LDAP-UX Client Services B.05.00 Administrator's Guide

LDAP-UX Client and configure your LDAP directory server to support SSL or TLS before you
run the setup program.
NOTE: If you already have the certificate database files cert8.db and key3.db on your client
for your HP-UX applications, you can simply create a symbolic link /etc/opt/ldapux/cert8.db
that points to cert8.db, and /etc/opt/ldapux/key3.db that points to key3.db.
2.4.6.2.1 Steps to create certificate database files using the certutil utility
The following steps show how you can create the security database files, cert8.db and key3.db
on your client system using the Certificate Database Tool command line utility (certutil):
1. Retrieve the certificate. The procedure for this varies, depending on several factors. If your
organization is using either a certificate management system internal to the organization,
or a third-party certificate authority, you will usually use a web browser to download a
Certificate Authority (CA) certificate. The certificate is downloaded in one of two forms:
ASCII-encoded PEM form, or binary DER form.
In PEM form the certificate looks similar to this:
-----BEGIN CERTIFICATE-----
MIICJjCCAY+gAwIBAgIBJDANBgkghkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
MAkga1UECBMCQ2ExEjAQBgNVBAcTCWN1cGVvsG1ubzEPMA0GA1UEChmgAhaUy29T
MRIwEAYDVQQLEw1RR1NMLUxkYXAxHDAaBgNVBAMTE0N1cnRpzmljYXR1IE1hbmFn
4I2vvzz2i1Ubq+Ajcf1y8sdafuCmqTgsGUYjy+J1weM061kaWOt0HxmXmrUdmenF
skyfHyvEGj8b5w6ppgIIA8JOT7z+F0w+/mig=
-----END CERTIFICATE-----
As an alternative to installing the CA certificate, you can install and trust the LDAP server's
own certificate rather than the CA certificate that issued the LDAP server's certificate.
Because LDAP-UX then only accepts connections to the LDAP server for which that server
certificate is valid, this alternative establishes a narrower scope of trust. So, if you plan
to connect to multiple LDAP servers, you must install multiple server certificates.
Additionally, because server certificates tend to have a validity period shorter than that of
CA certificates, you may find yourself needing to update the certificate more often.
2. Use the rm command as in the following example to remove the old database files
/etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db:
# rm -f /etc/opt/ldapux/cert8.db /etc/opt/ldapux/key3.db
3. Create new certificate database files, using the command shown in the following example:
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -N
The certutil tool prompts you to enter a password to protect the private key database.
If you will not be storing any private keys in the certificate database files, press Enter to
leave the password empty. LDAP-UX does not require a private key; however, if you plan
to use these certificate database files with other applications that make use of a private key,
you should set a password.
4. Add the downloaded CA certificate to the certificate database created in the preceding step.
If the CA certificate was downloaded in binary DER form, use the following command:
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "CA cert" -t CT,, -i cacert.der
If the CA certificate was downloaded in ASCII-encoded PEM form, add the -a (ASCII) option
as in the following example:
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "CA cert" -t CT,, -i cacert.pem -a
If the certificate is a server certificate, use the “P,,” trust flag:
80 Installing and configuring LDAP-UX Client Services