Manualshelf

LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software
51525354555657585960
Table Of Contents
/opt/ldapux/contrib/bin/certutil -A -n my-ca-cert -t "C,," -d
/etc/opt/ldapux -a -i /tmp/mynew.cert
NOTE: The -t "C,," represents the minimum trust attributes that may be assigned
to the CA certificate for LDAP-UX to successfully use SSL or TLS to connect to the LDAP
directory server. If you have other applications that use the CA certificate for other
functions, then you may wish to assign additional trust flags. See
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html for additional information.
Use the certutil command to add the LDAP server's certificate to the security
database:
For example, the following command adds the LDAP server's certificate,
my-server-cert, to the security database directory, /etc/opt/ldapux, with the
Base64-Encoded certificate request file, /tmp/mynew.cert:
/opt/ldapux/contrib/bin/certutil -A -n my-server-cert -t P,,
\
-d /etc/opt/ldapux -a -i /tmp/mynew.cert
NOTE: The -t "p,," represents the minimum trust attributes that may be assigned
to the LDAP server's certificat for LDAP-UX to successfully use SSL or TLS to connect
to the LDAP directory server. See
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html for additional information.
Adjusting the Peer Certificate Policy
With SSL/TLS, not only communication between clients (LDAP-UX) and servers (the LDAP
directory server) can be protected, but in addition, specific levels of assurance of the identities
of the clients and servers can be validated. This section describes how to adjust this validation
level.
The peer_cert_policy parameter in the /etc/opt/ldapux/ldapux_client.conf
configuration file is a string variable used to control the validation level. There are three valid
options for this parameter described below:
WEAK
Performs no validation of SSL or TLS certificates. Communication between the client
and server can be encrypted, however the client has no assurance that it is
communicating with a trusted server.
CERT
Verifies that the issuers of peer SSL or TLS certificates are trusted. Communication
between the client and server can be encrypted and the client has some assurance
that it is communicating with a trusted server. In this scenario, it is still possible for
the server to have a certificate that has been issued for a different server if methods
used to protect private keys of server certificates are not in place. CERT is the default
mode of operation with LDAP-UX.
CNCERT
Performs both the CERT check and also verifies that the common name or
subjectAltName values embedded in the certificate matches the address used to
connect to the LDAP server, as described in RFC 4513.
As mentioned above, the default mode of operation for LDAP-UX is CERT. Increasing certificate
validation level to CNCERT requires additional and specific configuration steps. If not properly
established, it can interfere with LDAP-UX and proper system operation. Because LDAP-UX can
be used for host-name resolution (similar to DNS), LDAP-UX normally stores the IP address of
LDAP servers in the configuration profile. This procedure assures that if LDAP-UX is asked to
resolve a host name, it can do so without first needing to resolve the host name of the LDAP
directory server (which could lead to a catch-22). However, since certificates normally embed
Configuring the LDAP-UX Client Services with SSL or TLS Support 53