Managing Servers with Netscape Console: Administration Server Configuration

Complete Contents
Introduction
Chapter 1 Introducing Netscape Console
Chapter 2 The Netscape Server Family Setup Program
Chapter 3 Using Netscape Console
Chapter 4 User and Group Administration
Chapter 5 Using SSL
Chapter 6 Delegating Server Administration
Chapter 7 Using SNMP to Monitor Services
Chapter 8 Administration Server Basics
Chapter 9 Administration Server Configuration
Appendix A Distinguished Name Attributes and Syntax
Appendix B Administration Server Command Line Tools
Appendix C FORTEZZA
Appendix D Introduction to Public-Key Cryptography
Appendix E Introduction to SSL

Contents

Index

Chapter 9 Administration Server Configuration

This chapter describes the configuration options you can use with the Administration server.

This chapter contains the following sections:

Network Settings

Access Settings

Encryption Settings

Directory Settings

Network Settings

Network settings affect the way the Administration Server runs. You can change the system user account that runs the Administration Server. This is a user account you set up with your computer's operating system. (By default, the user is nobody on Unix, and LocalSystem on Windows NT.)

You can change the port number that the Administration Server listens to. The port number can be any number between 1 and 65535, but it is typically a random number greater than 1024. For security reasons, consider changing the port number regularly.

You can change the IP address for a server. This is useful if the host system is connected to multiple networks and you want to specify a single IP address the server should use for incomming requests and connections.

You can also specify which hosts are allowed to connect to the Administration Server.

To configure Administration Server network settings:

In Netscape Console, select the Administration Server you want to modify, and then click Open.

Click the Configuration tab, and then click Network.

Enter network settings:

Port. Enter the port number you want the Administration Server to use. The port number can be any number between 1 and 65535, but it is typically a random number greater than 1024.

IP Address. Enter the IP address you want the server to use for incoming requests and connections.

Server UID. Enter the system user account you want to use to run the Administration Server.

Connection Restrictions. Displays a list of hosts currently allowed to connect to the Administration Server. Use the drop-down list to indicate whether you're adding to the list by DNS name or by IP address. The list is evaluated first by host names, and then by IP addresses. Using IP addresses may provide faster authentication.

Add. Displays a dialog box for adding a host to the list of computers allowed to connect to the Administration Server.

Edit. Displays a dialog box for editing a Host IP address or DNS name on the list of computers allowed to connect to the Administration Server.

Remove. Removes a selected entry from the list of allowed hosts.

Click OK.

Access Settings

Access settings specify who is allowed to access these areas of the Administration Server:

Server group management - This includes all server management tasks such as starting, stopping, and configuring the servers in a group.

End-user page - This is the Administration Server html page that end users typically access to either modify their own user data, or to download shared software. See "End-User Access to the User Directory" on page 46 for more information.

Directory Server Gateway - The Directory Server Gateway is a service that provides web-based access to the entire user dirctory. The Directory Server Gateway must be installed before you can use this option. See the Administrator's Guide to Directory Server 4.0 for more information.

To set access settings for the Administration Server:

In Netscape Console, select the Administration Server you want to modify, and then click Open.

Click the Configuration tab, and then click Access.

Enter access information:

User name. Enter Netscape Console Administrator user ID. This is the user listed in the file <server_root>/admin-serv/config/admpw. This is the user name you entered during installation. This user has full access to all features in the Administration Server.

Password. Enter Netscape Console Administrator's password.

Confirm Password. Enter Netscape Console Administrator's password again to confirm it.

Enable end-user access. Select this option if you want to allow end users to access the end-user page. Users will be able to access the end-user page using the same URL that administrators do. But they will only see a single form with their user information. An end user can change his or her own password or update any other information stored in his or her own entry in the user database.

Enable Directory Server Gateway Access. By default, this option is selected for you. Deselect it to disable access to the Directory Server Gateway.

Click OK.

