2019-01-12 — ldap180 is the name of our test Directory Server instance.
Newer versions of this document reference another
instance ldap51 with DNS 389ds.example.biz.
2018-06-11 — v1.40: EC certs are supported; the nsSSL3Ciphers attr of cn=encryption,cn=config
is important to get right to support EC and TLSv1.3.
Add your trust anchors to the NSS database:
# $DIR is where the admin server or directory server instance are located
# E.g., /etc/dirsrv/admin-serv /etc/dirsrv/slapd-ldap180
# Initialize if necessary and save pin soemwhere
certutil -d $DIR -N # to initialize with new pin
# Smoke-tests
certutil -d $DIR -K # to list keys
certutil -d $DIR -L # to list certs
certutil -A -n root-ca -t CT,, -d $DIR -a -i ~user/root-ca.pem
certutil -A -n intermediate-ca -t CT,, -d $DIR -a -i ~user/intermediate.pem
## generate CSR
### RSA-2048
certutil -R -s 'CN=ldap180.example.com' -o example.req -k rsa -d $DIR -a
### EC prime256v1
certutil -R -s 'CN=ldap180.example.com ECDSA' -o example.req -k ec -q nistp256 -d $DIR -a
## import cert from stdin
certutil -A -n admin-serv -t u,u,u -d $DIR -a
# OR
certutil -A -n ldap180-serv -t u,u,u -d $DIR -a
When TLS is enabled, SLF4J is needed by JSS.
## Ensure slf4j is available:
$ rpm -q slf4j
slf4j-1.7.25-5.fc29.noarch
VERBOSE=1 CLASSPATH=/usr/share/java/slf4j/slf4j-api.jar:/usr/share/java/slf4j/slf4j-simple.jar /usr/bin/389-console
# you may be prompted to add the TLS trust anchors...
Java virtual machine used: /usr/share/java-utils/java-wrapper
classpath used: /usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/389-console_en.jar:slf4j-api-1.7.25.jar:slf4j-simple-1.7.25.jar
main class used: com.netscape.management.client.console.Console
flags used:
options used:
arguments used:
# without SLF4J installed you will get a Java Exception here and the login
# window will hang :-(
[main] INFO org.mozilla.jss.CryptoManager - CryptoManager: loading JSS library
[main] INFO org.mozilla.jss.CryptoManager - CryptoManager: loaded JSS library from /usr/lib64/jss/libjss4.so
[main] INFO org.mozilla.jss.CryptoManager - CryptoManager: initializing NSS database at /home/user/.389-console/
Error without slf4j in the class path:
Exception in thread "main" java.lang.NoClassDefFoundError: org/slf4j/LoggerFactory
at org.mozilla.jss.CryptoManager.<clinit>(CryptoManager.java:52)
at com.netscape.management.client.util.UtilConsoleGlobals.initJSS(Unknown Source)
at com.netscape.management.client.comm.HttpsChannel.<clinit>(Unknown Source)
at com.netscape.management.client.comm.HttpManager.createChannel(Unknown Source)
at com.netscape.management.client.comm.CommManager.send(Unknown Source)
at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
at com.netscape.management.client.console.Console.<init>(Unknown Source)
at com.netscape.management.client.console.Console.main(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.slf4j.LoggerFactory
at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 10 more
CA Certs:
Admin Server cert:
This is a web app fronted by Apache HTTPD; after configuring the trust anchors and certificate
we need to add the NSS passphrase to /etc/dirsrv/admin-serv/pin.txt for unattended startup.
# pin.txt; where XXXXXXXX is the NSS db password
echo 'internal:XXXXXXXX' > /etc/dirsrv/admin-serv/pin.txt
# the following line in /etc/dirsrv/admin-serv/nss.conf
NSSPassPhraseDialog file:/etc/dirsrv/admin-serv/pin.txt
# the following lines are important in /etc/dirsrv/admin-serv/console.conf
NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
NSSProtocol TLSv1.2
For added TLSv1.3,
# the following lines are important in /etc/dirsrv/admin-serv/console.conf
NSSCipherSuite +aes_128_gcm_sha_256,+chacha20_poly1305_sha_256,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
NSSProtocol TLSv1.2,TLSv1.3
By default, the enabled ciphers don't work with TLSv1.3 or EC certificates.
