
Any way to use a key/certificate pair not from a backend server?


I am trying to figure out how to make nlpd use a listener
certificate that was created specifically for the DNS name of the server
it is running on, rather than the one exported by nlpexportcert from
one of the backend eDir servers. It does not seem to work when
specifying:

<certificate-file-name>nlpd.pem</certificate-file-name>

where nlpd.pem contains both the server key and the certificate in it.
The error message that is logged in nlpd.log is:

Stopping proxy service... reason=0x81510101

which is:

Cause: TLS initialization failed either because of the back-end server
or the client.
Action: Check for correct TLS/SSL certificates and their permissions and
if they are present in the locations specified in the configuration.

Not sure if this is possible, but would appreciate any ideas.


--
ablovatskia
------------------------------------------------------------------------
ablovatskia's Profile: https://forums.netiq.com/member.php?userid=288
View this thread: https://forums.netiq.com/showthread.php?t=48538


Re: Any way to use a key/certificate pair not from a backend server?

Just to be clear, since I am less familiar with LDAP Proxy than I am with
eDirectory and SSL in general, is this certificate to be used for the
client-to-LDAPProxy connection, or for the LDAPProxy-to-eDirectory
connection? I am guessing, based on the need to use the nlpexportcert
tool, that it is for the latter, and in that case I am curious why you
would want to use another certificate, since that will likely fail and,
even if it did work, provide no value (that I can see anyway... but I'm
not very creative) for the work.

Good luck.

Re: Any way to use a key/certificate pair not from a backend server?


Yes, it is for the client-to-LDAPProxy connection.

I would like to use a certificate that is issued to the DNS name of the
server that is running the proxy, so when the client checks the
connection hostname against the name on the certificate they match.
Forcing the use of the certificate from another server (in this case an
eDir backend server) is kind of a strange product "feature" to me...


--
ablovatskia
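A pre-flight check for a listener PEM of the kind described above (private key and certificate in one file, named for the proxy's own DNS name), added here as an example; it is not from the thread or the product. It assumes the openssl CLI; the hostname proxy.example.com and the generated files are constructed placeholders, and whether nlpd accepts such a file is the open question of the thread.

```shell
#!/bin/sh
# Added example (not nlpd code): checks a combined key+cert PEM before it is
# referenced from <certificate-file-name>. Covers the conditions the logged
# error text names (correct certificates, file permissions) plus the name match.

# check_listener_pem FILE HOST: returns 0 only if every check passes.
check_listener_pem() {
  pem="$1"; host="$2"; rc=0
  # 1. Exactly one private key and at least one certificate must be present.
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$pem" 2>/dev/null || true)
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null || true)
  [ "${keys:-0}" -eq 1 ] && [ "${certs:-0}" -ge 1 ] \
    || { echo "FAIL: $pem needs 1 key and >=1 cert (found ${keys:-0}/${certs:-0})"; rc=1; }
  # 2. The key must belong to the certificate (identical SubjectPublicKeyInfo).
  kpub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
  cpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] \
    || { echo "FAIL: private key does not match certificate"; rc=1; }
  # 3. The name clients connect to must be covered (SAN dNSName; CN only as
  #    legacy fallback), otherwise client hostname verification fails.
  openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match' \
    || { echo "FAIL: certificate is not valid for $host"; rc=1; }
  # 4. Not expired or about to expire (30 days).
  openssl x509 -in "$pem" -noout -checkend $((30*86400)) >/dev/null 2>&1 \
    || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  # 5. The file holds a private key: no access bits for 'others'.
  perms=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
  case "$perms" in
    *[1-7]) echo "FAIL: mode $perms lets other users read the key"; rc=1 ;;
  esac
  return $rc
}

# make_demo_pem DIR HOST: constructs a throwaway self-signed key+cert PEM as
# sample input for this example and prints its path.
make_demo_pem() {
  dir="$1"; host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  cat "$dir/key.pem" "$dir/cert.pem" > "$dir/nlpd.pem"
  chmod 600 "$dir/nlpd.pem"
  echo "$dir/nlpd.pem"
}

tmp=$(mktemp -d); pem=$(make_demo_pem "$tmp" proxy.example.com)
check_listener_pem "$pem" proxy.example.com && echo "OK: usable for proxy.example.com"
check_listener_pem "$pem" other.example.com || echo "(expected) not usable for other.example.com"
rm -rf "$tmp"
```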
