HP-UX Directory Server 8.1 administrator guide

12 Managing SSL..........................................................................................................471
12.1 Introduction to SSL in the Directory Server................................................................................471
12.1.1 Enabling SSL: Summary of steps.........................................................................................471
12.1.2 Command line functions for Start TLS................................................................................472
12.1.2.1 Troubleshooting Start TLS...........................................................................................472
12.2 Obtaining and installing server certificates.................................................................................473
12.2.1 Step 1: Generate a certificate request...................................................................................474
12.2.2 Step 2: Send the certificate request......................................................................................477
12.2.3 Step 3: Install the certificate.................................................................................................478
12.2.4 Step 4: Trust the certificate authority...................................................................................478
12.2.5 Step 5: Confirm that the new certificates are installed........................................................479
12.3 Using certutil...............................................................................................................................479
12.3.1 Creating Directory Server certificates through the command line.....................................479
12.3.2 certutil usage........................................................................................................................481
12.4 Starting the server with TLS/SSL enabled...................................................................................482
12.4.1 Enabling TLS/SSL only in the Directory Server...................................................................483
12.4.2 Enabling TLS/SSL in the Directory Server, Administration Server, and console................484
12.4.3 Creating a password file for the Directory Server...............................................................486
12.4.4 Creating a password file for the Administration Server.....................................................486
12.5 Using external security devices...................................................................................................487
12.6 Setting security preferences.........................................................................................................487
12.6.1 Available ciphers..................................................................................................................488
12.6.2 Selecting the encryption cipher...........................................................................................489
12.7 Using certificate-based authentication........................................................................................490
12.7.1 Configuring Directory Server to accept certificate-based authentication from LDAP clients..........491
12.7.2 Mapping DNs to certificates................................................................................................492
12.7.3 Editing the certmap.conf file...............................................................................................495
12.7.4 Example certmap.conf mappings........................................................................................495
12.7.5 Allowing and requiring client authentication to the console..............................................496
12.7.6 Connecting to the Directory Server with certificate-based authentication.........................498
12.8 Managing certificates for the Directory Server............................................................................498
12.8.1 Renewing certificates...........................................................................................................498
12.8.2 Changing the CA trust options............................................................................................498
12.8.3 Changing security device passwords..................................................................................499
12.8.4 Managing certificate lists.....................................................................................................499
13 Managing SASL.......................................................................................................501
13.1 Overview of SASL in Directory Server........................................................................................501
13.1.1 About SASL identity mapping............................................................................................502
13.1.2 Default SASL mappings for Directory Server.....................................................................504
13.1.3 Authentication mechanisms for SASL in Directory Server.................................................505
13.1.4 About Kerberos with Directory Server................................................................................505
13.1.4.1 About principals and realms.......................................................................................505
13.1.4.2 About the KDC server and keytabs.............................................................................506
13.2 Configuring SASL identity mapping...........................................................................................507
13.2.1 Configuring SASL identity mapping from the console.......................................................507
13.2.2 Configuring SASL identity mapping from the command line...........................................508
13.3 Configuring SASL authentication at Directory Server startup...................................................509
13.4 Using an external keytab.............................................................................................................509
14 Monitoring server and database activity..............................................................511
14.1 Viewing and configuring log files...............................................................................................511
14 Table of Contents