Sun Java System Directory Server Enterprise Edition 6.2 Reference

Chapter 22 Security in Directory Proxy Server

This chapter describes the mechanisms that can be used to secure data that passes through Directory Proxy Server.

The chapter covers the following topics:

How Directory Proxy Server Provides Security

Directory Proxy Server provides security through a combination of the following methods:

Secure Sockets Layer for Directory Proxy Server

The Secure Sockets Layer (SSL) provides encrypted communications between a client and Directory Proxy Server. By using SSL with authentication, data sent to and from Directory Proxy Server can be encrypted.

When an instance of Directory Proxy Server is created, SSL is enabled by default and the following directories and files are created:

A randomly generated password to protect the certificate database

The password is stored in instance-path/etc/pass.txt

A key store database for certificates

The keystore database is located in instance-path/alias/cert.jks

A key store database for a symmetric encryption key

The keystore database is located in instance-path/alias/key.jceks

The key store databases are protected by the same password.
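The following POSIX shell script is an added example, not part of this reference or of the product; it checks the files described above on an installed instance. It assumes only the layout the chapter gives (instance-path/etc/pass.txt, instance-path/alias/cert.jks and instance-path/alias/key.jceks) and, for the optional open test, that keytool from the JDK is on the PATH. The demo instance it builds under /tmp is constructed so the file-level checks can be run without a real installation.

```shell
#!/bin/sh
# Added example, not part of the Sun reference: verify the protection of the
# files that an instance of Directory Proxy Server creates for SSL.
# Assumed layout (from the chapter): instance-path/etc/pass.txt,
# instance-path/alias/cert.jks and instance-path/alias/key.jceks.

# Return 0 if etc/pass.txt exists and is readable by its owner only.
# pass.txt holds the key store password in clear text, so a group- or
# world-readable copy hands every local user the certificate database.
# find(1) with octal -perm masks is POSIX and works on Solaris and Linux.
check_pass_file() {
    f="$1/etc/pass.txt"
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \))" ]; then
        echo "too permissive: $f is group- or world-readable (expect mode 600)"
        return 1
    fi
    return 0
}

# Return 0 if both key store databases are present, 1 otherwise.
check_keystore_files() {
    inst="$1"
    for ks in alias/cert.jks alias/key.jceks; do
        if [ ! -f "$inst/$ks" ]; then
            echo "missing: $inst/$ks"
            return 1
        fi
    done
    return 0
}

# Open both key stores with the password from pass.txt; this confirms the
# chapter's statement that one password protects both databases. keytool
# ships with the JDK the server runs on; cert.jks is a JKS store and
# key.jceks a JCEKS store, hence the -storetype switch for the second.
open_keystores() {
    inst="$1"
    pw=$(cat "$inst/etc/pass.txt")
    keytool -list -keystore "$inst/alias/cert.jks" -storepass "$pw" >/dev/null &&
    keytool -list -storetype JCEKS -keystore "$inst/alias/key.jceks" -storepass "$pw" >/dev/null
}

# Constructed demo instance (empty key store files, made-up password) so the
# file-level checks can be exercised without a real installation.
DEMO="${TMPDIR:-/tmp}/dps-demo.$$"
mkdir -p "$DEMO/etc" "$DEMO/alias"
printf 'constructed-password\n' > "$DEMO/etc/pass.txt"
chmod 600 "$DEMO/etc/pass.txt"
: > "$DEMO/alias/cert.jks"
: > "$DEMO/alias/key.jceks"

check_pass_file "$DEMO" && check_keystore_files "$DEMO" && echo "demo instance: file checks passed"
# On a real instance: check_pass_file /path/to/instance && open_keystores /path/to/instance
```

The permission check is the one worth scheduling: the password is generated for you at instance creation, so the only thing standing between a local user and the certificate database is the mode of pass.txt.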

For more information about SSL, see Secure Sockets Layer (SSL). For information about how to configure SSL between clients and Directory Proxy Server, see Configuring Listeners Between Clients and Directory Proxy Server in Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide.

Directory Proxy Server supports the StartTLS extended operation. StartTLS provides security over a regular LDAP connection: a client connects to the non-secure LDAP port and then uses StartTLS to upgrade that same connection to TLS, so that traffic exchanged after the upgrade is encrypted.

Ciphers and Protocols for Directory Proxy Server

The ciphers and protocols that can be used by Directory Proxy Server depend on the JVM that is used. By default, Directory Proxy Server uses the default ciphers and protocols for the JVM.

You can retrieve a list of ciphers and protocols by using the dpconf command:

Enabled ciphers

The list of ciphers that are currently enabled for both the LDAP and LDAPS listeners. Because the LDAP and LDAPS listeners are synchronized, the properties are part of the global server configuration, and not the listener configuration.

Supported ciphers

The list of ciphers supported by the JVM for Directory Proxy Server.

Enabled protocols

The list of protocols that are currently enabled for both the LDAP and LDAPS listeners. Because the LDAP and LDAPS listeners are synchronized, the properties are part of the global server configuration, and not the listener configuration.

Supported protocols

The list of protocols supported by the JVM for Directory Proxy Server.
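The script below is an added example, not from this reference or from the product. It shows what a practitioner does with the enabled lists described above: compare them against a current hardening baseline and flag the suites and protocols that should be removed. The suite and protocol names are constructed sample input in JSSE naming; on a live instance the dpconf server properties enabled-ssl-cipher-suites and enabled-ssl-protocols are the assumed source (check dpconf(1M) on your version), and the functions strip a leading "property : " prefix so raw dpconf lines can be piped in.

```shell
#!/bin/sh
# Added example, not part of the Sun reference: audit the cipher suites and
# protocols enabled on Directory Proxy Server against a current baseline.
# Input is one JSSE suite or protocol name per line. The sample lists below
# are constructed. On a live instance, pipe dpconf output in instead; the
# property names are assumed here and should be checked in dpconf(1M):
#   dpconf get-server-prop -h host -p port enabled-ssl-cipher-suites | weak_suites
#   dpconf get-server-prop -h host -p port enabled-ssl-protocols    | weak_protocols

# Strip an optional "property-name : " prefix so raw dpconf lines work too.
strip_prop() {
    sed 's/^[a-z-]* *: *//'
}

# Print suites that offer no encryption, export-grade keys, anonymous key
# exchange, RC4, single DES, 3DES or an MD5 MAC.
weak_suites() {
    strip_prop | grep -E '_NULL_|_EXPORT_|_anon_|_RC4_|_WITH_DES_|_3DES_|_MD5$' || true
}

# Print enabled protocol names that should never be offered: SSLv2Hello
# (the SSLv2-compatible hello) and SSLv3. TLSv1 and TLSv1.1 are deprecated
# today, but which TLS versions exist at all depends on the JVM in use.
weak_protocols() {
    strip_prop | grep -E '^SSLv2Hello$|^SSLv3$' || true
}

# Counts that always exit 0, so they are safe inside command substitution.
count_weak_suites()    { weak_suites    | grep -c . || true; }
count_weak_protocols() { weak_protocols | grep -c . || true; }

# Constructed sample of an "enabled ciphers" list, one JSSE name per line.
SAMPLE_SUITES='TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_NULL_SHA'

# Constructed sample of an "enabled protocols" list.
SAMPLE_PROTOCOLS='SSLv2Hello
SSLv3
TLSv1
TLSv1.1
TLSv1.2'

echo "weak suites enabled:"
printf '%s\n' "$SAMPLE_SUITES" | weak_suites
echo "weak protocols enabled:"
printf '%s\n' "$SAMPLE_PROTOCOLS" | weak_protocols
```

Because the enabled lists are global server properties rather than listener properties, one audit covers both the LDAP and LDAPS listeners. Anything the audit flags is removed by setting the enabled property to the remaining suites or protocols, as described in Choosing SSL Ciphers and SSL Protocols for Directory Proxy Server in the Administration Guide; the supported lists tell you what the JVM can offer in their place.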

For reference information about cipher suites, see Cryptographic Algorithms Used With SSL. For information about how to choose ciphers, see Choosing SSL Ciphers and SSL Protocols for Directory Proxy Server in Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide.