How To

How do I configure a CA Signed certificate for replication DS/OpenDJ (All versions) - [replication is enabled]?

Last updated Jan 7, 2020

The purpose of this article is to provide information on replacing self-signed certificates with a CA Signed certificate for replication in DS. This allows you to use a certificate other than a self-signed one for increased security. This article assumes replication is enabled.


Overview

The following process is only suitable for instances that are already replicating and assumes the instance only has the default DS/OpenDJ created self-signed ads-truststore certificates. If this is not true, please see How do I replace the certificates (key pair) used for replication in DS/OpenDJ (All versions)? for the correct process.

In summary, the steps are:

  1. Perform the following steps on the first instance:
    1. Generate a Certificate Signing Request.
    2. Sign the CSR with the CA.
    3. Disable the LDAPS and LDAP connectors.
    4. Import the root, intermediate and server certificates.
    5. Import the CA signed server certificate.
    6. Create and apply an LDIF file to add a new instance key entry that contains the new certificate detail.
    7. Force replication to reconnect so that it uses the new certificates.
    8. Re-enable the LDAPS and LDAP connectors.
    9. Restart the server.
  2. Repeat step 1 on the other instance.

Configuring a CA Signed certificate for replication

You can configure a CA Signed certificate for replication as follows:

  1. Create a Certificate Signing Request (CSR) from ads-truststore. For example:
    $ keytool -certreq -alias ads-certificate -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/certs/ds1_cert_req.csr
  2. Sign the CSR with the CA. For example:
    $ cd ~/CA/certs
    $ openssl x509 -req -in ds1_cert_req.csr -CA ../FECRootCA.pem -CAkey ../FECRootCA.key -extensions server_cert -days 375 -CAcreateserial -out ds1_cert.pem
  3. Disable the LDAPS and LDAP connectors to ensure instances only come online once the setup process is complete:
    • DS 6 and later:
      $ ./dsconfig set-connection-handler-prop --handler-name LDAPS --set enabled:false --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set enabled:false --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      
    • Pre-DS 6:
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set enabled:false --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set enabled:false --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      
  4. Import the root, intermediate (if present) and server certificates into the ads-truststore and verify. For example:
    $ cd config
    $ keytool -import -trustcacerts -alias ca-cert -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/FECRootCA.pem
    $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass:file ads-truststore.pin
    
  5. Import the CA signed server certificate and verify. For example:
    $ keytool -import -trustcacerts -alias ads-certificate -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ~/CA/certs/ds1_cert.pem
    $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass:file ads-truststore.pin -alias ads-certificate
    
    Alias name: ads-certificate
    Creation date: 13-Feb-2019
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=ds1, O=OpenDJ RSA Certificate
    Issuer: CN=fecCA, O=FEC, L=London, ST=London, C=UK
    Serial number: b9cf4f71c94eb24e
    Valid from: Wed Feb 13 13:39:23 GMT 2019 until: Sun Feb 23 13:39:23 GMT 2020
    Certificate fingerprints:
      MD5:  C5:B9:BB:08:50:E4:C4:9F:76:3C:9B:31:6D:C6:21:C8
      SHA1: F1:6F:54:23:CE:4D:1B:7C:F7:BC:DA:DC:F7:4E:67:74:3C:F8:9F:78
      SHA256: 92:42:6D:12:D2:F7:42:82:58:3D:65:36:95:FA:02:B2:05:E5:D3:BB:82:AC:E3:FE:7B:55:D2:38:16:7F:DA:DC
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 1
    
  6. Extract an MD5 hash of the ads-truststore certificate without ":" characters. This hash is needed in step 8 to reflect the new certificate information in "cn=admin data":
    $ keytool -export -alias ads-certificate -keystore ads-truststore -storepass:file ads-truststore.pin -keypass:file ads-truststore.pin -file ads-new-cert.crt
    $ keytool -printcert -file ads-new-cert.crt | grep MD5 | awk '{print $2}'  | sed "s/://g"
    
    DC54D2DAF3E1D7672779E55D59310A36
    
  7. Output the certificate details. These details are needed in step 8 to reflect the new certificate information in "cn=admin data":
    $ for line in `sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' ~/CA/certs/ds1_cert.pem | sed "s/-----.* CERTIFICATE-----//" | sed "/^$/d"`; do printf "%s" "$line"; done; echo
    
    <base64-encoded certificate on a single line>
    
  8. Create an LDIF file to add a new instance key entry that contains the new certificate detail. For example:
    $ vi /tmp/update_server_cert.ldif
    dn: ds-cfg-key-id=DC54D2DAF3E1D7672779E55D59310A36,cn=instance keys,cn=admin data
    changetype: add
    objectClass: top
    objectClass: ds-cfg-instance-key
    ds-cfg-key-id: DC54D2DAF3E1D7672779E55D59310A36
    ds-cfg-public-key-certificate;binary:: <base64-encoded certificate on a single line>
    
    dn: cn=ds1.example.com:4444,cn=servers,cn=admin data
    changetype: modify
    replace: ds-cfg-key-id
    ds-cfg-key-id: DC54D2DAF3E1D7672779E55D59310A36
    
    • Add both entries (the DN lines and the attributes shown above) to the file.
    • Replace the ds-cfg-key-id attribute (in three places) with the new MD5 hash value output in step 6.
    • Paste the certificate details output in step 7 as the value after ds-cfg-public-key-certificate;binary::
  9. Apply the changes using one of the following ldapmodify commands depending on your version:
    • DS 5 and later:
      $ ./ldapmodify --port 4444 --hostname ds1.example.com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll /tmp/update_server_cert.ldif
      
    • Pre-DS 5:
      $ ./ldapmodify --port 4444 --hostname ds1.example.com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll --filename /tmp/update_server_cert.ldif
      
  10. Force replication to reconnect so that it uses the new certificates:
    $ ./dsconfig set-synchronization-provider-prop --port 4444 --hostname ds1.example.com --bindDn "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set enabled:false --no-prompt --trustAll
    $ ./dsconfig set-synchronization-provider-prop --port 4444 --hostname ds1.example.com --bindDn "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set enabled:true --no-prompt --trustAll
    
  11. Re-enable the LDAP and LDAPS connection handlers:
    • DS 6 and later:
      $ ./dsconfig set-connection-handler-prop --handler-name LDAPS --set enabled:true --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set enabled:true --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      
    • Pre-DS 6:
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set enabled:true --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set enabled:true --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      
  12. Verify everything is working correctly by modifying a user's description, checking you can see the updated description on both instances and checking the certificates. For example:
    $ ./ldapmodify --hostname ds1.example.com --port 1636 --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll
    dn:uid=user.0,ou=people,dc=example,dc=com
    changetype:modify
    replace:description
    description: ds1 test
    
    # Processing MODIFY request for uid=user.0,ou=people,dc=example,dc=com
    # MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com
    $ ./ldapsearch --hostname ds1.example.com --port 1636 --baseDn dc=example,dc=com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll uid=user.0 description
    
    dn: uid=user.0,ou=people,dc=example,dc=com
    description: ds1 test
    $ ./ldapsearch --hostname ds2.example.com --port 1636 --baseDn dc=example,dc=com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll uid=user.0 description
    
    dn: uid=user.0,ou=people,dc=example,dc=com
    description: ds1 test
    $ openssl s_client -connect ds1.example.com:8989 -showcerts
    
  13. Restart the instance and verify it starts without any errors:
    $ ./stop-ds --restart
    
  14. Repeat steps 1 to 13 on the other instance.
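The script below is an added illustration; it is not part of the ForgeRock article and not DS/OpenDJ code. It performs steps 6 to 8 of the procedure above in one pass, so the key id, the single-line base64 certificate value and the LDIF are all derived from the same PEM file and cannot drift apart, and it re-checks the finished LDIF before anything is applied with ldapmodify. It assumes (as the article's keytool and sed output implies, but does not state) that the key id DS expects is the MD5 fingerprint of the DER-encoded certificate in uppercase hex with the ":" separators removed, and that the server entry DN has the form cn=<host>:<admin port>,cn=servers,cn=admin data. The file name admin_data_ldif.py and the embedded sample PEM are constructed for the example; the sample bytes are not a real certificate and only give the script a PEM-shaped input so it runs offline.

```python
"""Derive the cn=admin data LDIF for a CA signed replication certificate.

Added example, not part of the ForgeRock article and not DS/OpenDJ code.
Assumptions (not stated on the page): the key id DS expects is MD5 over the
DER certificate bytes, uppercase hex without ':' (the value the article's
keytool/sed pipeline prints), and the server entry DN is
cn=<host>:<admin port>,cn=servers,cn=admin data.
"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in for ~/CA/certs/ds1_cert.pem. The bytes are NOT a real
# certificate; they only provide a PEM-shaped input so the script runs offline.
SAMPLE_DER = b"constructed-not-a-real-certificate" * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def _md5(data: bytes):
    # MD5 is used only as an identifier that must match what keytool prints,
    # not for any security property; usedforsecurity=False keeps it available
    # on FIPS-restricted builds (Python 3.9+).
    try:
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:  # Python < 3.9
        return hashlib.md5(data)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def key_id(der: bytes) -> str:
    """Step 6: MD5 fingerprint, uppercase, without ':' characters."""
    return _md5(der).hexdigest().upper()


def keytool_fingerprint(der: bytes) -> str:
    """Same fingerprint in keytool's colon-separated form, so it can be
    compared by eye with 'keytool -list -v' output before applying anything."""
    digest = key_id(der)
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cert_base64(der: bytes) -> str:
    """Step 7: the PEM body as one line, i.e. the base64 of the DER bytes."""
    return base64.b64encode(der).decode("ascii")


def build_ldif(der: bytes, host: str = "ds1.example.com",
               admin_port: int = 4444) -> str:
    """Step 8: the add + modify entries for cn=admin data."""
    kid = key_id(der)
    return "\n".join([
        f"dn: ds-cfg-key-id={kid},cn=instance keys,cn=admin data",
        "changetype: add",
        "objectClass: top",
        "objectClass: ds-cfg-instance-key",
        f"ds-cfg-key-id: {kid}",
        f"ds-cfg-public-key-certificate;binary:: {cert_base64(der)}",
        "",
        f"dn: cn={host}:{admin_port},cn=servers,cn=admin data",
        "changetype: modify",
        "replace: ds-cfg-key-id",
        f"ds-cfg-key-id: {kid}",
        "",
    ])


def check_ldif(ldif: str) -> bool:
    """Re-derive the key id from the certificate embedded in the LDIF and
    confirm it matches all three ds-cfg-key-id occurrences. This catches a
    hash pasted from an older certificate, which would leave the instance
    key entry and the server entry pointing at different certificates."""
    cert_lines = [line for line in ldif.splitlines()
                  if line.startswith("ds-cfg-public-key-certificate;binary:: ")]
    if len(cert_lines) != 1:
        return False
    der = base64.b64decode(cert_lines[0].split(":: ", 1)[1])
    ids = re.findall(r"ds-cfg-key-id[=:] ?([0-9A-F]+)", ldif)
    return len(ids) == 3 and all(i == key_id(der) for i in ids)


if __name__ == "__main__":
    # Usage: python3 admin_data_ldif.py ~/CA/certs/ds1_cert.pem > /tmp/update_server_cert.ldif
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    der = pem_to_der(pem)
    ldif = build_ldif(der)
    if not check_ldif(ldif):
        sys.exit("generated LDIF is inconsistent; not writing it")
    print("# keytool MD5 fingerprint:", keytool_fingerprint(der), file=sys.stderr)
    sys.stdout.write(ldif)
```

Run it against the real ds1_cert.pem, compare the fingerprint it prints on stderr with the MD5 line from step 5's keytool -list output, and only then feed the generated file to the ldapmodify command in step 9. Pass a different host or admin port to build_ldif when you repeat the procedure on the second instance.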

See Also

FAQ: SSL certificate management in DS/OpenDJ

Replication in DS/OpenDJ

How do I use externally created SSL keys with DS/OpenDJ (All versions)?

Administration Guide › Changing Server Certificates

Related Training

ForgeRock Directory Services Core Concepts (DS-400)

Related Issue Tracker IDs

OPENDJ-5985 (Divergence of "cn=admin data" after setting up secure replication and encrypted backends)

OPENDJ-5235 (Allow external certificates to be used for replication during setup)



Copyright and Trademarks

Copyright © 2020 ForgeRock, all rights reserved.