Encryption Settings

All Netscape 4.0 servers support the SSL protocol and PKCS #11 APIs for encryption communication. Encryption prevents communication between the Administration Server and other servers from eavesdropping and tampering. You need to configure the Administration Server for SSL if it will communicate with SSL-enabled servers.

Before you can use SSL with the Administration Server, you must first enable and activate SSL on the server. The Certificate Setup Wizard in Netscape Console simplifies the enabling process for you. The following procedures walk you through using the Certificate Setup Wizard, and then activating SSL on the Administration Server.

Enabling SSL on a 4.x Administration Server
To enable SSL on a 4.x Administration Server:

In Netscape Console, in the navigation tree, select the Administration Server instance you want to use SSL encryption with.

Click Open Server to open the Administration Server Console.

In the Administration Server Console, from the Console menu, choose Certificate Setup Wizard.

Provide information as prompted. See "Obtaining and Installing a Certificate" on page 67 for detailed information.

Once you've obtained and installed a certificate, activate SSL as described in the next procedure.

Activating SSL on a 4.x Administration Server
The cipher family and preferences you specify here are used to provide SSL communication between Administration Server and Netscape Console.

To activate SSL on a 4.x Administration Server:

In Netscape Console, in the navigation tree, select the Administration Server instance you want to use SSL encryption with.

Click Open Server to open the Administration Server console, and then click Configure the Administration Server.

In the Configuration window, click Encryption.

Enter information as appropriate:

Enable SSL. Choose this option if you want to secure your enterprise with Secure Sockets Layers (SSL) encryption. The following are enabled only when you turn on SSL Encryption:

Cipher Family. When you enable SSL Encryption, the cipher families available to you are listed here. Select the cipher families you want to use.

Token to Use. Choose Internal (Software-based) if the key is stored in the local key database. All other choices available to you on this list are device-based. This means the key is stored on an external device such as a Smart Card.

Certificate. Certificate information is stored in the certificate database. If you're unsure of the Certificate to use, view the Certificate Management dialog for more information. To view the Certificate Management dialog, from the File menu, choose Certificate Management.

Cipher Preferences. A cipher is the algorithm used in encryption. This list displays the cipher preferences you've selected.

Click OK.

Directory Settings

The Directory Settings tell the Administration Server where to find the configuration directory and the user directory.

The Configuration Directory
When you install a server, you're asked for the location of the Directory Server that will store your server's configuration data. The Directory Server you specify contains the default configuration directory. The configuration directory is a subtree of the Directory Server. Data such as network topology information, console configuration, and server instance entries (SIEs) are stored in this subtree. Each time you install a server or change its configuration, the changes are stored in this subtree. For example, when you change a server's port number or turn on SNMP, the relevant data is stored in the configuration directory of the Directory Server.

Changing the Configuration Directory Server
You can designate a different host or port number for the configuration Directory Server.

Note. Changing the configuration Directory Server has serious and far-reaching impacts on the rest of the servers in the server group! If you change a setting here, you must make the same change in every server in the administration domain.

To change the configuration Directory Server settings:

In Netscape Console, choose an Administration Server and open it.

Click Configuration.

Click Configuration DS.

Modify settings as appropriate.

LDAP Host. Enter the host name of the configuration directory this Administration Server uses.

LDAP Port. Enter the port number for the configuration directory this Administration Server uses.

Use SSL. Select this option if the new configuration directory is already SSL enabled.

Click Save.

The User Directory
The user directory is a subtree of the Directory Server. It uses a suffix that you create, such as o=airius.com. The user directory is used for authentication and for local server management. It stores all user and group data, accounts data, group lists, and access control instructions (ACIs).

You can have more than one user directory in your enterprise. For example, to increase directory performance, one company might deploy three user directories, one in each of three geographic regions. Another company might deploy five user directories, one with each of five Mail Servers.

User Directory Settings
When you're installing a Netscape server, you are prompted to specify a user directory that is associated with the administrative domain. By default, a server group uses the same user directory associated with its domain. Also by default, an individual server uses the same user directory as its server group. There may be times when you need to override default user directory settings at the server, server group, or domain level.

