HP-UX Directory Server 8.1 administrator guide
5. In the Cipher Preference dialog box, specify which ciphers for the Directory Server to use
by selecting them from the list, and click OK.
Unless there is a security reason not to use a specific cipher, select all the ciphers, except for
none,MD5.
6. In the Encryption tab, click Save.
CAUTION:
Avoid selecting the none,MD5 cipher because the server will use this option if no other
ciphers are available on the client, instead of refusing the connection. The none,MD5 cipher
is not secure because encryption does not occur.
12.7 Using certificate-based authentication
Directory Server allows certificate-based authentication for the command line tools (which are
LDAP clients) and for server-to-server connections (replication and chaining).
NOTE:
A single configuration parameter, nsslapd-certdir, in cn=config in dse.ldif lists the
directory containing the key, certificate, and security files. The directory name should be unique
and specific to the server. For example, the /etc/opt/dirsrv/slapd-instance_name
directory contains the key and certificate databases only for the Directory Server instance called
instance_name. That directory will not contain key and certificate databases for any other
server or client, nor will any of the key, certificate, or other security-related files for
instance_name be located in any other directory.
Directory Server used to keep separate configuration attributes for the key and certificate
databases. With the change to Filesystem Hierarchy Standard, the certificate and key configuration
attributes have been consolidated into a single attribute, nsslapd-certdir, and the key and
certificate files are stored in the /etc/opt/dirsrv/slapd-instance_name directory.
Previous versions of Directory Server used a single directory, /var/opt/netscape/server7/alias,
for all security-related files for all servers, and required a unique prefix, such as
slapd-instance-, for the key, certificate, and security-related files. The Directory Server used
the attributes nsCertFile and nsKeyFile to give the locations for the key and certificate
databases.
When a server receives a request from a client, it can ask for the client's certificate before
proceeding.
After checking that a client certificate chain ends with a trusted CA, the server can optionally
determine which user is identified by the client certificate, then look up that user's entry in the
directory. Each certificate has the name of the identity it verifies in a subject name, called the
subject DN. The server authenticates the user by comparing the information in the subject DN
with the DN of the user's directory entry.
In order to locate user entries in the directory, a server must know how to interpret the subject
names of certificates from different CAs. The mapping between the subject names of the certificates
and the user DNs is defined in the certmap.conf file. This file provides three kinds of
information for each listed CA:
• It maps the distinguished name (DN) in the certificate to a branch point in the LDAP
directory.
• It specifies which DN values from the certificate (user name, email address, and so on) the
server should use for the purpose of searching the directory.
• It specifies whether the server should go through an additional verification process. This
process involves comparing the certificate presented for authentication with the certificate
490 Managing SSL
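The following Python script is an added example, not code from the HP-UX guide or from the Directory Server product, that models the three kinds of certmap.conf information described above: the subject-DN components that form the branch point (DNComps), the components used to build the search filter (FilterComps), and the extra verification flag (verifycert). The keyword names follow the Netscape/389 certmap.conf format; the configuration text, CA names, issuer and subject DNs, and the assumption that the certificate attribute `e` corresponds to the LDAP attribute `mail` are all constructed for this illustration. The filter values are escaped so that a crafted subject DN cannot change the meaning of the search filter.

```python
import re

# Constructed certmap.conf fragment (keyword names as in the Netscape/389
# format; CA names, issuer DNs and attribute choices are made up here).
CERTMAP_CONF = """
# Fallback mapping used for any CA without its own entry.
certmap default default
default:DNComps
default:FilterComps e, uid
default:verifycert on

# CA-specific mapping: the certmap line names the CA and gives its issuer DN.
certmap ExampleCA o=Example Corp,c=US
ExampleCA:DNComps ou, o, c
ExampleCA:FilterComps cn
ExampleCA:verifycert off
"""

# Assumption for this example: the certificate attribute 'e' (email) is
# looked up as the LDAP attribute 'mail'.
CERT_TO_LDAP_ATTR = {"e": "mail"}


def parse_dn(dn):
    """Split a DN such as 'cn=Jane,ou=People,o=Example Corp,c=US' into ordered
    (type, value) pairs. Simplified: escaped commas in values are not handled."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Canonical form used to compare issuer DNs."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


def parse_certmap(text):
    """Return {name: {'issuer', 'DNComps', 'FilterComps', 'verifycert'}}."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer, "DNComps": [],
                          "FilterComps": [], "verifycert": False}
            continue
        name, _, rest = line.partition(":")
        if name not in maps:
            raise ValueError(f"property for undeclared certmap {name!r}")
        key, _, value = rest.strip().partition(" ")
        if key in ("DNComps", "FilterComps"):
            maps[name][key] = [c.strip().lower() for c in value.split(",") if c.strip()]
        elif key == "verifycert":
            maps[name][key] = value.strip().lower() == "on"
    return maps


def escape_filter_value(value):
    """Escape characters that are special in LDAP search filters (RFC 4515)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def select_mapping(maps, issuer_dn):
    """Pick the entry whose issuer DN matches the certificate's issuer, else 'default'."""
    wanted = normalize_dn(issuer_dn)
    for name, entry in maps.items():
        if name != "default" and normalize_dn(entry["issuer"]) == wanted:
            return entry
    return maps["default"]


def build_search(maps, subject_dn, issuer_dn):
    """Map a client certificate's subject DN to the LDAP search for the user entry.
    Returns (base_dn, filter, verify_cert); filter is None if no FilterComps
    attribute is present in the subject, i.e. the certificate cannot be mapped."""
    entry = select_mapping(maps, issuer_dn)
    subject = parse_dn(subject_dn)
    # 1. Branch point: subject RDNs listed in DNComps, in certificate order.
    #    Empty DNComps means the whole directory, shown as an empty base DN.
    base_dn = ",".join(f"{a}={v}" for a, v in subject if a in entry["DNComps"])
    # 2. Filter: one equality term per FilterComps attribute found in the subject.
    terms = []
    for comp in entry["FilterComps"]:
        for a, v in subject:
            if a == comp:
                terms.append(f"({CERT_TO_LDAP_ATTR.get(a, a)}={escape_filter_value(v)})")
                break
    ldap_filter = None if not terms else terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    # 3. Whether to also compare the presented certificate with the stored one.
    return base_dn, ldap_filter, entry["verifycert"]


if __name__ == "__main__":
    maps = parse_certmap(CERTMAP_CONF)
    print(build_search(maps, "cn=Jane Doe,uid=jdoe,ou=People,o=Example Corp,c=US",
                       "o=Example Corp,c=US"))
    print(build_search(maps, "e=bob@example.test,uid=bob,o=Other,c=US",
                       "cn=Other CA,o=Other,c=US"))
```

Running the script shows the two outcomes: a certificate from the listed CA is searched under `ou=People,o=Example Corp,c=US` with filter `(cn=Jane Doe)` and no extra verification, while a certificate from any other CA falls back to the default entry, a whole-directory search on both `mail` and `uid`, with verification on.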