|Sun Java(TM) System Directory Proxy Server 5.2 2005Q1 Administration Guide|
Creating System Configuration Instances
System parameters are those that affect the functional behavior of Directory Proxy Server. This chapter explains how to specify and save system configuration.
The chapter contains the following sections:
Creating System Configuration Instances
This section explains how to configure system-specific parameters of a Directory Proxy Server instance.
To Create an Object for System Configuration
- Access the Directory Proxy Server Console as described in Accessing the Directory Proxy Server Consoles.
- Select a Directory Proxy Server instance and click Open.
- On the Directory Proxy Server Console press the Configuration tab.
- Click New.
The New Object window appears.
- In the Name field, type a name for the system configuration. The name must be a unique alphanumeric string. Press OK.
- In the Network tab, specify general settings for this system configuration:
Host. Enter the name of the host interface on which Directory Proxy Server will listen for connections. This attribute is needed only if the host running Directory Proxy Server has multiple network interfaces. By default, the hostname is set to "localhost," meaning Directory Proxy Server will listen on all available network interfaces. Leaving the value at "localhost" keeps the configuration free of host-specific addresses, so the same system configuration can be shared. Note that listening on all interfaces exposes the proxy on every network the host is attached to; to confine it to one network, enter the name or address of that interface instead.
Port. Enter the port number on which Directory Proxy Server will listen for incoming connections. Legal values for this field are 1 through 65535. By default, the value is set to 389, the port assigned to LDAP. This port number must be different from that used by any other LDAP server running on the same host. On UNIX platforms the server must be started as root to listen on a port number below 1024; use the User ID setting on the UNIX tab so that the server drops root privileges once it has started.
SSL port. Enter the port number on which to listen for LDAPS (LDAP over SSL) connections. By default, Directory Proxy Server does not listen for connections from LDAPS clients. A value, conventionally 636, must be present to enable LDAPS connections from clients that use this nonstandard function. This value must be different from the Port value. This option also requires TLS/SSL configuration, found on the Encryption tab.
- Press the SSL/TLS tab.
This window controls whether Directory Proxy Server presents its own certificate to backend servers and whether it requires certificates from clients. It gives the following options:
Send certificate when making SSL connection to LDAP server. Enable this setting if you want Directory Proxy Server to send its certificate to the backend LDAP directory server when making a TLS connection. By default this setting is disabled.
Require a client certificate. Enable this setting to specify that Directory Proxy Server will require all clients that establish an SSL session to submit a certificate chain. Directory Proxy Server will close the connection if a certificate chain is not submitted. Note that this option does not affect SSL sessions between Directory Proxy Server and the backend servers. By default this setting is disabled.
SSL/TLS Version. Use the drop-down lists next to Client > Directory Proxy Server and Directory Proxy Server > Backend to select the appropriate SSL/TLS version for each case. You must specify a version if SSL is enabled for the system. Prefer TLS on both legs: SSL 2.0 and SSL 3.0 are obsolete protocol versions and are prohibited by RFC 6176 and RFC 7568 respectively.
- Press the Connections tab and specify how Directory Proxy Server should maintain its connections.
This displays the Directory Proxy Server connection backlog value, allows you to specify a maximum number of connections, and set connection pool timeout values. Select entries for:
Connection backlog. Enter a value greater than zero specifying the maximum number of outstanding connections in the listening socket's queue. The default is 128 connections. The maximum value depends on the underlying operating system configuration.
Specify maximum number of connections. Select the option and enter a value (greater than zero) specifying the maximum number of simultaneous client connections that Directory Proxy Server will accept. To allow an unlimited number of simultaneous connections, do not select this option.
Enable Connection Pool. Enables the connection pool module, with which Directory Proxy Server preconnects to the directory servers. The default for this setting is disabled. If the connection pool is enabled, Directory Proxy Server will try to reuse existing connections to the backend LDAP servers. Switching on this option can give a significant performance gain if the backend server is on a Wide Area Network (WAN). Enter the following values:
Interval. Enter the interval in seconds (greater than or equal to one) at which Directory Proxy Server samples the incoming requests to anticipate future activity. The default is 15.
Specify timeout. Select the option and enter the period in seconds (greater than or equal to zero) after which an idle connection to an LDAP server will be terminated. If the checkbox is unchecked, no timeout is applied. The default is 30. This value should be less than the idle connection timeout value of the backend LDAP server; otherwise the backend may close a pooled connection that the proxy still considers usable.
- Press the UNIX Tab.
This panel contains attributes that pertain to Directory Proxy Servers in a UNIX environment only.
User ID. Enter the user ID under which Directory Proxy Server will run. If Directory Proxy Server is started as root (for example, to bind a port below 1024), it changes its uid to the one specified here after startup. The default is to switch to nobody. Do not specify root here, since the server would then keep its privileges for its whole lifetime.
Working directory. Enter the directory from which Directory Proxy Server should run. Directory Proxy Server changes its working directory to the value of this attribute on startup. The default is /tmp. Because relative paths and any core files resolve against this directory, a dedicated directory owned by the User ID above is preferable to the world-writable /tmp.
- Select the Encryption tab and configure Directory Proxy Server for SSL-enabled communication. For information on configuring the server for SSL communication see Configuring Security.
The Encryption Tab allows you to configure the following parameters:
Refresh. Click to refresh the current screen values. Refresh the screen to see newly created certificates.
Enable SSL for this server. Select this box to enable the SSL/TLS settings Directory Proxy Server needs to listen on a secure connection. If an SSL port is specified, you must enable this setting in order to save the configuration.
Use this cipher family RSA. Select this box to set the Security Device, Certificate, and Cipher Settings for this instance of Directory Proxy Server.
Security Device. Click the drop-down window to select from available options. The default is internal (software).
Certificate. Click the drop-down window to select from available options.
Cipher. Select Settings to set SSL 2.0, SSL 3.0, and TLS Cipher Preferences. Press the SSL 2.0, SSL 3.0, and TLS tabs and select the box next to each desired cipher. Leave every cipher on the SSL 2.0 tab unselected, and prefer the TLS tab over SSL 3.0, since both older protocol versions are obsolete.
- Click Save to save the object.
The Directory Proxy Server configuration is modified, and you are prompted to restart the servers that rely on this configuration. Don't restart the servers yet. You can do this after you've completed all the configuration changes.
- Restart the servers as described in Restarting Directory Proxy Server.
Changes to the Host, Port, and SSL port fields in the Network tab require stopping and starting Directory Proxy Server.
For instructions to stop and start Directory Proxy Server, see Starting and Stopping Directory Proxy Server.
The utility dpsconfig2ldif is used to download Directory Proxy Server configuration and save it in an LDIF file. The utility is found at the following location:
The utility requires two arguments:
- The path to the startup configuration file. This is usually the tailor.txt file in the etc directory.
- The name of the LDIF file in which to write the configuration.
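Once dpsconfig2ldif has written the configuration to LDIF, the constraints stated in the procedure above (legal port range, SSL port distinct from the LDAP port, SSL enabled whenever an SSL port is set, a non-root User ID, a working directory other than /tmp, no SSL 2.0 ciphers) can be checked offline before the servers are restarted. The following script is an added example, not code from the product or this guide. The attribute names in ATTRS are assumed placeholders, since the guide does not list the attribute names of the export; replace them with the names that appear in your own dpsconfig2ldif output. The sample LDIF embedded in the script is constructed for demonstration and includes a base64 value and a folded line to exercise the parser.

```python
"""Lint a Directory Proxy Server system-configuration LDIF export against the
constraints stated in the administration guide. Added example, not Sun's code."""
import base64
import re

# ASSUMPTION: placeholder attribute names. Replace them with the names that
# actually appear in your dpsconfig2ldif output.
ATTRS = {
    "port": "dps-port",
    "ssl_port": "dps-ssl-port",
    "ssl_enabled": "dps-ssl-enabled",
    "uid": "dps-unix-uid",
    "workdir": "dps-working-dir",
    "ssl2_ciphers": "dps-ssl2-ciphers",
}

LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of entries, each a dict mapping a lowercase attribute name
    to its list of values. Handles '#' comments, folded continuation lines
    (leading space, RFC 2849) and base64-encoded values ('attr:: ...')."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # unfold first
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def lint_entry(entry):
    """Return the list of problems found in one system-configuration entry."""
    def first(key):
        vals = entry.get(ATTRS[key])
        return vals[0] if vals else None

    problems = []
    port, ssl_port = first("port"), first("ssl_port")
    if port is not None and not 1 <= int(port) <= 65535:
        problems.append("port %s is outside 1-65535" % port)
    if ssl_port is not None:
        if not 1 <= int(ssl_port) <= 65535:
            problems.append("SSL port %s is outside 1-65535" % ssl_port)
        if port is not None and int(ssl_port) == int(port):
            problems.append("SSL port equals the LDAP port")
        if (first("ssl_enabled") or "false").lower() != "true":
            problems.append("SSL port is set but SSL not enabled; the console will not save this")
    if (first("uid") or "nobody").lower() == "root":
        problems.append("User ID is root: the server never drops the privileges it needed to bind")
    if first("workdir") == "/tmp":
        problems.append("working directory is the world-writable /tmp default")
    if entry.get(ATTRS["ssl2_ciphers"]):
        problems.append("SSL 2.0 ciphers are enabled; SSL 2.0 is prohibited by RFC 6176")
    return problems


def lint(ldif_text):
    """Map each entry DN to its problems, omitting entries that pass."""
    report = {}
    for entry in parse_ldif(ldif_text):
        problems = lint_entry(entry)
        if problems:
            report[entry["dn"][0]] = problems
    return report


# Constructed sample export for demonstration; not real dpsconfig2ldif output.
SAMPLE_LDIF = """\
# weak configuration: SSL port collides with the LDAP port, SSL disabled,
# runs as root, /tmp (base64-encoded) as working directory, SSL 2.0 ciphers on
dn: cn=weak-system,cn=config
objectclass: top
dps-port: 389
dps-ssl-port: 389
dps-ssl-enabled: false
dps-unix-uid: root
dps-working-dir:: L3RtcA==
dps-ssl2-ciphers: SSL_RC4_128_WITH_MD5
dps-ssl2-ciphers: SSL_DES_192_EDE3_CBC_WITH_MD5

dn: cn=hardened-system,cn=config
objectclass: top
dps-port: 389
dps-ssl-port: 636
dps-ssl-enabled: true
dps-unix-uid: ldapproxy
dps-working-dir: /var/opt/
 dps
"""

if __name__ == "__main__":
    for dn, problems in lint(SAMPLE_LDIF).items():
        print(dn)
        for p in problems:
            print("  -", p)
```

Run it against a real export with `lint(open("dps-config.ldif").read())` after mapping ATTRS. The backend idle timeout cannot be checked from the proxy's export alone, so the pool timeout comparison from the Connections tab is left to the operator.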