For example, you may need to change the user directory for a domain when you upgrade to a new Directory Server. Or you might want to temporarily change the user directory for a server group when you're testing a new Directory Server for the group, and you don't want to impact your existing user directory.

User Authentication and Directory Failover Support
When a user logs in to Netscape Console, he enters his user ID which is checked against the user directory. If the user ID cannot be authenticated in a user directory, the user cannot successfully log in to Netscape Console.

If you're using a Netscape Console 4.1 version or higher, you can list more than one user directory that can be used for authenticating users IDs. This is useful when the Directory Server that contains your primary user directory is not running or is not accessible. If the user directory has been replicated in other host locations, Netscape Console continues to check the user ID against each user directory in the list until authentication can be made.

To list user directories to be used for failover support, follow instructions for "Changing User Directory Settings for a Domain" on page 143 or "Changing User Directory Settings for a Server Group" on page 144. For information on replicating the user directory, see the Directory Server 4.0 Administrator's Guide.

Changing User Directory Settings for a Domain
You must be the Configuration Administrator or Domain Administrator to change the user directory settings for a domain.

Changing these settings will have serious and far-reaching impacts on the rest of the servers in the domain! If you make changes here, you must restart all the servers in the domain.

To change the user directory settings for a domain:

In Netscape Console, select a domain, then click Edit.

Modify domain information as appropriate.

Domain Name. Enter a fully qualified domain name.
Example: airius.mcom.com

Description. Enter a name that helps you identify this domain.

User Directory Host and Port. Specify the location of the user directory using the host computer's fully qualified domain name and port number. For authentication purposes, you can enter more than one user directory location separated by spaces.

Example:

Eros.Airius.com:389 Zeus.Airius.com:389

See "User Authentication and Directory Failover Support" on page 142 for more information.

If you specify more than one host computer, each one must be configured identically regarding the following settings:

Secure Connection. Select this option if the new user directory port is already enabled for SSL communication.

User Directory Subtree. Enter the location of the new user directory. Example: o=mcom.com

Bind DN. Enter the distinguished name for a user who has access permisions to the new user directory. Example: uid=ginac, ou=people, o=Airius.com.

Bind Password. Enter the password of the user above.

Click OK.

Changing User Directory Settings for a Server Group
To change the user Directory Server settings for a server group:

In Netscape Console, choose an Administration Server and open it.

Click Configuration.

Click User DS.

Modify settings as appropriate.

Use Default User Directory. Choose this option if you want to use the default user directory associated with the domain.

Set User Directory. Choose this option if you want to use a user directory other than the default associated with the domain.

Example:

Eros.Airius.com:389 Zeus.Airius.com:389

See "User Authentication and Directory Failover Support" on page 142 for more information

If you specify more than one host computer, each one must be configured identically regarding the following settings:

Secure Connection. Select this option if the new user directory port is already enabled for SSL communication.

User Directory Subtree. Enter the location of the new user directory. Example: o=mcom.com

Bind DN. Enter the distinguished name for a user who has access permisions to the new user directory. Example: uid=ginac, ou=people, o=Airius.com.

Bind Password. Enter the password of the user above.

Click OK.

Changing User Directory Settings for A Server
See the server's Administrator's Guide for detailed information.

Configure Administration Server - Network

Use this dialog box to specify hosts that are allowed to connect to the Administration Server.

Port. Enter the port number you want the Administration Server to use. The port number can be any number between 1 and 65535, but it is typically a random number greater than 1024.

IP Address. Enter the IP address you want the server to use for incoming requests and connections.

Server UID. Enter the system user account you want to use to run the Administration Server.

Connection Restrictions. Displays a list of hosts currently allowed to connect to the Administration Server. Use the drop-down list to indicate whether you're adding to the list by DNS name or by IP address. The list is evaluated first by host name, and then by IP addresses. Using IP addresses may provide faster authentication.

Add. Displays a dialog box for adding a host to the list of computers allowed to connect to the Administration Server.

