On 04/05/2017 10:04 AM, Paul Whitney wrote:
Is there something special that needs to be done to "initialize" the
new DB files that can be scripted (ansible) that will set the password
for the new server, then copy the DB files/pin.txt.?
After importing the keys, I apply these configuration settings:
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLToken
nsSSLToken: internal (software)
-
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
-
replace: nsSSLActivation
nsSSLActivation: on
-
replace: objectClass
objectClass: top
objectClass: nsEncryptionModule
-
dn: cn=encryption,cn=config
changetype: modify
replace: nsTLS1
nsTLS1: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers:
-fortezza_null,-rsa_rc2_40_md5,-rsa_fips_des_sha,-rsa_rc4_128_m
d5,-rsa_3des_sha,-rsa_rc4_40_md5,-fortezza,-rsa_null_sha,-fortezza_rc4_128_sh
a,-rsa_des_sha,-rsa_fips_3des_sha,-rsa_null_md5,-all,+tls_rsa_aes_128_sha,+tl
s_rsa_aes_256_sha,+TLS_RSA_WITH_AES_128_GCM_SHA256,-tls_rsa_export1024_with_r
c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,+TLS_RSA_WITH_AES_128_GCM_SHA2
56
-
replace: nsKeyfile
nsKeyfile: alias/slapd-master1-key3.db
-
replace: nsCertfile
nsCertfile: alias/slapd-master1-cert8.db
-
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
