How To

How do I configure a CA Signed certificate for replication in a secured DS (All versions) with no downtime?

Last updated Feb 27, 2019

The purpose of this article is to provide information on replacing self-signed certificates with a CA Signed certificate for replication in DS. This article is tailored to those who have a secure environment (production mode enabled, secure communication for replication and encrypted backends) where downtime is not an option.


Overview

This article is only suitable if you have a secured environment (production mode enabled, secure communication for replication and encrypted backends) and downtime is not an option.

If this does not apply to you, there are alternative (simpler) processes available to you as follows:

This article covers the following replication topologies; follow the steps in one section only:

Configuring a CA Signed certificate for replication (DS+RS)

The following process is based on a DS+RS replication topology and refers to two DS+RS instances: ds1 and ds2.

After configuring replication and setting up encrypted backends, symmetric key entries are added to the "cn=admin data" backend (admin-backend.ldif). Because of an issue reported in OPENDJ-5985 (Divergence of "cn=admin data" after setting up secure replication and encrypted backends), you must replace the self-signed certificate first on the server that holds the symmetric keys for all the other instances, so the first step is to identify that server.

Determine which instance to set up first

  1. Search the "cn=admin data" backend on each server to determine which instance has the symmetric key entries (the instance with multiple symmetric keys is the first instance to set up):
    $ ./ldapsearch --hostname ds1.example.com --port 1636 --bindDn "cn=Directory Manager" --bindPassword password --baseDn "cn=admin data" --useSsl --trustAll ds-cfg-symmetric-key=* ds-cfg-symmetric-key
    
    dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data
    ds-cfg-symmetric-key: E58E088B2C80257264102449D60FA4EE:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:<base64 value omitted>
    $ ./ldapsearch --hostname ds2.example.com --port 1636 --bindDn "cn=Directory Manager" --bindPassword password --baseDn "cn=admin data" --useSsl --trustAll ds-cfg-symmetric-key=* ds-cfg-symmetric-key
    
    dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data
    ds-cfg-symmetric-key: E58E088B2C80257264102449D60FA4EE:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:<base64 value omitted>
    ds-cfg-symmetric-key: 768F6DCCC3A6F62D123C0F73F31919E7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:<base64 value omitted>
    
    In this example, ds2 is the first instance to set up because it has two symmetric keys configured in the "dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data" entry.

Set up the first instance (ds2 in this example)

  1. Create a Certificate Signing Request (CSR) from ads-truststore for the ds2 instance. For example:
    $ keytool -certreq -alias ads-certificate -keystore ads-truststore -storepass `cat ads-truststore.pin` -keypass `cat ads-truststore.pin` -file ~/CA/certs/ds2_cert_req.csr
  2. Sign the CSR with the CA. Note that openssl only applies the -extensions option when an -extfile is also given; without one, no extensions are added and the resulting certificate lists as "Version: 1". For example:
    $ cd ~/CA/certs
    $ openssl x509 -req -in ds2_cert_req.csr -CA ../FECRootCA.pem -CAkey ../FECRootCA.key -extensions server_cert -days 375 -CAcreateserial -out ds2_cert.pem
  3. Disable the LDAPS and LDAP connectors to ensure instances only come online once the setup process is complete:
    • DS 6 and later:
      $ ./dsconfig set-connection-handler-prop --handler-name LDAPS --set enabled:false --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set enabled:false --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      
    • Pre-DS 6:
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set enabled:false --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set enabled:false --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      
  4. Import the root and intermediate (if present) CA certificates into the ads-truststore and verify (the CA signed server certificate itself is imported in the next step). For example:
    $ cd config
    $ keytool -import -trustcacerts -alias ca-cert -keystore ads-truststore -storepass `cat ads-truststore.pin` -keypass `cat ads-truststore.pin` -file ~/CA/FECRootCA.pem
    $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass `cat ads-truststore.pin`
    
  5. Import the CA signed server certificate and verify. For example:
    $ keytool -import -trustcacerts -alias ads-certificate -keystore ads-truststore -storepass `cat ads-truststore.pin` -keypass `cat ads-truststore.pin` -file ~/CA/certs/ds2_cert.pem
    $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass `cat ads-truststore.pin` -alias ads-certificate
    
    Alias name: ads-certificate
    Creation date: 13-Feb-2019
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=ds2, O=OpenDJ RSA Certificate
    Issuer: CN=fecCA, O=FEC, L=London, ST=London, C=UK
    Serial number: b9cf4f71c94eb24e
    Valid from: Wed Feb 13 13:39:23 GMT 2019 until: Sun Feb 23 13:39:23 GMT 2020
    Certificate fingerprints:
      MD5:  C5:B9:BB:08:50:E4:C4:9F:76:3C:9B:31:6D:C6:21:C8
      SHA1: F1:6F:54:23:CE:4D:1B:7C:F7:BC:DA:DC:F7:4E:67:74:3C:F8:9F:78
      SHA256: 92:42:6D:12:D2:F7:42:82:58:3D:65:36:95:FA:02:B2:05:E5:D3:BB:82:AC:E3:FE:7B:55:D2:38:16:7F:DA:DC
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 1
    
  6. Extract an MD5 hash of the ads-truststore certificate with the ":" characters removed. This hash is the new key ID and is needed in step 8 to reflect the new certificate information in "cn=admin data":
    $ keytool -export -alias ads-certificate -keystore ads-truststore -storepass `cat ads-truststore.pin` -keypass `cat ads-truststore.pin` -file ads-new-cert.crt
    $ keytool -printcert -file ads-new-cert.crt | grep MD5 | awk '{print $2}'  | sed "s/://g"
    
    DC54D2DAF3E1D7672779E55D59310A36
    
  7. Output the certificate as a single base64 line (the PEM body without the BEGIN/END lines or line breaks). This value is needed in step 8 to reflect the new certificate information in "cn=admin data":
    $ for line in `sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' ~/CA/certs/ds2_cert.pem | sed "s/-----.* CERTIFICATE-----//" | sed "/^$/d"`; do printf "%s" "$line"; done; echo
    
    <base64 certificate value omitted>
    
  8. Create an LDIF file that adds a new instance key entry containing the new certificate and points the server entry at it:
    • Add the DN and the other attributes shown in the example below to the file.
    • Replace the ds-cfg-key-id value (in three places: the DN of the new entry, its ds-cfg-key-id attribute and the ds-cfg-key-id of the server entry) with the new MD5 hash value output in step 6.
    • Paste the single-line base64 certificate output in step 7 as the value after ds-cfg-public-key-certificate;binary::
    For example:
    $ vi /tmp/update_server_cert.ldif
    dn: ds-cfg-key-id=DC54D2DAF3E1D7672779E55D59310A36,cn=instance keys,cn=admin data
    changetype:add
    objectClass: top
    objectClass:ds-cfg-instance-key
    ds-cfg-key-id: DC54D2DAF3E1D7672779E55D59310A36
    ds-cfg-public-key-certificate;binary:: MIIC+jCCAeICCQC5z09xyU6yRzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVSzEPMA0GA1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xDDAKBgNVBAoMA0ZFQzEOMAwGA1UEAwwFZmVjQ0EwHhcNMTkwMjAyMDM1NzA1WhcNMjAwMjEyMDM1NzA1WjAxMR8wHQYDVQQKExZPcGVuREogUlNBIENlcnRpZmljYXRlMQ4wDAYDVQQDEwVub2RlMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIFh62L3hy1g9rHpnZy55P0QBx2XuItQk7DM0rHvWD56IZGbeD/65qKPS7oqNNLQck12rvCLCfVmoOdRqReNtGs947tZBQLh1K8WFddP28IOaW56O1G1koklGX6NALV5pbH0YHF0L+Im3aH4GJjUtW9Nh3OztGBuGL7vk/SoDwinAWA95Z7PlLaRvxGumJcXTkJGLrd12leyVnmVvfzGvtyodFMlfNZbdbAkp/Os/x0hOEUqapJgHhJAIM+BMZ2BOOBTyKLU+uYRmbJnY1R2YvqPH9dExG1bxhTZuhwFEE8Pkh6U7qvMJ3nvDQnD8T7ykuPeVOJoL8ZXQhrhN0RS2esCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAKahqOQfTwEvMyjCZL0oIkBYv3NlomLFY22LgHhWuEOBWo8PV0j1oPmAAsKHiefYJlg0jpVJwN6q6bOGBsvwcDbcISnLhKN1ya7J292oQx+Nz+jYcd9TACQ6c8y6DHVHxOqyXCIy3ca+4vE4RlAEDhaTZJ1Xq0Re4pX46dA2jtWsvjLRt9MVnVYH68cb06xZMsCSLcqPjsKX5QiOcpBfaLz+G+Tdg4ag9rtyZcev+jmZiuN5NKMWkSVpx2qJQGkk2Lz1Us+VtasU0uPfR9c6ycyU7g3ioWa4rvAoHnN7mnyN4taNatQU+FsGvAyu4hn5Lgll7gXFSmvzHwvCgXCwjpA==
    
    dn: cn=ds2.example.com:4444,cn=servers,cn=admin data
    changetype:modify
    replace: ds-cfg-key-id
    ds-cfg-key-id: DC54D2DAF3E1D7672779E55D59310A36
    
  9. Use ldapmodify to import the LDIF file:
    $ ./ldapmodify --port 4444 --hostname ds2.example.com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll /tmp/update_server_cert.ldif
    
  10. Force replication to reconnect so that it uses the new certificates:
    $ ./dsconfig set-synchronization-provider-prop --port 4444 --hostname ds2.example.com --bindDn "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set enabled:false --no-prompt --trustAll
    $ ./dsconfig set-synchronization-provider-prop --port 4444 --hostname ds2.example.com --bindDn "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set enabled:true --no-prompt --trustAll
    
  11. Re-enable the LDAP and LDAPS connection handlers:
    • DS 6 and later:
      $ ./dsconfig set-connection-handler-prop --handler-name LDAPS --set enabled:true --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set enabled:true --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      
    • Pre-DS 6:
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set enabled:true --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      $ ./dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set enabled:true --hostname ds2.example.com --port 4444 --bindDn "cn=Directory Manager" --trustAll --bindPassword password --no-prompt
      
  12. Verify everything is working correctly by modifying a user's description, checking you can see the updated description on both instances and checking the certificates. For example:
    $ ./ldapmodify --hostname ds2.example.com --port 1636 --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll
    dn:uid=user.0,ou=people,dc=example,dc=com
    changetype:modify
    replace:description
    description: ds2 test
    
    # Processing MODIFY request for uid=user.0,ou=people,dc=example,dc=com
    # MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com
    $ ./ldapsearch --hostname ds1.example.com --port 1636 --baseDn dc=example,dc=com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll uid=user.0 description
    
    dn: uid=user.0,ou=people,dc=example,dc=com
    description: ds2 test
    $ ./ldapsearch --hostname ds2.example.com --port 1636 --baseDn dc=example,dc=com --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll uid=user.0 description
    
    dn: uid=user.0,ou=people,dc=example,dc=com
    description: ds2 test
    $ openssl s_client -connect ds2.example.com:8989 -showcerts
    
  13. Restart ds2 and verify it starts without any errors:
    $ ./stop-ds --restart
    
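Steps 6 to 8 are the easiest place to go wrong by hand: a leftover ":" in the hash or a wrapped base64 line produces a key ID or certificate value that DS cannot match. The following Python script is an added example (not part of the original article or of DS) that derives the same values directly from the CA signed PEM file: the MD5 fingerprint of the DER certificate without separators (the value keytool -printcert reports in step 6), the single-line base64 of step 7, and the two-record LDIF of step 8. The server entry name ds2.example.com:4444 and the certificate path are the article's example values; the PEM embedded at the bottom is a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    # Step 7, decoded: drop the BEGIN/END lines, join the base64 lines, decode.
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def md5_key_id(der):
    # Step 6: the MD5 fingerprint keytool -printcert shows, uppercase, without ':'.
    # DS stores this value as ds-cfg-key-id in cn=admin data.
    return hashlib.md5(der).hexdigest().upper()

def instance_key_ldif(der, server_entry):
    # Step 8: add the instance key entry, then point the server entry at it.
    # server_entry is the cn under cn=servers,cn=admin data, e.g. "ds2.example.com:4444".
    key_id = md5_key_id(der)
    cert_b64 = base64.b64encode(der).decode("ascii")  # one line, never wrapped
    return "\n".join([
        f"dn: ds-cfg-key-id={key_id},cn=instance keys,cn=admin data",
        "changetype: add",
        "objectClass: top",
        "objectClass: ds-cfg-instance-key",
        f"ds-cfg-key-id: {key_id}",
        f"ds-cfg-public-key-certificate;binary:: {cert_b64}",
        "",
        f"dn: cn={server_entry},cn=servers,cn=admin data",
        "changetype: modify",
        "replace: ds-cfg-key-id",
        f"ds-cfg-key-id: {key_id}",
        "",
    ])

# Constructed placeholder (base64 of the bytes b"abc"), not a real certificate; it lets the script run without a PEM file.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python3 instance_key_ldif.py ~/CA/certs/ds2_cert.pem ds2.example.com:4444
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            pem, server = f.read(), sys.argv[2]
    else:  # no arguments: use the constructed sample
        pem, server = SAMPLE_PEM, "ds2.example.com:4444"
    sys.stdout.write(instance_key_ldif(pem_to_der(pem), server))
```

Redirect the output to /tmp/update_server_cert.ldif and continue with step 9; computing the fingerprint from the DER bytes also avoids depending on keytool printing an MD5 line, which not every keytool version does.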

Set up the other instance (ds1 in this example)

  1. Repeat steps 1 to 10 of the above process on ds1, substituting the hash, certificate and hostname of the new CA signed certificate for ds1 in the examples.
  2. Search the "cn=admin data" backend on ds2 to retrieve the symmetric key information:
    $ ./ldapsearch --hostname ds2.example.com --port 1636 --bindDn "cn=Directory Manager" --bindPassword password --baseDn "cn=admin data" --useSsl --trustAll ds-cfg-symmetric-key=* ds-cfg-symmetric-key
    
    dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data
    ds-cfg-symmetric-key: DC54D2DAF3E1D7672779E55D59310A36:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:<base64 value omitted>
  3. Add the ds2 symmetric key information returned in the previous step to the secret keys entry on ds1 (this is necessary to ensure the backend is accessible and re-initialization is not needed):
    $ ./ldapmodify --hostname ds1.example.com --port 4444 --bindDn "cn=Directory Manager" --bindPassword password --useSsl --trustAll
    
    dn: ds-cfg-key-id=0b269927-3d0a-4083-856f-e1c1340684cb,cn=secret keys,cn=admin data
    changetype:modify
    add:ds-cfg-symmetric-key
    ds-cfg-symmetric-key: DC54D2DAF3E1D7672779E55D59310A36:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:<base64 value omitted>
    
  4. Continue with steps 11 to 13 of the above process.

Configuring a CA Signed certificate for replication (Standalone RS)

The following process is based on a standalone RS topology. The steps are the same as in the above process, apart from an additional first step. In summary:

  1. Import the root and intermediate (if present) certificates into the ads-truststore of both RS servers and verify before starting to update the first node. For example:
    • On RS1:
      $ cd config 
      $ keytool -import -trustcacerts -alias ca-cert -keystore ads-truststore -storepass `cat ads-truststore.pin` -keypass `cat ads-truststore.pin` -file ~/CA/FECRootCA.pem 
      $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass `cat ads-truststore.pin`
    • On RS2:
      $ cd config
      $ keytool -import -trustcacerts -alias ca-cert -keystore ads-truststore -storepass `cat ads-truststore.pin` -keypass `cat ads-truststore.pin` -file ~/CA/FECRootCA.pem
      $ keytool -list -storetype JKS -keystore ads-truststore -v -storepass `cat ads-truststore.pin`
  2. Determine which instance to set up first per the steps in the above process.
  3. Set up the first instance per the steps in the above process.
  4. Set up the other instance per the steps in the above process.

See Also

FAQ: SSL certificate management in DS/OpenDJ

Replication in DS/OpenDJ

How do I use externally created SSL keys with DS/OpenDJ (All versions)?

Administration Guide › Changing Server Certificates

Related Training

N/A

Related Issue Tracker IDs

OPENDJ-5985 (Divergence of "cn=admin data" after setting up secure replication and encrypted backends)



Copyright © 2019 ForgeRock, all rights reserved.