The United States government developed FORTEZZA, an encryption system used by federal and government agencies to manage sensitive but unclassified information. Use the Server Console and the Certificate Setup Wizard to configure your server to work with FORTEZZA. (If you are not using FORTEZZA with the Directory Server, the options are not available in the Server Console.) For information on installing the FORTEZZA hardware, see the documentation that came with your card reader.
This chapter includes:
What You Need To Do
Setting Up FORTEZZA
Activating FORTEZZA
Starting the Server with FORTEZZA Enabled
Disabling FORTEZZA
Specifying FORTEZZA Options
Install the FORTEZZA PKCS #11 module provided with the Netscape Administration Server. See Managing Servers with Netscape Console for information.
Use the Certificate Setup Wizard to create a trust database. See "Setting Up FORTEZZA" on page 308 for more information.
Activate FORTEZZA as described in "Activating FORTEZZA".
Restart the Directory Server as described in "Starting the Server with FORTEZZA Enabled".
Optional. If you are using client authentication with the Directory Server, you also need to trust the CAs used by any clients that will be querying the Directory Server.
Optional. Enable SSL for the Administration Server as described in Managing Servers with Netscape Console.
This walkthrough consists of the following steps:
Step 1: Install the FORTEZZA PKCS #11 Module
Step 2: Create a Trust Database
Before you can use FORTEZZA with your Directory Server, you must first install the FORTEZZA PKCS #11 module. For more information, refer to the online guide Managing Servers with Netscape Console before continuing with this procedure.
A Trust Database is a key-pair and trust database installed on the local host. When you use an external token and the external device has insufficient storage capacity, the local Trust Database stores your Certificate Revocation Lists (CRLs), certificate chains, and trusted CA information.
If you have already set up a Trust Database for the server's host, skip to "Activating FORTEZZA" on page 310.
To create the trust database:
On the Directory Server Console, select the Tasks tab and click Certificate Setup Wizard. A dialog box appears outlining the steps required to set up a server certificate. Click Next.
On the dialog box that appears, choose the default from the "Select a token (Cryptographic Device)" pull-down menu.
Under "Is the server certificate already requested and ready to install", select "Do not install a certificate". With FORTEZZA, your key is stored in an external device. Although you do not need to install a certificate, you do need to run the New Trust Database Setup program once.
Click Next.
Click Next again to create the trust database.
Enter and confirm the password you want to use for the trust database and click Next. The password must contain at least 8 characters, at least one of them numeric. This password helps secure access to the new key database you are creating.
A dialog appears confirming that the trust database has been created. Click Done to dismiss the Certificate Setup Wizard.
For more information about using FORTEZZA with the Directory Server, refer to Chapter 5 "Using SSL" of the online guide Managing Servers with Netscape Console and "Setting Up FORTEZZA" on page 308 in this manual before continuing with this procedure.
To turn on FORTEZZA communications in your Directory Server:
Make sure the hardware is attached correctly and put the card in the slot from which you want your server to read.
Create a trust database for the Directory Server. See "Setting Up FORTEZZA" on page 308 for more information.
Set the secure port you want the server to use for secure communications. See "Changing Directory Server Port Numbers" for information. The encrypted port number that you specify must not be the same port number you use for normal LDAP communications.
On the Directory Server Console, select the Configuration tab and then select the root entry in the navigation tree in the left pane.
Select the Encryption tab in the right pane. This displays the current server encryption settings.
Indicate that you want encryption enabled by selecting the "Enable SSL" checkbox.
Select the checkbox next to the cipher family or families you want to use. In order to use FORTEZZA, you must select the FORTEZZA checkbox and then select one or more of the FORTEZZA ciphers.
Click Cipher Preferences. The Cipher Preferences dialog box displays. You must select at least one FORTEZZA cipher to activate FORTEZZA. Click OK to return to the Encryption tab when you are finished. The Directory Server provides the following SSL 3.0 FORTEZZA ciphers:
FORTEZZA with 80-bit Skipjack encryption and SHA message authentication. Skipjack is a data encryption and decryption algorithm. For added security, FORTEZZA ciphers use SHA message authentication. SHA is a government standardized algorithm used to construct a message authentication code that detects attempts to modify data while it is in transit. SHA is slower than MD5, but it is stronger.
FORTEZZA with 128-bit RC4 encryption and SHA message authentication. This cipher has approximately 10^38 possible keys, making it very difficult to crack.
No encryption, only FORTEZZA/SHA message authentication. This cipher uses only SHA message authentication to secure data. Any data sent using this cipher is not encrypted. The data is protected from modification, but it can be viewed by eavesdroppers.
Select the token, or card slot, you want the server to use.
Enter the certificate, or personality, that you want to use in the "Certificate" text box. This certificate is stored on the FORTEZZA card.
If you want the server to use client authentication, select "Allow client authentication" or "Require client authentication" as appropriate. For more information about certificate-based authentication, see "Using Certificate-Based Authentication".
Click Save.
Restart the Directory Server. See "Starting the Server with FORTEZZA Enabled" on page 312 for information.
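The steps above impose several constraints that the Console does not check for you in one place: the secure port must differ from the LDAP port, SSL must be enabled, the FORTEZZA family needs at least one FORTEZZA cipher plus a token and a personality, and the trust database password must be at least 8 characters with one digit. The following script is an added example that is not part of this manual or of the Directory Server; the dictionary layout, field names and cipher labels are assumptions chosen to mirror the Encryption tab, not a product API. It also flags the null-encryption cipher, since a client that negotiates it sends directory data in the clear.

```python
"""Consistency checks for a Directory Server FORTEZZA/SSL encryption configuration.

Added example, not code from the manual or the product. The config dictionary,
its keys and the cipher labels are assumptions that mirror the Encryption tab.
"""
import re

# Labels constructed to stand for the three SSL 3.0 FORTEZZA ciphers listed in the text.
FORTEZZA_CIPHERS = {
    "fortezza-skipjack-sha": "80-bit Skipjack encryption, SHA message authentication",
    "fortezza-rc4-128-sha": "128-bit RC4 encryption, SHA message authentication",
    "fortezza-null-sha": "no encryption, SHA message authentication only",
}
NULL_ENCRYPTION_CIPHERS = {"fortezza-null-sha"}


def check_trust_db_password(password):
    """Rule from the text: at least 8 characters, at least one of them numeric."""
    return len(password) >= 8 and re.search(r"\d", password) is not None


def check_encryption_config(cfg):
    """Return a list of (level, message) findings; an empty list means the config is consistent.

    Assumed cfg keys: ldap_port, secure_port, ssl_enabled, fortezza_enabled,
    ciphers (list of labels), token, certificate, trust_db_password.
    """
    findings = []
    if cfg.get("secure_port") == cfg.get("ldap_port"):
        findings.append(("error", "secure port must differ from the normal LDAP port"))
    if not cfg.get("ssl_enabled"):
        findings.append(("error", "Enable SSL is not selected; no cipher family takes effect"))
    if cfg.get("fortezza_enabled"):
        chosen = [c for c in cfg.get("ciphers", []) if c in FORTEZZA_CIPHERS]
        if not chosen:
            findings.append(("error", "FORTEZZA family selected but no FORTEZZA cipher chosen"))
        if not cfg.get("token"):
            findings.append(("error", "no token (card slot) selected for the server to use"))
        if not cfg.get("certificate"):
            findings.append(("error", "no personality (certificate) named for key exchange"))
        null_chosen = [c for c in chosen if c in NULL_ENCRYPTION_CIPHERS]
        if chosen and len(null_chosen) == len(chosen):
            findings.append(("warning", "only the null-encryption cipher is enabled: data is "
                                        "protected from modification but readable by eavesdroppers"))
        elif null_chosen:
            findings.append(("warning", "null-encryption cipher enabled alongside others: a client "
                                        "may negotiate it and send directory data in the clear"))
    if not check_trust_db_password(cfg.get("trust_db_password", "")):
        findings.append(("error", "trust database password needs 8+ characters and at least one digit"))
    return findings


# Constructed sample configurations, not taken from any real deployment.
GOOD_CONFIG = {
    "ldap_port": 389, "secure_port": 636, "ssl_enabled": True, "fortezza_enabled": True,
    "ciphers": ["fortezza-skipjack-sha", "fortezza-rc4-128-sha"],
    "token": "FORTEZZA slot 1", "certificate": "dirserver-personality",
    "trust_db_password": "c0rrecthorse",
}
BAD_CONFIG = {
    "ldap_port": 389, "secure_port": 389, "ssl_enabled": True, "fortezza_enabled": True,
    "ciphers": ["fortezza-null-sha"],
    "token": "FORTEZZA slot 1", "certificate": "",
    "trust_db_password": "short",
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, "->", check_encryption_config(cfg) or "no findings")
```

Run the checks against the values you intend to enter before clicking Save; the warnings about the null-encryption cipher are the point most worth acting on, because the Console will happily accept that cipher as the only one enabled.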
If you want the Directory Server and Administration Server to use FORTEZZA for communications, you need to set up FORTEZZA for the Administration Server. See Managing Servers with Netscape Console for information.
This section explains:
Starting a FORTEZZA-Enabled Server From the Server Console (Windows NT Only)
Starting a FORTEZZA-Enabled Server From the Command Line
To start a FORTEZZA-enabled Directory Server from the Server Console on Windows NT:
On the server's host machine, make sure the hardware is attached correctly and put the card in the slot from which you want your server to read. You must start the Directory Server from the physical machine where you installed the Directory Server.
On the Directory Server Console, select the Tasks tab.
Click "Start the Directory Server".
When prompted, enter the PIN for the FORTEZZA card. The PIN is packaged with the FORTEZZA crypto card and is not provided by Netscape. If you are also using other SSL cipher families, you will also be prompted for the trust database (internal token) password.
To start a FORTEZZA-enabled Directory Server from the command line:
At the command prompt, type <NSHOME>/slapd-<serverID>/start-slapd and press Enter. Make sure you replace <NSHOME> with the server root directory and <serverID> with the name of the Directory Server.
When prompted, type the PIN for the FORTEZZA card and press Enter. The PIN is packaged with the FORTEZZA crypto card and is not provided by Netscape. If you are also using other SSL cipher families, you will also be prompted for the trust database (internal token) password.
To disable FORTEZZA, clear the FORTEZZA cipher family checkbox. For information on enabling FORTEZZA, see "Activating FORTEZZA" on page 310.
Restart the Directory Server. For information on how to do this, see "Starting the Server with FORTEZZA Enabled" or "Starting and Stopping the Directory Server" as appropriate.
The name of the personality (certificate) used in key exchange
The trust database password
Compromised Key List (CKL) and Certificate Revocation List (CRL) file locations
You must install a current Compromised Key List (CKL). For information, see "Managing Certificate Lists" in Chapter 5, "Using SSL" of Managing Servers with Netscape Console.
You must install and configure a trusted CA for the FORTEZZA PKF hierarchy. See Appendix C, "FORTEZZA" of Managing Servers with Netscape Console.
You also may need to configure the certificate mapping services of the Directory Server. See "Using Client Certificates" in Chapter 5, "Using SSL" of Managing Servers with Netscape Console.