Configure the SSL Simple (SSL+External) connection for the SunOne Directory server

Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission. https://blog.csdn.net/chancein007/article/details/7306937
1. Open xca and create the CA
1.1 Create a new database and name it certs.
1.2 Enter the password that protects it; the password used here is 12345678.
1.3 Move to the Certificates tab and click the New Certificate button on the left.
1.4 A window named Create x509 Certificate appears.
1.5 Click the Source tab in this window.
1.5.1 Template for the new certificate: [Default] CA
1.5.2 Signing -> Create a self signed certificate with the serial: 1
1.6 Click the Subject tab.
1.6.1 OrganizationName: Example
1.6.2 OrganizationUnitName: Engineer. Note that ou=Engineer,o=techlogy,dc=example,dc=com
must already exist on the directory server before these two values are entered.
1.6.3 Click the Generate a new key button at the bottom right and
enter the name of the new key as certkey.
1.6.4 Internal name: Cacert
1.7 Click the Extensions tab and select Type as "Certification Authority".
2. Generate the SSL request on the Sunone Directory server side
 2.1 Open the Sunone Directory server management console.
 2.2 Click the Tasks tab and then click the Manage Certificates button.
 2.3 Click Request... --> check Request certificate manually --> Next
 2.4 The Certificate Request Wizard appears.
     2.4.1 Servername: the hostname, such as VM-AD-SUN-HENRY.example.com
     2.4.2 Leave the other items empty, such as Organization,
     Organization Unit, City/Local, State/Province, Country/Region.
 2.5 A warning window appears: Empty Fields - One or more fields are empty...
     Do you want to continue? -- Click Yes
 2.6 Enter the password to access the token; set the password value as "example1234".
 2.7 Click the "Save to file" button to save the certificate request;
     keep the default name server.req.
 2.8 Remove the empty line from the server.req file.
3. Import server.req into XCA and sign it.
3.1 Open XCA and move to the Certificate signing requests tab.
3.2 Click the "Import" button on the right.
3.3 Select the server certificate request, right-click it and then click "Sign".
3.4 Use this Certificate for Signing: select Cacert
3.5 Signature algorithm: SHA1
3.6 Template for the new certificate: [Default] HTTPS_server
4. Generate the client certificate for SSL+External (this step can be skipped when configuring SSL+Simple)
  4.1 Open XCA and go to the Certificates tab.
  4.2 Click the "New Certificate" button on the right.
  4.3 The "Create X509 Certificate" window appears.
      4.3.1 Go to the Source tab
            Signing --> check "Use this Certificate for signing" --> Cacert
            Signature algorithm --> SHA1
            Template for the new certificate --> [Default] HTTPS_Client
      4.3.2 Go to the Subject tab
            4.3.2.1 Internal name: clientcert
            4.3.2.2 Generate a new key: clientcertkey
            Keytype: RSA
            Keysize: 1024 bit
            4.3.2.3 Add the information below for the userDN cn=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
            Type                  Content
            organizationName      netscaperoot
            organizationUnitName  topologymanagement
            organizationUnitName  administrators
            commonName            admin
            Note that these items must be entered in this order.
      4.3.3 Leave the other items at their defaults.
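The ordering requirement in 4.3.2.3 exists because, for SSL+External, the directory maps the client certificate's subject onto a directory entry, and XCA lists the subject from the top of the tree downwards (O, OU, OU, CN) while an LDAP DN is written leaf first (CN, OU, OU, O). The Python below is an added example, not code from the original post or from XCA or the Sun console, and it assumes nothing about the server; it reverses the XCA entry list into a DN, compares it with the target administration DN the way the directory does (attribute types mapped to their short names, values compared case-insensitively, RFC 4514 escaping respected), and shows that swapping the two OU rows produces a DN that no longer matches.

```python
"""Check that a certificate subject entered in XCA maps onto the intended LDAP DN.

Added example for step 4.3.2.3 above (not from the original post or from XCA).
XCA lists subject attributes from the top of the tree downwards (O, OU, OU, CN);
an LDAP distinguished name is written leaf first (CN, OU, OU, O).
"""

# X.520 long attribute names as XCA displays them -> LDAP short attribute types.
ATTRIBUTE_ALIASES = {
    "organizationname": "o",
    "organizationunitname": "ou",      # spelling used in the XCA dialog
    "organizationalunitname": "ou",    # spelling used in RFC 4519
    "commonname": "cn",
    "countryname": "c",
    "localityname": "l",
    "stateorprovincename": "st",
}

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
SPECIAL_CHARS = ',+"\\<>;'


def normalize_type(attr_type):
    """Map an attribute type to its lower-case LDAP short form."""
    t = attr_type.strip().lower()
    return ATTRIBUTE_ALIASES.get(t, t)


def escape_value(value):
    """Escape a raw attribute value for use inside an RFC 4514 DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL_CHARS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def subject_to_dn(entries):
    """Turn XCA's top-down list of (type, value) pairs into an LDAP DN string."""
    rdns = ["%s=%s" % (normalize_type(t), escape_value(v)) for t, v in entries]
    return ",".join(reversed(rdns))


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def trim_value(value):
    """Drop unescaped surrounding spaces but keep an escaped trailing space."""
    value = value.lstrip()
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return value


def parse_dn(dn):
    """Parse a DN into comparable (type, value) pairs.

    Types are mapped to their short names and values lower-cased, which is how
    the directory matches these attributes. Multi-valued RDNs ('+') are not handled.
    """
    pairs = []
    for rdn in split_rdns(dn):
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((normalize_type(attr_type), trim_value(value).lower()))
    return pairs


def subject_matches_dn(entries, user_dn):
    """True when the XCA subject entries, read leaf first, equal user_dn."""
    return parse_dn(subject_to_dn(entries)) == parse_dn(user_dn)


if __name__ == "__main__":
    # Subject exactly as entered in step 4.3.2.3, top-down.
    subject = [
        ("organizationName", "netscaperoot"),
        ("organizationUnitName", "topologymanagement"),
        ("organizationUnitName", "administrators"),
        ("commonName", "admin"),
    ]
    target = "cn=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
    print(subject_to_dn(subject))
    print("matches:", subject_matches_dn(subject, target))
    # Swapping the two OU rows yields a DN the server will not map to the entry.
    swapped = [subject[0], subject[2], subject[1], subject[3]]
    print("swapped matches:", subject_matches_dn(swapped, target))
```

Run it after filling in the Subject tab to confirm the DN printed on the first line is the entry the client is meant to bind as; a mismatch here is the usual reason an SSL+External bind is refused while the TLS handshake itself succeeds.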
        
5. Export the signed certificates
5.1 Export the Cacert certificate:
    5.1.1 Right-click Cacert --> Export --> File
    5.1.2 Filename: Cacert.crt
          Export Format: PEM
    5.1.3 Filename: Cacert.cer
          Export Format: DER
5.2 Export the client certificate:
    5.2.1 Right-click clientcert --> Export --> File
    5.2.2 Filename: clientcert.p12
          Export Format: PKCS#12
          Enter the password to encrypt the PKCS#12 file: example2012go!
5.3 Export the server certificate:
    5.3.1 Right-click the server certificate (VM-AD-SUN-HENRY.example.com) --> Export --> File
    5.3.2 Filename: VM-AD-SUN-HENRY.example.com.crt
          Export Format: PEM
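Steps 2.8 and 5.1 both come down to handling the same file format: the request written by the console carries a blank line that XCA will not import, and the CA certificate is exported twice, once as PEM (Cacert.crt, for the console) and once as DER (Cacert.cer, for keytool in step 7). The Python below is an added example, not code from the original post or from either tool, and uses only the standard library; clean_pem() does what step 2.8 does by hand (and also normalizes CRLF line endings), while pem_to_der() and der_to_pem() convert between the two export formats so the two Cacert files can be checked to carry the same bytes. The sample payload is a constructed placeholder, not a real certificate request.

```python
"""Clean up and convert the PEM and DER files exchanged between the Directory
Server console and XCA.

Added example for steps 2.8 and 5.1 above; not from the original post.
"""
import base64
import re

# One PEM block: the label in the BEGIN and END lines must match; body captured lazily.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def clean_pem(text):
    """Return a single PEM block with LF endings and no blank or padded lines.

    The console's server.req contains an empty line inside the block, which the
    XCA import rejects; step 2.8 removes it manually.
    """
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no PEM block found")
    label, body = match.group(1), match.group(2)
    lines = [line.strip() for line in body.split("\n") if line.strip()]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pem_to_der(text):
    """Decode the first PEM block in text to its DER bytes (strict base64)."""
    match = PEM_BLOCK.search(clean_pem(text))
    body = "".join(match.group(2).split())
    return base64.b64decode(body, validate=True)


def der_to_pem(der, label):
    """Encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(rows), label)


def same_certificate(pem_text, der_bytes):
    """True when a PEM export and a DER export encode the same object (Cacert.crt vs Cacert.cer)."""
    return pem_to_der(pem_text) == der_bytes


if __name__ == "__main__":
    # Constructed payload standing in for a real request; not a valid CSR.
    payload = bytes(range(200))
    good = der_to_pem(payload, "CERTIFICATE REQUEST")
    # Simulate the console's output: CRLF line endings and a stray empty line.
    rows = good.split("\n")
    messy = "\r\n".join(rows[:3] + [""] + rows[3:])
    print(clean_pem(messy) == good)
    print(pem_to_der(messy) == payload)
```

To use it on the real files, read server.req, write clean_pem() of its contents back before importing into XCA, and compare same_certificate(open("Cacert.crt").read(), open("Cacert.cer", "rb").read()) before handing Cacert.cer to keytool.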
 
6. Install the signed server and CA certificates on the Sunone Directory server.
6.1 Go to the Sunone Directory Management console.
6.2 Go to Manage Certificates --> Server certs --> Install... --> in this local file --> Browse -->
    select the full path of VM-AD-SUN-HENRY.example.com.crt
6.3 Enter the password to access the token: example1234 (the same password as in 2.6)
6.4 Go to Manage Certificates --> CA certs --> Install... --> in this local file --> Browse --> Cacert.crt
7. Generate Keystore
  7.1 cd \
  7.2 keytool -import -v -alias Cacert -file C:\SSL-LDAP\Sunone\SSL-Simple\192.168.80.166\Cacert.cer -keystore C:\SSL-LDAP\Sunone\SSL-Simple\192.168.80.166\CAKeyStore
 
8. Configure Network and Encryption for the Sunone Directory server
8.1 LDAP Directory server console --> Encryption tab
    8.1.1 Check "Enable SSL for this server"
    8.1.2 Check "Use this cipher family: RSA"
          Security Device: internal (Software)
          Certificate: Server-cert
    8.1.3 DSML Client Authentication: HTTP Basic (Use authentication in HTTP header).

8.2 Network tab
    8.2.1 Check "Both secure and non secure ports".
    8.2.2 Check "Enable DSML".
          Check only the non secure port.