eDirectory 9: extracting the Organizational CA's public key to connect to LDAPS using OpenSSL (not iManager)

  • 7021067
  • 06-Jul-2017
  • 06-Apr-2018

Environment

NetIQ eDirectory 9
NetIQ iManager 3
OpenSSL 1.x

Situation

Normally iManager is used to export certificates in eDirectory to a PKCS7 file.  Sometimes iManager may not be available so an alternative is required.

There is some confusion over which key to export.

Resolution

The following steps, written for Linux, use:
- OpenSSL to view and extract the key
- vi to create the .pem file
- eDirectory's ldapsearch utility to test it
On Windows, Cygwin is an option.



1. Dump Certificates


Use the OpenSSL client to display the certificates associated with the secure LDAPS port (636).  The same procedure can be used for HTTPS.  NOTE: you must be logged in as root to execute the command.

# openssl s_client -showcerts -connect 192.168.211.132:636

CONNECTED(00000003)
depth=1 OU = Organizational CA, O = HVTREE-1A
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=HVTREE-1A/CN=hvsrv-1a.lab.novell.com
   i:/OU=Organizational CA/O=HVTREE-1A
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:/OU=Organizational CA/O=HVTREE-1A
   i:/OU=Organizational CA/O=HVTREE-1A
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

---
Server certificate
subject=/O=HVTREE-1A/CN=hvsrv-1a.lab.novell.com
issuer=/OU=Organizational CA/O=HVTREE-1A
---
No client certificate CA names sent
---
SSL handshake has read 3404 bytes and written 565 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: E8D748C2F2F1A3C37C31C465DE01AD50457B13C462357D59EFFDEB1DB75D7882
    Session-ID-ctx:
    Master-Key: 73C99AF1F44C5F4FD572829F8E4DBEE56A0219543C1E0BB60B7C2FA14C596E27C7331BFE0F3B0AFB582800E3524BA40E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 33 c6 b8 3d 98 1d 8e f0-ff 46 a9 65 19 5c a3 16   3..=.....F.e.\..
    0010 - 74 c2 3d 9f 94 d5 70 14-fc c8 a4 d6 12 38 48 d1   t.=...p......8H.
    0020 - d6 01 dc fa 49 fe 48 22-99 2c cc 7e b6 c2 7b 84   ....I.H".,.~..{.
    0030 - f7 99 4f f7 e2 6d 1a cc-23 19 b9 c1 ec aa 54 fe   ..O..m..#.....T.
    0040 - 4f da 79 9c 2a d3 2f 2a-60 80 4a 59 29 0f 05 f4   O.y.*./*`.JY)...
    0050 - f3 e0 90 0b e6 67 a4 82-9a 1d 2c 0d e1 f8 ef 84   .....g....,.....
    0060 - 25 f8 0d e1 cb e5 26 8d-7e bb af 26 74 0f 9a dc   %.....&.~..&t...
    0070 - fb 7b 31 cb 98 af 62 36-11 2e ec 46 4b d1 87 c2   .{1...b6...FK...
    0080 - 7a 12 2a e9 16 5e 26 fd-bf dc 7e df 89 fe f3 75   z.*..^&...~....u
    0090 - cf 81 9f 89 e2 c4 47 20-d5 e9 02 00 72 1c 72 f7   ......G ....r.r.
    00a0 - 6f 41 41 ee c3 c0 e5 7b-b8 a4 d5 bf 7c 08 4c fd   oAA....{....|.L.

    Start Time: 1500587952
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---


From this example we can see there are two certificates involved in the chain:
1. The server's own certificate: 0 s:/O=HVTREE-1A/CN=hvsrv-1a.lab.novell.com
2. The tree's RootCA (Organizational CA) certificate that signed it: 1 s:/OU=Organizational CA/O=HVTREE-1A


2. Extract RootCA Certificate

Utilities such as ldapsearch can only trust the server certificate if they trust the RootCA that signed it.  Therefore, it is the RootCA portion above (certificate 1 in the chain, whose subject and issuer are the same) that is required.

Start a vi session, then copy and paste the second certificate in the chain above (the one listed as 1 s:/OU=Organizational CA/O=HVTREE-1A), from its -----BEGIN CERTIFICATE----- line through its -----END CERTIFICATE----- line inclusive, into a file and save it with a .pem extension.  This is the certificate file format ldapsearch uses.  In this example the file will be saved as cert.pem.


3. Test Certificate

The following command uses the RootCA's certificate saved above as the trust anchor for the LDAPS handshake:
LDAPTLS_CACERT=/tmp/certs/cert3.pem /opt/novell/eDirectory/bin/ldapsearch -H ldaps://x.x.x.x:636 -D cn=admin,o=novell -w novell -b o=novell cn=admin

This time, instead of ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1), the following will be shown:


# extended LDIF
#
# LDAPv3
# base <o=emg> with scope subtree
# filter: cn=admin
# requesting: ALL
#

# admin, novell
dn: cn=admin,o=novell
uid: admin
messageServer: cn=90svr1,o=novell
sn: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
loginTime: 20170726021725Z
cn: admin
ACL: 2#subtree#cn=admin,o=novell#[All Attributes Rights]
ACL: 6#entry#cn=admin,o=novell#loginScript
ACL: 2#entry#[Public]#messageServer
ACL: 6#entry#cn=admin,o=novell#printJobConfiguration

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
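The three steps above combined into one script, as an added example that is not part of this TID: it parses the s_client output and selects the certificate whose subject equals its issuer (the Organizational CA), so there is no need to judge by eye which block to paste, and it then confirms the saved file actually validates the server before handing it to ldapsearch. The function names, the sample chain (dummy base64 bodies, not real certificates), the host and file placeholders, and the use of ldapsearch's OpenLDAP-style -W password prompt are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original TID): automate "dump chain", "pick the
# Organizational CA" and "test it".  Assumes OpenSSL and eDirectory's ldapsearch
# are installed at the paths used in the article; host, port and file names are
# placeholders.

# Constructed sample of `openssl s_client -showcerts` output.  The certificate
# bodies are dummy base64, NOT real certificates; they only exercise the parser.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 OU = Organizational CA, O = HVTREE-1A
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/O=HVTREE-1A/CN=hvsrv-1a.lab.novell.com
   i:/OU=Organizational CA/O=HVTREE-1A
-----BEGIN CERTIFICATE-----
U0VSVkVSLUNFUlQtQk9EWS1DT05TVFJVQ1RFRA==
-----END CERTIFICATE-----
 1 s:/OU=Organizational CA/O=HVTREE-1A
   i:/OU=Organizational CA/O=HVTREE-1A
-----BEGIN CERTIFICATE-----
Q0EtQ0VSVC1CT0RZLUNPTlNUUlVDVEVE
-----END CERTIFICATE-----
---
Server certificate'

# count_certs: number of PEM blocks on stdin (1 means the server sent no CA).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# extract_self_signed_cert: from s_client output on stdin, print the PEM block
# whose "s:" (subject) line equals its "i:" (issuer) line.  That is the CA
# itself, the part ldapsearch must trust; the server certificate (entry 0) is not.
extract_self_signed_cert() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        iss  = $0 }
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inblock = 1 }
        inblock { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ {
            inblock = 0
            if (subj == iss && found == "") found = buf
        }
        END { printf "%s", found }
    '
}

# fetch_ca_cert HOST PORT OUTFILE: steps 1 and 2 without a text editor.
fetch_ca_cert() {
    host=$1; port=$2; out=$3
    # </dev/null closes s_client's stdin so it prints the chain and exits.
    chain=$(openssl s_client -showcerts -connect "$host:$port" </dev/null 2>/dev/null)
    printf '%s\n' "$chain" | extract_self_signed_cert > "$out"
    if [ ! -s "$out" ]; then
        n=$(printf '%s\n' "$chain" | count_certs)
        echo "no self-signed CA in the chain from $host:$port ($n certificate(s) received); export the CA from iManager instead" >&2
        return 1
    fi
    # Show what was saved so the operator can confirm it is the tree's CA.
    openssl x509 -in "$out" -noout -subject -issuer -fingerprint -sha256
}

# verify_with_ca HOST PORT CAFILE: the chain that failed with "verify error:num=19"
# must now end with "Verify return code: 0 (ok)" when the saved CA is supplied.
verify_with_ca() {
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# ldaps_test HOST CAFILE BINDDN BASE: step 3.  -W prompts for the password instead
# of placing it on the command line, where ps and shell history would keep it.
ldaps_test() {
    LDAPTLS_CACERT="$2" /opt/novell/eDirectory/bin/ldapsearch \
        -H "ldaps://$1:636" -D "$3" -W -b "$4" -s base '(objectClass=*)' dn
}

# Usage (placeholder values):
#   ./ldaps_ca.sh 192.168.211.132 /tmp/certs/cert.pem cn=admin,o=novell o=novell
if [ "$#" -eq 4 ]; then
    fetch_ca_cert "$1" 636 "$2" && verify_with_ca "$1" 636 "$2" && ldaps_test "$1" "$2" "$3" "$4"
fi
```

If the server sends only its own certificate (count_certs reports 1), nothing in the chain is self-signed and the script stops rather than saving the wrong block; the CA then has to be obtained from iManager or the CA's host. The verify_with_ca step is the real check: a file that ldapsearch accepts but that does not bring s_client's verify code to 0 is not the CA that signed this server's certificate.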