

Chapter 12 Managing FORTEZZA

The United States government developed FORTEZZA, an encryption system used by federal and government agencies to manage sensitive but unclassified information. Use the Server Console and the Certificate Setup Wizard to configure your server to work with FORTEZZA. (If you are not using FORTEZZA with the Directory Server, the options are not available in the Server Console.) For information on installing the FORTEZZA hardware, see the documentation that came with your card reader.

This chapter includes:


What You Need To Do
Before you can use FORTEZZA with the Directory Server, you need to complete the following:

  1. Install the FORTEZZA PKCS #11 module provided with the Netscape Administration Server. See Managing Servers with Netscape Console for information.
  2. Use the Certificate Setup Wizard to create a trust database. See "Setting Up FORTEZZA" on page 308 for more information.
  3. Activate FORTEZZA as described in "Activating FORTEZZA".
  4. Restart the Directory Server as described in "Starting the Server with FORTEZZA Enabled".
  5. Optional. If you are using client authentication with the Directory Server, you also need to trust the CAs used by any clients that will be querying the Directory Server.
  6. Optional. Enable SSL for the Administration Server as described in Managing Servers with Netscape Console.

Setting Up FORTEZZA
This section walks you through the process of configuring your server to work with FORTEZZA. This process is a necessary first step before you activate FORTEZZA in your directory. (For information on activating FORTEZZA in your Directory Server, see "Activating FORTEZZA" on page 310.) Before you begin, ensure that the FORTEZZA hardware is correctly connected to the Directory Server's host computer.

This walkthrough consists of the following steps:

Step 1: Install the FORTEZZA PKCS #11 Module

Before you can use FORTEZZA with your Directory Server, you must first install the FORTEZZA PKCS #11 module. For more information, refer to the online guide Managing Servers with Netscape Console before continuing with this procedure.

Step 2: Create a Trust Database

A Trust Database is a key-pair and trust database installed on the local host. When you use an external token and the external device has insufficient storage capacity, the local Trust Database stores your Certificate Revocation Lists (CRLs), certificate chains, and trusted CA information.

If you have already set up a Trust Database for the server's host, skip to "Activating FORTEZZA" on page 310.

To create the trust database:

  1. On the Directory Server Console, select the Tasks tab and click Certificate Setup Wizard. A dialog box appears outlining the steps required to set up a server certificate. Click Next.
  2. On the dialog box that appears, choose the default from the "Select a token (Cryptographic Device)" pull-down menu.
  3. Under "Is the server certificate already requested and ready to install", select "Do not install a certificate".

     With FORTEZZA, your key is stored in an external device. Although you do not need to install a certificate, you do need to run the New Trust Database Setup program once.

  4. Click Next.
  5. Click Next again to create the trust database.
  6. Enter and confirm the password you want to use for the trust database and click Next.

     The password must contain at least 8 characters, at least one of them numeric. This password helps secure access to the new key database you are creating.

  7. A dialog appears confirming that the trust database has been created. Click Done to dismiss the Certificate Setup Wizard.

Activating FORTEZZA
Most of the time, you want your server to run with FORTEZZA enabled. If you temporarily disable FORTEZZA, make sure you re-enable it before processing transactions that require confidentiality, authentication, or data integrity.

For more information about using FORTEZZA with the Directory Server, refer to Chapter 5 "Using SSL" of the online guide Managing Servers with Netscape Console and "Setting Up FORTEZZA" on page 308 in this manual before continuing with this procedure.

To turn on FORTEZZA communications in your Directory Server:

  1. Make sure the hardware is attached correctly and put the card in the slot from which you want your server to read.
  2. Create a trust database for the Directory Server. See "Setting Up FORTEZZA" on page 308 for more information.
  3. Set the secure port you want the server to use for secure communications. See "Changing Directory Server Port Numbers" for information.

     The encrypted port number that you specify must not be the same port number you use for normal LDAP communications.

  4. On the Directory Server Console, select the Configuration tab and then select the root entry in the navigation tree in the left pane.
  5. Select the Encryption tab in the right pane. This displays the current server encryption settings.
  6. Indicate that you want encryption enabled by selecting the "Enable SSL" checkbox.
  7. Select the checkbox next to the cipher family or families you want to use.

     In order to use FORTEZZA, you must select the FORTEZZA checkbox and then select one or more of the FORTEZZA ciphers.

  8. Click Cipher Preferences.

     The Cipher Preferences dialog box displays. You must select at least one FORTEZZA cipher to activate FORTEZZA. Click OK to return to the Encryption tab when you are finished.

     The Directory Server provides the following SSL 3.0 FORTEZZA ciphers:

  9. Select the token, or card slot, you want the server to use.
  10. Enter the certificate, or personality, that you want to use in the "Certificate" text box. This certificate is stored on the FORTEZZA card.
  11. If you want the server to use client authentication, select "Allow client authentication" or "Require client authentication" as appropriate. For more information about certificate-based authentication, see "Using Certificate-Based Authentication".
  12. Click Save.
  13. Restart the Directory Server. See "Starting the Server with FORTEZZA Enabled" on page 312 for information.

WARNING! Requiring client authentication disables communication between Netscape Console and the Directory Server. This is because Netscape Console does not support client authentication. If you configure the server to require client authentication, you will no longer be able to manage your Netscape Servers from Netscape Console; instead, you must use the command-line tools.

If you want the Directory Server and Administration Server to use FORTEZZA for communications, you need to set up FORTEZZA for the Administration Server. See Managing Servers with Netscape Console for information.


Starting the Server with FORTEZZA Enabled
If you are using FORTEZZA on Windows NT, you can start the Directory Server from the Server Console. For all platforms, you can start the server from the command line. In either case, you must start the server from the physical machine where you installed the Directory Server.

This section explains:

Starting a FORTEZZA-Enabled Server From the Server Console (Windows NT Only)

To start a FORTEZZA-enabled Directory Server from the Server Console on Windows NT:

  1. On the server's host machine, make sure the hardware is attached correctly and put the card in the slot from which you want your server to read.

     You must start the Directory Server from the physical machine where you installed the Directory Server.

  2. On the Directory Server Console, select the Tasks tab.
  3. Click "Start the Directory Server".
  4. When prompted, enter the PIN for the FORTEZZA card.

     The PIN number is packaged with the FORTEZZA crypto card and is not provided by Netscape. If you are also using other SSL cipher-families, you will also be prompted for the trust database (internal token) password.

Starting a FORTEZZA-Enabled Server From the Command Line

To start a FORTEZZA-enabled Directory Server from the command line:

  1. On the server's host machine, make sure the hardware is attached correctly and put the card in the slot from which you want your server to read.

     You must start the Directory Server from the physical machine where you installed the Directory Server.

  2. At the command prompt, type <NSHOME>/slapd-<serverID>/start-slapd and press Enter. Make sure you replace <NSHOME> with the server root directory and <serverID> with the name of the Directory Server.
  3. When prompted, type the PIN number for the FORTEZZA card and press Enter.

     The PIN number is packaged with the FORTEZZA crypto card and is not provided by Netscape. If you are also using other SSL cipher-families, you will also be prompted for the trust database (internal token) password.


Disabling FORTEZZA
You disable FORTEZZA by configuring the server not to use the FORTEZZA cipher family for encrypted communications. Disabling FORTEZZA will disable SSL if you are using only FORTEZZA ciphers. For information on disabling SSL, see "Activating SSL" on page 299. To enable or disable FORTEZZA for your server:

  1. On the Directory Server Console, select the Configuration tab and then select the root entry in the navigation tree in the left pane.
  2. Select the Encryption tab in the right pane. This displays the current server encryption settings.
  3. To disable FORTEZZA, clear the FORTEZZA cipher family checkbox. For information on enabling FORTEZZA, see "Activating FORTEZZA" on page 310.
  4. Click Save.
  5. Restart the Directory Server. For information on how to do this, see "Starting the Server with FORTEZZA Enabled" or "Starting and Stopping the Directory Server" as appropriate.
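The rules an administrator has to keep straight across "Setting Up FORTEZZA" (the trust database password policy), "Activating FORTEZZA" (the secure port must differ from the LDAP port, the FORTEZZA family needs at least one cipher, requiring client authentication cuts off Netscape Console) and "Disabling FORTEZZA" (SSL goes down if FORTEZZA was the only family with ciphers) are small enough to encode as a pre-flight check. The following is an added example written for this page, not code from the Netscape manual or the Directory Server; the function names, the `cipher_families` mapping and the sample port numbers and cipher names are assumptions made for the example, not values from the product.

```python
# Added example (not from the Netscape manual): consistency checks for the
# choices this chapter asks an administrator to make before enabling or
# disabling FORTEZZA. The rules come from the chapter text; the data model
# (a dict of cipher family -> selected ciphers) is an assumption for the example.
from typing import Dict, List, Set, Tuple

FORTEZZA_FAMILY = "FORTEZZA"


def check_trust_db_password(password: str) -> List[str]:
    """Return the trust database password rules that `password` violates.

    The chapter requires at least 8 characters, at least one of them numeric.
    """
    problems = []
    if len(password) < 8:
        problems.append("password must contain at least 8 characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("password must contain at least one numeric character")
    return problems


def check_activation(ssl_enabled: bool, ldap_port: int, secure_port: int,
                     cipher_families: Dict[str, Set[str]],
                     client_auth: str = "none") -> Tuple[List[str], List[str]]:
    """Check the Encryption tab choices from "Activating FORTEZZA".

    cipher_families maps each selected family to the ciphers chosen for it in
    Cipher Preferences; client_auth is "none", "allow" or "require".
    Returns (errors, warnings): errors mean FORTEZZA will not activate,
    warnings flag consequences the chapter calls out but does not forbid.
    """
    errors, warnings = [], []
    if not ssl_enabled:
        errors.append("'Enable SSL' is not selected")
    if secure_port == ldap_port:
        errors.append("the secure port must differ from the normal LDAP port")
    if FORTEZZA_FAMILY not in cipher_families:
        errors.append("the FORTEZZA cipher family is not selected")
    elif not cipher_families[FORTEZZA_FAMILY]:
        errors.append("at least one FORTEZZA cipher must be selected")
    if client_auth == "require":
        warnings.append("requiring client authentication disables management "
                        "from Netscape Console; command-line tools are needed")
    return errors, warnings


def ssl_survives_disabling_fortezza(cipher_families: Dict[str, Set[str]]) -> bool:
    """Per "Disabling FORTEZZA": clearing the FORTEZZA family leaves SSL running
    only if some other selected family still has at least one cipher chosen."""
    return any(ciphers for family, ciphers in cipher_families.items()
               if family != FORTEZZA_FAMILY)


if __name__ == "__main__":
    # Constructed sample settings: 389/636 and the cipher names are placeholders,
    # not values taken from the manual.
    families = {FORTEZZA_FAMILY: {"fortezza-cipher-placeholder"}}
    print(check_trust_db_password("short1"))
    print(check_activation(True, 389, 636, families, client_auth="require"))
    print(ssl_survives_disabling_fortezza(families))
```

Run the checks against the values you intend to enter in the Console before clicking Save; the errors list corresponds to the steps the server will reject or that leave FORTEZZA inactive, while the warnings list and `ssl_survives_disabling_fortezza` cover the two side effects the chapter warns about (losing Console management, and losing SSL entirely when FORTEZZA is the only cipher family).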

Specifying FORTEZZA Options
You can configure the following options for the Directory Server:

For information on how to manage these options, see "Managing Server Certificates" in Chapter 5 "Using SSL" of Managing Servers with Netscape Console.


Using FORTEZZA With Client Authentication
To use FORTEZZA with client authentication:


© Copyright 1999 Netscape Communications Corporation, a subsidiary of America Online, Inc. All Rights Reserved.