Edit. Displays a dialog box for editing a Host IP address or DNS name on the list of computers allowed to connect to the Administration Server.

Remove. Removes a selected entry from the list of allowed hosts.

Add or Edit Host Name

Use this dialog box when you want to add to the list of hosts allowed to connect to the Administration Server. Enter a fully qualified host name. Wildcards are acceptable. Example: *.airius.com.

Add or Edit IP Address

Use this dialog box when you want to add to the list of hosts allowed to connect to the Administration Server. Enter an IP address. Wildcards are acceptable. Example: 236.45.*

Configure Administration Server - Access

Use this dialog box to enter settings for the Administration Server Administrator.

User name. Enter the user ID for the Administration Server Administrator. This is the user listed in the file server_root>/admin-serv/config/admpw. This is the user name you entered during installation. The Administration Server Administrator has full access to all features in the Administration Server.

Password. Enter the superuser's password.

Confirm Password. Enter the superuser's password again to confirm it.

Enable end-user access. Select this option if you want to allow end users to access the user databse. Users will be able to access the Administration Page using the same URL that administrators do. But they will only see a single form with their user information. An end user can change his or her own password or update any other information stored in his or her own entry in the user database.

Enable Directory Server Gateway Access. The Directory Server Gateway is a service that provides web-based access to the entire user dirctory. By default, this access is enabled. Deselect it to disable access to the Directory Server Gateway. The Directory Server Gateway must be installed before you can use this option. See the Administrator's Guide to Directory Server 4.0 for more information.

See Also

"Network Resources and Administrative Privileges"

Configure Administration Server Encryption

Use this dialog box to enable Secure Sockets Layer (SSL) encryption.

Enable SSL. Choose this option if you want to secure your enterprise with Secure Sockets Layers (SSL) encryption. The following are enabled only when you turn on SSL Encryption:

Cipher Family. When you enable SSL encryption, the cipher families available to you are listed here. Select the cipher families you want to use.

Token to Use. Choose Internal (Software-based) if the key is stored in the local key database. All other choices available to you on this list are device-based. This means that the key is stored on an external device such as a smart card.

Certificate. Certificate information is stored in the certificate database. If you're of which certificate to use, view the Certificate Management dialog box for more information. To view the Certificate Management dialog, from the File menu, choose Certificate Management.

Cipher Preferences. A cipher is the algorithm used in encryption. This list displays the cipher preferences you've selected.

See Also

"Activating SSL"
"The SSL Protocol"

Configure Administration Server - Configuration DS

These settings specify the location of the Directory Server that contains your configuration directory.

Note. Changing these settings will have serious and far-reaching impacts on the rest of the servers in the server group! For example, if you change the port number here, you must reflect that change in every server in the administration domain.

LDAP Host. Enter the host name of the configuration directory that this Administration Server uses.

LDAP Port. Enter the port number for the configuration directory that this Administration Server users.

Secure Connection. Select this option if the configuration directory is already SSL enabled.

See Also

"Changing the Configuration Directory Server"

Configure Administration Server - User DS

These settings specify the location of the user directory that is used for authentication and for local server management.

Use Default User Directory. Choose this option if you want to use the user directory associated with the domain. Its LDAP URL is displayed here.

Set User Directory. Choose this option if you want to use a user directory other than the default associated with the domain.

LDAP Host and Port. Specify the location of the user directory using the host computer's fully qualified domain name and port number. For authentication purposes, you can enter more than one user directory location separated by spaces.

Example: Eros.Airius.com:389 Zeus.mcom.com:389

See "User Authentication and Directory Failover Support" on page 142 for more information.

Note. If you specify more than one host computer in this field, each one must be configured identically regarding the following settings:

Secure Connection. Select this option if the new user directory port is already enabled for SSL communication.

User Directory Subtree. Enter the location of the new user directory. Example: o=mcom.com

Bind DN. Enter the distinguished name for a user who has access permisions to the new user directory. Example: uid=ginac, ou=people, o=Airius.com.

Bind Password. Enter the password of the user above.

See Also

"User Directory Settings"