
6.5. Installing Red Hat Directory Server

Certificate System uses Red Hat Directory Server to store system certificates and user data. You can install both Directory Server and Certificate System on the same or any other host in the network.


FIPS mode must be enabled on the RHEL host before you install Directory Server. To verify that FIPS mode is enabled, run:
# sysctl crypto.fips_enabled
If the returned value is 1, FIPS mode is enabled.

6.5.1. Preparing a Directory Server Instance for Certificate System

Perform the following steps to install Red Hat Directory Server:
  1. Make sure you have attached a subscription that provides Directory Server to the host.
  2. Enable the Directory Server repository:
    # subscription-manager repos --enable=dirsrv-11-for-rhel-8-x86_64-rpms
  3. Install the Directory Server and the openldap-clients packages:
    # dnf module install redhat-ds
    # dnf install openldap-clients
  4. Set up a Directory Server instance. For example:
    1. Create a setup configuration file, such as /tmp/ds-setup.inf, with the following content (the instance settings belong in the [slapd] section, and the dscreate key for the root DN is root_dn):
      [slapd]
      instance_name = name
      root_dn = cn=Directory Manager
    2. Create the instance using the dscreate utility with the setup configuration file:
      # dscreate from-file /tmp/ds-setup.inf
    For a detailed procedure, see the Red Hat Directory Server Installation Guide.

6.5.2. Enabling TLS Support in Directory Server

This section provides instructions on how to enable TLS between Certificate System and Directory Server. Every Certificate System component can communicate with the Directory Server instance over a TLS-encrypted connection in which the Certificate System component authenticates to Directory Server with a client certificate (mutual authentication).
For details about enabling TLS support in Directory Server, see the Enabling TLS in Directory Server section in the Directory Server Administration Guide.
For details on how to request and issue a TLS server certificate for Directory Server, see the Using a Certificate Issued by Certificate System in Directory Server section in the Red Hat Certificate System Administration Guide.
As described in the Directory Server documentation, you can configure TLS using either a certificate issued by an external Certificate Authority (CA) or a temporary self-signed server certificate. After setting up the Certificate System CA, you can use that CA to issue a certificate and replace the one used when you set up Directory Server.

How to Enable LDAPS for New Red Hat Certificate System Subsystems Using Example Values


The final goal of this TLS LDAP procedure is a connection that uses TLS client authentication. The procedure reaches it step by step, with intermediate goals: the first is simply to get TLS server authentication running. At the end, the process doubles back to make full client authentication operational.
  1. Stop the Directory Server instance to avoid concurrent changes to the NSS database:
    # systemctl stop dirsrv@instance_name.service
  2. Store the Directory Manager's password in the /etc/dirsrv/slapd-instance_name/password.txt file. For example:
    # echo password > /etc/dirsrv/slapd-instance_name/password.txt
    # chown dirsrv.dirsrv /etc/dirsrv/slapd-instance_name/password.txt
    # chmod 400 /etc/dirsrv/slapd-instance_name/password.txt
  3. Store the Directory Manager's password, prefixed with the token name, in the /etc/dirsrv/slapd-instance_name/pin.txt file, which Directory Server reads to unlock the NSS database at start-up. For example:
    # echo "Internal (Software) Token:password" > /etc/dirsrv/slapd-instance_name/pin.txt
    # chown dirsrv.dirsrv /etc/dirsrv/slapd-instance_name/pin.txt
    # chmod 400 /etc/dirsrv/slapd-instance_name/pin.txt
  4. Set the NSS database password:
    # certutil -W -d /etc/dirsrv/slapd-instance_name/ -f /etc/dirsrv/slapd-instance_name/password.txt
  5. Create a temporary self-signed certificate for Directory Server:
    $ cd /etc/dirsrv/slapd-instance_name
    $ openssl rand -out noise.bin 2048
    $ certutil -S \
    	-x \
    	-d . \
    	-f password.txt \
    	-z noise.bin \
    	-n "DS Certificate" \
    	-s "CN=$HOSTNAME" \
    	-t "CT,C,C" \
    	-m $RANDOM \
    	-k rsa \
    	-g 2048 \
    	-Z SHA256 \
    	--keyUsage certSigning,keyEncipherment
  6. Verify that the Directory Server certificate entry exists in the NSS database:
    # certutil -L -d /etc/dirsrv/slapd-instance_name/
  7. Export the certificate:
    # certutil -L -d /etc/dirsrv/slapd-instance_name -n "DS Certificate" -a > ds.crt
  8. Verify that the Directory Server certificate is self-signed, that is, that the Issuer and Subject fields in the output are identical:
    # certutil -L -d /etc/dirsrv/slapd-instance_name -n "DS Certificate"
    Issuer: ""
    Subject: ""
  9. Start the Directory Server instance:
    # systemctl start dirsrv@instance_name
  10. Enable secure connections and configure the RSA encryption module. The two LDIF entries must be separated by an empty line, and the here-document is terminated by EOF:
    # ldapmodify -x -p 389 -h $HOSTNAME -D "cn=Directory Manager" -w password << EOF
    dn: cn=config
    changetype: modify
    replace: nsslapd-security
    nsslapd-security: on

    dn: cn=RSA,cn=encryption,cn=config
    changetype: add
    objectclass: top
    objectclass: nsEncryptionModule
    cn: RSA
    nsSSLPersonalitySSL: DS Certificate
    nsSSLToken: internal (software)
    nsSSLActivation: on
    EOF
  11. Optionally, set an LDAPS port other than the default (636).
    1. For example, to set the LDAPS port to 11636:
      # ldapmodify -x -p 389 -h $HOSTNAME -D "cn=Directory Manager" -w password << EOF
      dn: cn=config
      changetype: modify
      replace: nsslapd-secureport
      nsslapd-secureport: 11636
      EOF
    2. Set the SELinux policy for this non-standard port:
      # semanage port -a -t ldap_port_t -p tcp 11636
  12. Restart the Directory Server instance:
    # systemctl restart dirsrv@instance_name
  13. Verify in the /var/log/dirsrv/slapd-instance_name/errors file that Directory Server started in TLS mode:
    [30/Jun/2016:00:23:31 +0200] - SSL alert: Security Initialization: Enabling default cipher set.
    [30/Jun/2016:00:23:31 +0200] - SSL alert: Configured NSS Ciphers
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_128_CBC_SHA: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_256_CBC_SHA: enabled
    [30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
    [30/Jun/2016:00:23:31 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
    [30/Jun/2016:00:23:31 +0200] - 389-Directory/ B2016.166.1911 starting up
  14. Verify the TLS connection using the openldap-clients tools and the NSS database. Use port 636 if you kept the default LDAPS port in step 11:
    $ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-instance_name \
    	ldapsearch -H ldaps://$HOSTNAME:11636 \
    	-x -D "cn=Directory Manager" -w password \
    	-b "dc=example,dc=org" -s base "(objectClass=*)"

6.5.3. Preparing for Configuring Certificate System

If you chose to set up TLS between Certificate System and Directory Server, use the following parameters in the configuration file that you pass to the pkispawn utility when installing Certificate System (see Section 7.3, “Understanding the pkispawn Utility”):


We first create a basic TLS server authentication connection. Later, during post-installation, we return and make the connection require a client authentication certificate to be presented to Directory Server. Once client authentication is set up, pki_ds_password is no longer relevant.
pki_ds_bind_dn=cn=Directory Manager
The value of the pki_ds_database parameter is the name the pkispawn utility uses to create the corresponding subsystem database on the Directory Server instance.
The value of the pki_ds_hostname parameter is the host name of the Directory Server instance. It depends on the values used in Section 6.5.1, “Preparing a Directory Server Instance for Certificate System” and Section 6.5.2, “Enabling TLS Support in Directory Server”.
When you set pki_ds_secure_connection=True, the following parameters must also be set:
  • pki_ds_secure_connection_ca_pem_file: Sets the fully qualified path, including the file name, of the file that contains an exported copy of the Directory Server's CA certificate. This file must exist before pkispawn can use it.
  • pki_ds_ldaps_port: Sets the secure LDAPS port on which Directory Server is listening. The default is 636.
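As an added example that is not part of the Red Hat guide, the following POSIX shell helpers check the two things the procedure in Section 6.5.2 asks you to verify (the self-signed certificate in step 8 and the TLS start-up line in the errors file in step 13) and build the pki_ds_* parameter lines for Section 6.5.3, refusing to emit them when the CA PEM file that pkispawn requires is absent. The host name ds.example.com, the port 11636, the database name ca, the sample password and the constructed certutil output and log line are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Helper checks for the LDAPS
# procedure (6.5.2) and the pkispawn pki_ds_* parameters (6.5.3).

# Step 8: read `certutil -L -d <dir> -n "DS Certificate"` output on stdin and
# succeed only when the Issuer and Subject lines are identical (self-signed).
check_self_signed() {
    out=$(cat)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Issuer: *//p' | head -n 1)
    subject=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Subject: *//p' | head -n 1)
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# Step 13: print the minimum TLS version Directory Server logged in its errors
# file (for example "TLS1.0"); prints nothing if TLS was never initialized.
tls_min_version() {
    sed -n 's/.*Configured SSL version range: min: \([^,]*\),.*/\1/p' "$1" | tail -n 1
}

# 6.5.3: emit the pki_ds_* lines for the pkispawn configuration file, pointing
# pki_ds_secure_connection_ca_pem_file at the certificate exported in step 7.
# pkispawn requires that file to exist, so refuse to emit anything without it.
pki_ds_config() {
    host=$1; port=$2; pem=$3; dbname=$4; pwfile=$5
    [ -r "$pem" ] || { echo "CA PEM file not found: $pem" >&2; return 1; }
    printf 'pki_ds_hostname=%s\n' "$host"
    printf 'pki_ds_ldaps_port=%s\n' "$port"
    printf 'pki_ds_secure_connection=True\n'
    printf 'pki_ds_secure_connection_ca_pem_file=%s\n' "$pem"
    printf 'pki_ds_database=%s\n' "$dbname"
    printf 'pki_ds_bind_dn=cn=Directory Manager\n'
    printf 'pki_ds_password=%s\n' "$(cat "$pwfile")"
}

# Constructed sample data standing in for real certutil output, the errors
# log, the exported certificate and the password file from step 2.
demo() {
    d=$(mktemp -d)
    printf '        Issuer: "CN=ds.example.com"\n        Subject: "CN=ds.example.com"\n' > "$d/cert.txt"
    printf '[30/Jun/2016:00:23:31 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2\n' > "$d/errors"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed)' '-----END CERTIFICATE-----' > "$d/ds.crt"
    printf 'password\n' > "$d/password.txt"
    check_self_signed < "$d/cert.txt" && echo "DS certificate is self-signed"
    echo "TLS minimum version: $(tls_min_version "$d/errors")"
    pki_ds_config ds.example.com 11636 "$d/ds.crt" ca "$d/password.txt"
    rm -rf "$d"
}
demo
```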