Hi
I am setting up my syncrepl to use certificates; my problem is I don't want to leave the private key for the server unencrypted.
The file pointed to by TLSCertificateKeyFile is just read at slapd start-up time, i.e. can I decrypt the file, start slapd and then remove the unencrypted file?
Alex
Hi
Thought I would re-ask: do certificates only get read at start up? I store my certs with a password; can I remove the password protection, start slapd and then remove the unprotected private key file?
Will this be okay until such a time as slapd gets restarted?
Alex
---------- Forwarded message ---------- From: Alex Samad alex@samad.com.au Date: Sat, Jan 16, 2010 at 6:03 PM Subject: tls private key To: openldap-technical@openldap.org
Hi
I am setting up my syncrepl to use certificates; my problem is I don't want to leave the private key for the server unencrypted.
The file pointed to by TLSCertificateKeyFile is just read at slapd start-up time, i.e. can I decrypt the file, start slapd and then remove the unencrypted file?
Alex
Alexander,
I don't know if they only get read at startup or not... but it does bring up the question: Why?
Protect the file with chmod 440 permissions (with root/root or ldap/ldap or whatever the user/group you use to run slapd).
If there are others with root permission to this box that shouldn't or you don't want to have access to these files - you /really should/ fix that issue first. Then trust the file system permissions to do their job.
Sadly, I suspect though that you're dead set on keeping the certs password protected, and won't be doing the above.
However, you could always just /try/ - if it works, then you know the answer. Just get used to restarting/starting slapd being a needless PITA.
Thanks, - chris
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
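Chris's advice above amounts to a file-permission check on the path named by TLSCertificateKeyFile: readable by the account slapd runs as (and at most its group), nothing for anyone else. The script below is an added example written for this page, not code from the thread or from OpenLDAP. It assumes GNU `stat` (Linux) and takes the expected owner and group as arguments, for instance `root openldap` as on Alex's Debian box.

```sh
#!/bin/sh
# Added example (not from the thread or from OpenLDAP): audit the private key
# file named by TLSCertificateKeyFile the way the replies recommend.
# Assumes GNU coreutils `stat` (Linux).

# key_mode_ok FILE
# Returns 0 when the mode is one of 400, 440, 600 or 640: readable by the
# owner, at most readable by the group, and nothing at all for "other".
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    case $mode in
        [46][04]0) return 0 ;;
        *)         return 1 ;;
    esac
}

# key_owner_ok FILE USER GROUP
# Returns 0 when the file is owned by exactly USER:GROUP.
key_owner_ok() {
    owner=$(stat -c '%U:%G' "$1" 2>/dev/null) || return 1
    [ "$owner" = "$2:$3" ]
}

# audit_key_file FILE USER GROUP
# Reports every problem found on stderr; returns 0 only when both checks pass.
audit_key_file() {
    file=$1; user=$2; group=$3; rc=0
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi
    if ! key_mode_ok "$file"; then
        echo "$file: mode $(stat -c '%a' "$file") is too permissive; want 0440 (or 0400)" >&2
        rc=1
    fi
    if ! key_owner_ok "$file" "$user" "$group"; then
        echo "$file: owned by $(stat -c '%U:%G' "$file"); want $user:$group" >&2
        rc=1
    fi
    return $rc
}

# Usage: ./audit_key_file.sh /path/to/server-key.pem root openldap
# (the key path is a placeholder; use the value of TLSCertificateKeyFile)
if [ $# -eq 3 ]; then
    audit_key_file "$1" "$2" "$3"
fi
```

The check is deliberately mode-based rather than access-based (`test -r` would say "readable" for root whatever the mode), so it reports the same result no matter which account runs it; wire it into whatever configuration check runs before slapd starts.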
On Wed, Mar 24, 2010 at 4:02 AM, Chris Jacobs Chris.Jacobs@apollogrp.edu wrote:
Alexander,
Just Alex :) (getting used to google mail) Alexander reminds me of being in trouble from the parents
I don't know if they only get read at startup or not... but it does bring up the question: Why?
I would like to have another layer of protection on the machine / certificates. I would have thought it would have been a quick and easy question - yes I could go and read the src, but.
Protect the file with chmod 440 permissions (with root/root or ldap/ldap or whatever the user/group you use to run slapd).
yep I do, root.openldap (debian)
If there are others with root permission to this box that shouldn't or you don't want to have access to these files - you /really should/ fix that issue first. Then trust the file system permissions to do their job.
so why allow for encrypted private keys :)
Sadly, I suspect though that you're dead set on keeping the certs password protected, and won't be doing the above.
The above is already done.
However, you could always just /try/ - if it works, then you know the answer. Just get used to restarting/starting slapd being a needless PITA.
Not sure where you got the idea I haven't already done this?
And I am not sure why it's bad to look for another layer of security.
Thanks,
- chris
Alex, encrypting the private key really isn't necessary and I highly doubt it would work for your application nor be worth the hassle. Securing via file permissions as mentioned previously is really the best way to tackle this. Think of 'other layers of protection' being firewalls, intrusion detection, restricted logins, chroot jails, etc., etc... Encryption really works best for UDP-like transportation like email where you cannot guarantee the recipient is the only person able to 'see' the document ;)
On Mar 25, 2010, at 6:32 PM, Alexander Samad alex@samad.com.au wrote:
[snip]
Hi
On Fri, Mar 26, 2010 at 12:09 PM, Tyler Gates tgates81@gmail.com wrote:
Alex, encrypting the private key really isn't necessary and I highly doubt it would work for your application nor be worth the hassle. Securing via file permissions as mentioned previously is really the best way to tackle this. Think of 'other layers of protection' being firewalls, intrusion detection, restricted logins, chroot jails, etc., etc...
Yep, got those: firewalls, permissions etc.
I am not sure why everyone is against me trying to use another layer of protection; just because I permission it as root.root 440 doesn't mean it's safe. I could make it safer by decrypting the private key, starting slapd and removing the unencrypted file.
Or think of it another way: my private key could be on a USB key that I insert into the machine on start up and remove once slapd has started.
I have seen secure machines compromised before: somebody installed cvs, forgot to change the cvs userid password, root hack and a remote user had access to the system. Sometimes people do silly things.
On my laptop I encrypt the fs and the swap space, my gpg keys have userid/passwords and my certs have userid password protection; I'd like to do the same for my ldap setup as well :)
I understand the reasons for encrypting and signing packets or information; I am just asking if slapd needs access to the private key after it has read the file on startup.
Encryption really works best for UDP-like transportation like email where you cannot guarantee the recipient is the only person able to 'see' the document ;)
[snip]