HP-UX Directory Server 8.1 administrator guide
NOTE:
On SSL-enabled servers, check the file permissions on the certificate database files, key
database files, and PIN files. These files hold sensitive material (the private keys and the
PIN that unlocks them), and the server does not enforce restrictive permissions on them, so
their modes must be verified and set by hand.
All of these files must be owned by the Directory Server user (by default nobody). The key and
certificate databases should be readable and writable by that user only (mode 0600). The PIN
file should be readable by that user only, with no write access and no access for any other
user (mode 0400).
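The following script is an added example, not part of the HP-UX guide, that audits one instance's files against the policy in the NOTE above and reports every deviation. It assumes the files are the NSS databases cert8.db and key3.db plus a PIN file pin.txt kept in the instance directory DS_INSTANCE_DIR (default /etc/opt/dirsrv/slapd-example), and that the server runs as DS_USER (default nobody); adjust these names to your installation.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): audit the ownership and mode of
# one instance's certificate database, key database and PIN file against
# the policy in the NOTE above.
# Assumptions: the files are the NSS databases cert8.db and key3.db plus a
# PIN file pin.txt, kept in the instance directory DS_INSTANCE_DIR (default
# /etc/opt/dirsrv/slapd-example), and the server runs as DS_USER (default
# nobody).  Adjust these to your installation.

# check_file FILE EXPECTED_LS_MODE EXPECTED_OWNER
# Compares the 10-character mode string and the owner column of `ls -ld`
# (same layout on HP-UX and Linux).  Prints one status line and returns
# 0 when both match, 1 otherwise.
check_file() {
    f=$1; want_mode=$2; want_owner=$3
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 1
    fi
    # Reuse the positional parameters for the ls fields: $1 is the mode
    # (possibly with a trailing '+' or '.' for ACLs/SELinux), $3 the owner.
    set -- $(ls -ld "$f")
    have_mode=$(printf '%s' "$1" | cut -c1-10)
    have_owner=$3
    rc=0
    if [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER   $f: owned by $have_owner, expected $want_owner"
        rc=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE    $f: $have_mode, expected $want_mode"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK      $f ($have_mode $have_owner)"
    fi
    return "$rc"
}

# audit_instance DIR OWNER
# Databases must be 0600 (-rw-------), the PIN file 0400 (-r--------),
# all owned by the server user.  Returns the number of files that failed,
# so 0 means the instance passes.
audit_instance() {
    dir=$1; owner=$2; failures=0
    for spec in "cert8.db -rw-------" "key3.db -rw-------" "pin.txt -r--------"; do
        set -- $spec            # $1 = file name, $2 = expected mode string
        check_file "$dir/$1" "$2" "$owner" || failures=$((failures + 1))
    done
    return "$failures"
}

inst=${DS_INSTANCE_DIR:-/etc/opt/dirsrv/slapd-example}
if [ -d "$inst" ]; then
    if audit_instance "$inst" "${DS_USER:-nobody}"; then
        echo "all files OK"
    else
        echo "some files need attention; fix them with chown and chmod"
    fi
else
    echo "instance directory $inst not found; set DS_INSTANCE_DIR" >&2
fi
```

Run it as root (or as the server user) after installing certificates and again after any restore from backup, since restore tools commonly recreate files with the default umask rather than the modes the guide requires.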
12.4.1 Enabling TLS/SSL only in the Directory Server
1. Obtain and install CA and server certificates.
2. Set the secure port for the server to use for TLS/SSL communications.
The encrypted port number must not be the same port number used for normal LDAP
communications. By default, the standard port number is 389, and the secure port is 636.
a. Change the secure port number in the Configuration>Settings tab of the Directory
Server Console.
b. Restart the Directory Server. It comes back up on the regular port only; the secure port
is not used until TLS/SSL is enabled in the steps that follow.
3. In the Directory Server Console, select the Configuration tab, then select the top entry in
the navigation tree in the left pane. Select the Encryption tab in the right pane.
4. Select the Enable SSL for this Server checkbox.
5. Check the Use this Cipher Family checkbox.
6. Select the certificate to use from the drop-down menu.
7. Click Cipher Settings.
The Cipher Preference dialog box opens. By default, all ciphers are selected. Review the list
rather than accepting the default, and deselect weak and export-grade ciphers.
8. Set the preferences for client authentication.
• Do not allow client authentication
With this option, the server ignores any certificate the client presents. The bind itself
does not fail; it simply cannot be certificate-based.
• Allow client authentication
This is the default setting. With this option, certificate-based authentication is performed
when the client requests it; a client that presents no certificate can still bind by other
means. For more information about certificate-based authentication, see “Using
certificate-based authentication”.
• Require client authentication
With this option, the server requires every SSL client to present a certificate and does not
accept SSL connections from clients that cannot present one.
If TLS/SSL is only enabled in the Directory Server and not in the Directory Server Console, do
not select the Require client authentication checkbox.
NOTE:
To use certificate-based authentication with replication, the consumer server must be
configured either to allow or to require client authentication.
9. To verify the authenticity of requests, select the Check hostname against name in
certificate for outbound SSL connections option. The server does this verification by
12.4 Starting the server with TLS/SSL enabled 483
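The Console steps above write attributes under cn=config. The following script is an added example, not part of the HP-UX guide, that generates the equivalent ldapmodify input for steps 2, 4, 6, 8 and 9 after checking the constraints the procedure states (a secure port that differs from the LDAP port, a named certificate, a client-authentication policy of off, allowed or required). The attribute and entry names it uses (nsslapd-security, nsslapd-securePort, nsslapd-ssl-check-hostname, nsSSL3, nsSSLClientAuth, and the cn=RSA,cn=encryption,cn=config entry with nsSSLToken, nsSSLPersonalitySSL and nsSSLActivation) are those of Red Hat/389 Directory Server 8.x, from which HP-UX Directory Server derives; treat them as an assumption and verify them against cn=config on your instance before applying anything. The nickname Server-Cert and the environment variables are placeholders.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): generate the cn=config changes
# equivalent to console steps 2, 4, 6, 8 and 9 above, after checking the
# constraints the procedure states.
# Assumption: the attribute and entry names are those of Red Hat/389
# Directory Server 8.x, from which HP-UX Directory Server derives; verify
# them against cn=config on your instance before applying the output.
# The nickname Server-Cert and the environment variables are placeholders.

LDAP_PORT=${LDAP_PORT:-389}          # regular LDAP port (step 2)
SECURE_PORT=${SECURE_PORT:-636}      # secure port, must differ (step 2)
CERT_NICK=${CERT_NICK:-Server-Cert}  # certificate selected in step 6
CLIENT_AUTH=${CLIENT_AUTH:-allowed}  # off | allowed | required (step 8)
CHECK_HOSTNAME=${CHECK_HOSTNAME:-on} # outbound hostname check (step 9)
RSA_ENTRY=${RSA_ENTRY:-add}          # 'add' cn=RSA, or 'modify' if it exists

# validate_ssl_params LDAP_PORT SECURE_PORT CERT_NICKNAME CLIENT_AUTH
# Returns 0 if the parameters satisfy the procedure's rules, 1 otherwise.
validate_ssl_params() {
    std=$1; sec=$2; nick=$3; cauth=$4
    if [ "$std" = "$sec" ]; then
        echo "error: secure port $sec must differ from the LDAP port $std" >&2
        return 1
    fi
    if [ -z "$nick" ]; then
        echo "error: a server certificate nickname is required" >&2
        return 1
    fi
    case "$cauth" in
        off|allowed|required) ;;
        *) echo "error: client auth must be off, allowed or required, not '$cauth'" >&2
           return 1 ;;
    esac
    if [ "$cauth" = "required" ]; then
        # The guide's caveat: do not require client certificates unless every
        # SSL client, the Console included, can present one.
        echo "warning: 'required' rejects SSL clients without a certificate" >&2
    fi
    return 0
}

# ssl_ldif SECURE_PORT CERT_NICKNAME CLIENT_AUTH CHECK_HOSTNAME RSA_ENTRY
# Prints ldapmodify input on stdout: cn=config (security on, secure port,
# hostname check), cn=encryption,cn=config (protocol and client-auth
# policy) and cn=RSA,cn=encryption,cn=config (which certificate to serve).
ssl_ldif() {
    sec=$1; nick=$2; cauth=$3; chk=$4; rsa=$5
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-securePort
nsslapd-securePort: $sec
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: $chk

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: $cauth

EOF
    if [ "$rsa" = "add" ]; then
        # The entry does not exist on a fresh instance; 'add' fails if the
        # Console already created it, in which case use RSA_ENTRY=modify.
        cat <<EOF
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLToken: internal (software)
nsSSLPersonalitySSL: $nick
nsSSLActivation: on
EOF
    else
        cat <<EOF
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: $nick
-
replace: nsSSLActivation
nsSSLActivation: on
EOF
    fi
}

if validate_ssl_params "$LDAP_PORT" "$SECURE_PORT" "$CERT_NICK" "$CLIENT_AUTH"; then
    ssl_ldif "$SECURE_PORT" "$CERT_NICK" "$CLIENT_AUTH" "$CHECK_HOSTNAME" "$RSA_ENTRY"
fi
```

Redirect the output to a file, review it, apply it with ldapmodify as Directory Manager over the regular port, and then restart the server (step 2b) so that it starts listening on the secure port. Cipher selection (step 7) is the nsSSL3Ciphers attribute of cn=encryption,cn=config and is left at the server default here, which is the same "all ciphers" default the dialog shows.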