HP-UX Directory Server 8.1 administrator guide

matching the host name against the value assigned to the common name (cn) attribute of
the subject name in the certificate being presented for authentication.
By default, this feature is disabled. When it is enabled and the host name does not match the
cn attribute of the certificate, the secure connection is not established and appropriate error
and audit messages are logged. For example, in a replicated environment, messages similar to
these are logged in the supplier server's error log when it finds that the peer server's host
name does not match the name in the peer's certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 -
Unable to communicate securely with peer: requested domain name does not match the server's
certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=agmt1" (host2:389): Replication
bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
HP recommends enabling this option to protect the Directory Server's outbound TLS/SSL
connections against man-in-the-middle (MITM) attacks: without it, any certificate issued by a
trusted CA is accepted regardless of the host it was issued for.
10. Click Save.
11. Restart the Directory Server. The Directory Server must be restarted from the command
line.
/opt/dirsrv/slapd-instance_name/restart-slapd
When the server restarts, it prompts for the PIN or password to unlock the key database.
This is the same password used when the server certificate and key were imported into the
database.
To restart the Directory Server without the password prompt, create a PIN file or use a
hardware crypto device. For information on how to create a PIN file, see “Creating a password
file for the Directory Server”.
For more information about the commands to start, stop, and restart the Directory Server,
see “Starting and stopping servers”.
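The host-name check and the log excerpt above lend themselves to two small pieces of tooling. The following is an added example, not code from the HP-UX Directory Server guide or the product: a detector that scans supplier error-log lines for the NSS error -12276 alert quoted above and pairs it with the replication-agreement bind failure that follows it, plus an illustrative host-name/cn matcher. The log lines are constructed to mirror the excerpt; the agreement names, hosts and ports are made up, the second alert (expired certificate, NSS error -8181) is included only as a non-matching case, and the wildcard rule in the matcher is an assumed reasonable policy, not a description of how the product compares names.

```python
"""Added example (not from the HP-UX Directory Server guide): detect the
host-name-mismatch failure shown in the guide's log excerpt and illustrate
a host-name-versus-cn comparison.  Sample data below is constructed."""
import re
from dataclasses import dataclass

# NSS error code quoted in the guide's SSL alert: the peer's certificate does
# not carry the host name the supplier connected to.
BAD_CERT_DOMAIN = -12276

SSL_ALERT_RE = re.compile(
    r"SSL alert: .*?runtime error (?P<code>-?\d+) - (?P<reason>[^)]*)"
)
AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r"\((?P<host>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)$"
)

# Constructed log lines: the first two mirror the guide's excerpt; the rest
# are filler and a non-matching alert (expired certificate) for contrast.
SAMPLE_LOG = [
    '[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 '
    "(Netscape runtime error -12276 - Unable to communicate securely with "
    "peer: requested domain name does not match the server's certificate.)",
    '[DATE] NSMMReplicationPlugin - agmt="cn=agmt1" (host2:389): Replication '
    "bind with SSL client authentication failed: LDAP error 81 "
    "(Can't contact LDAP server)",
    "[DATE] - constructed filler line for the example",
    '[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 '
    "(Netscape runtime error -8181 - Peer's Certificate has expired.)",
    '[DATE] NSMMReplicationPlugin - agmt="cn=agmt2" (host3:636): Replication '
    "bind with SSL client authentication failed: LDAP error 81 "
    "(Can't contact LDAP server)",
]


@dataclass
class Finding:
    agreement: str   # replication agreement name from the agmt="..." field
    peer_host: str   # host the supplier tried to reach
    peer_port: int
    nss_error: int   # NSS error code from the preceding SSL alert
    reason: str      # text after the error code in the SSL alert


def find_hostname_mismatches(lines):
    """Pair each -12276 SSL alert with the replication-agreement bind failure
    that follows it; alerts with other NSS codes are ignored."""
    findings = []
    pending = None  # (code, reason) of the most recent -12276 alert
    for line in lines:
        m = SSL_ALERT_RE.search(line)
        if m:
            code = int(m.group("code"))
            pending = (code, m.group("reason").strip()) if code == BAD_CERT_DOMAIN else None
            continue
        m = AGMT_RE.search(line)
        if m and pending and "bind with SSL client authentication failed" in m.group("msg"):
            code, reason = pending
            findings.append(Finding(m.group("agmt"), m.group("host"),
                                    int(m.group("port")), code, reason))
            pending = None
    return findings


def hostname_matches_cn(hostname, cn):
    """Illustrative comparison of the connected-to host name with a
    certificate's cn.  DNS names are compared case-insensitively with a
    trailing dot ignored; a single leading '*' label stands for exactly one
    label (an assumed policy, not the product's matching code)."""
    if not hostname or not cn:
        return False
    h = hostname.rstrip(".").lower().split(".")
    c = cn.rstrip(".").lower().split(".")
    if len(h) != len(c):
        return False
    if c[0] == "*":
        return len(c) > 2 and h[1:] == c[1:]
    return h == c


if __name__ == "__main__":
    for f in find_hostname_mismatches(SAMPLE_LOG):
        print(f"agreement {f.agreement}: {f.peer_host}:{f.peer_port} "
              f"NSS {f.nss_error} ({f.reason})")
```

Run the detector over the supplier's error log after enabling the option; a Finding per agreement tells you which peer's certificate was issued for a name other than the one configured in the agreement, which is exactly the condition the MITM protection is meant to surface.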
12.4.2 Enabling TLS/SSL in the Directory Server, Administration Server, and console
1. Obtain server certificates and CA certs, and install them on the Directory Server. This is
described in “Obtaining and installing server certificates”.
2. Obtain and install server and CA certificates on the Administration Server. The process is
similar to that for the Directory Server.
NOTE:
It is important that the Administration Server and Directory Server have a CA certificate in
common so that each can trust the other's certificate.
3. If the default port number of 636 is not used, change the secure port setting.
a. Change the secure port number in the Configuration>Settings tab of the Directory
Server Console, and save.
b. Restart the Directory Server. It restarts over the regular port.
/opt/dirsrv/slapd-instance_name/restart-slapd
For more information about the commands to start, stop, and restart the Directory
Server, see “Starting and stopping servers”.
4. In the Configuration tab of the Directory Server Console, highlight the server name at the
top of the table, and select the Encryption tab.
5. Select the Enable SSL checkbox.
6. Check the Use this Cipher Family checkbox.
7. Select the certificate to use from the drop-down menu.
484 Managing SSL