LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
NOTE: A CA certificate for the "mydomain.example.com" domain has been created.
This certificate can be pre-installed on HP-UX clients or included as part
of an HP-UX Ignite image. Installing this CA certificate on host will
pre-establish trust with this directory server. The depot file for this
CA certificate is found at : /tmp/ca-mydomain.example.com.depot
============================================================================
The depot contains one product that, when installed, places the CA certificate for the LDAP-UX
domain on the host. Create one CA certificate for each domain; the product that is created is
named as follows:
# swlist -d -s /tmp/ca-cup.hp.com.depot
# Initializing...
# Contacting target "hpt079"...
#
# Target: hpt079:/tmp/ca-cup.hp.com.depot
#
#
# No Bundle(s) on hpt079:/tmp/ca-cup.hp.com.depot
# Product(s):
#
LDAPUX-MYDOMAIN-CA A.01.00 LDAP-UX mydomain.example.com domain CA Certificate
NOTE: SSL/TLS supports a variety of cryptographic algorithms (ciphers) for authenticating the
server and client, transmitting certificates, and establishing session keys. If a cipher is found
to be flawed and subject to attack, the administrators of the HP-UX clients and of the directory
server must know about the vulnerability so that the cipher can be disabled on the directory
server. For information about SSL/TLS ciphers and which ones LDAP-UX supports, see
Section 2.4.6.5 (page 84).
Some organizations might prefer to distribute this certificate product by preinstalling it on an
Ignite-UX image or on other media that can be used to distribute and install new instances of HP-UX.
As part of generating the server certificate, the guided installation creates a pin.txt file to hold
the password it uses to unlock the server certificate's private key. The guided installation needs
access to the private key so that it can start the newly created directory server automatically. The
private key is what lets the directory server prove the identity asserted in its certificate.
The private key is stored in the /etc/opt/dirsvr/slapd-domain-instanceName/key3.db
file. The pin.txt file that holds the private key password is stored in the same directory. (The
instanceName of the first directory server created on a host will always be
domain-name-prefix-master, where domain-name-prefix is the prefix of the DNS domain
name.)
WARNING! The root user, or any user that can bypass file system access controls, can read the
pin.txt file. Anyone with access to the pin.txt, cert8.db, and key3.db files can use them to
impersonate the directory server. Therefore, restrict access to the root account and to any
account that can bypass file system access restrictions.
For security purposes, you can consider removing the pin.txt file and requiring that the private
key password be manually entered whenever the directory server is restarted. However, requiring
manual password entry at every startup can have drawbacks. For example, consider the impact
for server availability after a reboot or power failure.
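The following shell function is an added example, not part of the HP guide or the LDAP-UX product: it audits the three files named in the warning above inside one directory server instance directory and reports any file that is not owned by the expected user or that grants group or other access. The file names and the /etc/opt/dirsvr/slapd-domain-instanceName layout are taken from the guide; the function name, the use of ls -l (HP-UX has no stat(1)) and the treatment of a deliberately removed pin.txt as informational rather than a failure are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the HP LDAP-UX guide: audit the permissions of the
# files that together allow impersonation of a directory server instance.
# File names and directory layout follow the guide; the rest is assumed.

# audit_keydir DIR [OWNER]
#   DIR    instance directory, e.g. /etc/opt/dirsvr/slapd-mydomain-master
#   OWNER  expected owner of the files (default root)
# Prints one line per file. Returns 0 when every file present is owned by
# OWNER and has no group/other permission bits at all, 1 otherwise.
audit_keydir() {
    dir=$1
    want_owner=${2:-root}
    rc=0
    for f in pin.txt key3.db cert8.db; do
        path=$dir/$f
        if [ ! -f "$path" ]; then
            if [ "$f" = pin.txt ]; then
                # A missing pin.txt is the "manual password at startup" choice
                # described in the guide, so report it but do not fail.
                echo "INFO  $path absent; private key password must be entered at startup"
            else
                echo "WARN  $path missing"
                rc=1
            fi
            continue
        fi
        # Portable parse of ls -l: the first 10 characters are the mode string
        # (type + owner + group + other bits) and the third field is the owner.
        # cut -c1-10 also drops the '+' or '.' some ls versions append.
        line=$(ls -ld "$path")
        mode=$(printf '%s\n' "$line" | cut -c1-10)
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        if [ "$owner" != "$want_owner" ]; then
            echo "FAIL  $path owned by $owner, expected $want_owner"
            rc=1
        fi
        case $mode in
            ????------) echo "OK    $path $mode" ;;
            *)  echo "FAIL  $path $mode: group or other can access this file"
                rc=1 ;;
        esac
    done
    return $rc
}

# Usage on a live system (run as root so the directory is readable):
#   audit_keydir /etc/opt/dirsvr/slapd-mydomain-master
```

The check is deliberately strict about cert8.db as well as key3.db and pin.txt, because the guide treats the three files as one set that is sufficient for impersonation; relax it for cert8.db only if you have confirmed that nothing else in that file is sensitive.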
The CA certificate generated when the guided installation creates the first directory server (the
master instance) is stored in the /etc/opt/dirsvr/slapd-domain-master/cacert.pk12
40 Installing and configuring LDAP-UX Client Services for an HP server environment