
CA Directory Replication over SSL

Question asked by rusad02 Employee on Feb 24, 2016
Latest reply on Aug 16, 2017 by SatyendraSingh1

Hi all,

I am working to set up two CA Directory DSAs for replication over SSL. I am having issues, it seems, with the extensions and certificate purposes that my signing certificate authority places on the certificates. I am using openssl to generate the RSA key and CSR instead of the dxcertgen tool because I wanted to add a full OU structure.

When I sign the certificate with my signing root CA I use

openssl ca -config /root/ca/intermediate/openssl.cnf -extensions server_cert -notext -md sha256 -in dsaname.csr -out dsaname.cer.pem

In that openssl.cnf file the server_cert extension section looks like this:

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

I am using

dxcertgen -n ca.cer importca

to import the public key of the signing CA into my trusted.pem. I then issue the command

dxcertgen report

and it verifies that my personalities/dsaname.pem and the Trusted Root certificates in trusted.pem are all valid. I have already configured the DSA configuration files to allow ssl-auth and am able to log in to JXplorer via SSL, forcing SSL + Username + Password.

The problem I am running into is doing replication from dsaA to dsaB. I have copied the knowledge .dxc files from dsaA to dsaB and vice versa, created the replicationGroup.dxg file, sourced both of the .dxc files in that group file and then sourced it in their dsaname.dxi file.

An example of the trust flags I have set in the knowledge/dsaname.dxc file is

set dsa "smsessionstore20" =
{
    prefix        = <o smsession><ou sessionstore>
    dsa-name      = <o smsession><ou sessionstore><cn "smsessionstore20">
    dsa-password  = "secret"
    address       = tcp "editedforPosting" port 11400, tcp "editedforPosting" port 11443
    disp-psap     = DISP
    snmp-port     = 11400
    console-port  = 11401
    auth-levels   = clear-password, ssl-auth
    dsa-flags     = multi-write
    trust-flags   = allow-check-password, trust-conveyed-originator, trust-dsa-triggered-operations
    link-flags    = ssl-encryption, ssl-encryption-remote
};

When I start the DSAs to test the replication I am getting the following errors in the dsa_warn.log:

[9] 20160223.162036.425 WARN : ssld_ssl_request failed
[7] 20160223.162043.440 WARN : TLS/SSL handshake failed for call from 172.16.113.150:53214
[2] 20160223.162059.410 WARN : ERROR IN HANDSHAKE
[2] 20160223.162059.410 WARN : 7f32c80008f8-   15030100 020230    ......0
[2] 20160223.162059.410 WARN : 2:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1300:SSL alert number 48
[2] 20160223.162059.410 WARN : ssld_ssl_request failed
[2] 20160223.162059.410 WARN : TLS/SSL handshake failed for call from 172.16.113.150:36521
[0] 20160223.162137.460 WARN : MW-DISP not in sync for 'smsessionstore20'
[0] 20160223.162137.460 WARN : Attempting to send update to peer 'smsessionstore20'
[6] 20160223.162137.465 WARN : Verify error 26: unsupported certificate purpose
[6] 20160223.162137.465 WARN : SSL Error
[6] 20160223.162137.465 WARN : 6:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1185:

The dsa_alarm.log states:

] 20160223.160532.679 DSA_I1240 DSA shutting down
[0] 20160223.160824.757 DSA_W2650 Cannot get Multiwrite last update time for 'smsessionstore20'
[0] 20160223.160824.759 DSA_I1220 DSA started: dxserver 12.0.17 (build 11557) Linux 64-Bit
[0] 20160223.160824.759 DSA_I3200 License: dxserver 12.0.17 (build 11557) Linux 64-Bit prefix ou=sessionstore,o=smsession entry total 6
[0] 20160223.160824.759 DSA_I1150 DXgrid file usage: Filesize 500000000 Used bytes 1120 (1%) Reclaimable bytes 6
[9] 20160223.160925.819 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'smsessionstore20'
[6] 20160223.161733.263 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'smsessionstore20'
[2] 20160223.162743.798 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'smsessionstore20'
[6] 20160223.163753.376 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'smsessionstore20'

After doing some research I found something on Oracle's website about directory replication over SSL stating:

To Configure Replication Operations for SSL

This procedure shows example commands for setting up replication on a replication topology with two masters.

Note –

This example shows a simple replication configuration, using a self-signed certificate as generated during instance creation. When setting up replication over SSL in a production environment, you will have better security if you use Certificate Authority trusted certificates instead.

Replication over SSL will fail if the supplier server certificate is an SSL server-only certificate that cannot act as a client during an SSL handshake.

What server type extensions do my certificates need to be issued with to allow the DSA replication over SSL? server or client? When I set them to client certificates I am unable to log in with JXplorer.

Thank you for the help,

Adam Rusniak
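A way to see, before issuing anything, which TLS roles OpenSSL will accept a certificate for when it is cut from an extension section like the one posted. This is an added example, not CA Directory's or the poster's code: it re-implements in stdlib Python the end-entity checks OpenSSL's X509_check_purpose applies for the "SSL client" and "SSL server" purposes (an absent extension never rejects; a present nsCertType, extendedKeyUsage or keyUsage must carry the bit for that role), and the section text is constructed from the post.

```python
# The [ server_cert ] section from the post, as constructed sample input.
POSTED_SECTION = """\
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
"""


def parse_section(text):
    """Return {extension: set(values)} for an openssl.cnf extension section.
    Comments are ignored and the 'critical' marker is dropped from value lists."""
    exts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values = {v.strip() for v in value.split(",")}
        exts[key] = {v for v in values if v and v != "critical"}
    return exts


def purposes(exts):
    """Mirror OpenSSL's purpose rules for an end-entity certificate.
    Verify error 26 ('unsupported certificate purpose') is what a peer reports
    when the role it needs comes back False here."""
    ns = exts.get("nsCertType")
    eku = exts.get("extendedKeyUsage")
    ku = exts.get("keyUsage")
    client = ((ns is None or "client" in ns)
              and (eku is None or "clientAuth" in eku)
              and (ku is None or ku & {"digitalSignature", "keyAgreement"}))
    server = ((ns is None or "server" in ns)
              and (eku is None or "serverAuth" in eku)
              and (ku is None or ku & {"digitalSignature", "keyEncipherment"}))
    return {"ssl_client": bool(client), "ssl_server": bool(server)}


def check(section_text):
    """Parse a section and report the roles a certificate issued from it can fill."""
    return purposes(parse_section(section_text))


if __name__ == "__main__":
    print("posted section:", check(POSTED_SECTION))
    both = POSTED_SECTION.replace("nsCertType = server", "nsCertType = server, client")
    print("server, client:", check(both))
```

The same verdict can be read from OpenSSL itself on an issued certificate with `openssl x509 -in dsaname.cer.pem -noout -purpose`, which lists "SSL client" and "SSL server" as Yes or No.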
