HP-UX Directory Server 8.1 administrator guide
8. Click Cipher Settings.
The Cipher Preference dialog box opens. By default, all ciphers are selected.
9. Set the preferences for client authentication.
• Do not allow client authentication
With this option, the server ignores the client's certificate. This does not mean that the
bind will fail.
• Allow client authentication
This is the default setting. With this option, authentication is performed on the client's
request. For more information about certificate-based authentication, see “Using
certificate-based authentication”.
• Require client authentication
With this option, the server requests authentication from the client.
NOTE:
To use certificate-based authentication with replication, configure the consumer server
either to allow or to require client authentication.
10. To verify the authenticity of requests, select the Check hostname against name in
certificate for outbound SSL connections option. The server does this verification by
matching the host name against the value assigned to the common name (cn) attribute of
the subject name in the certificate being presented for authentication.
By default, this feature is disabled. If it is enabled and if the host name does not match the
cn attribute of the certificate, appropriate error and audit messages are logged. For example,
in a replicated environment, messages similar to these are logged in the supplier server's
log files if it finds that the peer server's host name does not match the name specified in its
certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 -
Unable to communicate securely with peer: requested domain name does not match the server's
certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=agmt1" (host2:389): Replication
bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
HP recommends enabling this option to protect Directory Server's outbound TLS/SSL
connections against a man-in-the-middle (MITM) attack.
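The following is an added example, not code from the HP-UX Directory Server guide or from the product itself. It models the check that step 10 describes: the host name of an outbound connection (here, the host named in a replication agreement) is compared with the cn of the peer certificate's subject DN, and on a mismatch the supplier produces log lines in the spirit of the two shown above. The subject DNs, agreement names and hosts are constructed sample data, and the `Agreement` class and helper functions are assumptions made for the example.

```python
"""Added example (not from the HP-UX Directory Server guide): a stand-alone
model of the "check hostname against name in certificate" option. The guide's
rule is that the host name must match the cn of the subject name in the
certificate presented by the peer; this code applies that rule to constructed
replication agreements and emits log lines modelled on the ones in the guide."""
from dataclasses import dataclass
from typing import List, Optional


def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the value of the first cn RDN in an LDAP-style subject DN.
    Handles '\\,' escapes inside values; returns None if no cn is present."""
    rdns, cur = [], []
    i = 0
    while i < len(subject_dn):
        ch = subject_dn[i]
        if ch == "\\" and i + 1 < len(subject_dn):
            # escaped character (for example a comma inside a value)
            cur.append(subject_dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "cn":
            return value.strip()
    return None


def hostname_matches_cn(hostname: str, subject_dn: str) -> bool:
    """The guide's rule: the outbound connection's host name must equal the
    subject cn. DNS names are case-insensitive, so compare case-folded, and
    ignore a trailing dot on either side. A certificate without a cn fails."""
    cn = subject_cn(subject_dn)
    if cn is None:
        return False
    return hostname.rstrip(".").lower() == cn.rstrip(".").lower()


@dataclass
class Agreement:
    """Constructed stand-in for a replication agreement (assumption)."""
    name: str          # cn of the replication agreement, e.g. "agmt1"
    host: str          # peer host the supplier connects to
    port: int
    peer_subject: str  # subject DN presented by the peer's server certificate


def check_agreement(agmt: Agreement) -> List[str]:
    """Return the log lines a supplier would emit for this agreement: an empty
    list when the host name matches, otherwise two messages modelled on the
    guide's examples, with [DATE] left as a placeholder."""
    if hostname_matches_cn(agmt.host, agmt.peer_subject):
        return []
    return [
        "[DATE] - SSL alert: ldap_sasl_bind(\"\",LDAP_SASL_EXTERNAL) 81 "
        "(Netscape runtime error -12276 - Unable to communicate securely with "
        "peer: requested domain name does not match the server's certificate.)",
        f"[DATE] NSMMReplicationPlugin - agmt=\"cn={agmt.name}\" "
        f"({agmt.host}:{agmt.port}): Replication bind with SSL client "
        "authentication failed: LDAP error 81 (Can't contact LDAP server)",
    ]


# Constructed sample agreements: the first connects to the host named in the
# peer certificate; the second uses a short host name that the certificate's
# cn does not carry, which is exactly the mismatch the option is meant to catch.
SAMPLE_AGREEMENTS = [
    Agreement("agmt0", "host1.example.com", 636,
              "cn=host1.example.com,ou=Directory Servers,o=Example"),
    Agreement("agmt1", "host2", 389,
              "cn=host2.example.com,ou=Directory Servers,o=Example"),
]

if __name__ == "__main__":
    for agmt in SAMPLE_AGREEMENTS:
        lines = check_agreement(agmt) or [f"{agmt.name}: host name matches certificate cn"]
        for line in lines:
            print(line)
```

The second sample agreement fails for the reason the guide's log excerpt illustrates: the agreement names the peer as `host2`, while the certificate was issued to `host2.example.com`. Using the fully qualified name in the agreement (or issuing the certificate for the name actually used) is the fix; disabling the check would leave the outbound connection open to the MITM scenario the recommendation above warns about.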
11. Check the Use SSL in the Console box. Click Save.
12. In the Administration Server Console, select the Configuration tab. Select the Encryption
tab, check the Enable SSL checkbox, and fill in the appropriate certificate information.
13. In the Configuration DS tab, change the port number to the new Directory Server secure
port information. See “Changing Directory Server port numbers” for more information. Do
this even if the default port of 636 is used. Check the Secure Connection checkbox.
14. In the User DS tab, select the Set User Directory radio button, and fill in the Directory
Server secure port information, the LDAP URL, and the user database information. Check
the Secure Connection checkbox.
15. Save the new TLS/SSL settings and Configuration DS and User DS information in the
Administration Server Console.
16. Restart the Directory Server. The server must be restarted from the command line.
/opt/dirsrv/slapd-instance_name/restart-slapd
When the server restarts, it prompts for the PIN or password to unlock the key database.
This is the same password used when the server certificate and key were imported into the
database.
12.4 Starting the server with TLS/SSL enabled 485