

Chapter 11 Managing SSL

To provide secure communications over the network, the Netscape Directory Server provides the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of Secure Sockets Layer (SSL).

To use LDAPS, you:

  1. Obtain and install a certificate for your directory server, and configure the directory server to trust the certification authority's certificate. For information, see "Obtaining and Installing Server Certificates".
  2. Turn on SSL in your directory. For information, see "Activating SSL".
  3. Configure the administration server to connect to an SSL-enabled directory server. For information, see Managing Servers with Netscape Console.
If you are using FORTEZZA, please read Chapter 12, "Managing FORTEZZA," for information before you attempt to set up SSL.

For a complete description of SSL, internet security, certificates, and setting up certificate databases, see Managing Servers with Netscape Console.

The directory server is capable of simultaneous SSL and non-SSL communications. This means that you do not have to choose between SSL or non-SSL communications for your directory server; you can use both at the same time.

This chapter describes how to use SSL with your directory server in the following sections:

  "Obtaining and Installing Server Certificates"
  "Activating SSL"
  "Setting Security Preferences"
  "Using Certificate-Based Authentication"
  "Creating Certificate Databases for LDAP Clients"


Obtaining and Installing Server Certificates
This section describes the process of creating a certificate database, obtaining and installing a certificate for use with your directory server, and configuring the directory server to trust the certification authority's (CA) certificate. This process is a necessary first step before you can turn on SSL in your directory. If you have already completed these tasks, see "Activating SSL". If you are using FORTEZZA with your directory server, see Chapter 12, "Managing FORTEZZA." Obtaining and installing certificates consists of the following five steps:

  "Step 1: Generate a Certificate Request"
  "Step 2: Send the Certificate Request"
  "Step 3: Install the Certificate"
  "Step 4: Trust the Certificate Authority"
  "Step 5: Confirm That Your New Certificates Are Installed"

You use the Certificate Setup Wizard three times: to request a certificate from a Certificate Authority, to install the certificate when the CA returns it, and to trust the CA's certificate. The wizard also creates the key-pair and certificate database for you. For a complete overview of the Certificate Setup Wizard, see the online help or Managing Servers with Netscape Console.

Step 1: Generate a Certificate Request

To generate a certificate request and send it to a CA:

  1. On the Directory Server Console, select the Tasks tab and click Certificate Setup Wizard.
  2. A dialog box appears outlining the steps required to set up a server certificate. Click Next.
  3. On the dialog box that appears, select Internal (software) from the "Select a token (Cryptographic Device)" drop-down menu.
  4. Under "Is the server certificate already requested and ready to install?", choose No if you have never submitted a request for this certificate. Choose Yes only when you are ready to install the certificate, as described in "Step 3: Install the Certificate". Choose the third option only if you are using FORTEZZA, in which case your key is stored in an external device; see Chapter 12, "Managing FORTEZZA."
  5. Click Next. If a certificate database already exists for the server's host, skip to the next step. If it does not, click Next again to create one. A certificate database is a key-pair and certificate database installed on the local host; when you use an internal token, it is the database into which the key and certificate are installed.
  6. On the dialog box that appears, enter and confirm the password you want to use for the certificate database and click Next. The password must contain at least 8 characters, at least one of them numeric. This password protects the server's private key in the new key database; choose it carefully and record it securely, because you must supply it whenever the server starts with SSL enabled.

    Once the certificate database is created, the wizard displays a confirmation dialog. Click Next to continue.

  7. A dialog appears confirming that the wizard is ready to continue with the certificate setup. It indicates that you need to determine the distinguished name for the server and have that information at hand. See the online help for more information. Click Next.
  8. The Generating a Certificate Request - Step 1 dialog box appears. If prompted, select a token from the list of legal key tokens you can use, enter the password you used when you set up the certificate database, and then click Next.
  9. The Generating a Certificate Request - Step 2 dialog box appears. Select whether this is a request for a new server certificate or a renewal of an existing one. If you have no certificate yet, choose New Certificate. If you already have a certificate and want to replace or renew it, choose Certificate Renewal; it takes less time.
  10. Enter the email address of the CA administrator to whom your certificate request should be sent. If you want, click Show CA to launch a web browser and view a list of the Certificate Authorities available to you.
  11. Click Next. The Generate a Certificate Request - Step 3 dialog box appears. Enter the following information and click Next.

    Your name. Enter your user ID.

    Telephone. Enter a telephone number where the CA can reach you if necessary.

    Server Host Name. Enter the fully qualified hostname of the directory server as it is used in DNS lookups, for example, dir.airius.com. This becomes the common name (CN) of the certificate, which SSL clients compare with the hostname they connected to; if the two differ, clients that verify the server certificate reject the connection.

    Email Address. Enter your business email address. This is used for correspondence between you and the CA.

    Organization. Enter the legal name of your company or institution. Most CAs require you to verify this information with legal documents such as a copy of a business license.

    Organizational Unit. Optional. Enter a descriptive name for your organization within your company.

    Locality. Optional. Enter your company's city name.

    State or Province. Enter the full name of your company's state or province (no abbreviations).

    Country. Select the two-character abbreviation for your country's name (ISO format). The country code for the United States is US. The Netscape Directory Server Schema Reference Guide contains a complete list of ISO Country Codes.

  12. The Generate a Certificate Request - Step 4 dialog box appears. This dialog box contains the certificate request that you need to send to the CA. Click Cancel to exit the wizard.
Once you have generated the request, you are ready to send it to the CA as described in "Step 2: Send the Certificate Request".

Step 2: Send the Certificate Request

If you are using Unix, the certificate request is sent for you automatically via sendmail.

If you are using Windows NT, the certificate information is automatically generated and saved to a file under the server host's \temp directory. Follow these steps to send the certificate information to the CA:

  1. Use your email program to create a new email message.
  2. Manually open the temp file created for you in the \temp directory.
  3. The file will look similar to the following example:

    Certificate request has been generated.

    The mail that you should send is in the file c:\temp\mailtmp.1

    It contains the To, Subject and Reply-To fields. Please use your mailer to enter the rest of the file as the body of the message. When the response arrives, you can use the Install a Certificate form to put it in place.

    To: ca@airius.com

    Subject: Certificate request

    Reply-To: bjensen@airius.com

    Webmaster: ca@airius.com

    Phone: 888 555.1234

    Common-name: dirserver.airius.com

    Email: bjensen@airius.com

    Organization: Airius Corporation

    State: CALIFORNIA

    Country: Us

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1JOSUExLDAqBgV
    BAoTI25ldHNjYXBlIGNvbW11bmljYXRpb25zIGNvcnBvcmF0aW9uMRwwGgYDVQQDExNtZW
    xsb24ubmV0c2NhcGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwAbskGh6S
    KYOgHy+UCSLnm3ok3X3u83Us7ug0EfgSLR0f+K41eNqqWRftGR83emqPLDOf0ZLTLjVFGJ
    aH4Jn4l1gG+JDf/n/zMyahxtV7+mT8GOFFigFfuxJaxMjr2j7IvELlxQ4IfZgWwqCm4qQe
    cv3G+N9YdbjveMVXW0v4XwIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAZyZAm8UmP9PQYw
    Ny4Pmypk79t2nvzKbwKVb97G+MT/gw1pLRsI1uBoKinMfLgKp1Q38K5Py2VGW1E47K7/rh
    m3yVQrIiwV+Z8Lcc=
    -----END NEW CERTIFICATE REQUEST-----

  4. Copy the subject line from the temp file, and then paste it into the subject line of the new message.
  5. Copy the To address from the temp file, and then paste it into the address field of the new message.
  6. Copy the certificate request from the temp file, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines, and paste it into the body of the new message as plain text. Make sure your mailer does not re-wrap the lines or convert the message to HTML; a request whose base64 text has been altered cannot be decoded by the CA and will be rejected.
  7. Send the email message to the CA.
Once you have emailed your request, you must wait for the CA to respond with your certificate. Response time for your request is highly variable. For example, if your CA is internal to your company, it may only take a day or two to respond to your request. If your selected CA is external to your company, it could take several weeks to respond to your request.

When the CA sends a response, be sure to save the information in a text file. You will need the data when you install the certificate. If you are using client authentication with replication, you will also need to provide the Certificate Subject DN when you configure the servers for replication.

You should also back up the certificate data in a safe location. If your system ever loses the certificate data, you can reinstall the certificate using your backup file. The certificate itself is public, but it is useless without the key-pair the wizard generated in Step 1, which lives in the server's key database and is protected by the certificate database password. Back up that key database as well and keep the password with your other secrets; if both are lost you must start over with a new request.

Once you receive your certificate, you are ready to install it in your server's certificate database as described in the next step.
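Assembling the request message is where requests most often get damaged: a mailer that re-wraps lines or drops the base64 padding produces a request the CA cannot decode. The following script, an added example and not part of the Netscape documentation, parses a mailtmp file laid out as in the sample above, checks that the PEM block still decodes to one complete DER structure, and assembles the message. SAMPLE is constructed for the illustration; its base64 body is a placeholder DER SEQUENCE, not a real certificate request.

```python
"""Parse the mailtmp file that the Certificate Setup Wizard writes on Windows
NT, sanity-check the PEM request it contains, and assemble the message to
send to the CA.  Added example, not part of the Netscape documentation; the
file layout follows the sample above.  SAMPLE is constructed: its base64
body is a placeholder DER SEQUENCE, not a real certificate request."""
import base64
import binascii
import re
from email.message import EmailMessage

BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"
MAIL_HEADERS = ("To", "Subject", "Reply-To")        # go in the envelope, not the body
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*): (.*)$")

SAMPLE = """Certificate request has been generated.

The mail that you should send is in the file c:\\temp\\mailtmp.1

It contains the To, Subject and Reply-To fields. Please use your mailer to
enter the rest of the file as the body of the message.

To: ca@airius.com
Subject: Certificate request
Reply-To: bjensen@airius.com
Webmaster: ca@airius.com
Phone: 888 555.1234
Common-name: dirserver.airius.com
Email: bjensen@airius.com
Organization: Airius Corporation
State: CALIFORNIA
Country: US
-----BEGIN NEW CERTIFICATE REQUEST-----
MAUCAQAFAA==
-----END NEW CERTIFICATE REQUEST-----
"""


def parse_mailtmp(text):
    """Split the file into mail headers, descriptive fields and the PEM block."""
    lines = text.splitlines()
    try:
        start, end = lines.index(BEGIN), lines.index(END)
    except ValueError:
        raise ValueError("PEM request markers not found") from None
    headers, fields = {}, {}
    for line in lines[:start]:
        m = FIELD_RE.match(line)
        if m:
            target = headers if m.group(1) in MAIL_HEADERS else fields
            target[m.group(1)] = m.group(2).strip()
    return {"headers": headers, "fields": fields,
            "pem": "\n".join(lines[start:end + 1])}


def der_outer_length(der):
    """Return (header_len, content_len) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("request does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form
        return 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_request(pem):
    """Decode the PEM block and verify it was not truncated or re-wrapped:
    the base64 must decode cleanly and the declared SEQUENCE length must
    account for every byte.  Returns the DER bytes."""
    body = [l.strip() for l in pem.strip().splitlines()]
    if body[0] != BEGIN or body[-1] != END:
        raise ValueError("missing BEGIN/END markers")
    try:
        der = base64.b64decode("".join(body[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 damaged: {exc}") from None
    hdr_len, content_len = der_outer_length(der)
    if hdr_len + content_len != len(der):
        raise ValueError(f"declared {content_len} content bytes, found "
                         f"{len(der) - hdr_len}: request truncated or padded")
    return der


def build_message(text):
    """Assemble the message exactly as steps 4 to 6 above describe."""
    parsed = parse_mailtmp(text)
    check_request(parsed["pem"])          # refuse to send a damaged request
    msg = EmailMessage()
    for name in MAIL_HEADERS:
        if name in parsed["headers"]:
            msg[name] = parsed["headers"][name]
    body = "\n".join(f"{k}: {v}" for k, v in parsed["fields"].items())
    msg.set_content(body + "\n\n" + parsed["pem"] + "\n")
    return msg


if __name__ == "__main__":
    print(build_message(SAMPLE).as_string())
```

Run it on the temp file before pasting, and, if your mail client lets you view the outgoing message source, on what the mailer actually sent.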

Step 3: Install the Certificate

To install a server certificate:

  1. On the Directory Server Console, select the Tasks tab.
  2. Click Certificate Setup Wizard.
  3. A dialog box appears outlining the steps required to set up a server certificate. Click Next.
  4. On the dialog box that appears, provide information as follows, and then click Next.

    Select a token (Cryptographic Device). Choose the same token you used when you generated the certificate request.

    Is the server certificate already requested and ready to install. Choose Yes.

  5. A dialog appears confirming that the wizard is ready to continue with the certificate setup. Click Next.
  6. The Install the Server Certificate - Step 1 dialog box appears. Provide the following information and then click Next.

    Certificate for. If you are installing your server's own certificate, choose "This Server." If you are installing the certificate of the CA that issued it, choose "Server Certificate Chain". Choose "Trusted Certificate Authority" only for a CA whose certificates you want to accept for client authentication, as described in "Step 4: Trust the Certificate Authority".

    Password. Enter the certificate database password you used when you generated the certificate request.

  7. The Install the Server Certificate - Step 2 dialog box appears. Choose one of the following options and then click Next.

    The certificate is located in this file. Enter the absolute path to the certificate file in this text box.

    The certificate is located in the following text field. Copy the text from the CA's email or from the text file you created, including the BEGIN and END lines, and paste it into this field. For example:

    -----BEGIN CERTIFICATE-----
    MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMx
    IzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRX
    aWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVz
    dCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3WhcNOTgwMzI2MDIzMzU3WjBP
    MQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1Ymxp
    Y2F0aW9uczEWMBQGA1UEAxMNZHVgh49dq2itLmNvbTBaMA0GCSqGSIb3DQEBAQUA
    A0kAMEYCQQCksMR/aLGdfp4m0OiGcgijG5KgOsyRNvwGYW7kfW+8mmijDtZRjYNj
    jcgpF3VnlsbxbclX9LVjjNLC57u37XZdAgEDozYwNDARBglghkgBhvhCAQEEBAMC
    APAwHwYDVR0jBBgwFoAU67URjwCaGqZuUpSpdLxlzweJKiMwDQYJKoZIhvcNAQEF
    BQADgYEAJ+BVem3vBOP/BveNdLGfjlb9hucgmaMcQa98A/db8qimKT/ue9UGOJqL
    bwbMKBBopsD56p2yV3PLJIsBgrcuSoBCuFFnxBnqSiTS/7YiYgCWqWaUAExJFmD6
    6hBLseqkSWulk+hXHN7L/NrViO+7zNtKcaZLlFPf7d7j2MgX4Bo=
    -----END CERTIFICATE-----

Now that you have installed your certificate, you need to configure your server to trust the Certificate Authority from which you obtained the server's certificate. This process is described in the next step.

Step 4: Trust the Certificate Authority

This process consists of obtaining your CA's certificate and installing it into your server's certificate database. This process differs depending on the certificate authority you use. Some commercial CAs provide a link off of their web site that allows you to automatically download the certificate. Others will email it to you upon request.

Once you have received the CA certificate, use the Certificate Setup Wizard to configure the Directory Server to trust it. To do this:

  1. On the Directory Server Console, select the Tasks tab.
  2. Click Certificate Setup Wizard.
  3. A dialog box appears outlining the steps required to set up a server certificate. Click Next.

  4. In the screen that appears, select the same token you used when you generated the certificate request and then select Yes to indicate that you are ready to install a certificate. Click Next.
  5. A summary screen appears indicating that the wizard is ready to proceed with the installation. Click Next.
  6. The Install the Server Certificate - Step 1 dialog box appears. Select the Trusted Certificate Authority or Server Certificate Chain radio button as appropriate and then type the directory server's certificate database password. Click Next.
  7. The Install the Server Certificate - Step 2 dialog box appears. If you saved the CA's certificate to a file, enter the path in the text box provided. If you received the CA's certificate via email, copy and paste the certificate including the headers into the text field provided. Click Next.
  8. The Install the Server Certificate - Step 3 dialog box appears. Click Add to add the certificate to the trust database.
  9. A confirmation dialog box appears. Click Done to exit the wizard.
Once you have installed your certificate and trusted the CA's certificate, you are ready to activate SSL; however, Netscape recommends that you confirm that the certificates have been installed correctly as described in the next step.

Step 5: Confirm That Your New Certificates Are Installed

  1. On the Directory Server Console, select the Tasks tab.
  2. Choose Manage Certificates from the Console menu. The Certificate Management dialog box that appears lists all the certificates installed for the directory server.
  3. Scroll through the list. You should find both the server certificate you installed and the CA certificate you trusted. If both are present, your server is ready for SSL activation.

Activating SSL
Most of the time, you want your server to run with SSL enabled. If you temporarily disable SSL, make sure you re-enable it before processing transactions that require confidentiality, authentication, or data integrity.

Before you can activate SSL, you must create a certificate database, obtain and install a server certificate and trust the CA's certificate as described in "Obtaining and Installing Server Certificates".

To turn on SSL communications with your directory server:

  1. Set the secure port you want the server to use for SSL communications. See "Changing Directory Server Port Numbers" for information. The secure port must not be the same port number you use for normal LDAP communications. By default, the standard port number is 389 and the secure port is 636.
  2. On the Directory Server Console, select the Configuration tab and then select the root entry in the navigation tree in the left pane.
  3. Select the Encryption tab in the right pane. This displays the current server encryption settings.
  4. Select the "Enable SSL" checkbox.
  5. Select the checkbox next to the cipher family or families you want to use. To control which individual ciphers within a family the server accepts, select the family and then click Cipher Preferences. For more information about specific ciphers, see "Setting Security Preferences".
  6. Select the token you want the server to use.
  7. Select the certificate that you want to use. The certificates offered here are those in the certificate database you set up as described in "Obtaining and Installing Server Certificates"; the encryption alias is created along with that database. For more information about certificate databases, see the "Enabling SSL Encryption" section in Managing Servers with Netscape Console.
  8. If you do not want the server to use client authentication, select "Do not allow client authentication". If you want the server to use client authentication, select "Allow client authentication" or "Require client authentication" as appropriate. The default is "Allow client authentication". For more information about certificate-based authentication, see "Using Certificate-Based Authentication".

    If you are using certificate-based authentication with supplier-initiated replication, then you must configure the consumer server to either allow or require client authentication.

    If you are using certificate-based authentication with consumer-initiated replication, then you must configure the supplier server to either allow or require client authentication.

WARNING!

Selecting "Require client authentication" will disable communication between the Netscape Console and the directory server. This is because the Netscape Console does not support client authentication. If you select this option, you will no longer be able to manage your Netscape Servers from the Netscape Console; instead, you must use the command-line tools.

  9. If you want Netscape Console and the directory server to use SSL during communications, select Use SSL in Netscape Console.
  10. Click Save.
  11. Restart the Directory Server. See "Starting the Server with SSL Enabled" for information.

Setting Security Preferences
You can choose the ciphers you want to use for SSL communications. A cipher is the algorithm used for encryption, and some ciphers are stronger than others. Generally speaking, the more key bits a cipher uses, the more work an attacker needs to recover the key by exhaustive search; each additional bit doubles that work. (For a more complete discussion of algorithms and their strength, see Managing Servers with Netscape Console.)

When a client initiates an SSL connection, it sends the server the list of ciphers it supports. The server then selects one that it is also configured to use, and the handshake fails if there is none; both parties use the selected cipher for the rest of the connection. There are a number of ciphers available, and your server must have enabled the ciphers that the client applications connecting to it will offer.

You might not want to enable all ciphers, in order to prevent SSL connections with weaker-than-desired encryption. Under most circumstances, United States law prohibits the export of products with 128-bit encryption, so clients outside the United States may be capable of only 40-bit encryption, which is far easier to break than 128-bit. Deselecting all 40-bit ciphers restricts access to clients that support the stronger ciphers, which in practice means the domestic (United States) versions.

Domestic versions of the Directory Server provide the following SSL 3.0 ciphers:

Export versions of the Directory Server provide the following SSL 3.0 ciphers:

In addition, the directory server also provides FORTEZZA ciphers. For information on using FORTEZZA with the Directory Server, see Chapter 12, "Managing FORTEZZA."

To select the ciphers you want the server to use:

  1. Make sure SSL is enabled for your server. For information on how to do this, see "Activating SSL".
  2. On the Directory Server Console, select the Configuration tab and then select the root entry in the navigation tree in the left pane.
  3. Select the Encryption tab in the right pane. This displays the current server encryption settings.
  4. Select one or more cipher families you want to use and then click Cipher Preferences.
  5. In the dialog that appears, specify which ciphers you want your server to use by selecting them in the list. Unless you have a security reason to not use a specific cipher, you should select all of the ciphers except for NULL. When you are finished, click OK.
  6. On the Encryption tab, click Save.

Warning. Do not select the none,MD5 cipher (the NULL cipher) unless you have a specific reason to. If it is enabled and a client offers no other cipher that the server accepts, the server negotiates it: the session is still authenticated and integrity-checked by the MD5 MAC, but no encryption occurs, and everything, including bind passwords, crosses the network in the clear.
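To make the server-side choice concrete, here is a small model of SSL 3.0 cipher selection written for this page (an added example, not Netscape code). The suite names are the standard SSL 3.0 identifiers for the cipher families discussed here; the client lists and the server's preference order are constructed for the illustration. It shows the three outcomes the text warns about: an export-only client getting 40-bit encryption when 40-bit suites are enabled, the same client being refused when they are not, and a client that offers only the NULL suite negotiating an unencrypted session if none,MD5 was left selected.

```python
"""Model of SSL 3.0 cipher negotiation: the client offers a list, the server
picks the first suite in its own enabled list (preference order) that the
client also offered, and the handshake fails if there is none.  Added
example, not Netscape code; suite names are the standard SSL 3.0 names,
key sizes and export grading are as the text describes, and the client and
server lists are constructed for the illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    key_bits: int        # 0 means the NULL cipher: no encryption at all
    export: bool         # exportable 40-bit grade


# Server-side table, strongest first; this order is the server's preference.
SUITES = {s.name: s for s in (
    Suite("SSL_RSA_WITH_3DES_EDE_CBC_SHA", 168, False),
    Suite("SSL_RSA_WITH_RC4_128_MD5", 128, False),
    Suite("SSL_RSA_WITH_RC4_128_SHA", 128, False),
    Suite("SSL_RSA_WITH_DES_CBC_SHA", 56, False),
    Suite("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 40, True),
    Suite("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40, True),
    Suite("SSL_RSA_WITH_NULL_MD5", 0, False),      # "none, MD5" in the Console
    Suite("SSL_RSA_WITH_NULL_SHA", 0, False),
)}


def server_policy(allow_export=True, allow_null=False):
    """The server's enabled list, in preference order.  Deselecting the
    40-bit ciphers and the NULL cipher are the two choices the text discusses."""
    return [s.name for s in SUITES.values()
            if (allow_null or s.key_bits > 0) and (allow_export or not s.export)]


def negotiate(server_enabled, client_offered):
    """Server-side selection: first enabled suite the client also offered,
    or None, which on the wire is a handshake_failure alert."""
    offered = set(client_offered)
    for name in server_enabled:
        if name in offered:
            return SUITES[name]
    return None


def outcome(server_enabled, client_offered):
    """Human-readable result of a handshake attempt."""
    suite = negotiate(server_enabled, client_offered)
    if suite is None:
        return "handshake failure: no cipher in common"
    if suite.key_bits == 0:
        return f"{suite.name}: authenticated and integrity-checked, NOT encrypted"
    return f"{suite.name}: {suite.key_bits}-bit encryption"


# Constructed client hello lists (assumed, for illustration).
EXPORT_CLIENT = ["SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                 "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                 "SSL_RSA_WITH_NULL_MD5"]
DOMESTIC_CLIENT = ["SSL_RSA_WITH_RC4_128_MD5",
                   "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                   "SSL_RSA_EXPORT_WITH_RC4_40_MD5"]
NULL_ONLY_CLIENT = ["SSL_RSA_WITH_NULL_MD5"]

if __name__ == "__main__":
    for label, policy in (("default", server_policy()),
                          ("no 40-bit", server_policy(allow_export=False)),
                          ("NULL enabled", server_policy(allow_null=True))):
        for client, offered in (("export", EXPORT_CLIENT),
                                ("domestic", DOMESTIC_CLIENT),
                                ("null-only", NULL_ONLY_CLIENT)):
            print(f"{label:13} x {client:9}: {outcome(policy, offered)}")
```

Note that the domestic client lists RC4-128 first, yet the server chooses 3DES: in SSL 3.0 the server's preference order decides, so the Cipher Preferences setting on the server, not the client's ordering, is what limits the strength of a session.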

In order to continue using the Netscape Console with SSL, you must select at least one of the ciphers listed next.

For the export version of the server:

For the domestic version of the server:


Using Certificate-Based Authentication
LDAP clients can bind to the directory server using certificates rather than normal Bind DN/Password authentication. This kind of authentication provides two things:

The directory server allows you to use certificate-based authentication using the command-line tools, for replication communications, and for applications you write using the LDAP SDK.

To set up certificate-based authentication, you must:

  1. Create a certificate database for both the client and the server. In the case of supplier-server to consumer-server replication, you need a certificate database for both servers.
  2. Obtain a certificate for both client and server. For replication communications, you obtain server certificates. For command-line tools, you obtain a client certificate.
  3. Map the certificate's distinguished name to a distinguished name known by the directory server. This allows you to set access control for the client when it binds using this certificate. This mapping process is described in the "Mapping Client Certificates to LDAP" section in Managing Servers with Netscape Console.

For information on creating a certificate database and obtaining a certificate for use with replication, see "Obtaining and Installing Server Certificates". For command-line clients, see "Creating Certificate Databases for LDAP Clients".

WARNING! Requiring client authentication disables communication between the Netscape Console and the directory server. This is because the Netscape Console does not support client authentication. If you configure the server to require client authentication, you will no longer be able to manage your Netscape Servers from the Netscape Console; instead, you must use the command-line tools.


Creating Certificate Databases for LDAP Clients
If you want to use SSL and/or certificate-based authentication with LDAP clients such as ldapmodify, ldapsearch, or the NT synchronization service, you must:

The following procedure describes how to use Netscape Communicator 4.x to perform these activities.

Note. You must use Netscape Communicator version 4.x to create a certificate database for clients that are communicating with Netscape Directory Server 4.x.

  1. Create a fresh certificate database. For Communicator under Unix operating systems, create a fresh user account and run Communicator from there, so that a new certificate database is created for that account. Under Windows NT, create a new user profile for the purpose of obtaining the certificate database. You can create a user profile by using the Netscape User Profile Manager tool, available by default from the Start menu under Programs -> Netscape Communicator -> Utilities.
  2. Use Communicator to connect to your Certificate Authority (CA). If you are using an internally deployed Netscape Certificate Server, you will go to a URL of the form:

    https://<hostname>:444

  3. Trust the CA. This task differs depending on the CA. In some cases, such as when you are connecting to a Netscape Certificate Server, Communicator automatically prompts you to ask whether you want to trust the CA. Other CAs provide a link that allows you to download the CA's certificate.
  4. Optionally obtain a client certificate from the CA. This is required only if your client will use certificate-based authentication. Again, how you do this depends on your CA, but most provide a link to a form that allows you to request the certificate. Usually, but not always, the certificate is mailed to you once the CA issues it. This process can take from a few moments to several weeks.
  5. When you receive your certificate, install it in your certificate database file. Regardless of how you receive your certificate (in email or on a web page), there should be a link that you click to install the certificate. Click it and step through the dialog boxes that Communicator presents to you.

    Make sure you keep a record of the information that is sent to you with your certificate. In particular, you must know your certificate's subject DN so that it can be mapped to an entry in the directory. If you lose your subject DN, you will have to request a certificate all over again.

  6. When you have trusted your CA and installed your certificate (if any), shut down Communicator and move your cert7.db and key3.db files to a location that is convenient for use with your LDAP clients. key3.db holds the client's private key, protected only by the password you set for the database in Communicator (if any), so restrict its file permissions to the account that runs the LDAP client. If you move these files using FTP, be sure to use a binary transfer, and prefer an encrypted transfer for key3.db where one is available.

    Under Unix operating systems, these files are in the .netscape directory in your home directory.

    Under Windows NT, you can find these files in the following location:

    <communicator home>\users\<profile name>

    where <communicator home> is the directory where you installed Netscape Communicator and <profile name> is the profile that you used to obtain the certificate. If you are not using user profiles, there is no <profile name> directory; in this case, cert7.db and key3.db are directly under the users directory.

  7. If you are using certificate-based authentication, map the subject DN of the certificate that you obtained to the appropriate directory entry. This procedure is described in Managing Servers with Netscape Console.
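The mapping step, referenced both here and in step 3 of "Using Certificate-Based Authentication", is where certificate-based authentication either succeeds safely or not at all, so here is a worked model of it. This is an added example, not Netscape's implementation: the CERTMAP text is written from memory of the certmap.conf syntax that Managing Servers with Netscape Console documents, the semantics are a simplified reading of that mechanism (DNComps names the subject components that form the search base, FilterComps those that form an AND filter, the subject attribute e maps to LDAP mail, and anything other than exactly one matching entry fails the bind), and DIRECTORY is a constructed directory. Filter values are escaped as RFC 4515 requires, so a subject value cannot change the meaning of the filter.

```python
"""Map a client certificate's subject DN to a directory entry, in the style
of the certmap.conf mapping the text refers to.  Added example, not
Netscape's code: CERTMAP is written from memory of the certmap.conf syntax,
the rules are a simplified reading of the mechanism, and DIRECTORY is a
constructed directory with two entries that share a cn on purpose."""
import re

CERTMAP = """\
certmap default default
default:DNComps      o, ou
default:FilterComps  cn, e
"""

ATTR_ALIASES = {"e": "mail", "email": "mail"}   # subject attribute -> LDAP attribute

DIRECTORY = [
    {"dn": "uid=bjensen,ou=Accounting,o=Airius Corporation",
     "uid": "bjensen", "cn": "Babs Jensen", "mail": "bjensen@airius.com"},
    {"dn": "uid=bjensen2,ou=Accounting,o=Airius Corporation",
     "uid": "bjensen2", "cn": "Babs Jensen", "mail": "barbara@airius.com"},
    {"dn": "uid=kvaughan,ou=Human Resources,o=Airius Corporation",
     "uid": "kvaughan", "cn": "Kirsten Vaughan", "mail": "kvaughan@airius.com"},
]


def parse_certmap(text):
    """Read 'name:Directive value, value' lines into {name: {Directive: [values]}}."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):(\w+)\s*(.*)$", line)
        if m:
            values = [v.strip().lower() for v in m.group(3).split(",") if v.strip()]
            cfg.setdefault(m.group(1), {})[m.group(2)] = values
    return cfg


def parse_dn(dn):
    """'CN=Babs Jensen, OU=Accounting, ...' -> [(attr, value), ...], attrs lowercased."""
    out = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        out.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return out


def escape_filter(value):
    """RFC 4515 escaping: a subject value such as '*)(uid=*' must not become filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def build_search(subject_dn, dncomps, filtercomps, default_base):
    """Derive the search base and filter from the subject per the mapping rule."""
    subject = parse_dn(subject_dn)
    base_parts = [f"{a}={v}" for a, v in subject if a in dncomps]
    base = ",".join(base_parts) if base_parts else default_base   # empty DNComps: whole tree
    pairs = [(ATTR_ALIASES.get(a, a), v) for a, v in subject if a in filtercomps]
    if not pairs:
        raise ValueError("subject carries none of the FilterComps attributes")
    ldap_filter = "(&" + "".join(f"({a}={escape_filter(v)})" for a, v in pairs) + ")"
    return base, ldap_filter, pairs


def search(directory, base, pairs):
    """Toy subtree search: DN must end in the base and every pair must match
    (case-insensitively, as LDAP caseIgnoreMatch does for cn and mail)."""
    return [e for e in directory
            if e["dn"].lower().endswith(base.lower())
            and all(str(e.get(a, "")).lower() == v.lower() for a, v in pairs)]


def map_certificate(subject_dn, rule, directory, default_base="o=Airius Corporation"):
    """Return the DN the certificate binds as, or raise: zero matches means an
    unknown client, two or more means an ambiguous mapping that must never be
    resolved by guessing."""
    base, ldap_filter, pairs = build_search(subject_dn, rule["DNComps"],
                                            rule["FilterComps"], default_base)
    hits = search(directory, base, pairs)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries match {ldap_filter} under {base}; bind rejected")
    return hits[0]["dn"]


if __name__ == "__main__":
    rule = parse_certmap(CERTMAP)["default"]
    subj = "CN=Babs Jensen, E=bjensen@airius.com, OU=Accounting, O=Airius Corporation, C=US"
    print(build_search(subj, rule["DNComps"], rule["FilterComps"], "o=Airius Corporation")[:2])
    print(map_certificate(subj, rule, DIRECTORY))
```

With FilterComps reduced to cn alone, the same certificate matches both Accounting entries and the bind is refused; that is the desired behaviour, since choosing either entry would let one user's certificate act as the other.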
You can now use SSL with your LDAP clients. For information on how to use SSL with:


© Copyright 1999 Netscape Communications Corporation, a subsidiary of America Online, Inc. All Rights Reserved.