Sun OpenDS Standard Edition 2.2 Administration Guide
Modes of Secure Connection

The Sun OpenDS Standard Edition proxy handles connections to the remote LDAP servers in three SSL security modes: always, never, and user. Each mode is described below.

You can view or edit these settings using the dsconfig --advanced command. Choose Extension from the main menu.

The remote-ldap-server-ssl-policy property manages the three SSL security modes.

When the remote-ldap-server-ssl-policy property is set to always or user, the Sun OpenDS Standard Edition proxy needs to trust the remote LDAP servers. To achieve this, you need to manually import the certificates of each remote LDAP server into the proxy's truststore.

If you configure security using vdp-setup GUI during installation, the remote-ldap-server-ssl-policy property is set automatically, depending on the choice of port in the Add Servers panel, or on the choice of protocol in the Add Sun Servers panel. For more information, see To Set Up the Proxy Using the vdp-setup GUI in Sun OpenDS Standard Edition 2.2 Installation Guide.

The always Secure Mode

With the remote-ldap-server-ssl-policy property set to always, all connections made from the proxy to the remote LDAP servers are fully secure SSL connections, regardless of how the client connects to the proxy.

In this mode, the pool size refers to one type of connection pool: secure LDAPS connections.

In the always secure mode, the certificate of each remote LDAP server must be imported into the truststore of the Sun OpenDS Standard Edition proxy. If there is a large number of non-Sun back-end LDAP servers, and if certificates were not managed using vdp-setup during installation, importing certificates into the truststore of the Sun OpenDS Standard Edition proxy can be a constraint. For test environment purposes, you can speed up this process by using the ssl-trust-all parameter. This parameter requests the proxy to trust all remote LDAP servers.

The never Secure Mode

With the remote-ldap-server-ssl-policy property set to never, none of the connections from the Sun OpenDS Standard Edition proxy to the remote LDAP servers are secure SSL connections.

In this mode, the monitoring connection by Sun OpenDS Standard Edition proxy of the remote LDAP servers is never secure.

In this mode, the pool size refers to one type of connection pool: unsecure LDAP connections.

The user Secure Mode

With the remote-ldap-server-ssl-policy property set to user, incoming requests from clients to the proxy dictate whether the connection between the Sun OpenDS Standard Edition proxy and the remote LDAP servers should be secure, regardless of how the client connects to the Sun OpenDS Standard Edition proxy.

If the incoming client request is secure, whether SSL or StartTLS, the connection from the Sun OpenDS Standard Edition proxy to the remote LDAP servers is a secure SSL connection.

If the incoming client request is not secure, the connection from the Sun OpenDS Standard Edition proxy to the remote LDAP servers is not a secure SSL connection.

In this mode, the monitoring connection by the Sun OpenDS Standard Edition proxy to the remote LDAP servers is never secure.

Two pools of connections are created, one secure and one unsecure. This is shown in Figure 6. In the scenario on the left, the client connects to the Sun OpenDS Standard Edition proxy using an unsecure connection, and the unsecure pool of connections from the proxy to the remote LDAP servers is used. In the scenario on the right, the client connects to the proxy using a secure connection, whether SSL or StartTLS, and the secure SSL pool of connections from the Sun OpenDS Standard Edition proxy to the remote LDAP servers is used.

Figure 6: Connections in the user Secure Mode (graphic showing the user secure mode of the proxy)

In the user mode, the certificate of each remote LDAP server must be imported into the truststore of the Sun OpenDS Standard Edition proxy. If there is a large number of non-Sun remote LDAP servers, and if certificates were not managed using vdp-setup during installation, importing certificates into the truststore of the Sun OpenDS Standard Edition proxy can be a constraint. For test environment purposes, you can speed up this process by using the ssl-trust-all parameter. This parameter requests the Sun OpenDS Standard Edition proxy to trust all remote LDAP servers.

When the remote-ldap-server-ssl-policy property is set to user, the pool size refers to two types of connection pools: unsecure LDAP connections and secure LDAPS connections. If, for example, the pool-initial-size is set to 5 connections, as shown in Figure 7, then when the LDAP Extension is initialized, there will be one pool of 5 LDAP connections and one pool of 5 LDAPS connections, or a total of 10 connections. Each pool evolves separately after this initialization, based on the parameters set for that pool.

Note - By default, pool-initial-size is set to 10 connections.

Figure 7: Multiple Pools of Connections (graphic showing multiple pools of connections to the Sun Virtual Directory Proxy)
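The pool and truststore rules above, modelled as a small Python check (an added example, not OpenDS code): it derives which pools the LDAP Extension creates, how many connections pool-initial-size yields in total, which pool a client request is routed to, and which remote servers still lack an imported certificate. The class, function and server names are constructed for illustration.

```python
# Added example (not OpenDS code): a model of how remote-ldap-server-ssl-policy
# selects connection pools and which remote servers need a certificate in the
# proxy truststore. Server names and the truststore contents are placeholders.
from dataclasses import dataclass, field

SECURE_CLIENT_TRANSPORTS = {"ssl", "starttls"}  # both count as secure client requests


@dataclass
class LdapExtensionConfig:
    ssl_policy: str                 # "always", "never" or "user"
    pool_initial_size: int = 10     # guide: default is 10 connections
    ssl_trust_all: bool = False     # test environments only: trusts every remote server
    truststore: set = field(default_factory=set)  # remote servers whose cert was imported

    def __post_init__(self):
        if self.ssl_policy not in ("always", "never", "user"):
            raise ValueError(f"unknown remote-ldap-server-ssl-policy: {self.ssl_policy}")


def pools_created(cfg):
    """Pools the LDAP Extension creates at initialization (user mode creates two)."""
    return {"always": ["ldaps"], "never": ["ldap"], "user": ["ldap", "ldaps"]}[cfg.ssl_policy]


def initial_connections(cfg):
    """Total connections opened at initialization: pool-initial-size per pool."""
    return cfg.pool_initial_size * len(pools_created(cfg))


def pool_for_client(cfg, client_transport):
    """Pool used for a client request arriving over 'plain', 'ssl' or 'starttls'."""
    if cfg.ssl_policy == "always":
        return "ldaps"
    if cfg.ssl_policy == "never":
        return "ldap"
    return "ldaps" if client_transport in SECURE_CLIENT_TRANSPORTS else "ldap"


def untrusted_servers(cfg, remote_servers):
    """Remote servers the proxy cannot verify: a secure pool needs their cert imported.

    ssl-trust-all empties this list without verifying anything, so in production
    an empty result should come only from a complete truststore.
    """
    if "ldaps" not in pools_created(cfg) or cfg.ssl_trust_all:
        return []
    return [s for s in remote_servers if s not in cfg.truststore]
```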