FedFsInstallNsdbCertificates0.9

From Linux NFS


Revision as of 21:35, 9 January 2013


Project: fedfs-utils



Introduction

A Namespace Database, or NSDB, is the repository for fileset location information in a FedFS domain. At its core, an NSDB is simply an LDAP server with an NSDB Container Entry, or NCE, for short. FedFS data is stored as children of this entry.

In this article, we show how to create and distribute X.509 LDAP server certificates. With these certificates, NSDB clients (fileservers or NSDB administrative tools) can use TLS when communicating with NSDBs.

LDAP server configuration

For now, this bit is specific to OpenLDAP on Fedora. More to come.

On your NSDB LDAP server, the following steps will create an LDAP server and CA certificate:

# cd /etc/pki/tls/certs
# rm -f slapd.pem
# make slapd.pem

Respond to each prompt as appropriate. Allow slapd to read the PEM file:

# chown ldap.ldap slapd.pem
# chmod 440 slapd.pem

Now enable slapd to find the key. On your NSDB LDAP Server, edit /tmp/ldif and add only the following lines:

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/slapd.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapd.pem

dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: never

dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Run this command:

# ldapmodify -x -D cn=Manager -W -f /tmp/ldif

Replace "cn=Manager" with your server's administrator DN, and supply an appropriate password when prompted.
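Before handing the file to ldapmodify, it is worth checking it for the two mistakes that commonly bite here: a missing blank line between two records (which leaves the records run together, so the second dn: line is not treated as the start of a new record) and an olcSecurity value that does not actually require TLS. The following pre-flight check is an added example, not part of fedfs-utils or this article; it parses cn=config modify records in the format shown above, using a sample constructed from three of the article's records.

```python
# Constructed sample: three of the cn=config records from this article.
SAMPLE_LDIF = """\
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: never

dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1
"""

def parse_ldif(text):
    """Split LDIF into records (lists of (attr, value) pairs) at blank lines."""
    records, cur = [], []
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(":")
            cur.append((attr.strip(), value.strip()))
        elif cur:
            records.append(cur)
            cur = []
    return records + ([cur] if cur else [])

def check_tls_ldif(text):
    """Return the problems found; an empty list means the LDIF is safe to apply."""
    problems, settings = [], {}
    for rec in parse_ldif(text):
        dns = [v for a, v in rec if a == "dn"]
        if len(dns) != 1:  # two dn: lines in one record means a blank line is missing
            problems.append("record with %d dn lines (missing blank line?)" % len(dns))
            continue
        if dns[0] != "cn=config" or ("changetype", "modify") not in rec:
            problems.append("record is not a modify of cn=config")
        for attr in [v for a, v in rec if a == "replace"]:
            settings[attr] = dict(rec).get(attr)  # None if no value line follows
    # olcSecurity tls=1 is what actually forces clients to use TLS
    if "tls=1" not in (settings.get("olcSecurity") or "").split():
        problems.append("olcSecurity does not require TLS (tls=1)")
    if settings.get("olcTLSVerifyClient") not in ("never", "allow", "try", "demand"):
        problems.append("olcTLSVerifyClient has an unexpected value")
    return problems
```

Run check_tls_ldif() on the contents of /tmp/ldif and apply the file only when it returns an empty list.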

Passing out the server's X.509 certificate

The CA cert created above (in the file /etc/pki/tls/cert.pem) can now be distributed to fileservers that participate in your FedFS domain. The fileservers then use this certificate to authenticate your NSDB when performing junction resolution.

Suppose the name of your LDAP server is nsdb.example.net. After copying the file containing the certificate to /tmp/cert.pem on your fileserver, use this command on the fileserver to install the certificate:

# nsdbparams update -f /tmp/cert.pem nsdb.example.net

This operation copies the certificate material to a private directory, and saves the location of the copy in the fileserver's NSDB connection parameter database. Now, whenever the fileserver resolves a FedFS junction, it will use this certificate to establish a secure connection to nsdb.example.net.

To complete this task, copy the certificate and run the nsdbparams command on each fileserver that will contain FedFS junctions.
