CA Directory r12.0 SP2 - DXnewdsa updated to cater for the new SSL configuration.

Article ID: 52666

Updated On:

Products

DIRECTORY SECURITY MISC CODES SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

In r12.0 SP2 the SSLD functionality is fully integrated into the DSA itself, so there is no longer a separate SSLD binary. Because there is no SSLD binary, SSL is now configured through a DXC configuration file that the DSA reads directly. The utility used to create new DSAs, "dxnewdsa", has been updated to reflect this change. This technical document demonstrates how to create a new DSA using dxnewdsa and illustrates how the SSL configuration has changed.

Solution:

When running dxnewdsa you will see that the SSL configuration is now generated as part of the DSA's own configuration. The steps below show where it lives and what it contains.

  1. Create a DSA using the dxnewdsa command

    dxnewdsa -s 100 testDSA 20389 c=AU

  2. Review the DXHOME/config/servers/testDSA.dxi file, noting the new inclusion of an SSL configuration file. By default this is DXHOME/config/ssld/default.dxc, referenced as ../ssld/default.dxc relative to the servers directory:

    # access controls
    clear access;
    source "../access/default.dxc";

    # ssl
    source "../ssld/default.dxc";

    # replication agreements (rarely used)
    # source "../replication/";

  3. Open the DXHOME/config/ssld/default.dxc configuration file. You will see the following settings defined by default (the cipher, protocol, fips and HSM lines are shipped commented out):

    # CA Directory - DXserver/config/ssld
    # This is a read-only default configuration file. If you need to make changes,
    # copy this file and reference the new file from servers/.dxi
    #
    # default CA Directory ssl configuration
    # - 'dxcertgen certs' can be used to create a basic set of certificates
    set ssl = {
       # folder containing DSA personality certs
       cert-dir = "config/ssld/personalities"

       # trusted root CA that signed DSA certificates
       ca-file = "config/ssld/trusted.pem"

       # SSL options
    #  cipher = "ALL:!EXPORT40:!ADH" # supported ciphers - syntax on OpenSSL website
    #  protocol = tls                # enable TLS only (default of fips set)
    #  fips = true                   # enables FIPS 140-2 compliant encryption

       # HSM options
    #  lib = "<str>"                 # path to PKCS11 library supplied by HSM vendor
    #  pin = "<str>"                 # HSM pin
    #  slot =                        # slot to use for HSM based encryption
    };

As you can see, a DSA created with dxnewdsa includes the SSL configuration by default. Including the file is not the same as having a working TLS setup: the DSA still needs a personality certificate in cert-dir and the signing CA in ca-file, and because default.dxc is read-only and ships its protocol and cipher settings commented out, any hardening (TLS only, an explicit cipher list, FIPS mode) belongs in a copy of the file, not in default.dxc itself. To fully utilize the SSL functionality you will need to:

  1. Create your DSA personality certs and update the trusted.pem file with the root signing certificate. You can use "dxcertgen certs" to create these if you wish.

    The dxcertgen command will:

    • Automatically generate a root CA keypair and certificate

    • Generate a keypair for each DSA found

    • Sign each DSA certificate with the root CA

    • Write the DSA personality certificates to the config/ssld/personalities folder

    • Update the trusted.pem with the root CA certificate.

  2. Duplicate the DXHOME/config/ssld/default.dxc file to create a custom SSL configuration file, and make any changes required (for example uncommenting and setting protocol and cipher) in the copy.

  3. Update the DSA's DXHOME/config/servers/dsaname.dxi file so that its ssl source line references the custom configuration file instead of ../ssld/default.dxc.

  4. Stop and start the DSA in order to refresh the configuration.
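The following script is an added example, not part of the CA article or of CA Directory itself. It automates steps 2 and 3 above: copy the read-only default.dxc to a named custom file, enable TLS-only and an explicit cipher list in the copy, and repoint the DSA's .dxi at the new file. It assumes the DXHOME layout shown above (config/servers/<dsa>.dxi and config/ssld/default.dxc); the cipher string it writes is an assumption to be reviewed per site, and the dxcertgen (step 1) and stop/start (step 4) actions are left to the operator. The fixture files it builds in a scratch directory are constructed copies of the two files shown in the article so the helper can be exercised without an installation.

```shell
#!/bin/sh
# Added example (not CA Directory code): automate steps 2 and 3 of the
# procedure. Assumes DXHOME/config/servers/<dsa>.dxi and
# DXHOME/config/ssld/default.dxc as shown in the article.
set -u

# Constructed fixture reproducing the two files the article shows, so the
# helper can be run without a CA Directory installation.
make_fixture() {
    fx_home="$1"
    mkdir -p "$fx_home/config/servers" "$fx_home/config/ssld"
    cat > "$fx_home/config/servers/testDSA.dxi" <<'EOF'
# access controls
clear access;
source "../access/default.dxc";
# ssl
source "../ssld/default.dxc";
EOF
    cat > "$fx_home/config/ssld/default.dxc" <<'EOF'
# This is a read-only default configuration file. If you need to make changes,
# copy this file and reference the new file from servers/.dxi
set ssl = {
   cert-dir = "config/ssld/personalities"
   ca-file = "config/ssld/trusted.pem"
#  cipher = "ALL:!EXPORT40:!ADH" # supported ciphers - syntax on OpenSSL website
#  protocol = tls                # enable TLS only (default of fips set)
#  fips = true                   # enables FIPS 140-2 compliant encryption
};
EOF
}

# make_custom_ssl DXHOME DSA NAME
# Copies default.dxc to config/ssld/NAME.dxc with protocol=tls enabled and an
# explicit cipher list, then points config/servers/DSA.dxi at NAME.dxc.
# default.dxc itself is never modified.
make_custom_ssl() {
    mc_home="$1"; mc_dsa="$2"; mc_name="$3"
    mc_dxi="$mc_home/config/servers/$mc_dsa.dxi"
    mc_src="$mc_home/config/ssld/default.dxc"
    mc_dst="$mc_home/config/ssld/$mc_name.dxc"
    [ -f "$mc_dxi" ] || { echo "no DSA config: $mc_dxi" >&2; return 1; }
    [ -f "$mc_src" ] || { echo "no default ssl config: $mc_src" >&2; return 1; }
    [ -e "$mc_dst" ] && { echo "refusing to overwrite $mc_dst" >&2; return 1; }
    # Uncomment protocol and replace the shipped cipher example in the copy.
    # The cipher list is an assumption for illustration; review it for your site.
    sed -e 's|^#  protocol = tls .*|   protocol = tls|' \
        -e 's|^#  cipher = .*|   cipher = "HIGH:!aNULL:!MD5"   # assumed cipher list, review for your site|' \
        "$mc_src" > "$mc_dst"
    # Repoint the .dxi via a temp file so a failed sed leaves the original intact.
    sed -e "s|^source \"\.\./ssld/default\.dxc\";|source \"../ssld/$mc_name.dxc\";|" \
        "$mc_dxi" > "$mc_dxi.tmp" && mv "$mc_dxi.tmp" "$mc_dxi"
    grep -q "ssld/$mc_name.dxc" "$mc_dxi" || { echo "dxi not updated" >&2; return 1; }
}

# ssl_config_of DXHOME DSA: print the ssl file the DSA's .dxi sources.
ssl_config_of() {
    sed -n 's|^source "\(\.\./ssld/[^"]*\)";|\1|p' "$1/config/servers/$2.dxi"
}

# Demo run in a scratch directory; against a real installation pass "$DXHOME".
demo_home=$(mktemp -d)
make_fixture "$demo_home"
make_custom_ssl "$demo_home" testDSA testDSA-ssl
echo "testDSA now sources: $(ssl_config_of "$demo_home" testDSA)"
echo "still to do: dxcertgen certs (step 1), then stop and start testDSA (step 4)"
rm -rf "$demo_home"
```

The helper refuses to overwrite an existing custom file and leaves default.dxc untouched, which matches the read-only intent stated in the file's own header; after running it, verify with ssl_config_of that the .dxi references the custom file before restarting the DSA.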

Environment

Release:
Component: ETRDIR