Sun Java System Directory Server Enterprise Edition 6.1 Administration Guide

Configuring SSL Communication

This section contains procedures related to disabling and enabling SSL.

Disabling Non-Secure Communication

When a server instance is created, both an LDAP clear port and a secure LDAP port (LDAPS) are created by default. However, there might be situations where you want to disable non-SSL communications so that the server communicates only through SSL.

The SSL connection is enabled with a default self-signed certificate. If you want to, you can install your own certificates. For instructions on managing certificates and disabling SSL after the server has been started, see Chapter 5, Directory Server Security. For an overview of certificates, certificate databases, and obtaining a CA-signed server certificate, see Sun Java System Directory Server Enterprise Edition 6.1 Reference.

Procedure: To Disable the LDAP Clear Port

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Disable the LDAP clear port.

    To disable the non-secure port, you must bind to the LDAP secure port. This example shows a bind to the default LDAP secure port, 1636, on the host server host1.

    $ dsconf set-server-prop -h host1 -P 1636 ldap-port:disabled

  2. Restart the server for the change to take effect.

    $ dsadm restart /local/ds

    You can now no longer bind on the non-secure port 1389.

Choosing Encryption Ciphers

A cipher is the algorithm used to encrypt and decrypt data. Generally speaking, the more bits that a cipher uses during encryption, the stronger or more secure the encryption is. Ciphers for SSL are also identified by the type of message authentication used. Message authentication is another algorithm that computes a checksum that guarantees data integrity.

When a client initiates an SSL connection with a server, the client and server must agree on a cipher to use to encrypt information. In any two-way encryption process, both parties must use the same cipher. The cipher used depends upon the current order of the cipher list kept by the server. The server chooses the first cipher presented by the client that matches a cipher in its list. The default cipher value for Directory Server is all, which means all known secure ciphers supported by the underlying SSL library. However, you can modify this value to only accept certain ciphers.

For more information about the ciphers that are available with Directory Server, see Sun Java System Directory Server Enterprise Edition 6.1 Reference.

Procedure: To Choose an Encryption Cipher

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Make sure that SSL is enabled for your server.

    See Configuring SSL Communication.

  2. View the available SSL ciphers.

    $ dsconf get-server-prop -h host -p port ssl-supported-ciphers
    ssl-supported-ciphers  :  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    ssl-supported-ciphers  :  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    ...

  3. (Optional) If you want to keep a copy of non-encrypted data, export the data before setting the SSL ciphers.

    See Exporting to LDIF.

  4. Set the SSL ciphers.

    $ dsconf set-server-prop -h host -p port ssl-cipher-family:cipher

    For example, to set the cipher family to SSL_RSA_WITH_RC4_128_MD5 and SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, type:

    $ dsconf set-server-prop -h host1 -P 1636 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
     ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    Enter "cn=Directory Manager" password:
    Before setting SSL configuration, export Directory Server data.
    Do you want to continue [y/n] ? y
    Directory Server must be restarted for changes to take effect.

  5. (Optional) Add an SSL cipher to an existing list.

    If you already have a list of ciphers specified, and you want to add a cipher, use this command:

    $ dsconf set-server-prop -h host -p port ssl-cipher-family+:cipher

    For example, to add the SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipher, type:

    $ dsconf set-server-prop -h host1 -P 1636 \
     ssl-cipher-family+:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

  6. Restart the server for the changes to take effect.

    $ dsadm restart /local/ds
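As an added illustration that is not part of the Sun documentation, the following POSIX shell script audits the suite names printed by dsconf get-server-prop ... ssl-supported-ciphers (step 2) and builds the ssl-cipher-family: arguments that step 4 expects, keeping only suites that pass a simple policy. The sample output below is constructed, and the policy itself (reject NULL, EXPORT, RC4, DES/3DES, MD5 and anonymous key exchange) is an assumption of this example rather than a rule stated in the guide; under that policy the two suites used in the guide's own step 4 example are both flagged, so check the list against your own requirements before applying it.

```shell
#!/bin/sh
# Added example, not part of the Sun documentation. Audits cipher-suite names
# in the output format of:
#   dsconf get-server-prop -h host -p port ssl-supported-ciphers
# and emits the ssl-cipher-family:NAME arguments for dsconf set-server-prop.

# Constructed sample of dsconf output (not captured from a real server).
SAMPLE_OUTPUT='ssl-supported-ciphers  :  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  SSL_RSA_WITH_RC4_128_MD5
ssl-supported-ciphers  :  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
ssl-supported-ciphers  :  TLS_RSA_WITH_NULL_SHA'

# classify_cipher NAME: prints "weak" for suites whose name shows an
# algorithm this (assumed) policy rejects, "ok" otherwise.
classify_cipher() {
    case "$1" in
        *NULL*|*EXPORT*|*RC4*|*DES*|*_MD5|*anon*) echo weak ;;
        *) echo ok ;;
    esac
}

# cipher_names: reads dsconf output on stdin, prints one suite name per line
# (the text after the colon with all blanks removed).
cipher_names() {
    awk -F: '/ssl-supported-ciphers/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# weak_ciphers: reads dsconf output on stdin, prints the suites to leave out.
weak_ciphers() {
    cipher_names | while IFS= read -r name; do
        if [ "$(classify_cipher "$name")" = weak ]; then
            echo "$name"
        fi
    done
}

# build_cipher_family: reads dsconf output on stdin and prints the
# ssl-cipher-family:NAME arguments for the acceptable suites, separated by
# spaces, ready to append to "dsconf set-server-prop -h host -P port".
build_cipher_family() {
    cipher_names | while IFS= read -r name; do
        if [ "$(classify_cipher "$name")" = ok ]; then
            printf 'ssl-cipher-family:%s ' "$name"
        fi
    done
    echo
}

echo "Suites flagged as weak:"
printf '%s\n' "$SAMPLE_OUTPUT" | weak_ciphers
echo "Arguments for dsconf set-server-prop:"
printf '%s\n' "$SAMPLE_OUTPUT" | build_cipher_family
```

On a real server, replace the constructed sample with the output of the step 2 command (for example, dsconf get-server-prop -h host1 -P 1636 ssl-supported-ciphers | build_cipher_family) and paste the printed arguments into the step 4 command; the server still has to be restarted, as step 6 says, before the new list takes effect.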