Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.2
Affects Version/s: None
Component/s: 389-ds-base
Labels:
- CEE.neXT
- CEE.nxt

Severity:
Moderate
Epic Link:
IDM-3126

AssignedTeam:
rhel-idm-ds

Story Points:
0
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None

Preliminary Testing:
None
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
Feature, enhancement:On line server certificate refresh
Reason: allow to automatize the certificate renewal without having to stop the service
Result: Administrator could generate the new certificate(s) then replace them, then use "dsconf instancveName config refresh-certs" to start using the new certificates.
Beware although the existing ldap connection are not explicitly closed
if the CA certificate has changed, the existing ldaps connections tend to get closed with SERVER_DOWN error because it expects the old certificate but the server renegotiate the encryption using the new certificate

Show
Feature, enhancement:On line server certificate refresh Reason: allow to automatize the certificate renewal without having to stop the service Result: Administrator could generate the new certificate(s) then replace them, then use "dsconf instancveName config refresh-certs" to start using the new certificates. Beware although the existing ldap connection are not explicitly closed if the CA certificate has changed, the existing ldaps connections tend to get closed with SERVER_DOWN error because it expects the old certificate but the server renegotiate the encryption using the new certificate
Release Note Status:
Proposed
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
PX Review Complete:
PX Scheduling Request:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Goal

Problem Statement Support updating/renewing TLS certificate without restarting slapd
- Presently we require a service restart for the update: https://docs.redhat.com/en-us/documentation/red_hat_directory_server/12/pdf/securing_red_hat_directory_server/Red_Hat_Directory_Server-12-Securing_Red_Hat_Directory_Server-en-US.pdf
  Sections 1.3 and 1.4

Explanation of Cu case:
I'm hoping however that it would be possible for RHDS to support some method of reloading the TLS certificate/key without stopping and restarting the service. If not via something simple like SIGHUP, perhaps a task entry like reloading the schema could trigger slapd to reload the TLS key & certificate and then use it for new client connections.

(This would enable something using a ACME renewal process to call a helper script to easily update the certificate and make it active without needing to coordinate the process across the pool of load-balanced replicas and wait to drain connections from the instance.)

Acceptance criteria

A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.

Renew certificate
Have alternatives for admins other than the currently expected, # dsctl instance_name restart

links to

Upstream issue #6951

Assignee:: IdM DS Dev

Reporter:: Jeremy Absher

Developer:: IdM DS Dev

QA Contact:: IdM DS QE

Doc Contact:: Evgenia Martyniuk

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2025/03/13 8:08 PM

Updated:: 2025/10/10 7:34 PM

Stale Date:: 2026/08/25

Details

Description

Goal

Acceptance criteria

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide