Complete Contents
About This Guide
Chapter 1 Introduction to iPlanet Web Server
Chapter 2 Administrating iPlanet Web Servers
Chapter 3 Setting Administration Preferences
Chapter 4 Managing Users and Groups
Chapter 5 Working with Server Security
Chapter 6 Managing Server Clusters
Chapter 7 Configuring Server Preferences
Chapter 8 Understanding Log Files
Chapter 9 Using SNMP to Monitor Servers
Chapter 10 Configuring the Server for Performance
Chapter 11 Extending Your Server with Programs
Chapter 12 Working with Configuration Styles
Chapter 13 Managing Server Content
Chapter 14 Controlling Access to Your Server
Chapter 15 Configuring Web Publishing
Chapter 16 Using Search
Appendix A HyperText Transfer Protocol
Appendix B ACL File Syntax
Appendix C Internationalized iPlanet Web Server
Appendix D Server Extensions for Microsoft FrontPage
Appendix E iPlanet Web Server User Interface
Glossary
Index
Administrator's Guide: Working with Server Security
Previous Next Contents Index Bookshelf


Chapter 5 Working with Server Security

This chapter describes how to activate the Secure Sockets Layer (SSL) protocol and other features designed to safeguard your data, deny intruders access, and designate who has access to the server. iPlanet Web Server incorporates the security architecture of all Netscape/iPlanet servers: it's built on industry standards and public protocols for maximum interoperability and consistency.

Before reading this chapter you should be familiar with the basic concepts of public-key cryptography. These concepts include encryption and decryption; public and private keys; digital certificates; and the SSL protocol. For more information, see Managing Servers with Netscape Console.

This chapter includes the following sections:


About iPlanet Web Server Security
iPlanet Web Server security is based on a number of interrelated and inter-dependent components, all of which work together to ensure that only authorized individuals can gain access to the server, that passwords or identities are not compromised, and that user identities can be trusted.

This section provides an overview for the following iPlanet Web Server security components:

Encryption
Encryption is the process of transforming information so it is unintelligible to anyone but the intended recipient. Decryption is the process of transforming encrypted information so that it is intelligible again. A cryptographic algorithm, also called a cipher, is a mathematical function used for encryption or decryption. iPlanet Web Server 4.1 includes support for various ciphers.types of ciphers.

The encryption process alone isn't enough to secure your server's confidential information. Once the information has been encrypted, and possibly transmitted to another server, a number called a key must be used with the encrypting cipher to produce the actual encrypted result, or to decrypt previously encrypted information. The encryption process uses two keys to achieve this result: a public key and a private key. The public key is published as part of a certificate; only the associated private key is safeguarded. (For more information about keys and certificates, see Managing Servers with Netscape Console.) Consequently, information encrypted with a public key can be decrypted only with the associated private key.

SSL Protocol
All Netscape/iPlanet 4.x servers support the SSL protocol for encrypted communication and PKCS#11 APIs for communication with software or hardware modules that perform cryptographic operations. You need to configure the Administration Server for SSL if you want to enable encryption and other cryptographic operations.

The SSL protocol supports the use of a variety of ciphers, for use in operations such as authenticating the server and client to each other, transmitting certificates, and establishing session keys. Clients and servers may support different cipher suites, or sets of ciphers, depending on factors such as the version of SSL they support, company policies regarding acceptable encryption strength, and government restrictions on export of SSL-enabled software. Among its other functions, the SSL handshake protocol determines how the server and client negotiate which cipher suites they will use to authenticate each other, to transmit certificates, and to establish session keys.

For more information regarding how to enable SSL for iPlanet Web Server, see Configuring Secure Sockets Layer (SSL).

FORTEZZA Encryption
FORTEZZA is an encryption system used by U.S. government agencies to manage sensitive but unclassified information. Use the Administration Server to configure your server to work with FORTEZZA. For information on installing the FORTEZZA hardware, see the documentation that came with your card reader.

FORTEZZA encryption support allows the web server to perform the following encryption tasks:

Note. iPlanet Web Server, Enterprise Edition 4.1 includes FORTEZZA support for Windows NT, Solaris, and HPUX platforms.

