Certificate Re-creation Script for OES2018, OES2015 and OES11


Attachment: certificate-creation-4.1.zip

This script is not needed when "ndsconfig upgrade" is used to create the certificates: "ndsconfig upgrade" writes the needed certificate files on the server itself (see Option 1 below).

The Certificate Re-creation script recreates the certificates on OES2018, OES2015, and OES11 servers from a Personal Information Exchange (PKCS#12, .pfx) file exported from iManager. With an additional parameter it also restarts the services that read those certificates. The script works through the steps listed below.

Platforms Supported:

OES2018, OES2015, and OES11 are currently supported.

Script Process:

  1. Prechecks (only when the -c switch is used). The prechecks verify whether the current certificates are good before anything is changed.

  2. The following files are backed up with the date and time appended to the file name:
    /etc/ssl/servercerts/servercert.pem
    /etc/ssl/servercerts/serverkey.pem
    /var/lib/novell-lum/x.x.x.x.der
    /etc/opt/novell/SSCert.pem //OES1
    /etc/opt/novell/certs/SSCert.pem //OES2 and later

  3. Creation of the new certificate files:
    /etc/ssl/servercerts/serverkey.pem
    /etc/ssl/servercerts/servercert.pem
    /etc/opt/novell/SSCert.pem //OES1
    /etc/opt/novell/SSCert.der //OES1
    /etc/opt/novell/certs/SSCert.pem //OES2 and later
    /etc/opt/novell/certs/SSCert.der //OES2 and later
    /var/lib/novell-lum/x.x.x.x.der

  4. Postchecks (only when the -c switch is used). The postchecks verify whether the new certificates are good.

  5. Reload of services (optional but recommended):
    owcimomd (only in OES1 and OES2)
    sfcb (OES11 and later)
    nldap
    namcd
    apache2


Option 1 - Recreate Certificates with "ndsconfig upgrade":

  1. Delete the current eDirectory certificates.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the server you plan on recreating the certificates on (use the object selector, the magnifying-glass icon).
    3. Select all certificates in the list and click Delete.

  2. Delete the SAS Service object.
    1. In iManager, go to NetIQ Certificate Access -> SAS Service Object.
    2. Select the server whose SAS Service object you are deleting (object selector, magnifying-glass icon).
    3. Check the box next to the SAS Service object and click Delete.

  3. Open a terminal as the root user and run "ndsconfig upgrade -j" (-j skips the health check). This creates new eDirectory certificates for this server. If the tree has no CA, it first creates the CA with this server as the host, so confirm that the Organizational CA exists before running it unless this server is meant to host it.

  4. Restart services.
    1. LDAP (unload, then reload the module)
      • nldap -u
      • nldap -l
    2. Apache2
      • rcapache2 restart
    3. Namcd. Run this on every server whose nam.conf has preferred-server set to this server (namconfig -k re-imports the LDAP server certificate for LUM).
      • namconfig -k
      • rcnamcd restart


Option 2 - Recreate Certificates with iManager, Export, and Run the Script:

  1. Delete the current eDirectory certificates.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the server you plan on recreating the certificates on (use the object selector, the magnifying-glass icon).
    3. Select all certificates in the list and click Delete.

  2. Delete the SAS Service Object.
    1. In iManager, go to NetIQ Certificate Access -> SAS Service Object.
    2. Select the server whose SAS Service object you are deleting (object selector, magnifying-glass icon).
    3. Check the box next to the SAS Service object and click Delete.

  3. Create the certificates in iManager. Either create the default certificates with these steps or manually create the SSL CertificateDNS certificate with the desired settings.
    1. In iManager, go to NetIQ Certificate Server -> Create Default Certificates.
    2. Select the server for which to create the certificates.
    3. Make sure the IP address and DNS name are correct and click Next.
    4. Click Finish.

  4. Export the Personal Information Exchange file using iManager.
    1. In iManager, go to NetIQ Certificate Access -> Server Certificates.
    2. Select the correct server.
    3. Check the SSL CertificateDNS object.
    4. Click Export.
    5. Select SSL CertificateDNS from the dropdown.
    6. Check "Export private key" and "Include all certificates in the certification path if available."
    7. Assign the private key a password. It protects the private key only while the file is in transit; the script removes it when it writes serverkey.pem.
    8. Save the resulting PKCS#12 file (Personal Information Exchange format) to a secure location. The default file name is cert.pfx.
    9. Copy the .pfx file to the server over a protected channel (scp, for example). It contains the server's private key, so remove the downloaded copy and the copy on the server once the script has run.

  5. Run the Certificate Creation Script.
    1. Download certificate-creation-4.1.tbz
    2. Open a terminal as the root user.
    3. Extract the script from the tarball.
      • tar -xjvf certificate-creation-4.1.tbz
    4. Make the script executable.
      • chmod 755 certificate-creation.sh
    5. Run the certificate-creation.sh script, giving it the path to the .pfx file (-f); -r reloads the services listed under Script Process step 5, and -c adds the pre- and post-checks. Run it with -h for the full list of options.
      • ./certificate-creation-4.1.sh -f /directory/fileName.pfx -l -r

  6. Restart services.
    1. Namcd. Run this on every server whose nam.conf has preferred-server set to this server, so LUM picks up the new certificate.
      • namconfig -k
      • rcnamcd restart
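
To make the procedure concrete, here is a reduced re-implementation of the work the script does between the export in step 4 and the service restart, covering the backup, file creation and post-check stages listed under Script Process. It is an added example written for this page, not the certificate-creation.sh from the tarball, and it makes two assumptions the page does not state: that SSCert.pem/.der and the LUM x.x.x.x.der file should hold the tree CA certificate that came with the export (the chain included via "Include all certificates in the certification path"), and that an OES_ROOT variable may prefix the OES paths so a run can be staged into a scratch directory (leave it empty on a real server). The transport password is handed to openssl through the environment rather than on the command line so it does not show up in ps.

```shell
#!/bin/sh
# Added example, not the page's certificate-creation.sh: the backup, creation and
# post-check stages of the script, for a .pfx exported from iManager.
# Assumptions: SSCert.* and the LUM <ip>.der file get the CA certificate that came
# with the export; OES_ROOT (empty on a real server) prefixes every OES path.
set -u
OES_ROOT=${OES_ROOT:-}

# backup_file PATH: keep a copy with the date and time appended before overwriting.
backup_file() {
  [ -f "$1" ] || return 0
  cp -p "$1" "$1.$(date +%Y%m%d-%H%M%S)"
}

# pem_only FILE: drop the "Bag Attributes" text openssl pkcs12 writes around each
# block, leaving only the BEGIN/END sections (the OES files hold bare PEM).
pem_only() {
  sed -n '/^-----BEGIN/,/^-----END/p' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# cert_matches_key CERT KEY: succeeds when the first certificate in CERT carries the
# public half of KEY, i.e. servercert.pem and serverkey.pem belong together.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_valid_now CERT: succeeds unless the certificate has already expired.
cert_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 > /dev/null
}

# install_from_pfx PFX PASSWORD SERVER_IP: back up the files from Script Process
# step 2, write the files from step 3, then run the post-check from step 4.
install_from_pfx() {
  pfx=$1 pass=$2 ip=$3
  sc="$OES_ROOT/etc/ssl/servercerts"
  nc="$OES_ROOT/etc/opt/novell/certs"
  lum="$OES_ROOT/var/lib/novell-lum"
  mkdir -p "$sc" "$nc" "$lum" || return 1
  for f in "$sc/servercert.pem" "$sc/serverkey.pem" \
           "$nc/SSCert.pem" "$nc/SSCert.der" "$lum/$ip.der"; do
    backup_file "$f" || return 1
  done
  # Private key with the transport password removed; created 0600 via umask,
  # because the services read it unencrypted.
  (umask 077 && PFX_PASS=$pass openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
     -nocerts -nodes -out "$sc/serverkey.pem" && pem_only "$sc/serverkey.pem") || return 1
  # Server certificate (the one that matches the key) first ...
  PFX_PASS=$pass openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
     -nokeys -clcerts -out "$sc/servercert.pem" && pem_only "$sc/servercert.pem" || return 1
  # ... then the CA certificate(s) on their own, for SSCert and LUM ...
  PFX_PASS=$pass openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
     -nokeys -cacerts -out "$nc/SSCert.pem" && pem_only "$nc/SSCert.pem" || return 1
  # ... and appended to servercert.pem, as version 4.1 does with the Trusted Certificate.
  cat "$nc/SSCert.pem" >> "$sc/servercert.pem" || return 1
  openssl x509 -in "$nc/SSCert.pem" -outform DER -out "$nc/SSCert.der" || return 1
  cp "$nc/SSCert.der" "$lum/$ip.der" || return 1
  # Post-check: key and certificate belong together and the certificate is in date.
  cert_matches_key "$sc/servercert.pem" "$sc/serverkey.pem" && cert_valid_now "$sc/servercert.pem"
}
```

On a real server run this as root with OES_ROOT empty and then reload the services from Script Process step 5 (the real script does that with -r). Two things to keep in mind: the key lands on disk unencrypted, which is why it is created under umask 077, and the .pfx still holds that key under only the transport password, so delete it once the files are in place.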


Fixes and Enhancements:

Version 4.1

  • servercert.pem now includes the Trusted Certificate.
  • Fixed the format of SSCert.pem.

Version 4.0

  • Added support for OES2015 and OES2018.
  • Fixed a few false success conditions.

Version 3.1

  • The pre and post checks are now optional; they only run when the -c switch is used.
  • The script no longer tries to restart owcimomd on OES11, where owcimomd is no longer used.

Version 3.0

  • No longer displays the password when ldapsearch throws an error.

Version 2.0

  • The script now does pre and post checks to see whether the certificates are good or bad.
  • Color was added for easier reading.

Version 1.1

  • The script now checks whether you are root.
  • OES2 x86_64 is now supported.
  • A relative path to the .pfx file can now be used.

Note: Running the script with -h displays the other parameter options.


Labels: Collateral, How To-Best Practice, Support Tip

Comments:

Anonymous
  • THANKS! This is gold, I just used the option "Recreate Certificates with "ndsconfig upgrade" very handy. Much quicker than doing via iManager.
  • Hello,

    I used option 2 but that does not re-create the SAS service object. Is the SAS service object required?

    Thanks,

    Andrew Shearer

  • Great script, used this many times. Needs to be updated for OES2015 though...

    This server in not SUSE Linux Enterpriser Server 9 or 10

    #=========== Results Summary ====================================#
    All creations of the certificates SUCCEEDED


    ...but of course nothing actually got updated.
  • Does eDirectory Certificate Server self-provisioning eliminate the need for this script? It seems that this script does a lot more than just have the CA re-key itself. I've had self-provisioning on for some time and I don't see how it corrects all the other eDirectory servers and services that rely on these certificates?

    Can someone set me straight. Thanks.
  • Can you run this script (this process) against the server that has your CA? How about running it against the server running iManager?
  • Never mind. Reread the script and realized that -l and -r are mandatory, therefore nldap will be restarted by the -l option. Help text is misleading in that it states that the -r option will cause a reload of nldap, which it doesn't.

    Cheers,

    Ron
  • Hi,

    Thanks for the script. There are two errors with respect to the -r option to reload services.

    1. the help text has a typo, it says 'nlap'. It should say 'nldap'.

    2. the code section for reloadServices does not contain anything to reload the nldap service. It should contain something like:


    echo 'Restarting LDAP service..................................#'
    nldap -u
    nldap -l


    Not sure how this would relate to using the -l option which recreates the LUM cert and restarts the nldap service. If one used both options then nldap would be restarted twice I guess....

    Cheers,

    Ron
  • I would like to see this script moved to an official repo and become officially supported. It is basically a must have on OES servers.
  • I have been using the script quite a bit lately and noticed that the rcowcimomd was attempting to run even though I'm on OES 11.1 and 11.2.

    I updated the script so that it can check for version 11 or higher instead of just version 11.

    Here is the diff


    456a457
    >
    461a463,472
    > # return 0 if program version is equal or greater than check version
    > # fitnr.com/bash-comparing-version-strings.html - Louis Marascio
    > check_version()
    > {
    > local version=$1 check=$2
    > local winner=$(echo -e "$version\n$check" | sed '/^$/d' | sort -nr | head -1)
    > [[ "$winner" = "$version" ]] && return 0
    > return 1
    > }
    >
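
    Review bot: check_version compares the two lines with `sort -nr`, which treats them as plain numbers, so it only orders versions with one dot and a single-digit minor correctly: "11.10" would sort below "11.9", and "11.2.1" is compared by its leading "11.2" only. For the two-part OES versions named in the comment (11.1, 11.2) it works, but `sort -rV` (GNU version sort) on the same two lines is the robust comparator: `local winner=$(printf '%s\n%s\n' "$version" "$check" | sort -rV | head -1)`. Note also that an empty $version makes `sed '/^$/d'` drop that line, the winner becomes "$check", and the function returns 1.
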
    464,473c475,486
    < printf "\n"
    < echo '#===========Reloading Services==========================================#'
    < if [ $oesVersion != "11" ]; then
    < echo 'Restarting owcimomd.................................#'
    < rcowcimomd restart
    < fi
    < echo 'Restarting namcd....................................#'
    < rcnamcd restart
    < echo 'Restarting apache2..................................#'
    printf "\n"
    > echo '#===========Reloading Services==========================================#'
    > if check_version "$oesVersion" "11"; then
    > echo "OES version is 11 or higher"
    > else
    > echo 'OES 10 Restarting owcimomd..........................#'
    > rcowcimomd restart
    > fi
    > echo 'Restarting namcd....................................#'
    > rcnamcd restart
    > echo 'Restarting apache2..................................#'
    > rcapache2 restart
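
    Review bot: the `then` branch of `if check_version "$oesVersion" "11"` only echoes "OES version is 11 or higher", so the condition reads inverted; `if ! check_version "$oesVersion" "11"; then rcowcimomd restart; fi` says what is meant and drops the extra message. The label "OES 10 Restarting owcimomd" is also too narrow: the Script Process section above lists owcimomd for OES1 and OES2, so the branch covers every release below 11 and should say so. The replaced test, `[ $oesVersion != "11" ]`, treated 11.1 and 11.2 as not-11 and restarted owcimomd on them, which is the failure the comment describes; the new test fixes that, but an empty or unset oesVersion still falls into the restart branch because check_version returns 1 for it.
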
    475c488
    printf "\n"
    477d489
    <