LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

NOTE: If you already have the certificate database files cert8.db and key3.db on your client for your HP-UX applications, you can simply create a symbolic link /etc/opt/ldapux/cert8.db that points to cert8.db, and /etc/opt/ldapux/key3.db that points to key3.db.
4. SSL and TLS protocols support a variety of cryptographic algorithms (known as ciphers) that are used for such operations as authenticating the server and client to each other, transmitting certificates, and establishing session keys. If a cipher is found to be flawed and subject to attack, administrators of HP-UX and the directory server must be aware of that vulnerability. Ciphers can be disabled in the directory server. For information about SSL/TLS ciphers and which ones are supported by LDAP-UX, see Section 2.4.6.5 (page 84).
2.4.6.3 Adjusting the peer certificate policy
With SSL/TLS, not only communication between clients (LDAP-UX) and servers (the LDAP directory
server) can be protected, but in addition, specific levels of assurance of the identities of the clients
and servers can be validated. This section describes how to adjust this validation level.
The peer_cert_policy parameter in the /etc/opt/ldapux/ldapux_client.conf
configuration file is a string variable used to control the validation level. The valid options for this
parameter are:
WEAK    Performs no validation of SSL or TLS certificates. Communication between the client and server can be encrypted; however, the client has no assurance that it is communicating with a trusted server.
CERT    Verifies that the issuers of peer SSL or TLS certificates are trusted. Communication between the client and server can be encrypted, and the client has some assurance that it is communicating with a trusted server. In this scenario, it is still possible for the server to present a certificate that was issued for a different server if the methods used to protect the private keys of server certificates are not in place. CERT is the default mode of operation with LDAP-UX.
CNCERT  Performs the CERT verification and also verifies that the common name or subjectAltName values embedded in the certificate match the address used to connect to the LDAP server, as described in RFC 4513.
Increasing certificate validation level from the default (CERT) to CNCERT requires additional and
specific configuration steps. If not properly established, it can interfere with LDAP-UX and proper
system operation. Because LDAP-UX can be used for host-name resolution (similar to DNS), LDAP-UX
normally stores the IP address of LDAP servers in the configuration profile. This procedure assures
that if LDAP-UX is asked to resolve a host name, it can do so without first needing to resolve the
host name of the LDAP directory server (which could lead to a catch-22). However, since certificates
normally embed the host name or fully qualified host name and LDAP-UX only has the IP address
of the host, it is not possible for LDAP-UX to verify the host name on the certificate.
If you want to configure the CNCERT validation level with the peer_cert_policy parameter,
you must manually execute the following configuration steps:
1. Update the preferredserverlist setting in the profile to contain the host name of the
LDAP server such that it matches the host name specified in the LDAP server’s certificate. To
update this setting, follow the steps described in Section 2.4.6.3.1 (page 82).
2. Perform one of the following steps:
   Prevent LDAP-UX from being used for host-name resolution by removing “ldap” from the “hosts” service in the /etc/nsswitch.conf file.
   Or, have some other name resolution service (such as files or dns) provide the host name and IP address; the selected service must appear before “ldap” in the /etc/nsswitch.conf file for the “hosts” service.
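The prerequisites described in this section (a peer_cert_policy of CNCERT, a preferredserverlist that names the server by the host name in its certificate, and a “hosts” entry in /etc/nsswitch.conf that does not depend on ldap) can be verified on the client before the validation level is raised. The following POSIX shell script is an added example and is not code from the LDAP-UX guide or from HP. It assumes that ldapux_client.conf stores the parameter as a name=value line (peer_cert_policy=CNCERT), which this page does not state, and the configuration files and server names it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the LDAP-UX guide: check the local prerequisites
# for raising peer_cert_policy to CNCERT (Section 2.4.6.3 of the guide).
# Assumption (not stated on the page): ldapux_client.conf holds "name=value"
# lines, so the policy appears as "peer_cert_policy=CNCERT".

# Echo the effective peer_cert_policy (WEAK, CERT or CNCERT) read from an
# ldapux_client.conf file; CERT when the parameter is absent, because the
# guide states that CERT is the default.
peer_cert_policy() {
    val=$(sed -n 's/^[[:space:]]*peer_cert_policy[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo CERT; fi
}

# Succeed (exit 0) when the "hosts" service in an nsswitch.conf file does not
# start with ldap: either ldap is absent, or files/dns/... precede it, so the
# LDAP server's own host name can be resolved without asking LDAP (the
# catch-22 the guide describes). Status actions such as [NOTFOUND=continue]
# are ignored. Fails when no hosts line exists, since nothing can be concluded.
hosts_resolution_ok() {
    first=$(sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1 |
            sed 's/\[[^]]*\]//g' | awk '{ print $1 }')
    [ -n "$first" ] && [ "$first" != ldap ]
}

# Succeed when a preferredserverlist entry is a host name rather than an IPv4
# or IPv6 literal; CNCERT can only match the certificate's common name or
# subjectAltName against a host name, never against a bare IP address.
is_hostname() {
    case "$1" in
        "" | *:* )  return 1 ;;   # empty, or an IPv6 literal
        *[!0-9.]* ) return 0 ;;   # contains something other than digits/dots
        * )         return 1 ;;   # digits and dots only: an IPv4 literal
    esac
}

# Combine the checks for one client: the configuration file, the nsswitch
# file, and the server entries the profile's preferredserverlist holds
# (passed as remaining arguments).
cncert_ready() {
    conf="$1"; nss="$2"; shift 2
    [ "$(peer_cert_policy "$conf")" = CNCERT ] || return 1
    hosts_resolution_ok "$nss" || return 1
    for srv in "$@"; do
        is_hostname "$srv" || return 1
    done
    return 0
}

# Stand-alone demonstration on constructed sample files (hypothetical content).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'peer_cert_policy=CNCERT\n' > "$dir/ldapux_client.conf"
    printf 'hosts: files dns ldap\n' > "$dir/nsswitch.good"
    printf 'hosts: ldap [NOTFOUND=continue] files\n' > "$dir/nsswitch.bad"
    if cncert_ready "$dir/ldapux_client.conf" "$dir/nsswitch.good" ldap1.example.com; then
        echo "ok: CNCERT prerequisites satisfied with files/dns ahead of ldap"
    fi
    if ! cncert_ready "$dir/ldapux_client.conf" "$dir/nsswitch.bad" ldap1.example.com; then
        echo "not ready: ldap is listed first for hosts; reorder nsswitch.conf before using CNCERT"
    fi
    if ! cncert_ready "$dir/ldapux_client.conf" "$dir/nsswitch.good" 192.0.2.10; then
        echo "not ready: preferredserverlist holds an IP address, so the certificate name cannot be matched"
    fi
    rm -rf "$dir"
}
demo
```

The script only reports; it does not edit any file. Run it with the real /etc/opt/ldapux/ldapux_client.conf and /etc/nsswitch.conf paths and the server entries from your profile, and keep CERT in place until every check passes, since an LDAP-UX client switched to CNCERT with an IP-only preferredserverlist will fail certificate validation and lose directory access.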
2.4 Customized installation (setup) for an HP directory server environment 81