The FORTEZZA cipher standard is a hardware smartcard standard for secure storage of private keys. The FORTEZZA opertations are supported through an external PKCS#11 library. The library is added to the web server security modules database. The library handles all interfaces with external hardware (card readers) and all encryption functions. To iPlanet Web Server, Enterprise Edition, FORTEZZA support looks almost identical to any other PKCS#11 library.

Once added the the security modules database (secmod.db), the server treats the FORTEZZA modules as any other PKCS#11 module. The FORTEZZA module is flagged as the default provider of SSL services for FORTEZZA ciphers. Then, any FORTEZZA request handled by the server is handed off to the library (via calls to NSS libraries; nothing in the actual web server code actually invokes functions in the FORTEZZA library).

The run time layer, then, is just the server and the library (no different from any PKCS#11 module).

The pre-encrypted file support runs as a web server plugin. A request for a file with a given extension (.enc) is routed to the plugin which invokes a function in the NSS library to send the encrypted file as a stream back to the client (no actual calls to the FORTEZZA library need to be made). The client then decrypts the data on the other side (presuming the client has a certificate with the public key corresponding to the private key that encrypted the file).

The whole configuration is managed through the Administration Server (or corresponding entries in the magnus.conf or obj.conf configuration files). The user interface enables users to select which certificate to use at run time, to collect multiple passwords (so that the server can log in to the FORTEZZA card as well as the default key database), and to allow the user to add Compromised Key Lists (CKLs)/Certificate Revocation Lists (CRLs).

When a CKL is added or updated, the certificate database is updated to make compromised keys known to the server. The NSS library validates FORTEZZA client requests against the compromised keys for each request to make sure that the client key is not a key known to be compromised.

The FORTEZZA module interoperates with the following standards and modules:

For more information regarding FORTEZZA encryption, see Managing Servers with Netscape Console.

FIPS-140 Compliance
You can configure iPlanet Web Server to be Federal Information Processing Standards (FIPS)-140 compliant. To make your server FIPS-140 compliant, you need to turn on the following two ciphers in your encryption preferences:

You can set encryption preferences in the Administration Server by clicking the Preferences tab and the Encryption Preferences link. You can also set the encryption preferences for an instance of the iPlanet Web Server in the Server Manager by clicking the Preferences tab and the Encryption Preferences link. For more information, see The Encryption Preferences Page.

Certificates
Over the Internet and many extranets and intranets, identification can take place with the aid of a certificate. A certificate consists of digital data that specifies the name of an individual, company, or other entity and certifies that a public key, which is also included in the certificate, belongs to that entity.

A certificate is issued and digitally signed by a Certificate Authority, or CA. A CA can be a company that sells certificates over the Internet, or it can be a department responsible for issuing certificates for your company's intranet or extranet. You decide which CAs you trust enough to serve as verifiers of other people's identities.

In addition to a public key and the name of the entity identified by the certificate, a certificate also includes additional information, such as an expiration date, the name of the CA that issued the certificate, and the "digital signature" of the issuing CA. For more information regarding the content and format of a certificate, see Managing Servers with Netscape Console.

Client and Server Authentication
Authentication is the process of confirming an identity. In the context of network interactions, authentication involves the confident identification of one party by another party. Certificates are one way of supporting authentication. Client authentication refers to the confident identification of a client by a server (that is, identification of the person assumed to be using the client software). Server authentication refers to the confident identification of a server by a client (that is, identification of the organization assumed to be responsible for the server at a particular network address).

Both clients and servers can have certificates. Also, clients can have multiple certificates, much like a person might have several different pieces of identification. For example, if you participate in newsgroup discussions with a Netscape Collabra Server called news.mozilla.com, you might find it possesses a certificate issued from a company named CertSafe, assuring you that this site is the one true news.mozilla.com. If you trust CertSafe's judgment, then you can trust that news.mozilla.com is the site it claims to be.

