADS 1.5.1 was handling an external keystore.
What about adding the two missing parameters in server.xml?
<ldapService id="ldapsService"
             enabled="true"
             tcpPort="10636"
             enableLdaps="true"
             nbTcpThreads="8">
  <directoryService>#directoryService</directoryService>
</ldapService>
should become:
<ldapService id="ldapsService"
             enabled="true"
             tcpPort="10636"
             enableLdaps="true"
             nbTcpThreads="8"
             keystoreFile="/home/user/.keystore"
             certificatePassword="changeit">
  <directoryService>#directoryService</directoryService>
</ldapService>
wdyt?
Stefan Seelmann wrote:
Hi Stefan,
Stefan Zoerner wrote:
Hi all,
I am facing some problems with the current (since 1.5.3, I assume) SSL
configuration. In earlier days, it was possible to provide a keystore
with the public/private key, certificate etc. here
http://cwiki.apache.org/confluence/display/DIRxSRVx11/3.3.+How+to+enable+SSL
Now, the server creates a keypair when it starts the first time and
stores it in the entry uid=admin,ou=system, in different attributes.
To be honest: This is an example of why our documentation is so bad. The
old behavior has been well described in the docs. Someone changed it
completely, and did not update the docs. Same situation holds true for
the whole configuration. :-(
Nevertheless, the new SSL functionality seems to be simpler, because it
is possible to set it up automatically. But if I plan to use a custom
certificate, it should be at least possible. Today, there was a
corresponding question on the user list.
I wanted to update the docs to reflect the changes, and I am still
trying to figure out what an easy way for our users would be.
A question for the current implementation: Is there any way to
configure/influence the key creation at startup? I assume no, but
perhaps I am missing something.
I have no idea. The only direction I could point you to is the class where
the initial private key and certificate are created, see [1].
Currently, the only way to set up my own certificate is modifying the
attribute values for uid=admin,ou=system
This is not an easy task, because we do not have any tools for that.
There is no wizard in Studio yet. Even if there were one, it
should be possible without a UI client, ...
You are right, if we create some tooling we should put all common code
into the shared libraries, and then create a wizard for studio and a
CL-tool.
I was able to store my private key, but I am a little bit confused about
some attribute. What exactly is contained in userCertificate and what in
publicKey?
I assume userCertificate holds the certificate the server presents to the
client. But why do we need publicKey as well? I think it is contained in
the userCertificate. No?
I assume too.
Kind Regards,
Stefan
[1]
http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/security/TlsKeyGenerator.java?view=markup
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
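Added example, not from this thread and not ApacheDS code: a small Java check that loads the keystore named by the proposed keystoreFile/certificatePassword parameters, takes the public key straight from the certificate (which is why a separate publicKey value is not needed), and confirms the private key actually matches that certificate before server.xml is pointed at the file. It assumes a default-type (JKS) keystore whose key entry uses the same password as the store; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class KeystoreCheck {

    // Returns the alias of the first usable key entry; throws if none passes the checks.
    public static String check(String keystoreFile, char[] certificatePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, certificatePassword);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries cannot serve an LDAPS listener
            }
            // Assumption: the key entry is protected with the same password as the store.
            PrivateKey priv = (PrivateKey) ks.getKey(alias, certificatePassword);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            cert.checkValidity(); // throws if the certificate is expired or not yet valid
            PublicKey pub = cert.getPublicKey(); // the public key is embedded in the certificate
            if (!keysMatch(priv, pub)) {
                throw new IllegalStateException("private key does not match certificate: " + alias);
            }
            return alias;
        }
        throw new IllegalStateException("no key entry found in " + keystoreFile);
    }

    // Sign/verify round trip: proves the private key belongs to the certificate's public key.
    static boolean keysMatch(PrivateKey priv, PublicKey pub) throws Exception {
        String alg = priv.getAlgorithm();
        String sigAlg = "SHA256with" + ("EC".equals(alg) ? "ECDSA" : alg);
        byte[] probe = "keystore-check".getBytes("UTF-8");
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(priv);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(pub);
        verifier.update(probe);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("usable key entry: " + check(args[0], args[1].toCharArray()));
    }
}
```

Run it as `java KeystoreCheck /home/user/.keystore changeit` against the keystore from the server.xml fragment above; a non-zero exit means the server would not be able to present a usable certificate from that file.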