HP-UX Directory Server 8.1 administrator guide

12 Managing SSL
To provide secure communications over the network, HP-UX Directory Server includes the
LDAPS communications protocol. LDAPS is the standard LDAP protocol, running over Transport
Layer Security (TLS, formerly Secure Sockets Layer or SSL). Directory Server also allows
spontaneous secure connections over otherwise-insecure LDAP ports, using the Start TLS LDAP
extended operation.
This chapter describes how to use TLS/SSL with Directory Server.
Topics include:
“Introduction to SSL in the Directory Server” (page 471)
“Obtaining and installing server certificates” (page 473)
“Using certutil” (page 479)
“Starting the server with TLS/SSL enabled” (page 482)
“Using external security devices” (page 487)
“Setting security preferences” (page 487)
“Using certificate-based authentication” (page 490)
“Managing certificates for the Directory Server” (page 498)
12.1 Introduction to SSL in the Directory Server
The Directory Server supports TLS/SSL to secure communications between LDAP clients and
the Directory Server, between Directory Servers that are bound by a replication agreement, or
between a database link and a remote database. Directory Server can use TLS/SSL with simple
authentication (bind DN and password) or with certificate-based authentication.
Directory Server's cryptographic services are provided by Mozilla Network Security Services
(NSS), a library of TLS/SSL and base cryptographic functions. NSS includes a software-based
cryptographic token that is FIPS 140-2 certified.
Using TLS/SSL with simple authentication ensures confidentiality and data integrity. There are
two major benefits to using a certificate (whether held on a smart card, on a token, or in
software) to authenticate to the Directory Server instead of a bind DN and password:
Improved efficiency
Applications that prompt once for the certificate database password and then use that
certificate for all subsequent bind or authentication operations are more efficient than
applications that require a bind DN and password to be supplied repeatedly.
Improved security
Certificate-based authentication is more secure than non-certificate bind operations because
it uses public-key cryptography, so bind credentials cannot be intercepted across the network.
If the certificate or device is lost, it is useless without the PIN, so it is immune to
third-party interference such as phishing attacks.
The Directory Server is capable of simultaneous TLS/SSL and non-SSL communications. This
means that you do not have to choose between TLS/SSL or non-SSL communications for the
Directory Server; both can be used at the same time. Directory Server can also utilize the Start
TLS extended operation to allow TLS/SSL secure communication over a regular (insecure) LDAP
port.
12.1.1 Enabling SSL: Summary of steps
To configure the Directory Server to use LDAPS, follow these steps:
12.1 Introduction to SSL in the Directory Server 471