Conversely, you might be in charge of a company's internal Human Resources server. You could use your server's access-control features in conjunction with client authentication to allow only Human Resources employees access to certain directories. For more information on access control, see What Is Access Control?

How iPlanet Web Server Uses Certificates to Authenticate Users
Netscape/iPlanet servers support using client certificates to authenticate a user. There are two basic ways the server can use a client certificate:

Note. A Netscape/iPlanet server must have SSL turned on to use client certificates, and the Administration Server must trust the CA that issued the certificate to the client. For information on trusting CAs, see Managing Certificates.

You can configure the web server so that it refuses any client that doesn't have a client certificate from a trusted CA. This differs from access control in that all requests must be through SSL connections and they must be from clients who have certificates from trusted CAs. For details on configuring trusted CAs, see Managing Servers with Netscape Console.

Configuring iPlanet Web Server for SSL
This section explains how to get client certificate authentication working with iPlanet Web Server. When you have finished following the procedures outlined in this chapter, you will have a web server that requires a user to present a valid client SSL certificate in order to access restricted areas on the server. The certificate that the user presents must match the certificate that was published to the LDAP directory when it was issued.

This chapter focuses on setting up, installing, and managing the security components necessary to secure your iPlanet Web Server. To activate the SSL protocol for your iPlanet Web Server, you need to perform the various procedures described in the following sections:


Creating a New Server Instance
To use SSL with iPlanet Web Server, you must either have an existing instance of iPlanet Web Server 4.x that you want to be an SSL server or create a new instance to be an SSL server. If you have an existing instance of iPlanet Web Server that you want to simply convert to be an SSL server, you can skip this section. Otherwise, follow the steps described in this section to create a new instance of iPlanet Web Server, and then perform the remaining procedures outlined in this chapter to configure the new instance for SSL and client authentication.

To add another server instance, perform the following steps:

  1. Access the Administration Server and choose the Servers tab.

  2. Click the Add Server link.

  3. Enter the desired information for the specified fields.

  4. Click the radio button that corresponds to how you want the server to resolve IP addresses.

  5. Click OK.
For more information, see The Add Server Page.


Creating a Certificate Trust Database
A certificate database is a key-pair and certificate database installed on the local host. When you use an internal token, the certificate database is the database into which you install the key and certificate. In iPlanet Web Server 4.x, each server instance (including the Administration Server) has its own certificate/key pair which is referred to as a trust database.

A key-pair file contains both the public and private keys used for SSL encryption. You use the key-pair file when you request and install a certificate. The key-pair file is stored encrypted in the following directory:

When you create the key, you specify a password that you later use when you request the certificate and when you start a server that is using encrypted communications.

To create the certificate trust database, perform the following steps:

  1. Access the Administration Server and choose the Security tab.

  2. Type the password in Database Password.

  3. Re-type the password in Password (again).

  4. Click OK.
If no database exists, iPlanet Web Server creates the proper key and certificate database files and stores them in the alias/ directory (otherwise, iPlanet Web Server displays an error message).

For more information, see The Create a Trust Database Page.


Requesting a Certificate
After you generate a trust database, you must create a PKCS #10 certificate request and submit it to a Certificate Authority to obtain your server SSL certificate. To enable SSL for a particular server instance, you must obtain a server SSL certificate for the server, then configure the server to require client authentication and optionally to check users' client certificates against certificate information that a CA has published to the LDAP directory.

If your company has its own internal CA for issuing certificates, you should request your certificate from them. If you plan to purchase your certificate from a commercial CA, choose a CA and ask for the specific format of the information they require. (For more information on what some CAs require, see Required CA Information.)

Note. Not everyone who requests a certificate from a commercial CA is given one. Many CAs require you to prove your identity before issuing you a certificate. Also, it can take anywhere from a day to two months or more to approve a certificate. You are responsible for promptly providing all the necessary information to the CA.

To request a certificate, make sure you know what information your CA requires, and then perform the following steps:

  1. Access the Administration Server and choose the Security tab.

  2. Click the Request Certificate link.

  3. In the form that iPlanet Web Server displays, specify if this is a new certificate or a certificate renewal. Many certificates expire after a set period of time, such as six months or a year. Some CAs will automatically send you a renewal.

