8
Managing Secure Sockets Layer (SSL)

If you use Secure Sockets Layer (SSL), you may also configure strong authentication, data integrity, and data privacy. This section discusses these topics in the following sections:

Supported Cipher Suites

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.

The Oracle Internet Directory supports the following SSL cipher suites:

Table 8-1 SSL Cipher Suites Supported in Oracle Internet Directory

Cipher Suite	Authentication	Encryption	Data Integrity
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	RSA	DES40	SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5	RSA	RC4_40	MD5
SSL_RSA_WITH_NULL_SHA	RSA	None	SHA
SSL_RSA_WITH_NULL_MD5	RSA	None	MD5

SSL Client Scenarios

Oracle Internet Directory clients can use SSL 2.0 or SSL 3.0. A client over SSL can connect to a server either anonymously or by using simple authentication.

When both a client and server authenticate themselves to each other, SSL derives the identity information it requires from the certificate.

Configuring SSL Parameters

During start-up of a directory server instance, the directory reads a set of configuration parameters, including the parameters for the SSL profile. If you are going to run the directory with SSL enabled, you need to examine--and possibly reconfigure--the SSL parameters in the configuration set entry.

To run a server instance in secure mode, modify the configuration settings to run with the secure port 636 as the default port.

See Also:

"Managing Server Configuration Set Entries" for instructions on how to set these parameters

Table F-1 for a description of these parameters

You can create and modify multiple sets of configuration parameters with differing values, using a different configuration set entry for each instance of Oracle Internet Directory. This is a useful way to accommodate clients with different security needs.

Oracle Corporation recommends that you create separate configuration sets and modify their SSL values, rather than modify SSL values in the default configuration set. This is because the default configuration set is the model from which all other configuration sets are drafted.

Configuring SSL Parameters by Using Oracle Directory Manager

You can examine and modify the values for the SSL configuration parameters in each configuration set entry that you have created and in each server instance that is currently running.

Note:
You cannot directly change the parameters for an active instance. If you want to change the parameters for an active instance, change the parameters in a configuration set entry and save it. After it is saved, you can stop current instances and refer to the newly modified configuration set in the start server message.

To view and modify SSL configuration parameters:

In Oracle Directory Manager's navigator pane, expand Oracle Internet Directory Servers > server you want to explore > Server Management.
Expand either Directory Server or Replication Server, as appropriate. The numbered configuration sets are listed beneath your selection.
Select the configuration set that you want to examine. The group of tab pages for that configuration set entry appear in the right pane.
Select the SSL Settings tab:

You can change the parameters in this tab page and save them. The fields in this tab page are described in Table 5-2 .

See Also:
"Managing Server Configuration Set Entries by Using Oracle Directory Manager" for information on changing parameters in a configuration set entry