Create SSL Certificate on Cluster Resources
I want to create an SSL certificate for cluster resources.
I have two servers in cluster mode. Those servers are iPrint servers.
If a server fails, the iPrint resources migrate to the other server, and that works fine for all printers except printers with SSL authentication.
Those printers stop working and the iPrint client sends the message "unable to authenticate to the printer". If the failed server comes up again, the message disappears and everything works fine again.
I want to know if it's possible to create an SSL certificate and associate it with the cluster resource and not the server?
Thanks in advance....
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Your Novell Product Support Forums Team
The setup of the cluster load and unload script for clustering ldap is as simple as adding and removing the secondary IP for the ldap resource. The setup of the ldap service is a different matter.
First off, create an LDAP group for the resource. Set up the attribute/class map the way that you want the resource to behave, such that whatever node the resource is on at the moment, it will answer with the same information.
Secondly, the LDAP service will only read the cert information pointed to by the LDAP server object. Since you can only mint a cert off the server object and associate it with its respective LDAP server object, you cannot easily just create one cert for this resource. You need to identify beforehand all the possible combinations your LDAP apps could use to authenticate to the LDAP server. You then mint a cert for every node in the cluster that is going to potentially host this resource and assign the main DNS A name as the primary name and add the other names as secondary names.
For example, I have a 7 node cluster and for each node I minted a cert with the main name of the resource (BRIPNLDAP01) and then added in the IP address for that DNS name and then the IP/DNS of the individual node for that cert. In effect, it turned out to be something like 7 or 8 secondary names for each cert, as you need to be aware of how the resource is going to connect (fully qualified DNS versus relative, i.e. cn=server.domain.com,o=org or cn=server,o=org). Since you can't change a cert once it has been minted, you need to spend a lot of time at this step identifying how clients might connect, because you don't want to have to go back and re-mint all these certs.
Once you have this cert mess figured out, you can bounce a secure ldap server/secondary ip address around your cluster and not have the apps complain.
P.S. You also need to export the trusted root of your tree's CA into the keystore of your app.
For those that want the cert to travel with the cluster resource, this is what I did
For cluster: MAIN-CLUSTER
Cluster Resource: SERVICES
Resource IP: 10.242.1.34
Create a directory on the root of the cluster resource
Create & alter services.conf, which contains the following (the [ alt_names ] section header must precede the DNS/IP entries, since subjectAltName = @alt_names refers to that section):
[ req ]
default_bits = 2048
default_keyfile = services.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
commonName = common_name
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = MAIN-CLUSTER-SERVICES-SERVER.office.mydomain.com.au
IP.2 = 10.242.1.34
Create request:
openssl req -new -nodes -sha256 -config services.conf -out services.csr
Insert the short cluster name when prompted, e.g. MAIN-CLUSTER-SERVICES-SERVER
Check request:
openssl req -in services.csr -noout -text
Use iManager to create the certificate & export it
Check cert:
openssl x509 -noout -text -in services.b64
For some things you may also need to export the Tree root, as TREE.b64
Then cat services.b64 TREE.b64 > services-chain.b64 (edit it and add a linefeed between the 2 certs)
Then you will have a cert that has
subject = CN=MAIN-CLUSTER-SERVICES-SERVER
alt subject = DNS:MAIN-CLUSTER-SERVICES-SERVER.office.pegasustech.com.au, IP Address:10.242.1.34
Which I think is what you are looking for.
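The name-coverage problem raised in the LDAP reply above (clients connecting by short name, FQDN or IP address) and the services.conf recipe in the last post, as an added Python example that is not from any poster: it renders the OpenSSL request config with a correct [ alt_names ] section and checks whether the target a client connects to is covered by a certificate's SAN entries. The prompt = no setting is an assumption so the CN is taken from the file rather than an interactive prompt.

```python
import ipaddress
from typing import Iterable


def openssl_req_config(common_name: str, dns_names: Iterable[str], ips: Iterable[str]) -> str:
    """Render an OpenSSL 'req' config for a CSR carrying DNS and IP subjectAltNames."""
    lines = [
        "[ req ]",
        "default_bits = 2048",
        "prompt = no",  # assumption: take the CN from the file rather than prompting
        "distinguished_name = req_distinguished_name",
        "req_extensions = req_ext",
        "[ req_distinguished_name ]",
        f"commonName = {common_name}",
        "[ req_ext ]",
        "subjectAltName = @alt_names",
        "[ alt_names ]",  # '@alt_names' names a section, so this header is required
    ]
    lines += [f"DNS.{i} = {n}" for i, n in enumerate(dns_names, 1)]
    lines += [f"IP.{i} = {a}" for i, a in enumerate(ips, 1)]
    return "\n".join(lines) + "\n"


def _dns_match(pattern: str, host: str) -> bool:
    """Hostname match as TLS clients do it: exact, or '*' in the left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_covers(san: Iterable[str], target: str) -> bool:
    """True if a client connecting to 'target' is covered by 'openssl x509 -text' SAN entries."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None  # target is a hostname, so only DNS entries can match it
    for entry in san:
        kind, _, value = entry.partition(":")
        kind, value = kind.strip(), value.strip()
        if kind == "DNS" and target_ip is None and _dns_match(value, target):
            return True
        if kind == "IP Address" and target_ip is not None:
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                pass  # skip a malformed IP entry rather than abort the whole check
    return False
```

Run san_covers against the SAN list from the "Check cert" step with every name your iPrint or LDAP clients actually use; a short name that fails the check is one the cert must carry before it is minted.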