  4. Perform the following steps to specify how you want to submit the request for the certificate:

    1. If the CA expects to receive the request in an email message, check CA Email and enter the email address of the CA. For a list of CAs, click List of available certificate authorities.

    2. If you are requesting the certificate from an internal CA that is using Netscape Certificate Server, click CA URL and enter the URL for the Certificate Server. This URL should point to the certificate server's program that handles certificate requests. A sample URL might be: https://CA.mozilla.com:444/cms.

  5. From the drop-down list, select the cryptographic module for the key-pair file you want to use when requesting the certificate.

  6. Type the password for your key-pair file. This is the same password you specified when you created the trust database in Creating a Certificate Trust Database. The server uses the password to get your private key and encrypt a message to the CA. The server then sends both your public key and the encrypted message to the CA. The CA uses the public key to decrypt your message.

  7. Type your identification information. The format of this information varies by CA. For a general description of these fields, see Required CA Information. Note that most of this information usually isn't required for a certificate renewal.

  8. Double-check your work to ensure accuracy. The more accurate the information, the faster your certificate is likely to be approved.

  9. Click OK once you've checked that the information is correct. If your request is going to a certificate server, you'll be prompted to verify the form information before the request is submitted. You should re-read the information and then click OK to submit the request to the certificate server.
For more information, see The Request a Server Certificate Page.

The server generates a certificate request that contains your information. The request has a digital signature created with your private key. The CA uses a digital signature to verify that the request wasn't tampered with during routing from your server machine to the CA. In the rare event that the request is tampered with, the CA will usually contact you by phone.

If you chose to email the request, the server composes an email message containing the request and sends the message to the CA. Typically, the certificate is sent to you via email. If instead you specified a URL to a certificate server, your server uses the URL to submit the request to the Certificate Server. You might get a response via email or other means depending on the CA.

If the CA agrees to issue you a certificate, the CA will notify you. (In most cases, the CA will send your certificate via email. If your organization is using a certificate server, you may be able to search for the certificate by using the certificate server's forms.)

Once you receive the certificate, you can install it. In the meantime, you can still use your server without SSL.

Required CA Information
Whether you are requesting a server certificate from a commercial CA or an internal CA, you need to provide the following information:

All this information is combined as a series of attribute-value pairs called the distinguished name (DN), which uniquely identifies the subject of the certificate.

If you are purchasing your certificate from a commercial CA, you must contact the CA to find out what additional information they require before they issue a certificate. Most CAs require that you prove your identity. For example, they want to verify your company name and who is authorized by the company to administer the server, and they might ask whether you have the legal right to use the information you provide.

Some commercial CAs offer certificates that indicate a greater level of detail and veracity to vendors or individuals who provide greater proof of their identity. For example, you might be able to purchase a certificate stating that the CA has not only verified that you are the rightful administrator of the www.mozilla.com computer, but that you really are a company that has been in business for ten years and have no outstanding customer litigation against you. Generally, these certificates cost more than standard ones.


Installing and Managing Certificates and Certificate Lists
This section includes the following topics:

Installing Certificates
There are three types of certificates that you can install:

Each of these certificates is installed through the process described here.

When you receive a certificate from the CA, it will be encrypted with your public key so that only you can decrypt it. The server will use the key-pair file password you specify to decrypt the certificate when you install it. You can either save the email somewhere accessible to the server, or copy the text of the email and be ready to paste the text into the Install Certificate form, as described here.

A certificate chain is a hierarchical series of certificates signed by successive certificate authorities. A CA certificate identifies a certificate authority (CA) and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA and so on up to a root CA.

Note. CAs' certificates for use in a certificate chain are installed using the same process as installing your own certificate. If your CA doesn't automatically send you their certificate, you should request it. However, many CAs include their certificate in the same email that contains your certificate. In this case, your server installs both certificates at the same time when you install your certificate. For more information on certificate chaining, see "Appendix D Introduction to Public-Key Cryptography," in Managing Servers with Netscape Console.

