Wednesday, April 5, 2017

[389-users] Re: Scripting SSL Enabling of 389-DS Admin Serv and Instances

On 04/05/2017 10:04 AM, Paul Whitney wrote:
> Is there something special that needs to be done to "initialize" the
> new DB files that can be scripted (ansible) that will set the password
> for the new server, then copy the DB files/pin.txt.?


After importing the keys, I apply these configuration settings:


dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLToken
nsSSLToken: internal (software)
-
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
-
replace: nsSSLActivation
nsSSLActivation: on
-
replace: objectClass
objectClass: top
objectClass: nsEncryptionModule
-

dn: cn=encryption,cn=config
changetype: modify
replace: nsTLS1
nsTLS1: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers:
 -fortezza_null,-rsa_rc2_40_md5,-rsa_fips_des_sha,-rsa_rc4_128_m
 d5,-rsa_3des_sha,-rsa_rc4_40_md5,-fortezza,-rsa_null_sha,-fortezza_rc4_128_sh
 a,-rsa_des_sha,-rsa_fips_3des_sha,-rsa_null_md5,-all,+tls_rsa_aes_128_sha,+tl
 s_rsa_aes_256_sha,+TLS_RSA_WITH_AES_128_GCM_SHA256,-tls_rsa_export1024_with_r
 c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,+TLS_RSA_WITH_AES_128_GCM_SHA2
 56
-
replace: nsKeyfile
nsKeyfile: alias/slapd-master1-key3.db
-
replace: nsCertfile
nsCertfile: alias/slapd-master1-cert8.db
-

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
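An added example, not from the list post or the 389-DS project: before pushing an LDIF like the one above from Ansible, unfold its continuation lines and evaluate the nsSSL3Ciphers token list to see which ciphers actually end up enabled and whether any weak ones slipped through. The left-to-right +/- model and the WEAK_MARKERS heuristic are simplifying assumptions of this example, not the server's exact matching rules.

```python
# Constructed sample: the nsSSL3Ciphers change from the reply, as folded LDIF.
SAMPLE_LDIF = """dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3Ciphers
nsSSL3Ciphers:
 -fortezza_null,-rsa_rc2_40_md5,-rsa_fips_des_sha,-rsa_rc4_128_m
 d5,-rsa_3des_sha,-rsa_rc4_40_md5,-fortezza,-rsa_null_sha,-fortezza_rc4_128_sh
 a,-rsa_des_sha,-rsa_fips_3des_sha,-rsa_null_md5,-all,+tls_rsa_aes_128_sha,+tl
 s_rsa_aes_256_sha,+TLS_RSA_WITH_AES_128_GCM_SHA256,-tls_rsa_export1024_with_r
 c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,+TLS_RSA_WITH_AES_128_GCM_SHA2
 56
"""
# Illustrative heuristic (assumption, not 389-DS policy): names matching these look weak.
WEAK_MARKERS = ("null", "export", "rc4", "rc2", "_des_", "md5", "fortezza")

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the line before."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def get_attr(lines, attr):
    """Return the value of the first attribute named attr (case-insensitive)."""
    prefix = attr.lower() + ":"
    for line in lines:
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return None

def evaluate_cipher_spec(spec):
    """Walk the +/- tokens left to right: '-all' clears what is enabled so far;
    '+all' is rejected since the server's default set is not modelled here.
    Returns (enabled names in order, the weak ones among them)."""
    enabled = []
    for tok in (t.strip() for t in spec.split(",") if t.strip()):
        sign, name = tok[0], tok[1:].lower()
        if sign not in "+-" or (name == "all" and sign == "+"):
            raise ValueError("unsupported cipher token: " + tok)
        if name == "all":
            enabled.clear()
        elif sign == "+" and name not in enabled:
            enabled.append(name)
        elif sign == "-" and name in enabled:
            enabled.remove(name)
    weak = [c for c in enabled if any(m in c for m in WEAK_MARKERS)]
    return enabled, weak
```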
