-
HP-UX Directory Server administration server guide
HP-UX Directory Server Version 8.
-
© Copyright 2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
-
Table of Contents
1 Introduction to HP-UX Directory Server ..... 5
2 Admin Server configuration ..... 7
2.1 Directory Server file locations ..... 7
2.2 Starting and stopping the Admin Server .....
-
5 Support and other resources ..... 51
5.1 Contacting HP ..... 51
5.1.1 Information to collect before contacting HP ..... 51
5.1.2 How to contact HP technical support .....
-
1 Introduction to HP-UX Directory Server
Identity management and directory services with HP-UX Directory Server use three components, working in tandem:
• A Java-based management console
• An administration server, which also functions as a web server
• An LDAP directory server
Figure 1-1 Interactions between the Console, Admin Server, and Directory Server
The Admin Server processes configuration requests for Directory Server instances and performs many common server tasks, such as stopping and starting s
-
These databases can be kept in the same Directory Server instance, but it is also possible to break these services into separate Directory Server instances. In that case, a Directory Server instance's configuration is stored in a separate Directory Server, called the Configuration Directory Server, and user data is stored in the User Directory Server.
-
2 Admin Server configuration
The Admin Server is a separate server from the HP-UX Directory Server, although they work interdependently. The Admin Server processes, file locations, and configuration options are also separate. This chapter covers the Admin Server information, including starting and stopping the Admin Server, enabling SSL, viewing logs, and changing Admin Server configuration properties, such as the server port number.
2.
-
When the Admin Server is successfully started or stopped from the Console, the server displays a message box stating that the server has either started or shut down.
2.2.2 Starting and stopping Admin Server from the command line
The following scripts start, stop, or restart the Admin Server:
Start: /opt/dirsrv/sbin/start-ds-admin
Stop: /opt/dirsrv/sbin/stop-ds-admin
Restart: /opt/dirsrv/sbin/restart-ds-admin
2.
-
Figure 2-1 Login box
TIP: It is possible to send the Admin Server URL and port with the start script. For example:
/opt/dirsrv/bin/hpds-idm-console -a http://localhost:9830
The -a option is a convenience, particularly for logging into a Directory Server for the first time. On subsequent logins, the URL is saved. If the Admin Server port number is not passed with the hpds-idm-console command, then the server prompts for it at the Console login screen. This opens the main Console window.
-
Figure 2-2 The Admin Server console
2.4 Viewing logs
Log files monitor activity for the Admin Server and can help troubleshoot server problems. Admin Server logs use the Common Logfile Format, a broadly supported format that provides information about the server. Admin Server generates two kinds of logs:
Access logs: Access logs show requests to and responses from the Admin Server. By default, the file is located at /var/opt/dirsrv/admin-serv/log/access.
-
2.4.2 Viewing logs in the command line
The access log, by default, is at /var/opt/dirsrv/admin-serv/log/access. To view the access log, open it with a paging utility such as more. Access logs record each connection to the Admin Server by the IP address of the client, the username (bind DN), and the HTTP method used to send the request. Each line has the following format:
ip_address - bind_DN [timestamp -0500] "GET|POST cgi" HTTP_response bytes
Example logs are shown in Example 2-1 “Example access logs”.
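The line format above is regular enough to parse with a single expression, which is what a defender reviewing the Admin Server access log for authentication failures needs. The following Python is an added example, not part of this guide and not HP's code; the log lines it parses are constructed to match the documented format (the bind DN, CGI paths and addresses are made up for the sample), and the 401/403 threshold is an arbitrary choice.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout as documented for the Admin Server access log:
#   ip_address - bind_DN [timestamp -0500] "GET|POST cgi" HTTP_response bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) - (?P<bind_dn>.*?) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>GET|POST) (?P<cgi>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample log (not from a real server): two requests from an
# authenticated console session, three consecutive HTTP 401 responses to
# anonymous requests from a second address, and one malformed line.
SAMPLE_LOG = """\
192.168.123.17 - uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot [22/Dec/2009:23:44:59 -0500] "GET /admin-serv/authenticate HTTP/1.0" 200 338
192.168.123.17 - uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot [22/Dec/2009:23:45:03 -0500] "POST /admin-serv/tasks/Configuration/ServerSetup HTTP/1.0" 200 1120
203.0.113.42 - - [22/Dec/2009:23:46:10 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 206
203.0.113.42 - - [22/Dec/2009:23:46:11 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 206
203.0.113.42 - - [22/Dec/2009:23:46:12 -0500] "GET /admin-serv/authenticate HTTP/1.0" 401 206
garbage line that does not match the format
"""


def parse_access_line(line):
    """Return a dict of fields for one access log line, or None if it does not match."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["bytes"] = 0 if fields["bytes"] == "-" else int(fields["bytes"])
    # CLF timestamp, e.g. 22/Dec/2009:23:44:59 -0500
    fields["timestamp"] = datetime.strptime(fields["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    return fields


def parse_access_log(text):
    """Split a log into parsed entries and the raw lines that could not be parsed."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_access_line(line)
        if parsed is None:
            unparsed.append(line)   # keep malformed lines visible instead of dropping them
        else:
            entries.append(parsed)
    return entries, unparsed


def auth_failures_by_ip(entries):
    """Count HTTP 401/403 responses per client address."""
    return Counter(e["ip"] for e in entries if e["status"] in (401, 403))


def suspicious_ips(entries, threshold=3):
    """Client addresses with at least `threshold` authentication failures, sorted."""
    return sorted(ip for ip, n in auth_failures_by_ip(entries).items() if n >= threshold)


if __name__ == "__main__":
    entries, unparsed = parse_access_log(SAMPLE_LOG)
    failures = auth_failures_by_ip(entries)
    for ip in suspicious_ips(entries):
        print(f"review: {ip} produced {failures[ip]} authentication failures")
    for line in unparsed:
        print(f"unparsed: {line}")
```

To run this over a real file, read /var/opt/dirsrv/admin-serv/log/access and pass its contents to parse_access_log; lines that do not match are returned separately rather than silently skipped, so a format change or a rotated, partially written file is noticed.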
-
Example 2-2 Example error logs
[Mon Dec 22 23:44:59 2009] [notice] [client 127.0.0.1] adm_serv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Mon Dec 22 23:44:59 2009] [notice] [client 127.0.0.1] adm_serv_host_ip_check: host [localhost.localdomain] did not match pattern [*.example.com] - will scan aliases
[Mon Dec 22 23:44:59 2008] [notice] [client 127.0.0.1] adm_serv_host_ip_check: host alias [localhost] did not match pattern [*.example.
-
2.4.4 Changing the log location in the command line The access and error log files' names and locations can be changed to rotate the files. This rotation has to be done manually to create new files if the existing log files become too large. The location can be changed if the default location in /var/opt/dirsrv/admin-serv/log does not meet the application needs. The Admin Server configuration is stored in two locations.
-
3. Click the Network tab.
4. Enter the port number for the Admin Server instance in the Port field. The Admin Server port number has a default number of 9830.
5. Click OK.
6. Open the Tasks tab, and click the Restart Server button to restart the server and apply the changes.
7. Close the Console, then restart the Console, specifying the new Admin Server port number in the connection URL.
2.5.2 Changing the port number in the command line
The port number for the Admin Server is 9830 by default.
-
changetype: modify
replace: nsServerPort
nsServerPort: 10030
Press Enter twice to submit the operation, then Control+C to close ldapmodify.
2. Open the Admin Server configuration directory.
cd /etc/opt/dirsrv/admin-serv
3. Edit the Listen parameter in the console.conf file.
Listen 0.0.0.0:10030
4. Restart the Admin Server.
/opt/dirsrv/sbin/restart-ds-admin
2.6 Setting host restrictions
Connection restrictions specify which hosts are allowed to connect to the Admin Server.
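The port-change procedure in 2.5.2 above updates the same value in two places, the nsServerPort attribute in the Configuration Directory Server and the Listen directive in console.conf, and the Admin Server misbehaves if they drift apart. The following Python is an added example, not part of this guide and not HP's code: it builds the LDIF modify record for nsServerPort and checks that the port it carries agrees with the Listen line of a console.conf. The admin_dn argument is a placeholder (the guide's excerpt does not show the full entry DN), and the console.conf excerpt is constructed.

```python
import re

# Constructed excerpt of console.conf (not a real file); only Listen matters here.
CONSOLE_CONF = """\
# excerpt of /etc/opt/dirsrv/admin-serv/console.conf
ServerRoot "/opt/dirsrv"
Listen 0.0.0.0:10030
"""

LISTEN_RE = re.compile(r"^Listen\s+(?:\S+:)?(\d+)\s*$", re.MULTILINE)
NS_PORT_RE = re.compile(r"^nsServerPort:\s*(\d+)\s*$", re.MULTILINE)


def modify_port_ldif(admin_dn, port):
    """LDIF modify record that replaces nsServerPort, as fed to ldapmodify."""
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    return (
        f"dn: {admin_dn}\n"
        "changetype: modify\n"
        "replace: nsServerPort\n"
        f"nsServerPort: {int(port)}\n"
    )


def listen_port(console_conf_text):
    """Port from the Listen directive, accepting both 'Listen 10030' and 'Listen 0.0.0.0:10030'."""
    m = LISTEN_RE.search(console_conf_text)
    if not m:
        raise ValueError("no Listen directive found in console.conf")
    return int(m.group(1))


def ldif_port(ldif_text):
    """Port value carried by an nsServerPort attribute in an LDIF record."""
    m = NS_PORT_RE.search(ldif_text)
    if not m:
        raise ValueError("no nsServerPort attribute found in LDIF")
    return int(m.group(1))


def ports_consistent(console_conf_text, ldif_text):
    """True when console.conf and the directory entry will advertise the same port."""
    return listen_port(console_conf_text) == ldif_port(ldif_text)


if __name__ == "__main__":
    # PLACEHOLDER DN: substitute the real Admin Server configuration entry.
    ldif = modify_port_ldif("cn=configuration,cn=admin-serv-PLACEHOLDER,o=NetscapeRoot", 10030)
    print(ldif)
    print("consistent" if ports_consistent(CONSOLE_CONF, ldif) else "MISMATCH: fix console.conf")
```

Running the check after step 3 and before the restart in step 4 catches the common mistake of editing only one of the two locations.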
-
The * wildcard can be used to specify a group of hosts. For instance, *.example.com allows all machines in the example.com domain to access the instance. Entering 205.12.*. allows all hosts whose IP addresses begin with 205.12 to access the instance. When specifying IP address restrictions, include all three separating dots. If you do not, the Admin Server returns an error message.
7. Click OK to close the Add... dialog box.
8. Click the Save button to save the new host.
-
o=NetscapeRoot
changetype: modify
replace: nsAdminAccessAddresses
nsAdminAccessAddresses: 72.5.*.*
Press Enter twice to submit the operation, then Ctrl-C to close ldapmodify.
The nsAdminAccessAddresses value can use wildcards to allow ranges. For example, to allow all IP addresses:
nsAdminAccessAddresses: *
To allow only a subset of addresses on a local network:
nsAdminAccessAddresses: 192.168.123.*
3. To set host name or domain-based restrictions, edit the nsAdminAccessHosts attribute.
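The restriction syntax in 2.6 is simple, but a malformed pattern only shows up as an error after the change is committed, and host-name restrictions depend on what the client's address resolves to (the error log example in Example 2-2 shows the server scanning host aliases after the primary name fails to match). The following Python is an added example, not part of this guide and not HP's code: it validates nsAdminAccessAddresses patterns (either * or four dot-separated components, each 0-255 or *) and evaluates address and host-name restrictions the way the text describes them. These matching semantics are an assumption drawn from the prose above, not from the Admin Server's implementation.

```python
import fnmatch
import ipaddress


def validate_ip_pattern(pattern):
    """Return the pattern if it is well formed; raise ValueError otherwise.

    Assumed rule from the guide: '*' alone, or four components separated by
    three dots, each component a number 0-255 or '*'.
    """
    if pattern == "*":
        return pattern
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"{pattern!r}: address patterns need four components (three dots)")
    for part in parts:
        if part == "*":
            continue
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"{pattern!r}: component {part!r} is not 0-255 or *")
    return pattern


def ip_matches(pattern, client_ip):
    """True if a dotted IPv4 client address matches one address pattern."""
    validate_ip_pattern(pattern)
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")  # rejects malformed addresses
    if pattern == "*":
        return True
    return all(p == "*" or p == o for p, o in zip(pattern.split("."), octets))


def ip_allowed(patterns, client_ip):
    """True if the client address matches any nsAdminAccessAddresses value."""
    return any(ip_matches(p, client_ip) for p in patterns)


def host_allowed(patterns, client_host, aliases=()):
    """True if the resolved host name, or any alias, matches an nsAdminAccessHosts glob.

    Mirrors the behaviour visible in the error log: when the primary name does
    not match, the aliases are scanned before the connection is refused.
    """
    candidates = [client_host, *aliases]
    return any(
        fnmatch.fnmatchcase(name.lower(), pattern.lower())
        for pattern in patterns
        for name in candidates
    )


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    for candidate in ("192.168.123.*", "205.12.*", "72.5.*.*"):
        try:
            print(f"{candidate}: ok" if validate_ip_pattern(candidate) else "")
        except ValueError as err:
            print(f"rejected: {err}")
    print(ip_allowed(["192.168.123.*"], "192.168.123.7"))
    print(host_allowed(["*.example.com"], "localhost.localdomain", ["localhost"]))
```

Run validate_ip_pattern over every value before the ldapmodify step; the 205.12.* case shows the "three separating dots" rule being enforced before the Admin Server has to reject it.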
-
NOTE: The Admin Server administrator username and password are stored in the /etc/opt/dirsrv/admin-serv/admpw file. For example:
admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
The password is stored as a one-way hash (the {SHA} prefix denotes a base64-encoded SHA-1 digest) and cannot be changed directly in the admpw file. The username can be changed in this file, but cannot be used to log into the Console unless the password is updated in the Console first.
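The {SHA} scheme in the sample line is an unsalted SHA-1 digest, base64-encoded. The following Python is an added example, not part of this guide and not HP's code: it produces and verifies entries in that format so that a configuration check can confirm what an admpw file holds before a rollout. Checked against the guide's own sample line it shows that the entry is the digest of the string "password", which is the practical reason the file must be readable only by the Admin Server user: the encoding itself offers no protection against guessing. The sample line is the one quoted above; nothing else is taken from a real system.

```python
import base64
import hashlib
import hmac

# The admpw line quoted in the guide's NOTE.
SAMPLE_ADMPW_LINE = "admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="


def sha_scheme_hash(password):
    """Encode a password as the {SHA} scheme does: base64 of the raw SHA-1 digest, no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_admpw_line(line):
    """Split 'username:{SHA}base64digest' into (username, stored_hash)."""
    username, sep, stored = line.strip().partition(":")
    if not sep or not username or not stored.startswith("{SHA}"):
        raise ValueError("expected username:{SHA}<base64 digest>")
    return username, stored


def verify_admpw(line, candidate):
    """True if candidate is the password recorded on the given admpw line."""
    _, stored = parse_admpw_line(line)
    # Constant-time comparison; both strings are ASCII.
    return hmac.compare_digest(sha_scheme_hash(candidate), stored)


def make_admpw_line(username, password):
    """Build a line in the admpw format (the Console, not this script, is the supported way to set it)."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    return f"{username}:{sha_scheme_hash(password)}"


if __name__ == "__main__":
    user, stored = parse_admpw_line(SAMPLE_ADMPW_LINE)
    print(f"user={user} scheme={stored[:5]}")
    print("sample line is the digest of 'password':", verify_admpw(SAMPLE_ADMPW_LINE, "password"))
    print(make_admpw_line("admin", "correct horse battery staple"))
```

Because the digest is unsalted, two administrators with the same password produce identical admpw lines; treat the file like a credential and keep its mode restricted to the Admin Server user identified in console.conf.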
-
2.8.1 Requesting and installing a server certificate
The Admin Server Console has a tool, the Certificate Request Wizard, which generates a valid certificate request to submit to any certificate authority (CA).
1. In the Admin Server Console, select the Tasks tab, and click Manage Certificates.
2. Create a certificate request.
a. Select the Server Certs tab, and click the Request button. Click Next.
b. Enter the Requester Information in the blank text fields, then click Next.
2.
-
• Server Name. The fully qualified host name of the Directory Server as it is used in DNS and reverse DNS lookups; for example, server.example.com. The server name is critical for client-side validation to work, which prevents man-in-the-middle attacks.
IMPORTANT: This must be a valid host name that can be resolved correctly by all Admin Server clients, or TLS/SSL will not work.
• Organization. The legal name of the company or institution.
-
The Next button is grayed out until a password is supplied.
3. The Request Submission dialog box provides two ways to submit a request: directly to the CA (if there is one internally) or manually. To submit the request manually, select Copy to Clipboard or Save to File to save the certificate request which will be submitted to the CA.
2.
-
To submit the request to a CA manually, either email it or use the web form for the CA, if one is available. Copy the certificate request information and submit it using the appropriate method.
-
d. Check that the certificate information displayed is correct, and click Next.
e. Name the certificate, and click Next.
f. Provide the password that protects the private key. This password is the same as the one provided in step c.
After installing the server certificate, configure the Admin Server to trust the CA which issued the server's certificate.
2.8.
-
2. Go to the CA Certs tab, and click Install.
-
3. If the CA's certificate is saved to a file, enter the path in the field provided. Alternatively, copy and paste the certificate, including the headers, into the text box. Click Next. 2.
-
4. Click Next to move through the panels that show the CA certificate information and the certificate name.
5. Select the purpose of trusting this certificate authority; it is possible to select both options:
• Accepting connections from clients (Client Authentication). The server checks that the client's certificate has been issued by a trusted certificate authority.
• Accepting connections to other servers (Server Authentication).
-
6. Click Done. After installing the CA certificate, it is listed in the CA Certificates tab in the Console. NOTE: If a CA certificate is incorrectly generated, it is listed in the Server Certificates tab in the Console rather than the CA Certificates tab. The certificate still works as a CA certificate, even though it is listed in the wrong tab.
-
4. Select the Enable SSL for this server checkbox.
5. Select the Use this cipher family: RSA checkbox.
6. Choose the security device where the key is stored. By default, the key is stored in the local key database, Internal (Software-based). If the key is stored on an external device (such as a smart card), select that device from the menu.
7. Choose the server certificate to use with SSL. The certificates available in the token certificate database are listed in the drop-down menu.
8.
-
9. Set whether to require client authentication to the Admin Server. Client authentication means that the server checks that the client's certificate has been issued by a trusted CA. 10. Click Save. 2.8.
-
NOTE: To find out what the Admin Server user ID is, run grep in the Admin Server configuration directory:
cd /etc/opt/dirsrv/admin-serv
grep \^User console.conf
3. In the /etc/opt/dirsrv/admin-serv directory, edit the nss.conf file to point to the location of the new password file.
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
-
• The LDAP Host is the host name of the Configuration Directory Server machine.
• The LDAP Port is the port number to use for the Directory Server instance. The regular LDAP port is 389; the default LDAPS (secure) port number is 636.
• Check the Secure Connection checkbox to use the secure port. Before checking this box, make sure that the Configuration Directory Server has enabled SSL.
5. Click Save.
2.9.
-
The Use Default User Directory radio button uses the default user directory associated with the domain. To use multiple Directory Server instances or to use a different instance, select the Set User Directory radio button and set the required information: • The LDAP Host and Port field specifies the location of the user directory instance. It is possible to configure multiple locations for the user directory for authentication and other directory functions; separate each location with a space.
-
3 Admin Express
3.1 Managing servers in Admin Express
Admin Express provides a quick, simple web-based gateway to do basic management of servers. There are three tasks that can be performed through Admin Express:
• Stopping and starting the server
• Checking the server access, error, and audit logs
• Monitoring the progress and information for replication between Directory Servers
3.1.1 Opening Admin Express
The Admin Server services pages URL is the Admin Server host and port. For example: http://ldap.
-
Figure 3-2 Checking logs
3.1.4 Viewing server information
The Server Info link on the Admin Express page opens a page with the basic description of the server instance, such as the build number, installation date, and server port number. This is the same information displayed in the Console when an instance is selected.
Figure 3-3 Checking server information
The Directory Server information is located in the /etc/opt/dirsrv/slapd-instance_name/dse.ldif file; the Admin Server information is located in .
-
status of replication, including updates in progress, current changes sequence numbers, and the lag between when a change is made on the supplier and when that change is sent to the consumer. Monitoring replication is set up using a simple configuration file which specifies which server to monitor and what supplier and consumer replicas to include in the status page.
-
Figure 3-4 Viewing replication status
5. Click OK. The Replication Status page shows the status for sending updates to every consumer listed in the configuration file.
Figure 3-5 Viewing replication status
Table | Description
Table header | The table header shows the replica ID of the supplier replica, the replicated suffix root (such as dc=example,dc=com), and the maximum change state number (CSN) on the supplier.
-
3.2 Configuring Admin Express Admin Express can be edited for the page appearance, but most functionality is controlled through the web server or the Admin Server configuration and should be edited through those servers, not by editing the configuration files directly. 3.2.
-
Figure 3-6 Intro page elements All the formatting for the page is set inline. The text files are inserted using the INCLUDEIFEXISTS directive.
3.2.2.2 Files for the replication status appearance
There are two pages for monitoring the replication status. The first is for the configuration page, which requires two files:
• The body of the page, /opt/dirsrv/share/html/monreplication.html
• The heading of the page, /opt/dirsrv/share/html/htmladmin.
-
web applications. These can be edited in the Perl script or by uncommenting the stylesheet reference and supplying a CSS file. For example:
# print the HTML header
print "Content-type: text/html\n\n";
print "\n";
print " Replication Status\n";
# print "
-
The viewdata.html file is very simple, using only the two directives to insert the server data, plus other directives to insert other information. For the Admin Server, the SHOW_DATA directive takes the information from the /etc/opt/dirsrv/admin-serv/local.conf file. For the Directory Server, it takes the data from the /etc/opt/dirsrv/slapd-instance_name/dse.ldif file. The ID_TITLE is the name of the server instance.
-
.... " -->
3.2.3 Admin Express directives
The Admin Express directives are HTML comments that are interpreted by the CGI scripts; these directives are used to set form fields and to pull data from the server configuration and log files.
Table 3-2 Admin Express directives
Directive | Description | Example
ACCESS_LOG | Inserts the server log file. |
-
Table 3-2 Admin Express directives (continued)
Directive | Description | Example
STRING_TO_VIEW | Inserts a form field to use to set the search string for the logs. |
SUBMIT | Inserts a three-button set: to save or submit the form; to reset the form; and to open a help topic. |
3.
-
4 Admin Server command-line tools
The Admin Server has command-line utilities which make it easier to manage the Admin Server without having to launch the Admin Console. This chapter explains where to find and how to use the Admin Server tools.
4.1 sec-activate
The sec-activate tool activates and deactivates SSL for the Admin Server.
• “Location”
• “Syntax”
Location
The sec-activate tool is located in the /opt/dirsrv/lib/cgi-bin directory.
-
Where task is one of the commands listed in Table 4-1 “Task commands for modutil” and option is from Table 4-2 “Options for modutil”. Each modutil command can take one task and one option. Tasks and options You can use the modutil tool to perform a number of different tasks. These tasks are specified through the use of commands and options. Commands specify the task to perform. Options modify a task command. NOTE: Each modutil command can take one task and one option.
-
Table 4-1 Task commands for modutil (continued)
Tasks | Description | Allowed options
-jar JARfile | Adds a new PKCS #11 module to the database. The module must be contained in the named JAR file. The JAR file identifies all files to install, the module name, and mechanism flags. It should also contain any files to be installed on the target machine, including the PKCS #11 module library and other files, such as documentation. | -installdir installation_directory; -tempdir temporaryFolder
-
Table 4-2 Options for modutil (continued)
Option | Description
-mechanisms mechanismList | Specifies the security mechanisms for which a particular module is the default provider. The mechanismList is a colon-separated list of mechanism names. Enclose this list in quotation marks if it contains spaces. The module becomes a default provider for the listed mechanisms when those mechanisms are enabled.
-
• “Enabling a slot”
• “Enabling FIPS compliance”
• “Adding a cryptographic module”
• “Changing the password on a token”
Creating database files
To create a set of security management database files in a directory:
modutil -create -dbdir /etc/opt/dirsrv/admin-serv
WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation.
-
modutil -fips true
WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation.
Type 'q ' to abort, or to continue:
FIPS mode enabled.
Adding a cryptographic module
To add a new cryptographic module to the database:
modutil -dbdir "/etc/opt/dirsrv/admin-serv" -add "Cryptorific Module" \
-libfile "/crypto.
-
5 Support and other resources
5.1 Contacting HP
5.1.1 Information to collect before contacting HP
Be sure to have the following information available before you contact HP:
• Software product name
• Hardware product model number
• Operating system type and version
• Applicable error message
• Third-party hardware or software
• Technical support registration number (if applicable)
5.1.
-
• HP-UX Directory Server administration server guide: The Admin Server is a support server that drives access to the Directory Server Console, provides a web server for Directory Server web applications, and stores some Directory Server configuration. This guide covers how to manage the Admin Server through the Console, through the command line, and through the web services. It also covers basic Admin Server concepts.
-
5.2.3 Troubleshooting resources
• You can search a technical knowledge database available on the HP IT Resource Center (ITRC) website at: http://itrc.hp.com/
• To seek solutions to problems, you can post messages on the ITRC Forums page at the following website (select the HP-UX area in the Areas of peer problem solving section): http://forums.itrc.hp.com/
5.3 Typographic conventions
This document uses the following typographical conventions:
Book title: The title of a book.
-
Glossary
A
access control instruction: See ACI.
access control list: See ACL.
access rights: In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy and all.
-
bind distinguished name: See bind DN.
bind DN: Distinguished name used to authenticate to Directory Server when performing an operation.
bind rule: In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information.
branch entry: An entry that represents the top of a subtree in the directory.
-
CoS definition entry: Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects.
CoS template entry: Contains a list of the shared attribute values. See also template entry.
D
daemon: A background process on a Unix machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning.
DAP: Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory.
-
file type: The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved as ASCII text format. File types are usually identified by the file extension (for example, .GIF or .HTML).
filter: A constraint applied to a directory query that restricts the information returned.
filtered role: Allows you to assign entries to the role depending upon the attribute contained by each entry. You do this by specifying an LDAP filter.
-
L
LDAP: Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.
LDAP client: Software used to request and view LDAP entries from an LDAP Directory Server. See also browser.
LDAP Data Interchange Format: See LDIF.
LDAP URL: Provides the means of locating Directory Servers using DNS, then completing the query through LDAP. A sample LDAP URL is ldap://ldap.example.com.
-
are automatically replicated to the other server. In case of conflict, a time stamp is used to determine which server holds the most recent version.
multiplexor: The server containing the database link that communicates with the remote server.
N
n + 1 directory problem: The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs.
name collisions: Multiple entries with the same distinguished name.
-
presence index: Allows searches for entries that contain a specific indexed attribute.
protocol: A set of rules that describes how devices on a network exchange information.
protocol data unit: See PDU.
proxy authentication: A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN.
proxy DN: Used with proxied authorization.
-
S
SASL: An authentication framework for clients as they attempt to bind to a directory. Also Simple Authentication and Security Layer.
schema: Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.
schema checking: Ensures that entries added or modified in the directory conform to the defined schema.
-
superuser: The most privileged user available on Unix machines. The superuser has complete access privileges to all files on the machine. Also called root.
supplier: Server containing the master copy of directory trees or subtrees that are replicated to replica servers.
supplier server: In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.
-
Index
A
access log
  changing location and name: in the command line, 13; in the Console, 12
  defined, 10
  viewing: in command line, 11; in Console, 10
access settings for Admin Server, 17
Admin Express
  configuring, 37
  directives, 42
  file locations, 37
  files, 37
  for replication status, 39
  for server information page, 40
  for the server logs page, 41
  for the welcome page, 37
  opening, 33
  replication monitoring, 34
  starting and stopping servers, 33
  viewing server information, 34
  viewing server logs, 33
Admi
-
M
modutil
  commands: add, 46; changepw, 46; create, 46; default, 46; delete, 46; disable, 46; enable, 46; fips, 46; force, 46; jar, 46; list, 46; undefault, 46
  options: dbdir, 47; installdir, 47; libfile, 47; mechanisms, 47; newpwfile, 47; nocertdb, 47; pwfile, 47; slot, 47; tempdir, 47
  overview and syntax, 45
  usage examples, 48
  using JAR information file with, 48
P
password file, Admin Server, 29
passwords, 17
port number, 13
  changing in the command line, 14
  changing in the Console, 13
R
replic
U
user directory settings, 31
-