LDAP-UX Client Services B.05.00 Administrator's Guide
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "server cert" -t "P,," -i servercert.der
NOTE: The required -n parameter gives the certificate a nickname in the certificate database
files. The nickname value is arbitrary, but it must be unique within the database. If you plan to
connect to multiple LDAP servers whose SSL certificates were issued by different certificate
authorities, use the nickname to differentiate between the CA certificates. For example, you
might name one "Issuer1 CA cert" and the other "Issuer2 CA cert".
The -t parameter sets the trust bits for the certificate. The three comma-separated fields apply
to SSL, email and object signing respectively; only the SSL field is needed here. For CA
certificates, use "CT,," to indicate that the certificate is trusted as an issuer of SSL server (C)
and client (T) certificates. For server certificates, use "P,," to indicate that the certificate itself
is a trusted peer.
For more information about using the certutil utility, see the following website:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
2.4.6.2.2 Adjusting the peer certificate policy
SSL/TLS not only protects communication between clients (LDAP-UX) and servers (the LDAP
directory server); it can also provide a chosen level of assurance about the identities of the
clients and servers. This section describes how to adjust that validation level.
The peer_cert_policy parameter in the /etc/opt/ldapux/ldapux_client.conf
configuration file is a string variable that controls the validation level. It has three valid
values, described below:
WEAK
Performs no validation of SSL or TLS certificates. Communication between the client
and server can be encrypted, but the client has no assurance that it is
communicating with a trusted server.
CERT
Verifies that the issuer of the peer's SSL or TLS certificate is trusted, that is, that the
certificate chains to a CA certificate held in the certificate database. Communication
between the client and server can be encrypted and the client has some assurance
that it is communicating with a trusted server. However, because the name in the
certificate is not checked, any certificate issued by a trusted CA is accepted, including
one issued for a different server; if the private key of another server's certificate is not
adequately protected, that certificate can be used to impersonate the LDAP server.
CERT is the default mode of operation with LDAP-UX.
CNCERT
Performs the CERT check and also verifies that the common name or
subjectAltName values embedded in the certificate match the address used to
connect to the LDAP server, as described in RFC 4513.
As mentioned above, the default mode of operation for LDAP-UX is CERT. Raising the
validation level to CNCERT requires additional, specific configuration steps; if they are not
carried out properly, the change can interfere with LDAP-UX and normal system operation.
Because LDAP-UX can itself be used for host-name resolution (similar to DNS), LDAP-UX
normally stores the IP addresses of the LDAP servers in the configuration profile. This ensures
that when LDAP-UX is asked to resolve a host name, it does not first need to resolve the host
name of the LDAP directory server (which could lead to a catch-22). However, since certificates
normally embed the host name or fully qualified host name of the server and LDAP-UX only
has the server's IP address, LDAP-UX cannot match the host name in the certificate against
the address it connects to, so CNCERT cannot succeed with an IP-address server list. If you
switch the server list to host names, make sure those names can be resolved without LDAP
(for example, through /etc/hosts or DNS), or the same catch-22 returns.
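To make the difference between the CERT and CNCERT levels concrete, and to show why a server list that holds IP addresses cannot satisfy CNCERT, the following Python example is added here; it is not LDAP-UX code. It models the three peer_cert_policy levels as a decision function and implements a server identity check along the lines of RFC 4513 section 3.1.3: dNSName and iPAddress subjectAltName values are compared first, a "*" in the leftmost label of a dNSName matches exactly one label, and the subject commonName is used only when the certificate carries no dNSName entries (that precedence is this example's assumption, not something the page states). The two certificates are constructed sample data laid out like the dict Python's ssl.SSLSocket.getpeercert() returns; no real certificate or connection is involved.

```python
"""Model of LDAP-UX peer_cert_policy levels and an RFC 4513-style identity check.

Added illustration, not LDAP-UX code. Certificates use the dict layout of
ssl.SSLSocket.getpeercert(); both certificates below are constructed samples.
"""
import ipaddress

# Constructed sample: a certificate with a subjectAltName extension.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap1.example.com"),
        ("DNS", "*.ldap.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed sample: an older certificate that names the server only in its CN.
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "ldap2.example.com"),)),
}


def _as_ip(value):
    """Return an ipaddress object if value is an IP address literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(reference, presented):
    """Case-insensitive DNS name comparison; a '*' in the leftmost label of the
    presented name matches exactly one non-empty label (RFC 4513 wildcard rule)."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres):
        return False
    if pres[0] == "*":
        return ref[0] != "" and ref[1:] == pres[1:]
    return ref == pres


def server_identity_matches(cert, reference_identity):
    """True if the address the client connected to (host name or IP address
    from the server list) matches the certificate's names."""
    ref_ip = _as_ip(reference_identity)
    san = cert.get("subjectAltName", ())
    if ref_ip is not None:
        # Connected by IP address: only an iPAddress SAN entry can match.
        # A CN holds a host name, so an IP reference never matches a CN-only cert.
        return any(kind == "IP Address" and _as_ip(value) == ref_ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        # Assumption of this example: dNSName entries take precedence over CN.
        return any(_dns_match(reference_identity, name) for name in dns_names)
    # Fallback: the most specific (last) commonName in the subject.
    cns = [value for rdn in cert.get("subject", ()) for attr, value in rdn
           if attr == "commonName"]
    return bool(cns) and _dns_match(reference_identity, cns[-1])


def accept_peer(policy, issuer_trusted, cert, reference_identity):
    """Decision implied by each peer_cert_policy level. issuer_trusted stands
    for the result of the CA chain check that CERT performs (modelled here)."""
    if policy == "WEAK":
        return True
    if policy == "CERT":
        return issuer_trusted
    if policy == "CNCERT":
        return issuer_trusted and server_identity_matches(cert, reference_identity)
    raise ValueError("unknown peer_cert_policy: %s" % policy)


if __name__ == "__main__":
    # A certificate validly issued to ldap2 presented by a host we reached as ldap1.
    for policy in ("WEAK", "CERT", "CNCERT"):
        print(policy, accept_peer(policy, True, CERT_CN_ONLY, "ldap1.example.com"))
    # The profile's stored IP address can never satisfy CNCERT against CERT_CN_ONLY.
    print("CNCERT by IP", accept_peer("CNCERT", True, CERT_CN_ONLY, "192.0.2.20"))
```

CERT_CN_ONLY, a certificate validly issued to ldap2.example.com, is accepted for ldap1.example.com under CERT and rejected under CNCERT, and an IP-address reference identity never matches a certificate that names only a host, which is exactly the situation the IP addresses stored in the profile create.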
If you want to configure the CNCERT validation level with the peer_cert_policy parameter,
you must perform the following configuration steps manually:
1. Update the preferredserverlist setting in the profile to contain the host name of the
LDAP server such that it matches the host name specified in the LDAP server's certificate.
See the "Modifying preferredserverList in the LDAP-UX Profile" section for details.
2.4 Customized installation (setup) 81