To install a certificate and associate it with an alias, perform the following steps:

  1. Access the Administration Server and choose the Security tab.

  2. Click the Install Certificate link.

  3. Check the type of certificate you are installing:

  4. If the certificate is for a chain, name the certificate. iPlanet Web Server displays this name in the Manage Certificates list. The name should be descriptive and can include spaces. For example, "United States Postal Service CA" is the name of the CA, and "VeriSign Class 2 Primary CA" describes both the CA and the type of certificate. If the certificate is for "this server," the Administration Server uses the name Server-Cert.

  5. Either type the full pathname to the saved email or paste the email text in the field called Message text (with headers). If you copy and paste the text, be sure to include the headers "Begin Certificate" and "End Certificate"—including the beginning and ending hyphens. Make sure you check the corresponding radio button for either the file or the text.

  6. Click OK.

  7. Click Add.
If you have just installed your own certificate, you can now activate SSL for your server. To activate SSL, see Activating SSL.

Managing Certificates
You can view, delete, or edit the trust settings of all the certificates installed on your server. This includes your own certificate and certificates from CAs.

To manage this list of certificates, perform the following steps:

  1. Access the Administration Server and choose the Security tab.

  2. Click the Manage Certificates link.

  3. Select a certificate file alias, and then click OK.

  4. To view more information about a certificate, click the link for the certificate. A window appears, containing information about that certificate. Figure 5.1 shows a sample.

    5. Figure 5.1    Certificate information includes the owner and who issued it.

  5. To trust the CA, click Trust. If the CA is already trusted, you can click Do Not Trust. By default, all CAs are not trusted.
For more information, see The Manage Server Certificates Page (Administration Server).

Note that trust settings refer specifically to whether a certificate is trusted as a signer of client certs (the user does not, for example, have to trust a CA after the CA issues a server certificate).

Managing Certificate Lists
The purpose of certificate revocation lists (CRLs) and compromised key lists (CKLs) is to make known any certificates and keys that either client or server users should no longer trust. If data in a certificate changes (for example, a user changes offices or leaves the organization) before the certificate expires, the certificate is revoked and its data appears in a CRL. If a key is tampered with or otherwise compromised, the key and its data appear in a CKL. Both CRLs and CKLs are produced and periodically updated by a CA.

This section includes the following topics:

Obtaining a CRL or CKL
To obtain a CRL or CKL from a Certificate Authority (CA), perform the following steps:

  1. Use a browser to go to the CA's website. Contact your CA administrator for the exact URL to use.

  2. Follow the CA's instructions for downloading the CRL or CKL to a local directory.
Once you've saved the CRL file or CKL file to a local directory, you can add information from it to the Trust Database.

Adding a CRL or CKL to the Trust Database
To add CRL or CKL to the trust database, perform the following steps:

  1. Access the Administration Server and choose the Security tab.

  2. Click the Install CRL/CKLs link.

  3. Click the File contains radio button for either Certificate Revocation List or Compromised Key List.

  4. In The CRL/CKL is in this file field, type the full path name tothe associated file.

  5. Click OK. If the list already exists in the database, the list you specify here will replace the existing list.
Managing CRLs
To manage CRLs, perform the following setps:

  1. Access the Administration Server and choose the Security tab.

  2. Click the Manage CRLs link.

  3. Click on the desired CRL for more information and options.

  4. Click a CRL to select it.

  5. To add the CRL to the trust database, click Add.
To delete CRL from the trust database, click View. In the Certificate window, click Delete.


Using Secure Sockets Layer (SSL)
After you have generated a key-pair file and installed your certificate, you can activate SSL for your Administration Server or any other iPlanet Web Server.

This section includes the following topics:

Activating SSL
To activate SSL for iPlanet Web Server, perform the steps described in Activating SSL.

URLs to an SSL-enabled iPlanet Web Administration Server are constructed using https instead of simply http. URLs that point to documents on an SSL-enabled server have this format:

For example, https://admin.mozilla.com:443. If you use the default secure http port number (443), you don't have to use the port number in the URL.

