LDAP-UX Client Services B.05.00 Administrator's Guide

#
# No Bundle(s) on hpt079:/tmp/ca-cup.hp.com.depot
# Product(s):
#
LDAPUX-MYDOMAIN-CA A.01.00 LDAP-UX mydomain.example.com domain CA Certificate
NOTE: SSL/TLS protocols support a variety of different cryptographic algorithms (ciphers) for
use in authentication operations between server and client, certificate transmissions, and session
key establishment. If a cipher is found to be flawed and subject to attack, administrators of HP-UX
and the directory server need to know that they are exposed. Ciphers can be disabled
in the directory server. For information about SSL/TLS ciphers and which ones are supported
by LDAP-UX, see Section 2.4.6.3 (page 82).
Some organizations may wish to pre-distribute this certificate product by pre-installing it on an
Ignite-UX image or on other media that can be used to distribute and install new instances of
HP-UX.
As part of generating the server certificate, the guided installation creates a pin.txt file to hold
the password it uses for retrieving the server certificate's private key. The guided installation
requires access to the private key to automatically start up the newly-created directory server.
The private key is what proves the directory server's identity.
The private key is stored in the /etc/opt/dirsvr/slapd-domain-instanceName/key3.db
file. The pin.txt file that holds the private key password is stored in the same directory. (The
instanceName of the first directory server created on a host is always
domain-name-prefix-master, where domain-name-prefix is the prefix of the DNS domain
name.)
WARNING! The root user, or any user that can bypass file system access controls, can read the
pin.txt file. Any user that has access to the pin.txt, cert8.db, and key3.db files can use
them to impersonate a directory server. Therefore, ensure that you restrict access to the accounts
of the root user and users that can bypass file system access restrictions.
For security purposes, you can consider removing the pin.txt file and requiring that the private
key password be manually entered whenever the directory server is restarted. However, requiring
manual password entry at every start-up can have drawbacks. For example, consider the impact
for server availability after a reboot or power failure.
The CA certificate generated when the guided installation creates the first directory server (the
master instance) is stored in the /etc/opt/dirsvr/slapd-domain-master/cacert.pk12
file. The password to protect that file is stored in
/etc/opt/dirsvr/slapd-domain-master/pk12-passwd.txt.
WARNING! Any user that can access the pk12-passwd.txt file and the cacert.pk12 file
can create a new directory server with sufficient trust to be considered part of the LDAP-UX
domain. Such a user can control what data is visible to the HP-UX hosts. Any host with a server
certificate signed by the CA certificate will be considered a trusted directory server. Be sure to
restrict access to privileged accounts that can bypass file access restrictions on the local host.
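A shell check, added here as an example and not part of this guide or of LDAP-UX itself, that audits the credential files named in the two warnings above for one directory server instance directory. The instance path and the expected owner are arguments; the /etc/opt/dirsvr/slapd-mydomain-master path in the usage line is a placeholder for your own domain-name-prefix.

```shell
#!/bin/sh
# Audit the credential files the guided installation leaves in an instance
# directory (pin.txt, key3.db, cert8.db, cacert.pk12, pk12-passwd.txt).
# Reports every file that is group- or world-accessible, or not owned by the
# expected account, and returns 1 if any such file was found, 0 otherwise.
# Uses only ls/cut/awk so it runs on HP-UX as well as Linux (no stat needed).
audit_dirsvr_secrets() {
    dir=$1
    owner=${2:-root}      # account that should own the files (default root)
    bad=0
    for f in pin.txt key3.db cert8.db cacert.pk12 pk12-passwd.txt; do
        p="$dir/$f"
        [ -e "$p" ] || continue          # not every instance has every file
        listing=$(ls -ld "$p")
        perm=$(printf '%s' "$listing" | cut -c1-10)      # e.g. -rw-r--r--
        group=$(printf '%s' "$perm" | cut -c5-7)
        other=$(printf '%s' "$perm" | cut -c8-10)
        have_owner=$(printf '%s\n' "$listing" | awk '{print $3}')
        if [ "$group" != "---" ] || [ "$other" != "---" ]; then
            echo "EXPOSED: $p ($perm) is accessible beyond its owner"
            bad=1
        fi
        if [ "$have_owner" != "$owner" ]; then
            echo "OWNER:   $p is owned by $have_owner, expected $owner"
            bad=1
        fi
    done
    return $bad
}

# Usage against the master instance; "mydomain" is a placeholder prefix.
inst=/etc/opt/dirsvr/slapd-mydomain-master
if [ -d "$inst" ]; then
    audit_dirsvr_secrets "$inst" root ||
        echo "Tighten with: chmod 600 $inst/pin.txt $inst/pk12-passwd.txt (and the .db/.pk12 files)"
fi
```

The check only reports; it deliberately changes no modes, so it can be run from an Ignite-UX post-install hook or a cron job and its non-zero exit status used to raise an alert.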
2.3.3 Domains in LDAP-UX environments
The LDAP-UX domain is one of several types of domains discussed in this manual. The following
list helps you understand the significance of each domain.
LDAP-UX domain — the realm of users, groups, and hosts defined by the LDAP-UX
configuration profile and managed by the LDAP directory server. All hosts configured to
point to the same LDAP-UX configuration profile are considered part of that domain. The
guided installation creates an LDAP-UX domain when setting up a new directory server
environment. In an existing LDAP-UX (B.05.00 or later) environment, the guided installation
36 Installing and configuring LDAP-UX Client Services