HP CIFS Server 3.0i Administrator's Guide version A.02.03.03

The Kerberos v5 Client product requires that you install the patches on your HP-UX 11i v1 and
v2 systems. Refer to HP CIFS Server 3.0d Release Notes version A.02.02 for detailed patch information.
For the latest LDAP Integration software, download the product from the following web site:
http://www.hp.com/go/softwaredepot
Enter LDAP-UX Integration for HP-UX in the search field.
Strong Authentication Support
When LDAP server signing is set to required for strong authentication support
on a Windows 2000/2003 ADS Domain Controller (DC), you can enable an extended operation
of the Transport Layer Security (TLS) protocol called startTLS on an HP CIFS Server to provide
signing negotiation with the Windows ADS DC. The SSL/TLS protocol provides secure
communication between an HP CIFS Server and a Windows 2000/2003 ADS DC. With the
startTLS feature, you have the flexibility to use the unencrypted port, 389, to establish an
encrypted connection.
If you want to enable startTLS for strong authentication support, you must perform the following
tasks before you follow the instructions to run the kinit and net ads join commands as
described in “Step-by-step Procedure” (page 76) to join an HP CIFS Server to a Windows 2000/2003
ADS domain as a domain member server:
- Install Certification Authority (CA) on a Windows ADS Server.
- Download and install the certificate database files, cert8.db and key3.db, on the HP CIFS
  Server machine from a Windows CA Server.
- Configure HP CIFS Server to enable the startTLS feature.
Steps to install Certification Authority (CA) on a Windows ADS Server
You need to install SSL/TLS Certification Authority (CA) on a Windows ADS Server before you
download the certificate database files, cert8.db and key3.db, on your HP CIFS Server machine.
If you have installed MS IIS Service, you must stop and restart MS IIS Service while installing
CA.
NOTE: If a previous CA has been installed on your Windows ADS Server and the CA services
do not work, you must remove them before you reinstall CA. For detailed information on how
to manually remove Windows Certificate Authority from a Windows 2000/2003 domain, refer
to a document from Microsoft at:
http://support.microsoft.com/kb/555151/en-us
The following steps show you how to install MS CA on a Windows ADS Server using MS
Certificate Service Installation Wizard:
1. Select Control Panel -> Add-Remove Programs -> Add-Remove Windows Components
2. Check Certificate Service
3. Check Application Server
4. Click Next button
5. Select Enterprise Root Certificate Authority
6. Provide a common name (CN) for the system. It must be a fully qualified domain name.
7. Specify Certificate database settings log location. For example,
C:\Windows\system32\CertLog
8. To install CA services, you must temporarily stop MS IIS Service if you have installed it.
Then, restart it after installation of CA services is completed.
9. Run Certificate Services in Administrator Tools to verify that installation of Windows
Certificate Authority succeeded.
72 Windows 2000/2003 Domains