Don't adjust in the the console with
Encryption->Settings... as you will lose this setting.
dn: cn=encryption,cn=config
changetype: modify
delete: nsSSL3Ciphers
dn: cn=encryption,cn=config
changetype: modify
add: nsSSL3Ciphers
nsSSL3Ciphers: -all,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_AES_128_GCM_SHA256,+TLS_AES_256_GCM_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Verify:
ldapsearch -D 'cn=Directory Manager' -W -b "cn=config" -o ldif-wrap=no | grep nsslapd-security
nsslapd-security: on
ldapsearch -D 'cn=Directory Manager' -W -b "cn=config" -o ldif-wrap=no | grep nssslenabled
nssslenabledciphers: TLS_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
echo 'Internal (Software) Token:XXXXXXXX' > /etc/dirsrv/slapd-ldap180/pin.txt
systemctl restart dirsrv@ldap180
# ss -apnt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 0 *:9830 *:*
LISTEN 0 0 :::636 :::*
LISTEN 0 0 :::389 :::*
## testing LDAPS :636, STARTTLS
ldapsearch -D "cn=Directory Manager" -W -H ldaps://ldap180.example.com -b "cn=config" cn=RSA
ldapsearch -D "cn=Directory Manager" -W -H ldap://ldap180.example.com -ZZ -b "cn=config" cn=RSA
# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
nsSSLToken: internal (software)
nsSSLPersonalitySSL: ldap-rsa
nsSSLActivation: on
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
TLSv1.2 TLSv1.3 to Apache mod_nss:
$ openssl s_client -connect 389ds.example.biz:9830 -tls1_2 -CAfile truststore.pem
<...stuff...>
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1745 bytes and written 321 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 0A8440ED85B730591C813418D22180C77B8010B6B369B9BE565D3764473748CC
Session-ID-ctx:
Master-Key: B591798760C35D2EF65B56E55648C1B459E90D3C505F959C861AC4E6E4906D8B730C26C89F7B36C5FC2E2EC7B0C6C97F
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1547345539
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
$ openssl s_client -connect 389ds.example.biz:9830 -tls1_3 -CAfile truststore.pem
<...stuff...>
1aJEMxqCkjAcBgNVHREEFTATghEzODlkcy5leGFtcGxlLmJpejATBgNVHSUEDDAK
BggrBgEFBQcDATAKBggqhkjOPQQDAgNJADBGAiEA91YGzIumynIGV+xlKU0zJ1T+
W35jNLdFMp4yiS95D+QCIQDg3/5ps4fOHCYSEIyWmnyJVG6JrGv5aOdvyBRi9th7
UQ==
-----END CERTIFICATE-----
subject=DC = biz, DC = example, CN = 389ds.example.biz
issuer=DC = biz, DC = example, CN = Intermediate CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1779 bytes and written 307 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
TLSv1.2 TLSv1.3 to JSS
$ openssl s_client -connect 389ds.example.biz:636 -tls1_3 -CAfile truststore.pem
<...stuff...>
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1775 bytes and written 307 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
$ openssl s_client -connect 389ds.example.biz:636 -tls1_2 -CAfile truststore.pem
<...stuff...>
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1740 bytes and written 321 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 0989F017AA0DDF6C90A0A7C8A563A39AD682FE3BBE051177D8C718D626A6A88F
Session-ID-ctx:
Master-Key: 9864EB49F538F77052441327D08BD761A1E7EC18AD253D9F4FC98A5BFEA01E39370E109C5CA38D09AD660E40C6604A8A
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1547345707
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
#### Using STARTTLS
$ openssl s_client -connect 389ds.example.biz:389 -tls1_3 -CAfile truststore.pem -starttls ldap
<...stuff...>
UQ==
-----END CERTIFICATE-----
subject=DC = biz, DC = example, CN = 389ds.example.biz
issuer=DC = biz, DC = example, CN = Intermediate CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1871 bytes and written 338 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
$ openssl s_client -connect 389ds.example.biz:389 -tls1_2 -CAfile truststore.pem -starttls ldap
<...stuff...>
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1836 bytes and written 352 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 0989C19096C3478F385A8E52295E8BA9054C62EA8D14FE2D51365E5B88DAF319
Session-ID-ctx:
Master-Key: AF65528F82B3F5ADDE8FBB689B8640E223C0340F0D9CEF4BCAD73945384AB68B8165139A0B33EABD9EF00BFB94439C74
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1547345802
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---