Specifying Ciphers
A cipher is an algorithm used in encryption. Some ciphers are more secure, or stronger, than others. Generally speaking, the more bits a cipher uses during encryption, the harder it is to decrypt the data.

When initiating an SSL connection with a server, a client lets the server know what ciphers it prefers for encrypting information. In any two-way encryption process, both parties must use the same ciphers. Because a number of ciphers are available, your server needs to be able to use the most popular ones.

You can choose ciphers from the SSL 2 protocol, as well as from SSL 3. Improvements were made to the protocol after version 2 that improve security and performance; you should not use SSL 2 unless you have a real need to service clients that are not capable of using SSL 3. Client certificates are not guaranteed to work with SSL 2 ciphers. To specify which ciphers your server can use, check them in the list. Unless you have a compelling reason not to use a specific cipher, you should check them all.

Another reason for not enabling all ciphers is to prevent SSL connections with less than optimal encryption.

Warning. You might not want to click the "No Encryption, only MD5 message authentication" checkbox. If no other ciphers are available on the client side, the server will use this, and no encryption will occur.

For more information regarding specific ciphers, see Managing Servers with Netscape Console.

Setting Security (SSL) Preferences
You can set preferences for using SSL encryption on any server. To set the SSL preferences for iPlanet Web Server, perform the steps described in Setting Encryption Preferences.

Adding a PKCS#11Module
iPlanet Web Server supports Public Key Cryptography Standard (PKCS) #11, which defines the interface used for communication between SSL and PKCS#11 modules. The PKCS#11 modules are used for standards-based connectivity to SSL hardware accelerators. You can import PKCS#11 modules in the form of .jar files or object files.

Guidelines for Installing a PKCS#11 Module
Even though you install an external PKCS#11 module, you still must create a Trust Database using the Internal (software) module. The PKCS#11 and SSL code relies on the default certificate and key databases.

If you do not create a Trust Database (using the Security tab "Create Database" link), one will be created for you when you request or install a certificate for an external PKCS#11 module. However, when a module is created for you, it has no password and cannot be accessed. This means that your external module will continue to work, but that you will not be able to create and install server certificates using the internal PKCS#11 module in the future.

For reference: If you allow a default database to be created without a password and later discover you want to use the internal PKCS#11 module, you can simply delete the existing database files:

For example, for the server named secure.example.com installed in

the files would be:

After deleting the existing databases, you can re-create them using the Security tab Create Database link.

If you install a certificate for your server into an external PKCS#11 module (for example, a hardware accelerator), the server will not be able to start using that certificate until you manually edit magnus.conf.

The server always tries to start with the certificate named "Server-Cert." However, certificates in external PKCS#11 modules include one of the module's token names in their identifier. For example, a sever certificate installed on an external smartcard reader called "smartcard0" would be named "smartcard0:Server-Cert."

To tell the server to start with that server certificate instead, you must edit magnus.conf and add the following line anywhere in the file:

To find out what value to use for $TOKENNAME, go to the server's Security tab and select the Manage Certificates link. When you log in to the external module where Server-Cert is stored, its certificates are displayed in the list in the $TOKENNAME:$NICKNAME form.

To Import a PKCS#11 Module
To import a PKCS#11 module, perform the following steps:

  1. Access the Administration Server and choose the Security tab.

  2. Click the Add PKCS#11 Module link.

  3. Type the path for the .jar file in Path to Jar File.

  4. Click OK.
For information on using PKCS#11, see The Install a New PKCS#11 Module Page.

Adding a FORTEZZA PKCS#11 Module
The library is the only integration per se done on the server side. The server gets use of the library for "free", as it appears like any other PKCS#11 library to the server. The user may be required to do further integration offline to ensure that the FORTEZZA library integrates with drivers for the FORTEZZA card reader.

Once the library is installed, the you need to acquire FORTEZZA credentials (a card with certificates) offline.

Note. The library must be installed with -ciphers FORTEZZA so that the NSS library recognizes it as the default service provider for FORTEZZA encryption.

