12-02-2005 01:24 AM
I install the depot, and copy the key3.db and cert7.db to /etc/opt/ldapux.
When I run /opt/ldapux/config/setup, if I specifiy port 636 then the setup program just hangs. If I leave the default port number of 389 I can run all of the setup program.
636 does not appear in /etc/services.
What do I need to do to enable SSL?
12-02-2005 01:35 AM
Copy the /etc/services entry from 443 to 636 to start.
Make sure the ssl.conf file listens on port 636 and there are no other firewall products messing with the product.
Restart networking or the whole box and try again.
Owner of ISN Corporation
12-02-2005 01:41 AM
There is no entry for 443 in /etc/services and there are no files called ssl.conf
There must be something not loaded or started that the writer of the document assumed would be loaded.
I expect it will be something really obvious, but I don't really know where to start looking.
12-02-2005 02:56 AM
When I try to connect using
"telnet hostname 636" I get "Unable to connect to remote host: Connection refused"
I think that something very basic is missing. The answer is going to be something simple like "run this command" or "install this depot".
12-02-2005 03:46 AM
I suspect SSL is not installed in your server. Check by running
#swlist -l product openssl
If not installed , download it from
http://software.hp.com and install the depot on the server using swinstall.
Port 636 could only be used with you are using SSL protocol.
12-04-2005 10:47 PM
I have not been through any configuration of SSL. It is unlikely that my predecessor would have done this without any documentation on it.
I still think that there is something very simple that I must be missing.
12-04-2005 11:18 PM
www.openssl.org for more information.
12-05-2005 04:30 AM
You don't specifiy port 636 as part of the initial setup program. You generally need to make an initial connection to port 389 to your LDAP server, and then when asked if you want to use SSL, you will say yes.
In addition, simply copying the certs from the LDAP server is not enough. You also have to run /opt/ldapux/contrib/bin/certutil to actually import the certs to your HP-UX system. My experience is this must be done on each client system; simply copying them from one client to another won't work. When importing certs from our Novell eDirectory, I need to run both of these commands:
â /opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapuxâ and â /opt/ldapux/contrib/bin/certutil -A -n ldap -t â TC,C,Câ -u C -d /etc/opt/ldapux -i /etc/opt/ldapux/file.derâ to get the certificates properly imported. Your specific options may vary, but the man page (located under /opt/ldapux/share/man) provides some good detail.
When the certs are properly installed, the setup program will ask if you want to use SSL (but after you have first specified a connection on port 389). After you say yes to SSL, then you are able to specify port 636.
I've attached the documentation I developed for our environment, but since it is specific for Novell eDirectory, you are likely to have to make some changes.