iPlanet Directory Server Access Management Edition Installation and Configuration Guide
Appendix C Managing SSL
This appendix is excerpted from the iPlanet Directory Server Administrator's Guide. For your convenience, Chapter 11 of the Guide is reproduced here in its entirety. To view the full online manual on the Internet, go to http://docs.iplanet.com/docs/manuals/directory.html
To provide secure communications over the network, iPlanet Directory Server Access Management Edition includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of the Secure Sockets Layer (SSL).
This chapter describes how to use SSL with your Directory Server in the following sections:
- Introduction to SSL in the Directory Server
- Obtaining and Installing Server Certificates
- Activating SSL
- Setting Security Preferences
- Using Certificate-Based Authentication
- Configuring LDAP Clients to Use SSL
Introduction to SSL in the Directory Server
You can use SSL to secure communications between LDAP clients and the Directory Server, between Directory Servers that are bound by a replication agreement, or between a database link and a remote database. You can use SSL with simple authentication (bind DN and password), or with certificate-based authentication.
Using SSL with simple authentication guarantees confidentiality and data integrity. The benefits of using a certificate to authenticate to the Directory Server instead of a bind DN and password include:
- Improved efficiency. When you are using applications that prompt you once for your certificate database password, and then use that certificate for all subsequent bind or authentication operations, it is more efficient than continuously providing a bind DN and password.
- Improved security. The use of certificate-based authentication is more secure than non-certificate bind operations. This is because certificate-based authentication uses public-key cryptography. As a result, bind credentials cannot be intercepted across the network.
Directory Server is capable of simultaneous SSL and non-SSL communications. This means that you do not have to choose between SSL or non-SSL communications for your Directory Server; you can use both at the same time.
Enabling SSL: Summary of Steps
To use LDAPS, you must do the following:
1. Obtain and install a certificate for your Directory Server, and configure the Directory Server to trust the certification authority's certificate.
   - For information, see "Obtaining and Installing Server Certificates," on page 161.
2. Turn on SSL in your directory.
   - For information, see "Activating SSL," on page 166.
3. Configure the administration server to connect to an SSL-enabled Directory Server.
   - For information, see Managing Servers with iPlanet Console.
4. Optionally, ensure that each user of the Directory Server obtains and installs a personal certificate for all clients that will authenticate with SSL.
   - For information, see "Configuring LDAP Clients to Use SSL," on page 171.
If you are using FORTEZZA, please read Chapter 12, "Managing FORTEZZA," for information before you attempt to set up SSL.
For a complete description of SSL, internet security, and certificates, see Managing Servers with iPlanet Console.
Obtaining and Installing Server Certificates
This section describes the process of creating a certificate database, obtaining and installing a certificate for use with your Directory Server, and configuring Directory Server to trust the certification authority's (CA's) certificate. This process is a necessary first step before you can turn on SSL in your directory. If you have already completed these tasks, see "Activating SSL," on page 166. If you are using FORTEZZA with your directory server, see Chapter 12, "Managing FORTEZZA."
Obtaining and installing certificates consists of the following steps:
- Step 1: Generate a Certificate Request
- Step 2: Send the Certificate Request
- Step 3: Install the Certificate
- Step 4: Trust the Certificate Authority
- Step 5: Confirm That Your New Certificates Are Installed
You will use the Certificate Request Wizard to generate a certificate request (Step 1) and send it to a Certificate Authority (Step 2). You then use the Certificate Install Wizard to install the certificate (Step 3), and to trust the Certificate Authority's certificate (Step 4). These wizards automate the process of creating a certificate database, and of installing the key-pair.
Step 1: Generate a Certificate Request
To generate a certificate request and send it to a CA:
1. On the Directory Server Console, select the Tasks tab and click Manage Certificates.
   - The Manage Certificates window is displayed.
2. Select the Server Certs tab, and click the Request button.
   - The Certificate Request Wizard is displayed.
3. Click Next.
4. Enter the Requester Information in the blank text fields, then click Next.
   - Enter the following information:
   - Server Name. Enter the fully qualified hostname of the Directory Server as it is used in DNS lookups, for example, dir.siroe.com.
   - Organization. Enter the legal name of your company or institution. Most CAs require you to verify this information with legal documents such as a copy of a business license.
   - Organizational Unit. (Optional). Enter a descriptive name for your organization within your company.
   - Locality. (Optional). Enter your company's city name.
   - State or Province. Enter the full name of your company's state or province (no abbreviations).
   - Country. Select the two-character abbreviation for your country's name (ISO format). The country code for the United States is US. The iPlanet Directory Server Schema Reference contains a complete list of ISO Country Codes.
5. Enter the password that will be used to protect the private key, and click Next.
   - The Next field is greyed out until you supply a password. When you click Next, the Request Submission dialog box is displayed.
6. Select Copy to Clipboard or Save to File to save the certificate request information that you must send to the Certificate Authority.
Once you have generated the request, you are ready to send it to the CA.
Step 2: Send the Certificate Request
Follow these steps to send the certificate information to the CA:
1. Use your email program to create a new email message.
2. Copy the certificate request information from the clipboard or the saved file into the body of the message.
   - The content will look similar to the following example:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1JOSUExLD
AqBgVBAoTI25ldHNjYXBlIGNvbW11bmljYXRpb25zIGNvcnBvcmF0aW9uMRwwGgYDV
QQDExNtZWxsb24ubmV0c2NhcGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQK
BgQCwAbskGh6SKYOgHy+UCSLnm3ok3X3u83Us7ug0EfgSLR0f+K41eNqqWRftGR83e
mqPLDOf0ZLTLjVGJaH4Jn4l1gG+JDf/n/zMyahxtV7+mT8GOFFigFfuxJaxMjr2j7I
vELlxQ4IfZgWwqCm4qQecv3G+N9YdbjveMVXW0v4XwIDAQABoAAwDQYJKoZIhvcNAQ
EEBQADgYEAZyZAm8UmP9PQYwNy4Pmypk79t2nvzKbwKVb97G+MT/gw1pLRsI1uBoKi
nMfLgKp1Q38K5Py2VGW1E47K7/rhm3yVQrIiwV+Z8Lcc=
-----END NEW CERTIFICATE REQUEST-----
3. Send the email message to the CA.
Once you have emailed your request, you must wait for the CA to respond with your certificate. Response time for your request varies. For example, if your CA is internal to your company, it may only take a day or two to respond to your request. If your selected CA is external to your company, it could take several weeks to respond to your request.
When the CA sends a response, be sure to save the information in a text file. You will need the data when you install the certificate.
You should also back up the certificate data in a safe location. If your system ever loses the certificate data, you can reinstall the certificate using your backup file.
Once you receive your certificate, you are ready to install it in your server's certificate database.
Step 3: Install the Certificate
To install a server certificate:
1. On the Directory Server Console, select the Tasks tab and click Manage Certificates.
   - The Manage Certificates window is displayed.
2. Select the Server Certs tab, and click Install.
   - The Certificate Install Wizard is displayed.
3. Choose one of the following options for the certificate location, then click Next.
   - In this file. Enter the absolute path to the certificate in this field.
   - In the following encoded text block. Copy the text from the CA's email or from the text file you created and paste it in this field. For example:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
4. Check that the certificate information displayed is correct, and click Next.
5. Specify a name for the certificate, and click Next.
6. Verify the certificate by providing the password that protects the private key.
   - This password is the same as the one you provided in "Step 1: Generate a Certificate Request," on page 161.
Now that you have installed your certificate, you need to configure your server to trust the Certificate Authority from which you obtained the server's certificate.
Step 4: Trust the Certificate Authority
Configuring your Directory Server to trust the certificate authority consists of obtaining your CA's certificate and installing it into your server's certificate database. This process differs depending on the certificate authority you use. Some commercial CAs provide a website that allows you to automatically download the certificate. Others will email it to you upon request.
Once you have the CA certificate, you can use the Certificate Install Wizard to configure the Directory Server to trust the Certificate Authority.
1. On the Directory Server Console, select the Tasks tab and click Manage Certificates.
   - The Manage Certificates window is displayed.
2. Go to the CA Certs tab, and click Install.
   - The Certificate Install Wizard is displayed.
3. If you saved the CA's certificate to a file, enter the path in the field provided. If you received the CA's certificate via email, copy and paste the certificate including the headers into the text field provided. Click Next.
4. Check that the certificate information that is displayed is correct, and click Next.
5. Specify a name for the certificate, and click Next.
6. Select the purpose of trusting this Certificate Authority (you can select both):
   - Accepting connections from clients (Client Authentication). The server checks that the client's certificate has been issued by a trusted Certificate Authority.
   - Accepting connections to other servers (Server Authentication). This server checks that the directory to which it is making a connection (for example, for replication updates) has a certificate that has been issued by a trusted Certificate Authority.
7. Click Done to dismiss the wizard.
Once you have installed your certificate and trusted the CA's certificate, you are ready to activate SSL. However, you should first make sure that the certificates have been installed correctly.
Step 5: Confirm That Your New Certificates Are Installed
1. On the Directory Server Console, select the Tasks tab and click Manage Certificates.
   - The Manage Certificates window is displayed.
2. Select the Server Certs tab.
   - A list of all the installed certificates for the server is displayed.
3. Scroll through the list. You should find the certificates you installed.
   - Your server is now ready for SSL activation.
Activating SSL
Before you can activate SSL, you must create a certificate database, obtain and install a server certificate, and trust the CA's certificate as described in "Obtaining and Installing Server Certificates," on page 161.
To activate SSL communications:
1. Set the secure port you want the server to use for SSL communications. See "Changing Directory Server Port Numbers," on page 37 for information.
   - The encrypted port number that you specify must not be the same port number you use for normal LDAP communications. By default, the standard port number is 389 and the secure port is 636.
2. On the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane.
3. Select the Encryption tab in the right pane.
   - The tab displays the current server encryption settings.
4. Indicate that you want encryption enabled by selecting the "Enable SSL for this Server" checkbox.
5. Check the "Use this Cipher Family" checkbox.
   - The Cipher Preference dialog box is displayed.
6. Select the certificate that you want to use from the drop-down menu.
7. Select the checkbox next to the cipher you want to use, and click OK to dismiss the Cipher Preference dialog box.
   - For more information about specific ciphers, see "Setting Security Preferences," on page 167.
8. Set your preferences for client authentication.
   - Do not allow client authentication. With this option, the server will ignore the client's certificate. This does not mean that the bind will fail.
   - Allow client authentication. This is the default setting. With this option, authentication is performed on the client's request. For more information about certificate-based authentication, see "Using Certificate-Based Authentication," on page 169.
   - Require client authentication. With this option, the server requests authentication from the client.
   Note If you are using certificate-based authentication with replication, then you must configure the consumer server to either allow or require client authentication.
9. If you want iPlanet Console to use SSL during communications with Directory Server, select Use SSL in iPlanet Console.
   - See "Starting the Server with SSL Enabled," on page 38 for more information.
Most of the time, you want your server to run with SSL enabled. If you temporarily disable SSL, make sure you re-enable it before processing transactions that require confidentiality, authentication, or data integrity.
Setting Security Preferences
You can choose the type of ciphers you want to use for SSL communications. A cipher is the algorithm used in encryption. Some ciphers are more secure or stronger than others. Generally speaking, the more bits a cipher uses during encryption, the more difficult it is to decrypt the key. For a more complete discussion of algorithms and their strength, see Managing Servers with iPlanet Console.
When a client initiates an SSL connection with a server, the client tells the server what ciphers it prefers to use to encrypt information. In any two-way encryption process, both parties must use the same ciphers. There are a number of ciphers available. Your server needs to be able to use the ciphers that will be used by client applications connecting to the server.
iPlanet Directory Server Access Management Edition provides the following SSL 3.0 ciphers:
- RC4 cipher with 40-bit encryption and MD5 message authentication.
- RC2 cipher with 40-bit encryption and MD5 message authentication.
- No encryption, only MD5 message authentication.
- DES with 56-bit encryption and SHA message authentication.
- RC4 cipher with 128-bit encryption and MD5 message authentication.
- Triple DES with 168-bit encryption and SHA message authentication.
- FIPS DES with 56-bit encryption and SHA message authentication. This cipher meets the FIPS 140-1 U.S. government standard for implementations of cryptographic modules.
- FIPS Triple DES with 168-bit encryption and SHA message authentication. This cipher meets the FIPS 140-1 U.S. government standard for implementations of cryptographic modules.
In addition, the directory server also provides FORTEZZA ciphers. For information on using FORTEZZA with the Directory Server, see Chapter 12, "Managing FORTEZZA."
To select the ciphers you want the server to use:
1. Make sure SSL is enabled for your server.
   - For information, see "Activating SSL," on page 166.
2. On the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane.
3. Select the Encryption tab in the right pane.
   - This displays the current server encryption settings.
4. Click Cipher Settings.
   - The Cipher Preference dialog box is displayed.
5. In the Cipher Preference dialog box, specify which ciphers you want your server to use by selecting them from the list, and click OK.
   - Unless you have a security reason to not use a specific cipher, you should select all of the ciphers, except for none,MD5.
6. On the Encryption tab, click Save.
Avoid selecting the none,MD5 cipher because the server will use this option if no other ciphers are available on the client. It is not secure because encryption doesn't occur.
In order to continue using the iPlanet Console with SSL, you must select at least one of the following ciphers:
- RC4 cipher with 40-bit encryption and MD5 message authentication.
- No encryption, only MD5 message authentication.
- DES with 56-bit encryption and SHA message authentication.
- RC4 cipher with 128-bit encryption and MD5 message authentication.
- Triple DES with 168-bit encryption and SHA message authentication.
Using Certificate-Based Authentication
Directory Server allows you to use certificate-based authentication for the command-line tools (which are LDAP clients) and for replication communications. Certificate-based authentication can occur between:
- An LDAP client connecting to the Directory Server
- A Directory Server connecting to another Directory Server (replication or chaining)
Setting up Certificate-Based Authentication
To set up certificate-based authentication, you must:
1. Create a certificate database for the client and the server, or for both servers involved in replication.
   - On the Directory Server, the certificate database creation automatically takes place when you install a certificate. For information on creating a certificate database for a client, see "Configuring LDAP Clients to Use SSL," on page 171.
2. Obtain and install a certificate on both the client and the server, or on both servers involved in replication.
3. Enable SSL on the server, or on both servers involved in replication.
   - For information on enabling SSL, refer to "Activating SSL," on page 166.
4. Map the certificate's distinguished name to a distinguished name known by your directory.
   - This allows you to set access control for the client when it binds using this certificate. This mapping process is described in Managing Servers with iPlanet Console.
Allowing/Requiring Client Authentication
If you have configured iPlanet Console to connect to your Directory Server using SSL and your Directory Server requires client authentication, you can no longer use iPlanet Console to manage any of your iPlanet servers. You will have to use the appropriate command-line utilities instead.
However, if at a later date you wish to change your directory configuration to no longer require but allow client authentication, so that you can use iPlanet Console, you must follow these steps:
1. Stop Directory Server.
   - For information on stopping and starting the server from the command line, see "Starting/Stopping the Server From the Command Line," on page 35.
2. Modify the cn=encryption,cn=config entry by changing the value of the nsSSLClientAuth attribute from required to allowed.
   - For information on modifying entries from the command line, see Chapter 2, "Creating Directory Entries."
3. Start Directory Server.
   - You can now start iPlanet Console.
Configuring LDAP Clients to Use SSL
If you want all the users of your Directory Server to use SSL or certificate-based authentication when they connect using LDAP client applications, you must make sure they perform the following tasks:
- Create a certificate database.
- Trust the Certificate Authority (CA) that issues the server certificate.
Note Some client applications do not verify that the server has a trusted certificate.
These operations are sufficient if you want to ensure that LDAP clients recognize the server's certificate. However, if you also want LDAP clients to use their own certificate to authenticate to the directory, make sure that all your directory users obtain and install a personal certificate.
The following procedure describes how to use Netscape Communicator 4.7 to perform these tasks. To create the certificate database, it is sufficient to start Netscape Communicator 4.7.
1. Use Communicator to connect to your Certificate Authority.
   - If it does not already exist, the certificate database will be created.
   - If you are using an internally deployed iPlanet Certificate Server, you will go to a URL of the form: https://hostname:444
   - Some Certificate Authorities provide a link that allows you to download the CA's certificate.
2. Trust the Certificate Authority.
   - This task differs depending on the CA. In some cases, such as if you are connecting to an iPlanet Certificate Server, Communicator will automatically prompt you to see if you want to trust the CA.
These steps are sufficient to ensure that your client applications will accept connections with the Directory Server, because the clients recognize that the Directory Server's certificate has been issued by a trusted CA.
However, if you also want the Directory Server to authenticate clients using the clients' certificate, you must perform the following additional steps:
3. On the client system, obtain a client certificate from the CA.
   - Make sure you record the certificate information that is sent to you in a file. In particular, you must know the subject DN of the certificate because you must configure the server to map it to an entry in the directory. Your client certificate will be similar to:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
4. On your client system, install your client certificate.
   - Regardless of how you receive your certificate (either in email or on a web page), there should be a link that you click to install the certificate. Click it and step through the dialog boxes that Communicator presents to you.
You must convert the client certificate into binary format using the certutil utility. To do this:
5. Download the certutil utility from http://www.iplanet.com
   - On the iPlanet home page, search for certutil. Download the most recent PKCS package. It will contain the certutil utility.
6. Run certutil as follows:
   certutil -L -d cert7.db_path -n user_cert_name -r > user_cert.bin
   where cert7.db_path is the location of your certificate database, user_cert_name is the name you gave to your certificate when you installed it, and user_cert.bin is the name you must specify for the output file that will contain the binary certificate.
7. On the server, map the subject DN of the certificate that you obtained to the appropriate directory entry by editing the certmap.conf file.
   - This procedure is described in Managing Servers with iPlanet Console. Make sure that the verifyCert parameter is set to on in the certmap.conf file.
8. On the Directory Server, you must modify the directory entry for the user who owns the client certificate to add the userCertificate attribute.
   a. Select the Directory tab, and navigate to the user entry.
   b. Double click the user entry, and use the Property Editor to add the userCertificate attribute, with the binary subtype.
      - When you add this attribute, instead of an editable field, the server provides a Set Value button.
   c. Click Set Value.
      - A file selector is displayed. Use it to select the binary file you created in Step 6.
   - For information on using the Directory Server Console to edit entries, refer to "Modifying Directory Entries," on page 45.
You can now use SSL with your LDAP clients. For information on how to use SSL with ldapmodify, ldapdelete and ldapsearch, refer to iPlanet Directory Server Configuration, Command, and File Reference.
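The command-line counterpart of two procedures above (changing nsSSLClientAuth from required to allowed, and adding a client certificate to a user entry as userCertificate;binary), written as an added Python example that is not part of the iPlanet guide. It assumes the user DN uid=jdoe,ou=People,dc=example,dc=com and a constructed stand-in for the certificate bytes; the PEM-to-DER step reproduces what certutil -r writes to user_cert.bin, and the generated LDIF is what you would feed to ldapmodify.

```python
import base64
import ssl

# Constructed stand-in for user_cert.bin: a minimal DER SEQUENCE, not a real
# X.509 certificate. A real certificate also begins with the 0x30 SEQUENCE tag.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)
# Constructed placeholder DN for the user who owns the client certificate.
USER_DN = "uid=jdoe,ou=People,dc=example,dc=com"

def pem_to_der(pem_cert: str) -> bytes:
    """Strip the PEM armour and base64-decode it: the same binary (DER) form
    that `certutil -L ... -r` writes. Rejects input that is not DER."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    if der[:1] != b"\x30":
        raise ValueError("not a DER certificate (missing SEQUENCE tag)")
    return der

def fold_ldif_line(line: str, width: int = 76) -> list:
    """Fold a long LDIF line as RFC 2849 requires: every continuation line
    starts with one space and no physical line exceeds `width` columns."""
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return chunks

def ldif_allow_client_auth() -> str:
    """LDIF that changes nsSSLClientAuth from required to allowed so that
    iPlanet Console can connect again; apply it while the server is stopped."""
    return "\n".join([
        "dn: cn=encryption,cn=config",
        "changetype: modify",
        "replace: nsSSLClientAuth",
        "nsSSLClientAuth: allowed",
        "",
    ])

def ldif_add_user_certificate(user_dn: str, der_cert: bytes) -> str:
    """LDIF that adds the DER certificate to the user's entry. A binary
    value is base64-encoded and introduced with '::' instead of ':'."""
    if der_cert[:1] != b"\x30":
        raise ValueError("userCertificate;binary must be DER, not PEM text")
    value = base64.b64encode(der_cert).decode("ascii")
    lines = ["dn: " + user_dn, "changetype: modify", "add: userCertificate;binary"]
    lines += fold_ldif_line("userCertificate;binary:: " + value)
    lines.append("")
    return "\n".join(lines)

def decode_user_certificate(ldif: str) -> bytes:
    """Unfold the LDIF and return the DER bytes the server would store, so the
    file can be checked before it is fed to ldapmodify."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    for line in unfolded:
        if line.startswith("userCertificate;binary:: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    raise ValueError("no userCertificate;binary value in LDIF")
```

Run `ldif_add_user_certificate(USER_DN, pem_to_der(open("user.pem").read()))` on a real PEM export to produce the file for ldapmodify; `decode_user_certificate` lets you confirm the stored bytes match user_cert.bin before touching the server.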
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated May 13, 2002