HP-UX Directory Server 8.1 console guide
6 Using SSL/TLS with the Console
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols which set up secure,
encrypted communication between an SSL/TLS server and a client which connects to it. The
Directory Server can be configured to accept LDAP over SSL/TLS, known as LDAPS. Likewise, the
Administration Server can be configured to run over secure HTTP (HTTPS) rather than standard
HTTP. Both the Directory Server and Administration Server act as SSL/TLS servers. The Console
can be configured as an SSL/TLS client which connects to those servers over SSL/TLS, and can be
configured so that all Console operations run over SSL/TLS.
6.1 Overview of SSL/TLS
Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) set rules that
govern authentication (identity verification) between two entities and set up encrypted
communication between servers and clients. For Directory Server and Administration Server,
TLS/SSL means that directory operations run over LDAPS (secure LDAP) and HTTPS (secure
HTTP), respectively.
Secure communication depends on encrypting information so that only the intended recipient can
recover it. Both the TLS server (the application which is being contacted) and the TLS client
(the user or application which contacts the server) have to agree on how the information is
encrypted and be able to decrypt what the other side sends.[1]
Cryptography protects information using recognized algorithms and ciphers, mathematical
procedures which scramble information so that it can be unscrambled only by a party holding the
right secret value, called a key. A cipher suite is a named set of related algorithms used
together in one TLS connection (key exchange, authentication, bulk encryption, and integrity
checking). TLS uses public-key cryptography, in which keys come in matched pairs:
• The private key is held by only one entity and is never sent over the network. It is used to
decrypt information encrypted with the matching public key and to create digital signatures.
• The public key matches the private key and may be freely distributed. Anyone holding it can
encrypt information that only the private key can decrypt, and can verify signatures made with
the private key.
A certificate binds a public key to an identity. It contains the public key, identity information
for the server or user, the algorithm used for the digital signature, and a digital signature
(similar to a fingerprint) from the certificate authority (CA) that issued it, which a client
verifies before trusting the key.
In server authentication (the only TLS mode the Directory Console supports), the server presents
a certificate (containing its public key, the signature algorithm, and the server identity
information) to the client, and the client verifies it. The client may then authenticate itself
to the server through simple authentication, such as a username and password sent over the
encrypted connection, or use no authentication at all. With client authentication, both the
server and client present certificates proving their identity.
TLS/SSL communication has two major parts: the SSL/TLS handshake (where the server and
client authenticate their identities) and secure communication (the encrypted session between
the client and server). Authentication and encryption are performed using secure materials,
called certificates and keys.
The TLS handshake is when the server and client negotiate the parameters of the connection and
generate the keys which will be used for secure communication:
1. The TLS client initiates contact with the TLS server. The client sends information about its
TLS configuration to help the server negotiate the connection parameters:
• The highest TLS/SSL version the client supports (the server selects the highest version both
sides support, and the handshake fails if there is no version in common)
• A list of acceptable cipher suites, in the client's order of preference
[1] For HP-UX Directory Server, the Directory Server and Administration Server are the TLS servers, and the Directory
Console, or a user through LDAP tools or browsers, is the TLS client.
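The first handshake step above, as an added worked example that is not part of this guide or of the Directory Server code: it serializes a real TLS 1.x ClientHello (RFC 5246 record and handshake framing, no extensions), parses it the way a server does, and then negotiates the version and cipher suite. The version rule (highest version both sides support, failure below the server's minimum) and the server-preference cipher selection are the negotiation the text describes; the cipher-suite code points are the IANA values. The function names, the sample offers in demo(), and the server policy are constructed for illustration.

```python
"""Constructed example: build, parse and negotiate a TLS ClientHello.

Not from the HP-UX Directory Server console guide or its code base.
"""
import os
import struct

# Protocol versions as encoded on the wire (major byte, minor byte).
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL_3_0: "SSLv3", TLS_1_0: "TLSv1.0",
                 TLS_1_1: "TLSv1.1", TLS_1_2: "TLSv1.2"}

# IANA cipher-suite code points (name -> 16-bit value).
SUITES = {
    "TLS_RSA_WITH_NULL_SHA": 0x0002,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
}
SUITE_NAMES = {v: k for k, v in SUITES.items()}

CONTENT_HANDSHAKE = 0x16       # record-layer content type
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type


def build_client_hello(client_version, cipher_suites, random_bytes=None):
    """Serialize a ClientHello (RFC 5246 section 7.4.1.2) inside a TLS record."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    body = struct.pack("!H", client_version) + rnd   # client_version + random
    body += b"\x00"                                   # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites vector
    body += b"\x01\x00"                               # compression_methods: null only
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # The record-layer version of the first flight is conventionally TLS 1.0.
    return struct.pack("!BHH", CONTENT_HANDSHAKE, TLS_1_0, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a serialized ClientHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE or len(record) != 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != HANDSHAKE_CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                      # skip the 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                                # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return client_version, suites


def negotiate(client_version, client_suites, server_min, server_max, server_prefs):
    """Server side of the negotiation.

    Version: the highest the server supports that does not exceed the client's
    offer; anything below server_min is refused.  Cipher suite: the first entry
    in the server's own preference list that the client also offered.
    """
    version = min(client_version, server_max)
    if version < server_min:
        raise ValueError("protocol_version: client offers %s, server requires >= %s"
                         % (VERSION_NAMES.get(client_version, hex(client_version)),
                            VERSION_NAMES[server_min]))
    offered = set(client_suites)
    for suite in server_prefs:
        if suite in offered:
            return version, suite
    raise ValueError("handshake_failure: no cipher suite in common")


def demo():
    """Constructed exchange: a TLS 1.2 client that still lists RC4 first meets a
    server whose policy prefers ECDHE/AES-GCM and never enables RC4."""
    hello = build_client_hello(TLS_1_2, [SUITES["TLS_RSA_WITH_RC4_128_SHA"],
                                         SUITES["TLS_RSA_WITH_AES_128_CBC_SHA"],
                                         SUITES["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]])
    client_version, client_suites = parse_client_hello(hello)
    server_prefs = [SUITES["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
                    SUITES["TLS_RSA_WITH_AES_128_CBC_SHA"]]
    version, suite = negotiate(client_version, client_suites, TLS_1_0, TLS_1_2, server_prefs)
    return VERSION_NAMES[version], SUITE_NAMES[suite]


if __name__ == "__main__":
    print(demo())
```

The point a server operator should take from negotiate() is that the client's order is advisory: a server configured with its own preference list and a minimum version decides the outcome, so a Directory Server that does not enable weak suites or old versions will simply refuse a client that offers nothing else. Note that TLS 1.3 moves version selection into a supported_versions extension, which this example does not model.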