Configuring Security Between the Proxy and Data Source Using dsconfig
To Configure Security Between the Proxy and Directory Servers Using dsconfig
The dsconfig tool accesses the server over a secured connection with certificate authentication. If you run dsconfig in non-interactive mode (dsconfig -n), how you specify the trust store parameters depends on whether you run the command locally or remotely. For more information on running the command locally or remotely, see Overview of the dsconfig Command.
This task highlights the main steps to take to configure security for connections to remote LDAP servers. Where the process is similar to that provided for configuring security between Sun OpenDS Standard Edition proxy and the client, pointers are given to the related procedure.
If the remote LDAP servers require client authentication from the Sun OpenDS Standard Edition proxy, perform the following sub-steps:
a. On the Sun OpenDS Standard Edition proxy, create a keystore and generate a certificate in it using the Java keytool. The keystore must be configured manually. For details, see Configuring Key Manager Providers.
b. Self-sign the certificate or have it signed by an external certificate authority. For details, see Configuring Key Manager Providers.
c. Configure a key manager provider that references this keystore. For details, see Configuring Key Manager Providers. This key manager provider can be separate from the one used for handling secure connections to clients.
d. For importing and exporting certificates for remote LDAP servers running the OpenDS software, see Configuring Key Manager Providers.
All remote LDAP servers that require a secure connection must have their certificates imported into a Sun OpenDS Standard Edition proxy truststore. All of these remote LDAP server certificates can be imported into a single proxy truststore or distributed among multiple proxy truststores; you can have as many Sun OpenDS Standard Edition proxy truststores as there are remote LDAP server certificates to import.
An LDAP proxy extension that targets a secured connection to a remote LDAP data source must reference the appropriate trust manager provider in its configuration. This gives the LDAP proxy extension access to the imported remote LDAP server certificate, so that it can accept the secure connection.
To list Sun OpenDS Standard Edition proxy trust manager providers, use the dsconfig list-trust-manager-providers command. For example:
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w password -X -n \
  list-trust-manager-providers
To create a Sun OpenDS Standard Edition proxy trust manager provider, use the dsconfig create-trust-manager-provider command. For example:
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w password -X -n \
  create-trust-manager-provider \
  --provider-name Backend\ Servers \
  --type file-based --set enabled:true \
  --set trust-store-file:/localhost/VDP1.0/config/backend-servers-truststore \
  --set trust-store-type:JKS \
  --set trust-store-pin-file:/installPath/VDP1.0/config/backend-servers-truststore.pin
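As an added worked example (not from the OpenDS documentation and not the product's own tooling), the following POSIX shell script carries the steps above through end to end: it writes the truststore PIN file with permissions restricted to the proxy's service user, imports each remote LDAP server certificate into the backend truststore under its own alias with the JDK keytool, registers the truststore as a file-based trust manager provider with the dsconfig create-trust-manager-provider command shown above, and lists what the proxy now trusts. The paths, the admin port, the admin.pin bind-password file, the use of -j instead of -w, and the alias=certificate-file argument convention are assumptions; keytool must be on the PATH.

```shell
#!/bin/sh
# Added example (not from the OpenDS documentation, not the product's own
# tooling): prepare the proxy-side truststore for remote LDAP servers and
# register it as a file-based trust manager provider with dsconfig.
# Assumed: keytool (JDK) on PATH, each remote server's certificate already
# exported to a file, and the placeholder paths/ports below.
set -eu

TRUSTSTORE="${TRUSTSTORE:-/installPath/VDP1.0/config/backend-servers-truststore}"
PIN_FILE="${PIN_FILE:-${TRUSTSTORE}.pin}"
ADMIN_HOST="${ADMIN_HOST:-localhost}"
ADMIN_PORT="${ADMIN_PORT:-4444}"

# Write the truststore PIN to a file readable only by the proxy's service
# user; dsconfig references this file through trust-store-pin-file.
write_pin_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Return 0 only if the pin file exists, is non-empty and is not readable by
# group or others (mode 600 or 400); anything else is a finding.
pin_file_ok() {
    [ -s "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Import one remote LDAP server certificate under its own alias, so a
# retired or compromised server can be removed without touching the others.
import_server_cert() {
    keytool -importcert -noprompt -storetype JKS \
        -keystore "$TRUSTSTORE" -storepass "$(cat "$PIN_FILE")" \
        -alias "$1" -file "$2"
}

# Print the aliases the truststore currently trusts, for an audit of what
# the proxy will accept from the backends.
list_trusted_aliases() {
    keytool -list -storetype JKS -keystore "$TRUSTSTORE" \
        -storepass "$(cat "$PIN_FILE")" |
        sed -n 's/^\([^,]*\),.*trustedCertEntry.*/\1/p'
}

# Create the pin file if needed, import every certificate given as
# alias=/path/to/cert, then register the provider. -j (bind password file,
# assumed path) keeps the admin password out of the process list; -X trusts
# the admin connector certificate blindly, as in the page's example, and
# should be replaced by a proper truststore for dsconfig in production.
main() {
    pin_file_ok "$PIN_FILE" || write_pin_file "$PIN_FILE" \
        "$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    for spec in "$@"; do
        import_server_cert "${spec%%=*}" "${spec#*=}"
    done
    dsconfig -h "$ADMIN_HOST" -p "$ADMIN_PORT" -D "cn=Directory Manager" \
        -j "${BIND_PW_FILE:-/installPath/VDP1.0/config/admin.pin}" -X -n \
        create-trust-manager-provider \
        --provider-name "Backend Servers" --type file-based \
        --set enabled:true \
        --set trust-store-file:"$TRUSTSTORE" \
        --set trust-store-type:JKS \
        --set trust-store-pin-file:"$PIN_FILE"
    list_trusted_aliases
}

# Runs only when invoked explicitly, e.g.:
#   sh backend-truststore.sh --run ds1=/tmp/ds1.pem ds2=/tmp/ds2.pem
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Keeping one alias per backend server is what makes the "distribute certificates among several truststores" option in the text unnecessary for most deployments: revocation of a single backend is a keytool -delete of that alias rather than a rebuild of the whole store.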
When managing connections to remote LDAP servers using dsconfig, a number of configurable LDAP Extension security connection properties are available. For information about managing LDAP extensions, see Configuring an LDAP Proxy. Configurable properties that either directly or indirectly relate to security considerations include the following:
The remote-ldap-server-ssl-policy property governs the overall security mode of the connections between the Sun OpenDS Standard Edition proxy and remote LDAP servers. Its use is covered in the section Modes of Secure Connection.
If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the incremental change of size of each pool is set to pool-increment. For more information on this property, see Viewing LDAP Proxy Element Properties.
If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the initial size, and minimum size, of each pool is set to pool-initial-size. In this case, therefore, there will initially be twice the total number of connections indicated in pool-initial-size. For details, see Modes of Secure Connection.
If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the maximum size of each pool is set to pool-max-size. The default value is 1000 connections. For more information on this property, see Viewing LDAP Proxy Element Properties.
The port number for SSL connections from Sun OpenDS Standard Edition proxy to the remote LDAP server.
When a keystore is created for client authentication, several keys can be stored in it. Use this property to specify which key to use. For more information about keystores, see Getting SSL Up and Running Quickly. See also Configuring Key Manager Providers.
Specifies a key manager provider to use for the LDAP Server Extension. The key manager provider is not mandatory and can be used if the remote LDAP server is configured for client authentication. The referenced key manager provider must be enabled. For more information about key manager providers, see Configuring Key Manager Providers.
If the ssl-trust-all parameter is set to true, all remote LDAP servers are trusted without certificate verification. The default value is false. Setting this value to true avoids having to import certificates from remote LDAP servers, but it is insecure, since the proxy can no longer tell a legitimate backend from an impostor presenting any certificate.
Note that although the interactive dsconfig --advanced command offers Blind Trust as a possible trust manager provider, Blind Trust is not supported for this release of the Sun OpenDS Standard Edition proxy. Instead, if you want to avoid importing certificates, set the ssl-trust-all parameter to true. This is an insecure deployment and is not recommended for production environments, only for testing purposes.
If remote-ldap-server-ssl-policy is set to never, the value of the ssl-trust-all parameter is irrelevant: all connections between the Sun OpenDS Standard Edition proxy and the remote LDAP servers are insecure (unencrypted) in this case. For more information on remote-ldap-server-ssl-policy, see Modes of Secure Connection.
Specifies which trust manager provider to use for the LDAP Server Extension. The trust manager provider is mandatory unless the ssl-trust-all parameter is set to true. The referenced trust manager provider must be enabled.