LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "CA cert" -t CT,, -i cacert.pem -a
If the certificate is a server certificate, use the "P,," trust flag:
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "server cert" -t P,, -i servercert.der
NOTE: The required -n parameter gives the certificate a nickname in the certificate database
files. The nickname value is arbitrary. If you plan to connect to multiple LDAP servers that were
issued SSL certificates by different certificate authorities, use the nickname to
differentiate between the CA certificates. For example, you might name one "Issuer1
CA cert" and the other "Issuer2 CA cert".
The -t parameter sets the trust bits for the certificate. For CA certificates, use "CT,," to
indicate that the certificate is trusted as an issuer of SSL certificates. For server certificates, use
"P,," to indicate that the certificate represents a trusted peer.
For more information about using the certutil utility, see:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
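After importing certificates you will want to confirm that each nickname carries the trust bits the guide prescribes, because a CA certificate imported with empty trust (",,") is stored but not trusted as an issuer. The following script is an added example (not from the HP guide or from NSS): it parses the listing that certutil -L prints, compares the trust attributes of each expected nickname against the intended flags ("CT,," for CA certificates, "P,," for server certificates) and reports mismatches. The certutil listing embedded below is a constructed sample so the check runs offline; the run_certutil_list() helper shows how to obtain the real listing on an LDAP-UX client using the database directory and certutil path from the guide.

```python
"""Verify trust flags in the LDAP-UX NSS certificate database after certutil -A."""
import re
import subprocess

# Constructed sample of `certutil -d /etc/opt/ldapux -L` output. The third
# entry deliberately shows a CA certificate imported without trust bits.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA cert                                                      CT,,
server cert                                                  P,,
Issuer2 CA cert                                              ,,
"""

# Expected trust attributes per nickname (assumed nicknames, following the guide).
EXPECTED = {"CA cert": "CT,,", "server cert": "P,,", "Issuer2 CA cert": "CT,,"}

# A data line is: nickname, two or more spaces, then the SSL,S/MIME,JAR trust triple.
TRUST_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_listing(text):
    """Return {nickname: trust_attributes} from certutil -L output.

    Header lines do not match TRUST_RE (no comma triple), so only
    certificate rows are collected.
    """
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def check_trust(certs, expected=EXPECTED):
    """Compare actual trust flags with the expected flags per nickname.

    Returns a list of (nickname, expected, actual) for every mismatch;
    actual is None when the nickname was never imported. An empty list
    means the database is configured as intended.
    """
    problems = []
    for nick, want in expected.items():
        got = certs.get(nick)
        if got != want:
            problems.append((nick, want, got))
    return problems


def run_certutil_list(dbdir="/etc/opt/ldapux",
                      certutil="/opt/ldapux/contrib/bin/certutil"):
    """Run the real listing on an LDAP-UX client (paths as given in the guide)."""
    out = subprocess.run([certutil, "-d", dbdir, "-L"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Replace SAMPLE_LISTING with run_certutil_list() on a real client.
    for nick, want, got in check_trust(parse_listing(SAMPLE_LISTING)):
        print(f"{nick!r}: expected trust {want}, found {got}")
```

On a real client, a mismatch for a CA certificate can be corrected in place with certutil -M -n "nickname" -t CT,, without re-importing the certificate.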
2.4.6.5 SSL/TLS ciphers
The SSL/TLS protocols support a variety of different cryptographic algorithms called ciphers for
use in operations such as authenticating the server and client to each other, transmitting certificates,
and establishing session keys. When an LDAP client connects to an LDAP directory server, the
server usually picks the strongest cipher supported by both client and server. Clients and servers
might support different cipher suites, or sets of ciphers, depending on a variety of factors. The
ciphers currently supported by LDAP-UX are listed in Table 8 (page 84).
Table 8 Supported ciphers

Message authentication          Key length   Encryption                                      Key exchange                                                        Version
MD5 (Message Digest algorithm)  128          RC4 (Rivest encryption)                         RSA (A public-key algorithm for both encryption and authentication) SSL3 and TLS
SHA1 (Secure Hash Algorithm)    168          3DES (Data Encryption Standard applied three times) RSA                                                           SSL3 and TLS
SHA1                            56           DES (Data Encryption Standard)                  RSA                                                                 SSL3 and TLS
MD5                             40           RC4                                             RSA                                                                 SSL3 and TLS
MD5                             40           RC2                                             RSA                                                                 SSL3 and TLS
SHA1                            56           RC4                                             RSA (1024-bit public key)                                           TLS
SHA1                            56           DES                                             RSA (1024-bit public key)                                           TLS
If vulnerabilities are discovered in cipher systems, administrators can use this list to determine
whether the cited vulnerabilities might affect their systems. If a cipher with a known vulnerability
is indeed being used, the appropriate administrator can disable the cipher in the central directory
server (not in LDAP-UX). For information about managing available ciphers for use with HP-UX
Directory Server, see the HP-UX Directory Server administrator guide.
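To use Table 8 the way the paragraph above describes, an administrator needs to match an advisory's affected algorithms, key lengths or protocol versions against the suites the client can negotiate. The script below is an added example (not from the HP guide): it transcribes the rows of Table 8 as data and returns, for each suite, the reasons it matches a given set of criteria. The criteria shown in the usage block (RC4, 56-bit or shorter keys, SSL3) are constructed inputs for illustration; which of these matter for a given deployment follows from the advisory being evaluated, and any resulting change is made on the directory server, as the guide states.

```python
"""Match the LDAP-UX cipher list (Table 8) against advisory criteria."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class CipherSuite:
    mac: str                  # message authentication algorithm
    key_bits: int             # symmetric key length in bits
    enc: str                  # bulk encryption algorithm
    kex: str                  # key exchange algorithm
    kex_bits: Optional[int]   # public key size when the table states one
    versions: Tuple[str, ...]  # protocol versions the suite is used with


# Rows transcribed from Table 8 of the guide.
TABLE_8 = (
    CipherSuite("MD5", 128, "RC4", "RSA", None, ("SSL3", "TLS")),
    CipherSuite("SHA1", 168, "3DES", "RSA", None, ("SSL3", "TLS")),
    CipherSuite("SHA1", 56, "DES", "RSA", None, ("SSL3", "TLS")),
    CipherSuite("MD5", 40, "RC4", "RSA", None, ("SSL3", "TLS")),
    CipherSuite("MD5", 40, "RC2", "RSA", None, ("SSL3", "TLS")),
    CipherSuite("SHA1", 56, "RC4", "RSA", 1024, ("TLS",)),
    CipherSuite("SHA1", 56, "DES", "RSA", 1024, ("TLS",)),
)


def audit(table, algorithms=(), max_key_bits=0, max_kex_bits=0, versions=()):
    """Return [(suite, [reasons])] for suites matching any criterion.

    algorithms   - algorithm names (MAC, encryption or key exchange) an
                   advisory names as affected
    max_key_bits - symmetric key lengths at or below this value match
    max_kex_bits - stated public key sizes at or below this value match
    versions     - protocol versions an advisory names as affected
    """
    algs = {a.upper() for a in algorithms}
    vers = {v.upper() for v in versions}
    hits = []
    for s in table:
        reasons = []
        for role, name in (("MAC", s.mac), ("encryption", s.enc), ("key exchange", s.kex)):
            if name.upper() in algs:
                reasons.append(f"{role} {name} named in advisory")
        if s.key_bits <= max_key_bits:
            reasons.append(f"{s.key_bits}-bit key")
        if s.kex_bits is not None and s.kex_bits <= max_kex_bits:
            reasons.append(f"{s.kex_bits}-bit {s.kex} key")
        hit_versions = sorted(set(s.versions) & vers)
        if hit_versions:
            reasons.append("protocol " + ", ".join(hit_versions))
        if reasons:
            hits.append((s, reasons))
    return hits


def describe(suite):
    """One-line label for a suite, e.g. 'SHA1/56-bit DES/RSA (TLS)'."""
    kex = f"{suite.kex}-{suite.kex_bits}" if suite.kex_bits else suite.kex
    return f"{suite.mac}/{suite.key_bits}-bit {suite.enc}/{kex} ({', '.join(suite.versions)})"


if __name__ == "__main__":
    # Constructed criteria for illustration only.
    for suite, reasons in audit(TABLE_8, algorithms=["RC4"], max_key_bits=56,
                                versions=["SSL3"]):
        print(describe(suite), "->", "; ".join(reasons))
```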
84 Installing and configuring LDAP-UX Client Services for an HP server environment