Managing Servers With iPlanet Console



Glossary


access control. The process of controlling who is allowed to do what to a server, onscreen element, task, or directory entry. See also access control instruction (ACI), access control list (ACL).

access control instruction (ACI). A rule that permits or restricts access to a server, onscreen element, task, or directory entry.

access control list (ACL). A collection of ACIs used to perform complex authorization procedures.

administration domain. A collection of host systems and servers that share the same user directory.

Administration Server. An HTTP server that acts as the back end to iPlanet Console. A single instance of Administration Server manages operation requests from all servers installed in a server group.

Administration Server Administrator. The user who can log in to iPlanet Console even when an instance of Administration Server is not connected to an instance of Directory Server. The Administration Server Administrator is not in the user directory, but is created and stored locally (on the server machine) during installation of Administration Server.

administrator. A user who manages and configures servers.

attribute. A descriptive aspect of a directory entry. Consists of a label, an attribute type, and one or more attribute values. For example, a user entry might have an attribute called telephoneNumber that contains the value (555)555-5555.

authentication. Assurance that a party to a computerized transaction is not an impostor. Authentication typically involves the use of a password, certificate, PIN, or other information that can be used to validate identity over a computer network. See also certificate-based authentication, client authentication, password-based authentication, server authentication.

bind DN. A user ID, in the form of a distinguished name (DN), used with a password to authenticate to Netscape or iPlanet Directory Server.

browser. Software, such as Netscape Navigator, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server. Also known as a client program.

CA. See certificate authority (CA).

CA certificate. A certificate that identifies a certificate authority. See also certificate authority (CA), root CA.

CA hierarchy. A hierarchy of CAs in which a root CA delegates the authority to issue certificates to subordinate CAs. Subordinate CAs can also expand the hierarchy by delegating issuing status to other CAs. See also certificate authority (CA), root CA.

certificate. Digital data that specifies the name of an individual, company, or other entity and certifies that a public key, which is also included in the certificate, belongs to that entity. A certificate is issued and digitally signed by a certificate authority (CA). A certificate's validity can be verified by checking the CA's digital signature using the techniques of public-key cryptography.

certificate-based authentication. Authentication using certificates. See server authentication, client authentication.

certificate authority (CA). A trusted issuer of certificates. CAs are responsible for verifying the identity of the person or entity that a certificate represents. A CA also renews and revokes certificates and generates CRLs. Certificate authorities can be independent third parties (such as those listed at https://certs.netscape.com/client.html) or a person or organization using certificate-issuing server software.

certificate authority workstation. A computer used to program Fortezza crypto cards.

certificate chain. A hierarchical series of certificates signed by successive certificate authorities. A certificate chain contains a CA certificate that identifies a certificate authority (CA) and that is used to sign certificates issued by that authority. This CA certificate can in turn be signed by the CA certificate of a parent CA, and so on up to a root CA.

certificate extensions. Data that is included with a certificate, but that is not part of the standard set of certificate information.

certificate group. A group of users who have a certificate containing a common attribute. For example, suppose a certificate is created for all users who have the attributes ou=Engineering, ou=Anytown. An administrator can create an "Anytown Engineers" certificate group that grants special access to users whose certificates contain these attributes. When a user presents the server with a certificate containing these attributes, he is identified as part of the Anytown Engineers certificate group and is then granted appropriate access rights.

certificate revocation list (CRL). A list of revoked certificates generated and signed by a certificate authority (CA).

cipher. A set of rules or directions used to perform cryptographic operations such as encryption and decryption.

cipher suite. A named combination of ciphers that together supply the key exchange, authentication, bulk encryption, and integrity algorithms for an SSL connection. The client and server agree on a single cipher suite during the SSL handshake.

CKL. See compromised key list (CKL).

client authentication. The process of identifying a client to a server using a name and password or a certificate and some digitally signed data. See also certificate-based authentication, password-based authentication, server authentication.

client program. See browser.

cloning. The act of copying the configuration data in one server to multiple servers of the same type.

compromised key list (CKL). A list of keys that have been compromised or otherwise tampered with.

Configuration Administrator. The person who can manage all resources in the iPlanet Console navigation tree.

Configuration Administrators group. A static group whose members have unrestricted access to the configuration directory. The group is stored in the configuration directory under the following DN:

ou=Groups, ou=TopologyManagement, o=NetscapeRoot

configuration directory. Typically, a subtree of a directory containing application and server configuration information. In large deployments, the configuration directory can be a separate instance of Directory Server.

connection restrictions. Rules that specify which hosts are allowed to connect to an instance of Administration Server.
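A worked illustration of evaluating such rules, added here and not taken from Administration Server: the rule syntax (hostname wildcards, IPv4 wildcards, CIDR blocks) and the forward-lookup hook are assumptions made for the example, and the DNS table is constructed. Hostname rules rest on a reverse (PTR) lookup that the client's network owner controls, so the example honours a hostname rule only when the name also resolves forward to the client's address.

```python
"""Evaluate host-based connection restrictions for an administration
service.  Added example for this glossary, not Administration Server code.
The rule syntax (hostname wildcards such as *.iplanet.com, IPv4 wildcards
such as 172.17.*, and CIDR blocks) and the injected forward-DNS resolver
are assumptions made for this illustration; the lookup table is constructed."""

import fnmatch
import ipaddress
from typing import Callable, Iterable, Optional, Sequence

ForwardLookup = Callable[[str], Iterable[str]]   # hostname -> IPv4 addresses


def _is_ip_rule(rule: str) -> bool:
    """IPv4 rules contain only digits, dots, '*' and '/'; anything else is a hostname rule."""
    return all(c.isdigit() or c in ".*/" for c in rule)


def _ip_matches(ip: str, rule: str) -> bool:
    if "/" in rule:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(ip, rule)


def connection_allowed(client_ip: str, client_host: Optional[str],
                       allow_rules: Sequence[str], forward_lookup: ForwardLookup) -> bool:
    """Return True if any rule admits the client.

    client_host is the name obtained from a reverse (PTR) lookup of
    client_ip.  Whoever controls the client's address block controls that
    PTR record, so a hostname rule is honoured only when the name also
    resolves forward to client_ip; otherwise a remote host could claim
    'anything.iplanet.com' and satisfy '*.iplanet.com'.
    """
    for rule in allow_rules:
        if _is_ip_rule(rule):
            if _ip_matches(client_ip, rule):
                return True
        elif client_host and fnmatch.fnmatchcase(client_host.lower(), rule.lower()):
            if client_ip in set(forward_lookup(client_host)):
                return True
    return False


# Constructed forward-DNS table standing in for a real resolver.
FORWARD_DNS = {
    "admin.iplanet.com": ["172.17.66.98"],
    "attacker.iplanet.com": [],   # exists only in the attacker's own PTR record
}


def lookup(host: str) -> Iterable[str]:
    return FORWARD_DNS.get(host.lower(), [])


RULES = ["*.iplanet.com", "192.168.0.0/16", "10.1.*"]

if __name__ == "__main__":
    print(connection_allowed("172.17.66.98", "admin.iplanet.com", RULES, lookup))   # True
    print(connection_allowed("203.0.113.7", "attacker.iplanet.com", RULES, lookup))  # False
```

The second call fails even though the claimed name matches `*.iplanet.com`, because the name does not resolve back to 203.0.113.7. Address-based rules are still only as strong as the network path: see IP spoofing.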

CRL. See certificate revocation list (CRL).

crypto card. See Fortezza crypto card.

cryptographic algorithm. See cipher.

decryption. The unscrambling of data that has been encrypted. See also encryption.

Directory Server gateway. A collection of HTML forms that allows a browser to perform LDAP client functions, such as querying and accessing an instance of Directory Server.

distinguished name (DN). String representation of an entry's location in an LDAP directory. Every distinguished name is unique.

DN. See distinguished name (DN).

DNS. Domain Name System. The system used by machines on a network to associate standard IP addresses (such as 172.17.66.98) with host names (such as www.iplanet.com). Machines typically get the IP address for a hostname from a DNS server, or they look it up in tables maintained on their systems.

dynamic group. A group into which members are automatically added based on their DN attributes.

eavesdropping. Surreptitious interception of information sent over a network by an entity for which the information is not intended.

encryption. The process of scrambling information in a way that disguises its meaning. See also decryption.

external security device. A key-pair and certificate database stored in an external device such as a smart card.

failover support. The ability to check multiple instances of Directory Server when authenticating a user. This is useful when the instance of Directory Server containing your primary user directory is not accessible.

Fortezza. A cryptographic system, developed by the US government, that combines the use of hardware-based tokens and software-based algorithms to secure electronic information exchange.

Fortezza crypto card. A PCMCIA card that contains a user's unique key, as well as certificate management approaches and encryption algorithms used by Fortezza.

gateway. See Directory Server gateway.

group. A collection of users who share a common attribute.

hostname. A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.iplanet.com is the machine www in the subdomain iplanet and com domain.

HTML. Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as Netscape Navigator how to display text, position graphics and form items, and display links to other pages.

HTTP. Hypertext Transfer Protocol. The method for exchanging information between HTTP servers and clients.

impersonation. The act of posing as the intended recipient of information sent over a network. Impersonation can take two forms: spoofing and misrepresentation.

information panel. The right-hand side of the "Servers and Applications" tab in the main iPlanet Console window. Displays detailed information about a selected resource.

instance. See server instance.

internal security device. A key-pair and a certificate database stored in a software file on a host computer.

IP address. Internet Protocol address. A set of numbers, separated by dots, that specifies the actual location of a machine on the Internet (for example, 172.17.66.98).

IP spoofing. The forgery of the source IP address in network packets so that traffic appears to come from a trusted client. See also connection restrictions, spoofing.

iPlanet Console. The Java application used to manage iPlanet and Netscape servers as well as entries in the user directory.

JAR file. A compressed collection of Java class files.

JAR information file. A text file containing special scripting instructions. This file is used by modutil when handling JAR files.

key. (1) A number used by a cryptographic algorithm to encrypt or decrypt data. See also public key and private key. (2) Predefined commands and options that modutil interprets.

key and certificate database. A collection of keys and certificates used by a server instance or client.

key recovery. The ability to retrieve backups of encryption keys under carefully defined conditions.

LDAP. See Lightweight Directory Access Protocol (LDAP).

LDAP Data Interchange Format. See LDIF.

LDIF. LDAP Data Interchange Format. Format used to represent Directory Server entries in text form.

Lightweight Directory Access Protocol (LDAP). A lightweight version of the X.500 Directory Access Protocol that runs directly over TCP/IP. LDAP is the communication standard used for storing and accessing information in directories.

managed device. A piece of hardware or software that is monitored and controlled over SNMP.

managed object. Configuration and management settings that can be read and changed by an SNMP master agent.

management information base. See MIB.

master agent. See SNMP master agent.

member. A directory entry that is part of a group. For instance, in a dynamic group called Western Sales, members might include all users whose directory entries contain the RDN ou=Western Sales.

MIB. Management Information Base. A tree-like hierarchy that defines managed objects.

migration. The act of importing settings from one version of a server to a later version of the same server.

misrepresentation. The presentation of an entity as a person or organization that it is not. For example, a web site might pretend to be a furniture store when it is really just a site that takes credit-card payments but never sends any goods. Misrepresentation is one form of impersonation. See also spoofing.

modutil. The Security Module Database Tool. A command-line utility for managing PKCS #11 module information stored in secmod.db files or hardware tokens.

native agent. An SNMP master agent that is built into a version of the UNIX operating system.

navigation tree. The graphical representation in iPlanet Console of a network topology. A navigation tree contains all resources that are registered in a configuration directory.

network management application. An application that shows information about managed devices.

network management station (NMS). The machine used to monitor and configure managed devices.

network topology. See topology.

NMS. See network management station (NMS).

nonrepudiation. The inability of a sender of information to claim that the information was never sent. A digital signature provides one form of nonrepudiation.

object class. A definition of a type of directory entry. An object class includes definitions of the attributes that are contained in a directory entry.

organizational unit. A directory entry that can include a number of groups. Usually represents a division, department, or other discrete business group.

ou. Abbreviation for organizational unit in a distinguished name (DN).

password-based authentication. Authentication using passwords.

PKCS #11. The public-key cryptography standard (the Cryptographic Token Interface standard, also called Cryptoki) that defines the programming interface between applications and cryptographic security devices such as smart cards.

PKCS #11 module. A driver for a device that provides cryptographic services such as encryption and decryption via the PKCS #11 interface. A PKCS #11 module can be implemented in either hardware or software, and always contains one or more slots. Each of these slots, which can be implemented physically in hardware or conceptually in software, can contain a security device. iPlanet Console includes a built-in software PKCS #11 module.

port number. A way to identify a specific process to which a network message is to be forwarded when it arrives at a server.

POSIX. Portable Operating System Interface for UNIX. A standard for the interface between UNIX and application programs.

private key. One of a pair of keys used in public-key cryptography. The private key is kept secret and is used to decrypt data encrypted with the corresponding public key and to create digital signatures that anyone holding the public key can verify.

protocol. A set of rules that describes how devices on a network exchange information.

public key. One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a certificate. It is typically used to encrypt data sent to the public key's owner, who then decrypts the data with the corresponding private key, and to verify digital signatures made with that private key.

public-key encryption. A set of encryption techniques that use a public key and a private key.

public-key infrastructure (PKI). The standards and services that facilitate the use of public-key encryption and certificates in a networked environment.

RDN. See relative distinguished name (RDN).

RDN keyword. An abbreviation, such as cn, ou, or o, that names the attribute type in a component of a distinguished name.

registration authority (RA). An entity that receives and authenticates certificate requests, and then forwards them to a CA.

relative distinguished name (RDN). The name of a directory entry, before the entry's ancestors have been appended to the string to form the full distinguished name.
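The following added example (not code from iPlanet Console) shows how a DN string is broken into its RDNs and how the attribute-based membership tests described under certificate group, dynamic group and member are evaluated over DNs. The DNs it uses are constructed, and escaping follows RFC 4514.

```python
"""Parse LDAP distinguished names into RDNs and evaluate attribute-based
group membership.  Added example for this glossary, not iPlanet code.
Escaping follows RFC 4514 (a backslash protects the next character);
the entry DNs below are constructed."""

from typing import List, Sequence, Tuple

# One RDN is a list of (attribute type, value) pairs; multi-valued RDNs
# such as cn=Jane+uid=jdoe hold more than one pair.
RDN = List[Tuple[str, str]]


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, treating a backslash-escaped sep as literal."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])       # keep the escape; _unescape strips it
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(v: str) -> str:
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            out.append(v[i + 1])
            i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs of dn leaf-first, types lower-cased, values unescaped.

    'cn=Jane Doe,ou=Western Sales,o=iplanet.com' ->
    [[('cn', 'Jane Doe')], [('ou', 'Western Sales')], [('o', 'iplanet.com')]]
    """
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        avas: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append((attr.strip().lower(), _unescape(value.strip())))
        rdns.append(avas)
    return rdns


def has_rdn(dn: str, attr: str, value: str) -> bool:
    """True if any RDN of dn carries attr=value.  Values are compared
    case-insensitively, like the caseIgnoreMatch rule used for cn/ou/o."""
    attr, value = attr.lower(), value.casefold()
    return any(a == attr and v.casefold() == value
               for rdn in parse_dn(dn) for a, v in rdn)


def dynamic_members(entry_dns: Sequence[str], attr: str, value: str) -> List[str]:
    """Members of a dynamic group defined as 'DN contains attr=value'."""
    return [dn for dn in entry_dns if has_rdn(dn, attr, value)]


def in_certificate_group(subject_dn: str, required: Sequence[Tuple[str, str]]) -> bool:
    """Certificate-group test: every required attr=value must appear in the
    certificate's subject name, which is itself a DN."""
    return all(has_rdn(subject_dn, a, v) for a, v in required)


if __name__ == "__main__":
    # Constructed user directory entries.
    people = [
        "cn=Jane Doe,ou=Western Sales,o=iplanet.com",
        r"cn=Doe\, John,ou=Western Sales,o=iplanet.com",
        "cn=Ann Lee,ou=Engineering,ou=Anytown,o=iplanet.com",
    ]
    print(dynamic_members(people, "ou", "Western Sales"))
    print(in_certificate_group(people[2], [("ou", "Engineering"), ("ou", "Anytown")]))
```

Note that the second constructed entry contains an escaped comma inside its cn value; a naive `split(",")` would turn it into two RDNs and break both the uniqueness of DNs and any membership rule built on them.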

resource. An object in an iPlanet topology. Examples of resources include administration domains, hosts, and server instances.

RFC. Request For Comments. Procedures or standards documents submitted to the Internet community. Readers can send comments on the technologies before they become accepted standards.

root CA. The certificate authority (CA) with a self-signed certificate at the top of a certificate chain. See also CA certificate.

schema. Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.

schema checking. Ensures that new or modified directory entries conform to the defined schema. Schema checking is turned on by default; users will receive an error if they try to save an entry that does not conform to the schema.
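As an added example, not Directory Server code, the block below parses a small LDIF text (see LDIF, object class, schema) and runs the schema check described above over the resulting entries. The schema table and the LDIF are constructed and far smaller than a real Directory Server schema.

```python
"""Parse LDIF text into entries and run schema checking against a small
object-class schema.  Added example for this glossary, not Directory
Server code.  The schema table and LDIF below are constructed and kept
minimal; a real schema defines many more classes and attribute syntaxes."""

import base64
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]            # attribute name (lower-case) -> values

# Constructed schema: object class -> (superior class, MUST attrs, MAY attrs).
# A class inherits the MUST and MAY sets of its superiors.
SCHEMA: Dict[str, Tuple[str, Set[str], Set[str]]] = {
    "top":                  ("",                     {"objectclass"}, set()),
    "person":               ("top",                  {"cn", "sn"},
                             {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": ("person",               set(), {"ou", "title"}),
    "inetorgperson":        ("organizationalperson", set(), {"uid", "mail", "givenname"}),
}


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into entries; handles folded lines and base64 (::) values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:         # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Entry] = []
    entry: Entry = {}
    for line in lines:
        if not line.strip():                      # blank line ends an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if rest.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def _inherited(oc: str) -> Tuple[Set[str], Set[str]]:
    """MUST and MAY sets of oc including everything inherited from superiors."""
    must: Set[str] = set()
    may: Set[str] = set()
    while oc:
        sup, m, o = SCHEMA[oc]
        must |= m
        may |= o
        oc = sup
    return must, may


def check_entry(entry: Entry) -> List[str]:
    """Schema-check one entry: return a list of violations (empty if it conforms)."""
    errors: List[str] = []
    classes = [oc.lower() for oc in entry.get("objectclass", [])]
    if not classes:
        return ["entry has no objectClass"]
    must: Set[str] = set()
    may: Set[str] = set()
    for oc in classes:
        if oc not in SCHEMA:
            errors.append(f"unknown objectClass {oc}")
            continue
        m, o = _inherited(oc)
        must |= m
        may |= o
    present = {a for a in entry if a != "dn"}
    errors += [f"missing required attribute {a}" for a in sorted(must - present)]
    errors += [f"attribute {a} not allowed by object classes"
               for a in sorted(present - must - may)]
    return errors


def check_ldif(text: str) -> Dict[str, List[str]]:
    """Map each entry's DN to its schema violations."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}


# Constructed LDIF: a conforming entry, then one that breaks the schema.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,o=iplanet.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: jdoe
mail: jdoe@iplanet.com
telephoneNumber: (555)555-5555
description: Works in the
  Western Sales office

dn: cn=No Surname,ou=People,o=iplanet.com
objectClass: top
objectClass: person
cn: No Surname
favoriteColor: blue
description:: aGVsbG8=
"""

if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "->", problems or "OK")
```

The second entry is rejected for a missing sn (required by person) and for favoriteColor, which no listed object class allows; this is the error a user would see when saving such an entry with schema checking turned on.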

Secure Sockets Layer (SSL). A protocol that allows mutual authentication between a client and server for the purpose of establishing an authenticated and encrypted connection. SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. See also authentication, encryption.

security device. A hardware or software device that is associated with a slot in a PKCS #11 module. It provides cryptographic services and optionally stores certificates and keys. See also internal security device, external security device.

self-signed certificate. A certificate that is digitally signed by the same entity that the certificate identifies.

server. An instance of server software that provides a specific service, such as a directory database, messaging, or publishing.

server authentication. The process of identifying a server to a client. See also certificate-based authentication.

server certificate. A single certificate, associated only with your server, that identifies your server to clients. See also certificate.

server certificate chain. A collection of certificates automatically generated for you by your company's internal certificate server or a known CA. The certificates in a chain trace back to the original CA, providing proof of identity. See also certificate chain.

server group. The servers in a server root that are managed by a single instance of iPlanet Administration Server.

server instance. An individual server that shares a machine with other servers of the same type. Instances are virtual servers that share a single installation of a product. For example, if an ISP handles mail for siroe.com, it can install iPlanet Messaging server and create a single instance. If the ISP begins handling mail for another domain, it can create a second instance of Messaging server on the same computer without installing any additional software.

server root. A folder that holds server programs and configuration, maintenance, and information files. The servers in a server root make up a server group.

session. See SSL session.

session key. One of the symmetric keys used to encrypt and decrypt information exchanged during an SSL session and to verify its integrity. See also symmetric keys.

Simple Network Management Protocol (SNMP). A protocol used to exchange data about network activity. SNMP defines a standard method of communication used to manage products from different vendors.

single sign-on. The capability for a user to log in once, using a single password, and get authenticated access to all network resources—without sending any passwords over the network.

slot. The portion of a PKCS #11 module that contains a security device. A slot can be implemented in either hardware or software.

smart card. A small device (typically about the size of a credit card), that contains a microprocessor and is capable of storing keys and certificates, as well as performing cryptographic operations. Smart cards implement some or all of the PKCS #11 interface.

SNMP. See Simple Network Management Protocol (SNMP).

SNMP master agent. Software that exchanges information between SNMP subagents and a network management station.

SNMP subagent. Software that gathers information about a managed device and passes the information to the SNMP master agent.

socket. Another term for a logical port through which communication takes place.

spoofing. The act of pretending to be someone else. Examples: a person pretending to have the email address jdoe@iplanet.com, or a computer that identifies itself as www.iplanet.com when it is not. Spoofing is one form of impersonation. See also misrepresentation, impersonation.

SSL. See Secure Sockets Layer (SSL).

SSL handshake. An exchange of messages that allows the server to authenticate itself to the client using public-key techniques, and then allows the client and the server to cooperate in the creation of symmetric keys.

SSL session. The period of interaction between a server and a client that follows the SSL handshake.

static group. A group that only changes when an administrator adds or removes members.

subagent. See SNMP subagent.

subject. The person, company, or other entity identified by the subject name of a certificate.

subject name. A distinguished name (DN) that uniquely describes the person, company, or other entity that a certificate is issued for.

symmetric key encryption. An encryption method that uses the same cryptographic key to encrypt and decrypt a given message.

symmetric keys. A pair of keys that are used for rapid encryption, decryption, and tamper detection during an SSL session.

TCP/IP. Transmission Control Protocol/Internet Protocol. The main network protocol for the Internet and for enterprise (company) networks.

token. See security device.

topology. A hierarchical representation of all the resources that are registered in a configuration directory.

trap message. An unsolicited message sent by a managed device to the network management station to report an event.

trust database. A collection of trusted certificates and public keys.

trusted CA certificate. A CA certificate that has been marked as trusted in a server's certificate database, whether it was issued by your company's internal certificate server or by a known CA. When client authentication is enabled, the server accepts only client certificates that chain to a trusted CA certificate. See also CA certificate, certificate chain.

URL. Uniform Resource Locator. The addressing system used by servers and clients when requesting documents. A URL is often called a location. The format of a URL is [protocol]://[machine:port]/[document]. The port number is necessary only on selected servers, and it is often assigned by the server.

Sample URLs: http://www.iplanet.com/index.html

ldap://directory.iplanet.com:4345/o=iplanet.com

user directory. Typically, a directory subtree containing user and group entries. In large deployments, the user directory can be a separate instance of Directory Server.


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.