How do I configure SSL functionality within CA Directory r12.0 SP2?

Document ID : KB000053022
Last Modified Date : 14/02/2018

Description:

One of the new features of r12.0 SP2 is the integration of the SSL features into the DSA itself. The SSL Daemon is no longer part of the product. This technical document explains how to configure a CA Directory r12.0 SP2 DSA to use SSL.

Solution:

As of r12.0SP2, the SSL Daemon is no longer a separate process from the DSA. The DSA now incorporates the SSL Daemon's functionality. To aid in this transition, the SSLD configuration parameters are now defined as a DSA configuration command.

In r12.0SP1, the common SSLD installation command looked like:

ssld install {ssld-instance-name} -ca config/ssld/trusted.pem -certfiles config/ssld/personalities

In r12.0 SP2, the DSA configuration command uses exactly the same parameters, but the syntax is different. The DSA configuration command for the SSL feature has the following syntax:

set ssl = {
    cert-dir = "config/ssld/personalities"    # folder containing DSA personality certs
    ca-file = "config/ssld/trusted.pem"       # trusted root CA that signed the DSA certificates
    cipher = "ALL:!EXPORT40:!ADH"             # supported ciphers - syntax on the OpenSSL website
    protocol = tls                            # enable TLS only (the default if fips is set)
    fips = true                               # enables FIPS 140-2 compliant encryption

    # HSM options
    lib = "<string>"                          # path to the PKCS#11 library supplied by the HSM vendor
    pin = "<string>"                          # HSM PIN
    slot = <num>                              # slot to use for HSM-based encryption
};

An example implementation of this new configuration using the Democorp DSA sample:

  • Prior to configuring SSL for any DSA, the DSAs have to be created and the relevant PEM certificates and trusted root CAs must be stored in their relevant files and folders. Running the command "dxcertgen certs" will automatically create a PEM certificate for each DSA present on the system and add the root CA signing certificate to the trusted.pem file for you.
    >dxcertgen certs
    Setting root certificate and public/private keys for signing...
    Exporting certificate 'dxcertgen' from
    C:\Program Files\CA\Directory\dxserver\config\ssld\javakeystores\cacerts...
    Writing root certificate to trusted.pem...
    Generating DXserver personalities from server files...
    Generating a new personality certificate for democorp...
    Generating a 1024-bit RSA public/private key pair...
    ...++++++
    .....................................++++++
    Generating an x509 v3 certificate...
    Signing certificate with trusted root CA's private key...
    Writing personality certificate to
    C:\Program Files\CA\Directory\dxserver\config\ssld\personalities\democorp.pem...
    Done.
  • The SSL DSA configuration should be stored in a DXC configuration file in the DXHOME/config/ssld folder.

    Example: DXHOME/config/ssld/Democorp-SSL.dxc
    set ssl = {
        cert-dir = "config/ssld/personalities"
        ca-file = "config/ssld/trusted.pem"
    };
  • The Democorp DSA's initialization file in DXHOME/config/servers needs to source the Democorp-SSL.dxc file.
    # access controls
    clear access;
    source "../access/default.dxc";
    # ssl
    source "../ssld/Democorp-SSL.dxc";
    # replication agreements (rarely used)
    # source "../replication/";
  • Stop and start your Democorp DSA.
    >dxserver stop democorp
    democorp stopping
    .
    democorp stopped

    >dxserver start democorp
    democorp starting
    ..
    democorp started
  • Bind to your democorp DSA using an SSL connection.

    Figure 1

    The bind process will produce the following certificate validation warning:

    Figure 2

    Accept the connection and you will see the bind complete.

  • Tracing the Democorp DSA at the "set trace=dsa;" trace level shows all communications; the (SSL) marker identifies the protected connection.
    <- #0 (SSL) LDAP SEARCH-REQ              # This is an inbound LDAP application search using SSL
        invoke-id = 6 credit = 4
        Base object:
            <countryName utf8 "au">
            <organizationName utf8 "democorp">
        Don't Search Aliases
        Controls:
            manage-dsa-it
        ......

    -> #0 (SSL) LDAP SEARCH-CONFIRM          # This is an outbound search response from the DSA
        invoke-id = 6 credit = 1
        Entry: 1
            <countryName "au">
            <organizationName "democorp">
        Contents: (none)
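As an added example (not CA Directory's own code), the following Python script turns the r12.0 SP1 "ssld install" command line above into the r12.0 SP2 "set ssl = { ... };" block, parses such a block back into a dictionary, and flags a block like the minimal Democorp-SSL.dxc that sets neither "protocol = tls" nor "fips = true". The option-to-keyword mapping is taken from this article; the review rules are this example's own, not product validation.

```python
"""Added example, not CA Directory's own code: convert an SP1 'ssld install'
command to an SP2 'set ssl' block, parse such blocks, and review their settings."""
import re
import shlex

# SP1 'ssld install' options and the SP2 'set ssl' keywords they became (from the article).
SP1_TO_SP2 = {"-ca": "ca-file", "-certfiles": "cert-dir"}


def ssld_install_to_set_ssl(cmdline):
    """Build an SP2 'set ssl' block from an SP1 'ssld install' command line."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["ssld", "install"] or len(argv) < 3:
        raise ValueError("expected: ssld install <instance> -ca <file> -certfiles <dir>")
    args = argv[3:]  # drop the ssld instance name
    if len(args) % 2 or any(opt not in SP1_TO_SP2 for opt in args[0::2]):
        raise ValueError("unsupported ssld install options")
    body = "".join(f'    {SP1_TO_SP2[o]} = "{v}"\n' for o, v in zip(args[0::2], args[1::2]))
    return "set ssl = {\n" + body + "};\n"


def parse_set_ssl(text):
    """Parse 'set ssl = { key = value ... };' into a dict; '#' begins a comment."""
    block = re.search(r"set\s+ssl\s*=\s*\{(.*?)\}\s*;", text, re.S)
    if not block:
        raise ValueError("no 'set ssl = { ... };' block found")
    settings = {}
    for line in block.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, raw = line.partition("=")
        raw = raw.strip()
        if raw.startswith('"'):  # quoted string; text after the closing quote is a comment
            value = raw[1:raw.index('"', 1)].strip()
        else:  # bare keyword (tls), boolean (true/false) or number (slot)
            raw = raw.split("#", 1)[0].strip()
            value = {"true": True, "false": False}.get(raw, int(raw) if raw.isdigit() else raw)
        settings[key.strip()] = value
    return settings


def review_set_ssl(settings):
    """Findings on a parsed block (these checks are the example's own, not the product's)."""
    findings = [f"missing {k}" for k in ("cert-dir", "ca-file") if k not in settings]
    if settings.get("protocol") != "tls" and settings.get("fips") is not True:
        findings.append("TLS-only not enforced: set protocol = tls or fips = true")
    cipher = settings.get("cipher", "")
    if cipher and not {"!ADH", "!EXPORT40"} <= set(cipher.split(":")):
        findings.append("cipher string does not exclude EXPORT40 and ADH as the article's does")
    return findings
```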