LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Server Administrator's Guide
NOTE: The -t "C,," represents the minimum trust attributes that may be assigned to the CA certificate for LDAP-UX to successfully use SSL or TLS to connect to the LDAP directory server. If you have other applications that use the CA certificate for other functions, then you may wish to assign additional trust flags. See http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html for additional information.
• Use the certutil command to add the LDAP server's certificate to the security database:
For example, the following command adds the LDAP server's certificate, my-server-cert, to the security database directory, /etc/opt/ldapux, with the Base64-Encoded certificate request file, /tmp/mynew.cert:
/opt/ldapux/contrib/bin/certutil -A -n my-server-cert -t "P,," \
-d /etc/opt/ldapux -a -i /tmp/mynew.cert
NOTE: The -t "p,," represents the minimum trust attributes that may be assigned to the LDAP server's certificate for LDAP-UX to successfully use SSL or TLS to connect to the LDAP directory server. See http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html for additional information.
Adjusting the Peer Certificate Policy
With SSL/TLS, not only can communication between clients (LDAP-UX) and servers (the LDAP directory server) be protected, but specific levels of assurance of the identities of the clients and servers can also be validated. This section describes how to adjust this validation level.
The peer_cert_policy parameter in the /etc/opt/ldapux/ldapux_client.conf configuration file is a string variable used to control the validation level. There are three valid options for this parameter, described below:
WEAK
Performs no validation of SSL or TLS certificates. Communication between the client and server can be encrypted; however, the client has no assurance that it is communicating with a trusted server.
CERT
Verifies that the issuers of peer SSL or TLS certificates are trusted. Communication between the client and server can be encrypted and the client has some assurance that it is communicating with a trusted server. In this scenario, it is still possible for the server to have a certificate that has been issued for a different server if methods used to protect private keys of server certificates are not in place. CERT is the default mode of operation with LDAP-UX.
CNCERT
Performs both the CERT check and also verifies that the common name or subjectAltName values embedded in the certificate match the address used to connect to the LDAP server, as described in RFC 4513.
As mentioned above, the default mode of operation for LDAP-UX is CERT. Increasing the certificate validation level to CNCERT requires additional and specific configuration steps. If not properly established, it can interfere with LDAP-UX and proper system operation. Because LDAP-UX can be used for host-name resolution (similar to DNS), LDAP-UX normally stores the IP address of LDAP servers in the configuration profile. This ensures that if LDAP-UX is asked to resolve a host name, it can do so without first needing to resolve the host name of the LDAP directory server (which could lead to a catch-22). However, since certificates normally embed the host name or fully qualified host name and LDAP-UX only has the IP address of the host, it is not possible for LDAP-UX to verify the host name on the certificate.
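The three policy levels and the CNCERT name check described above, modelled as an added Python example (not LDAP-UX code): the certificate fields, trusted-issuer set and addresses are constructed sample data, the dNSName/CN matching follows RFC 4513 section 3.1.3, and the handling of an iPAddress subjectAltName for an IP-only profile entry is this example's assumption.

```python
"""Model of the LDAP-UX peer_cert_policy levels WEAK, CERT and CNCERT.

Certificates are plain dicts (constructed sample data) so the example runs
offline; a real client reads these fields from the X.509 certificate the
server presents during the TLS handshake.
"""
import ipaddress

# Constructed: issuers held in the client's NSS security database with a
# CA trust flag (what certutil -A -t "C,," records for a CA certificate).
TRUSTED_ISSUERS = {"CN=Example Corp Root CA"}


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 4513 3.1.3 host-name comparison, case-insensitive.

    '*' is honoured only as the complete left-most label and matches exactly
    one label: '*.example.com' matches 'ldap1.example.com' but not
    'example.com' or 'a.b.example.com'.
    """
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) == len(hl) and pl[1:] == hl[1:]


def identity_matches(cert: dict, address: str) -> bool:
    """Does the certificate name the address the client connected to?"""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # Assumption: a profile entry holding only an IP address can be
        # satisfied solely by an iPAddress SAN; a CN/dNSName never matches it.
        return any(ipaddress.ip_address(a) == ip for a in cert.get("san_ip", []))
    dns_names = cert.get("san_dns", [])
    # The CN is consulted only when no dNSName SAN is present (RFC 4513).
    candidates = dns_names if dns_names else [cert.get("cn", "")]
    return any(_dns_match(c, address) for c in candidates)


def accept_peer(cert: dict, address: str, policy: str) -> bool:
    """Apply the configured peer_cert_policy to a server certificate."""
    if policy == "WEAK":
        return True  # encrypted, but the server is not authenticated
    issuer_ok = cert["issuer"] in TRUSTED_ISSUERS
    if policy == "CERT":
        return issuer_ok
    if policy == "CNCERT":
        return issuer_ok and identity_matches(cert, address)
    raise ValueError(f"unknown peer_cert_policy: {policy}")
```

Running accept_peer with the profile's IP address under CNCERT fails for a certificate that carries only host names, which is the situation the paragraph above describes.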
Configuring the LDAP-UX Client Services with SSL or TLS Support 53