-
Notifications
You must be signed in to change notification settings - Fork 104
How to Setup OpenDJ with BCFKS FIPS Key Store Type support
Maxim Thomas edited this page Sep 20, 2023
·
3 revisions
cat > /tmp/opendj.keystore.pin
Password
EOF
keytool -genkey -alias server-cert -keyalg rsa -dname "CN=example.com,O=OpenDJ RSA Self-Signed Certificate" \
-keystore /etc/certs/opendj.bcfks -storetype BCFKS -validity 3650 -providername BCFIPS \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /tmp/libs/bc-fips-1.0.2.3.jar:/tmp/libs/bcpkix-fips-1.0.7.jar \
-keypass:file /tmp/opendj.keystore.pin -storepass:file /tmp/opendj.keystore.pin \
-keysize 2048 -sigalg SHA256WITHRSA
keytool -selfcert -alias server-cert -keystore /etc/certs/opendj.bcfks -storetype BCFKS -validity 3650 \
-providername BCFIPS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /tmp/libs/bc-fips-1.0.2.3.jar:/tmp/libs/bcpkix-fips-1.0.7.jar -storepass:file /tmp/opendj.keystore.pin
keytool -genkey -alias admin-cert -keyalg rsa -dname "CN=example.com,O=Administration Connector RSA Self-Signed Certificate" \
-keystore /etc/certs/opendj.bcfks -storetype BCFKS -validity 3650 -providername BCFIPS \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /tmp/libs/bc-fips-1.0.2.3.jar:/tmp/libs/bcpkix-fips-1.0.7.jar \
-keypass:file /tmp/opendj.keystore.pin -storepass:file /tmp/opendj.keystore.pin \
-keysize 2048 -sigalg SHA256WITHRSA
keytool -selfcert -alias admin-cert -keystore /etc/certs/opendj.bcfks -storetype BCFKS -validity 3650 \
-providername BCFIPS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /tmp/libs/bc-fips-1.0.2.3.jar:/tmp/libs/bcpkix-fips-1.0.7.jar -storepass:file /tmp/opendj.keystore.pin
Check keystore
keytool -list -storetype BCFKS -providername BCFIPS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /tmp/libs/bc-fips-1.0.2.1.jar:/tmp/libs/bcpkix-fips-1.0.5.jar -keystore /etc/certs/opendj.bcfks -storepass:file /tmp/opendj.keystore.pin
Output:
Keystore type: BCFKS
Keystore provider: BCFIPS
admin-cert, Sep 20, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 0D:62:B3:85:7C:58:27:4F:00:D3:68:DE:83:50:92:C8:DB:5F:0D:81:4D:14:77:47:C6:C2:D2:B1:05:D2:CB:B0
server-cert, Sep 20, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B4:BC:55:1F:48:28:43:19:0F:0D:D8:06:F8:53:A5:AE:40:B1:EC:DE:99:0C:E4:F1:2E:F7:3D:56:14:ED:BA:F7
Your keystore contains 2 entries
10:55:35 04/15/22 Running: /opt/opendj/setup --no-prompt --cli --propertiesFilePath /opt/opendj/opendj-setup.properties.bcfks --acceptLicense --doNotStart
...
useBcfksKeystore =/etc/certs/opendj.bcfks
keyStorePasswordFile =/tmp/opendj.keystore.pin
...
/opt/opendj/setup --no-prompt --cli --propertiesFilePath /opt/opendj/opendj-setup.properties.bcfks --acceptLicense --doNotStart
In order to run OpenDJ tools we need to specify additional parameters: --trustStorePath /opt/opendj/config/admin-truststore --trustStorePasswordFile /opt/opendj/config/keystore.pin
In order to use OpenDJ tools without additional parameters we can import OpenDJ trustore into sysatem PKCS11 trustore
keytool -importkeystore -destkeystore NONE -deststoretype PKCS11 -deststorepass changeit -srckeystore /opt/opendj/config/truststore -srcstoretype JKS -srcstorepass:file /opt/opendj/config/keystore.pin -noprompt
OpenDJ is an LDAPv3 compliant directory service, which has been developed for the Java platform, providing a high performance, highly available, and secure store for the identities managed by your organization. Its easy installation process, combined with the power of the Java platform makes OpenDJ the simplest, fastest directory to deploy and manage.