From 949e80d7b6b1b0603385ca2280bb8010ed81b7e7 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Wed, 26 Jun 2013 07:40:35 +0000
Subject: [PATCH] Backport documentation fixes r9052, r9059, r9060, r9061
---
src/main/docbkx/admin-guide/chap-connection-handlers.xml | 62 ++++++++++++++++++++++++------
src/main/docbkx/install-guide/chap-upgrade.xml | 8 +--
src/main/docbkx/admin-guide/appendix-file-layout.xml | 12 ------
src/main/docbkx/admin-guide/chap-monitoring.xml | 4 +-
src/main/docbkx/install-guide/chap-install-cli.xml | 6 +-
5 files changed, 57 insertions(+), 35 deletions(-)
diff --git a/src/main/docbkx/admin-guide/appendix-file-layout.xml b/src/main/docbkx/admin-guide/appendix-file-layout.xml
index c62e940..6f9715d 100644
--- a/src/main/docbkx/admin-guide/appendix-file-layout.xml
+++ b/src/main/docbkx/admin-guide/appendix-file-layout.xml
@@ -162,18 +162,6 @@
</listitem>
</varlistentry>
<varlistentry>
- <term><filename>install.html</filename></term>
- <listitem>
- <para>Quick installation instructions in case you are offline</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><filename>install.txt</filename></term>
- <listitem>
- <para>Text version of <filename>install.html</filename></para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term><filename>instance.loc</filename></term>
<listitem>
<para>Pointer to OpenDJ on the file system, useful in installations where
diff --git a/src/main/docbkx/admin-guide/chap-connection-handlers.xml b/src/main/docbkx/admin-guide/chap-connection-handlers.xml
index cd5e12d..a694f61 100644
--- a/src/main/docbkx/admin-guide/chap-connection-handlers.xml
+++ b/src/main/docbkx/admin-guide/chap-connection-handlers.xml
@@ -449,11 +449,29 @@
<procedure xml:id="new-self-signed-cert">
<title>To Create & Install a Self-Signed Certificate</title>
-
- <para>First you create and sign a server certificate that you place in
- a Java Key Store. Then you set up the Key Manager Provider and Trust Manager
- Provider to rely on your new server certificate in its key store.</para>
-
+
+ <para>If you choose to configure LDAP Secure Access when setting up OpenDJ
+ directory server, the setup program generates a key pair in the Java Key
+ Store <filename>/path/to/opendj/config/keystore</filename>, and self-signs
+ the public key certificate, which has the alias <literal>server-cert</literal>.
+ The password for the key store and the private key is stored in clear text
+ in the file <filename>/path/to/opendj/config/keystore.pin</filename>.</para>
+
+ <para>If you want to secure communications, but did not chose to configure
+ LDAP Secure Access at setup time, this procedure can help. The following
+ steps explain how to create and install a key pair with a self-signed
+ certificate in preparation to configure LDAPS or HTTPS. First you create a
+ key pair in a new Java Key Store, and then self-sign the certificate. Next,
+ you set up the Key Manager Provider and Trust Manager Provider to access
+ the new server certificate in the new key store.</para>
+
+ <para>If instead you want to <emphasis>replace the existing server key pair
+ with self-signed certificate</emphasis>, then first use <command>keytool
+ -delete -alias server-cert</command> to delete the existing keys before you
+ generate a new key pair with the same alias. You can also either reuse the
+ existing password in <filename>keystore.pin</filename>, or use a new password
+ as shown in the steps below.</para>
+
<step>
<para>Generate the server certificate using the Java
<command>keytool</command> command.</para>
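Review bot: The added `keytool -delete -alias server-cert` in the third new paragraph names no key store, so keytool falls back to the default key store in the user's home directory instead of OpenDJ's. I would write it as `keytool -delete -alias server-cert -keystore /path/to/opendj/config/keystore`, matching the `-keystore` option used in the generation step. Two wording slips in the same paragraphs: `did not chose` should be `did not choose`, and `with self-signed certificate` should be `with a self-signed certificate`. The procedure continues past the end of this hunk.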
@@ -465,6 +483,7 @@
-keystore /path/to/opendj/config/keystore
-storepass changeit
-keypass changeit</screen>
+
<para>In this example, OpenDJ is running on a system with fully qualified
host name <literal>opendj.example.com</literal>. The Java Key Store (JKS)
is created in the <filename>config</filename> directory where OpenDJ is
@@ -476,6 +495,9 @@
OpenDJ requires that you use the same password to protect both the
key store and also the private key.</para>
</note>
+
+ <para>Keep track of the password provided to the <option>-storepass</option>
+ and <option>-keypass</option> options.</para>
</step>
<step>
<para>Self-sign the server certificate.</para>
@@ -486,10 +508,19 @@
-storepass changeit</screen>
</step>
<step>
- <para>Configure the File Based Key Manager Provider for JKS to use the
- file name and key store PIN that you set up with the
- <command>keytool</command> command.</para>
- <screen>$ dsconfig
+ <para>Configure the File Based Key Manager Provider for JKS to access the
+ Java Key Store with key store/private key password.</para>
+
+ <para>In this example, the alias is <literal>server-cert</literal> and the
+ password is <literal>changeit</literal>.</para>
+
+ <para>If you are replacing a key pair with a self-signed certificate,
+ reusing the <literal>server-cert</literal> alias and password stored in
+ <filename>keystore.pin</filename>, then you can skip this step.</para>
+
+ <screen>$ echo changeit > /path/to/opendj/config/keystore.pin
+$ chmod 600 /path/to/opendj/config/keystore.pin
+$ dsconfig
set-key-manager-provider-prop
--hostname opendj.example.com
--port 4444
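Review bot: The added `echo changeit > /path/to/opendj/config/keystore.pin` creates the PIN file under the shell's current umask when the file does not yet exist, so it can be readable by other local users until the following `chmod 600` runs. Setting the mask first closes that window: `$ (umask 077; echo changeit > /path/to/opendj/config/keystore.pin)`. Typing the password as an `echo` argument also usually leaves it in shell history, which the step could mention alongside a note that the file should belong to the account that runs OpenDJ. The `dsconfig` command in this `<screen>` continues into the next hunk.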
@@ -497,14 +528,17 @@
--bindPassword password
--provider-name JKS
--set enabled:true
- --set key-store-pin:changeit
- --remove key-store-pin-file:config/keystore.pin
+ --set key-store-file:config/keystore
+ --set key-store-pin-file:config/keystore.pin
--trustAll
--no-prompt</screen>
</step>
<step>
<para>Configure the File Based Trust Manager Provider for JKS to use the
key store and PIN as well.</para>
+
+ <para>If you skipped the previous step, you can also skip this step.</para>
+
<screen>$ dsconfig
set-trust-manager-provider-prop
--hostname opendj.example.com
@@ -514,11 +548,13 @@
--provider-name JKS
--set enabled:true
--set trust-store-file:config/keystore
- --set trust-store-pin:changeit
+ --set trust-store-pin-file:config/keystore.pin
--trustAll
--no-prompt</screen>
+
<para>At this point, OpenDJ directory server can use your new self-signed
- certificate, for example for StartTLS and LDAPS connection handlers.</para>
+ certificate, for example for StartTLS and LDAPS or HTTPS connection
+ handlers.</para>
</step>
</procedure>
</section>
diff --git a/src/main/docbkx/admin-guide/chap-monitoring.xml b/src/main/docbkx/admin-guide/chap-monitoring.xml
index 4b74f67..b0b4b22 100644
--- a/src/main/docbkx/admin-guide/chap-monitoring.xml
+++ b/src/main/docbkx/admin-guide/chap-monitoring.xml
@@ -28,7 +28,7 @@
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
xmlns:xlink='http://www.w3.org/1999/xlink'
- >
+ xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<title>Monitoring, Logging, & Alerts</title>
<para>This chapter describes the monitoring capabilities that OpenDJ
@@ -37,7 +37,7 @@
<indexterm><primary>Monitoring</primary></indexterm>
<para>OpenDJ Control Panel provides basic monitoring capabilities under
- Monitoring > Connection Handler, Monitoring > Connection Handler, and
+ Monitoring > General Information, Monitoring > Connection Handler, and
Monitoring > Manage Tasks. This chapter covers the other options for
monitoring OpenDJ.</para>
diff --git a/src/main/docbkx/install-guide/chap-install-cli.xml b/src/main/docbkx/install-guide/chap-install-cli.xml
index 293f812..6974eeb 100644
--- a/src/main/docbkx/install-guide/chap-install-cli.xml
+++ b/src/main/docbkx/install-guide/chap-install-cli.xml
@@ -503,9 +503,9 @@
<para>Before you install OpenDJ, install a Java runtime environment if none
is installed yet.</para>
- <screen>$ java -version
-java version ...
-OpenJDK Runtime Environment ...</screen>
+ <screen>$ su
+Password:
+# rpm -ivh jdk-*.rpm</screen>
</step>
<step>
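Review bot: The new `# rpm -ivh jdk-*.rpm` installs, as root, whatever file in the current directory matches the glob, with no check of where the package came from. I would add a verification line before it, for example `# rpm -K jdk-*.rpm`, which is useful where the vendor signs the package and its key has been imported, and name the expected package file rather than a wildcard. Because the step says to install Java only "if none is installed yet", the example would also benefit from keeping a `$ java -version` check ahead of the install command. The enclosing step begins before this hunk.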
diff --git a/src/main/docbkx/install-guide/chap-upgrade.xml b/src/main/docbkx/install-guide/chap-upgrade.xml
index df9004e..1581491 100644
--- a/src/main/docbkx/install-guide/chap-upgrade.xml
+++ b/src/main/docbkx/install-guide/chap-upgrade.xml
@@ -34,13 +34,11 @@
<para>This chapter covers upgrade from OpenDJ 2.4.5 and later versions.</para>
- <para>For upgrades from earlier versions, upgrade first to OpenDJ
- <?eval ${stableServerVersion}?>, and then follow the procedures in this
- chapter. See <link xlink:show="new"
+ <para>For upgrades from earlier versions, upgrade first to at least OpenDJ
+ 2.4.5, and then follow the procedures in this chapter. See <link xlink:show="new"
xlink:href="https://wikis.forgerock.org/confluence/display/OPENDJ/OpenDJ+Installation+Guide#OpenDJInstallationGuide-UpgradingOpenDJDirectoryServer"
>Upgrading OpenDJ Directory Server</link> in the OpenDJ Wiki for details on
- upgrading to OpenDJ <?eval ${stableServerVersion}?> from earlier
- versions.</para>
+ upgrading to OpenDJ 2.4.5 from earlier versions.</para>
<procedure xml:id="before-you-upgrade">
<title>Before You Upgrade</title>
--
Gitblit v1.10.0