LDAP-UX Client Services B.05.00 Administrator's Guide
2.4.6 Configuring the LDAP-UX Client Services with SSL or TLS support
The LDAP-UX Client Services supports either SSL (Secure Socket Layer) or TLS (Transport Layer
Security) to secure communication between LDAP clients and the LDAP directory server.
With SSL, an encrypted session is established on the encrypted port, 636. The LDAP-UX Client
Services supports SSL with a password as the credential, using simple bind, SASL/GSSAPI, or
SASL/DIGEST-MD5 authentication to ensure confidentiality and data integrity between clients
and servers. (SASL/GSSAPI is only supported for LDAP-UX used with Windows ADS.) SSL
gives LDAP-UX clients a secure way to protect the password while it travels over the network. In
addition, SSL/TLS can be used to validate the identity of the directory server, provided the privacy
of the server's and the CA's private keys can be assured. The directory administrator can choose the
authentication mechanism, such as a simple password stored in the directory server in hashed
form.
The LDAP-UX Client Services supports SSL communication with Microsoft Windows Server
2003 R2 and 2008 Active Directory Server (ADS), HP-UX Directory Server 8.1 (or later), and Red
Hat Directory Server 8.0. For detailed information about how to set up and configure your
directory server to enable SSL communication over LDAP, see the appropriate administrator's
guide at the following location:
http://www.hp.com/go/hpux-security-docs
Starting with LDAP-UX Client Services B.04.10, LDAP-UX Client Services supports the startTLS
extended operation of the TLS protocol to secure communication between LDAP clients and the
LDAP directory server. With startTLS, the encrypted session is established by default on the
standard un-encrypted LDAP port, 389; if the SSL-encrypted port is used instead, the secure
connection cannot be established. This gives administrators more flexibility in using TLS in their
environment, because the un-encrypted LDAP port can be used for communication between
clients and the server. LDAP-UX supports TLS with a password as the credential, using simple bind,
SASL/GSSAPI, or SASL/DIGEST-MD5 authentication to ensure confidentiality and data integrity
between clients and servers.
The LDAP-UX Client Services supports TLS communication with Microsoft Windows Server
2003 R2 and 2008 Active Directory Server (ADS), HP-UX Directory Server 8.1 (or later), and Red
Hat Directory Server 8.0.
2.4.6.1 Configuration parameters
LDAP-UX Client Services provides the following parameter in the
/etc/opt/ldapux/ldapux_client.conf file to support TLS:
enable_startTLS
This integer variable controls whether the TLS feature is enabled or
disabled. The valid values of this parameter are 1 and 0. If you choose
to use TLS, set this parameter to 1. To disable TLS, set this variable to
0. By default, TLS is disabled. If the enable_startTLS parameter is
undefined or does not exist, it is treated as if the TLS feature is disabled.
If you want to use SSL or TLS, you must perform the following tasks before you run the setup
program:
• Ensure that the certificate database files cert8.db and key3.db are on your client system.
For more information, see Section 2.4.6.2 (page 79).
• If you choose to use TLS, set the enable_startTLS parameter to 1 in the
/etc/opt/ldapux/ldapux_client.conf file. To use SSL, set enable_startTLS to 0. By default,
TLS is disabled.
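The two pre-setup tasks above, together with the port rule from the startTLS description (TLS on the un-encrypted port 389, SSL on the encrypted port 636), can be checked with a short POSIX shell script before running the setup program. The script below is an added example and is not part of the LDAP-UX product or this guide. It assumes (hypothetically) that enable_startTLS appears in ldapux_client.conf as a `name=value` line, and it takes the configuration file and certificate database directory as arguments so it can be exercised against constructed sample files rather than the real /etc/opt/ldapux location.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): pre-setup SSL/TLS check.
# Assumptions (hypothetical): enable_startTLS is written as "enable_startTLS=1"
# or "enable_startTLS=0"; paths are passed in rather than hard-coded.

# ldapux_tls_mode CONF
# Prints "tls" when enable_startTLS=1, otherwise "ssl" (value 0, parameter
# absent, or file missing), mirroring the guide: undefined means TLS disabled.
ldapux_tls_mode() {
    conf=$1
    val=$(sed -n 's/^[[:space:]]*enable_startTLS[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p' \
          "$conf" 2>/dev/null | tail -n 1)
    if [ "$val" = "1" ]; then
        echo tls
    else
        echo ssl
    fi
}

# ldapux_expected_port MODE
# startTLS runs over the standard port 389; SSL uses the encrypted port 636.
ldapux_expected_port() {
    case $1 in
        tls) echo 389 ;;
        ssl) echo 636 ;;
        *)   return 1 ;;
    esac
}

# ldapux_certdb_ok DIR
# Succeeds only if both certificate database files are present.
ldapux_certdb_ok() {
    [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]
}

# ldapux_preflight CONF CERTDIR
# Prints "<mode> <port> certdb-ok|certdb-missing"; non-zero exit if the
# certificate database is incomplete, so setup should not be run yet.
ldapux_preflight() {
    conf=$1
    certdir=$2
    mode=$(ldapux_tls_mode "$conf")
    port=$(ldapux_expected_port "$mode")
    if ldapux_certdb_ok "$certdir"; then
        echo "$mode $port certdb-ok"
        return 0
    fi
    echo "$mode $port certdb-missing"
    return 1
}

# Constructed demo input (a temporary directory, not an HP-UX system file).
demo_dir=$(mktemp -d)
printf 'enable_startTLS=1\n' > "$demo_dir/ldapux_client.conf"
: > "$demo_dir/cert8.db"
: > "$demo_dir/key3.db"
ldapux_preflight "$demo_dir/ldapux_client.conf" "$demo_dir" \
    || echo "resolve the reported problem before running setup"
rm -rf "$demo_dir"
```

On a real client the call would be `ldapux_preflight /etc/opt/ldapux/ldapux_client.conf <certdb-dir>`; the script reports the mode the configuration selects and the port the directory server must be listening on for that mode, and refuses (non-zero exit) while cert8.db or key3.db is missing.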
2.4.6.2 Configuring the LDAP-UX client to use SSL or TLS
You can choose to enable SSL or TLS with LDAP-UX when you run the setup program. If you
attempt to use SSL or TLS, you must install the Certificate Authority (CA) certificate on your
2.4 Customized installation (setup) 79