Exit Print View

Sun OpenDS Standard Edition 2.2 Administration Guide

Get PDF Book Print View
 
Previous Next

Document Information

Before You Start

Starting and Stopping Your Server Instance

Configuring the Server Instance

Configuring the Proxy Components

Configuring Security Between Clients and Servers

Getting SSL Up and Running Quickly

To Accept SSL-Based Connections Using a Self-Signed Certificate

Configuring Key Manager Providers

Key Manager Provider Overview

Using the JKS Key Manager Provider

To Generate the Private Key

To Self-Sign the Certificate

To Sign the Certificate by Using an External Certificate Authority

To Configure the JKS Key Manager Provider

Using the PKCS #12 Key Manager Provider

Using the PKCS #11 Key Manager Provider

Configuring Trust Manager Providers

Overview of Certificate Trust Mechanisms

Using the Blind Trust Manager Provider

Using the JKS Trust Manager Provider

Using the PKCS #12 Trust Manager Provider

Configuring Certificate Mappers

Using the Subject Equals DN Certificate Mapper

Using the Subject Attribute to User Attribute Certificate Mapper

Using the Subject DN to User Attribute Certificate Mapper

Using the Fingerprint Certificate Mapper

Configuring SSL and StartTLS for LDAP and JMX

Configuring the LDAP and LDAPS Connection Handlers

To Enable a Connection Handler

To Specify a Connection Handler's Listening Port

To Specify a Connection Handler's Authorization Policy

To Specify a Nickname for a Connection Handler's Certificate

To Specify a Connection Handler's Key Manager Provider

To Specify a Connection Handler's Trust Manager Provider

To Enable StartTLS Support

To Enable SSL-Based Communication

Enabling SSL in the JMX Connection Handler

Using SASL Authentication

Supported SASL Mechanisms

Authorization IDs

SASL Options for the ANONYMOUS Mechanism

SASL Options for the CRAM-MD5 Mechanism

SASL Options for the DIGEST-MD5 Mechanism

SASL Options for the EXTERNAL Mechanism

SASL Options for the GSSAPI Mechanism

SASL Options for the PLAIN Mechanism

Configuring SASL Authentication

Configuring SASL External Authentication

Configuring SASL DIGEST-MD5 Authentication

Configuring SASL GSSAPI Authentication

Configuring Kerberos and the Sun OpenDS Standard Edition Directory Server for GSSAPI SASL Authentication

To Configure Kerberos V5 on a Host

To Specify SASL Options for Kerberos Authentication

Example Configuration of Kerberos Authentication Using GSSAPI With SASL

Troubleshooting Kerberos Configuration

Testing SSL, StartTLS, and SASL Authentication With ldapsearch

ldapsearch Command Line Arguments Applicable To Security

Testing SSL

Testing StartTLS

Testing SASL External Authentication

Controlling Connection Access using Allowed and Denied Rules

Configuration

Configuring Security Between the Proxy and the Data Source

Configuring Servers With the Control Panel

Managing Directory Data

Replicating Directory Data

Controlling Access To Data

Managing Users and Groups

Monitoring Sun OpenDS Standard Edition

Improving Performance

Advanced Administration

Using the PKCS #12 Key Manager Provider

PKCS #12 is a standard format for storing certificate information, including private keys. Sun OpenDS Standard Edition can use a PKCS #12 file as a certificate keystore if it includes the private key for the certificate.

Because PKCS #12 is a common format for storing certificate information, you might already have a certificate in this format, or the certificate authority (CA) that you use might create certificates in this form. In some cases, it might also be possible to convert an existing certificate into PKCS #12 format. For example, if you already have a certificate in a Network Security Services (NSS) certificate database, then the NSS pk12util tool can import it. The following example uses the pk12util tool to export a certificate named server-cert contained in the database ../../alias/slapd-config-key3.db to a PKCS #12 file, /tmp/server-cert.p12:

$ ./pk12util -n server-cert -o /tmp/server-cert.p12 \
  -d ../../alias -P "slapd-config-"

To create a new certificate in PKCS #12 format, use the procedure described in Using the JKS Key Manager Provider for obtaining a certificate in a JKS keystore. The only difference in the process is that you should use -storetype PKCS12 instead of -storetype JKS when you invoke the keytool commands. For example, to create a self-signed certificate in a PKCS #12 file, use the following commands:

$ keytool -genkey -alias server-cert -keyalg rsa \
  -dname "CN=server.example.com,O=example.com,C=US" \
  -keystore config/keystore.p12 -keypass password \
  -storetype PKCS12 -storepass password

Note - The preceding command uses syntax for the keytool provided with Java 1.5. If your installation uses Java 1.6, substitute -genkeypair for the -genkey option.

$ keytool -selfcert -alias server-cert -validity 1825 \
  -keystore config/keystore.p12 -keypass password \
  -storetype PKCS12 -storepass password

As with JKS, the server provides a template key manager provider for use with PKCS #12 certificate files that uses the same set of configuration attributes as the configuration entry for the JKS key manager provider. The only differences are that the value of the key-store-type attribute must be PKCS12, and the key-store-file attribute should refer to the location of the PKCS #12 file rather than a JKS keystore. The following example uses dsconfig to configure the PKCS #12 keystore manager provider:

$ dsconfig -D "cn=directory manager" -w password -X -n\
  set-key-manager-provider-prop --provider-name "PKCS12" --advanced

For a complete list of configurable properties, see the File Based Key Manager Provider Configuration.

Legal Copyright 1994-2009 Sun Microsystems, Inc.
Previous Next