The iPlanet Web Server is used to enable FORTEZZA ciphers, select a certificate from a FORTEZZA card for the server to use, and install a Compromised Key List (CKL). A CKL is the current list of revoked key material. The CKL needs to be loaded into the certificate database on both the client and the 4.x servers in order to use the FORTEZZA ciphers.

It is possible to run a server that uses a FORTEZZA certificate and an RSA certificate. There is no explicit integration required. The user will be able to select more than one certificate to be used as the server certificate. At connection time, the NSS libraries will handle selecting the appropriate certificate for the client connection during the SSL handshake.

If pre-encrypted file support is to be used, obj.conf needs to be modified to load the plugin.

Note. If you have the fortezza ciphers enabled on both your client and the server, the common cipher suite of communication should be FORTEZZA. This can be checked using the PageInfo on your client. Otherwise, there shoud not be any difference in the behaviour of the server.

For more information regarding FORTEZZA encryption, see Managing Servers with Netscape Console.

Using SSL Configuration File Directives
Installing an SSL-enabled server creates directive entries in the magnus.conf file (the server's main configuration file). These directives are briefly described in the following sections.

Security
The Security tells the server whether encryption (Secure Sockets Layer version 2 or version 3 or both) is enabled or disabled.

Syntax
Security value

value specifies if SSL is on or off. Set the value parameter to on to enable SSL; and to off to disable SSL.

If Security is set to on, and both SSL2 and SSL3 are enabled, then the server tries SSL3 encryption first. If that fails, the server tries SSL2 encryption. By default, security is off.

SSL2
The SSL2 directive tells the server whether Secure Sockets Layer, version 2 encryption is enabled or disabled. The Security directive dominates the SSL2 directive; if SSL2 encryption is enabled but the Security directive is set to off, then it is as though SSL2 were disabled.

Syntax
SSL2 value

value specifies whether SSL version 2 is enabled or disabled. Set the value parameter to on to enable SSL 2 and to off to disable SSL 2. By default, security is off.

SSL3
The SSL3 directive tells the server whether Secure Sockets Layer, version 3 security is enabled or disabled. The Security directive dominates the SSL3 directive; if SSL3 security is enabled but the Security directive is set to off, then it is as though SSL3 were disabled.

Syntax
SSL3 value

value specifies whether SSL version 3 is enabled or disabled. Set the value parameter to on to enable SSL 3, and to off to disable SSL 3. By default, security is off.

Ciphers
The Ciphers directive specifies the ciphers enabled for your server.

Syntax
Ciphers +rc4,+rc4export,+rc2,+rc2export,+des,+desede3

A + means the cipher is active, and a - means the cipher is inactive. Any cipher with export as part of its name is not stronger than 40 bits.

SSL3Ciphers
The SSL3Ciphers directive specifies which SSL 3 ciphers are enabled for your server.

Syntax
SSL3Ciphers +fortezza,+fortezza_null_md5,+rsa_rc4_128_md5,+rsa_3des_s ha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,rsa_null_ md5,+rsa_des_56_sha,+rsa_rc4_56_sha

A + means the cipher is active, and a - means the cipher is inactive. Any cipher with 40 as part of its name is 40 bits.

SSL3SessionTimeout
The SSL3SessionTimeout directive controls SSL3 session caching.

Syntax
SSL3SessionTimeout seconds

seconds is the number of seconds until a cached SSL3 session becomes invalid. The default value is 86400 (24 hours). If the SSL3SessionTimeout directive is specified, the value of seconds is silently constrained to be between 5 and 86400 seconds.

SSLCacheEntries
Specifies the number of SSL sessions that can be cached.

SSLClientAuth
The SSLClientAuth directive specifies whether a client must have a certificate in order to communicate with the server. You don't need to turn on this directive to use client authentication with access control.

Syntax
SSLClientAuth value

value specifies if certificates are always required. Set the value parameter to on to require certificates, and to off to specify that certificates are not required.

SSLSessionTimeout
The SSLSessionTimeout directive controls SSL2 session caching.

Syntax
SSLSessionTimeout seconds

seconds is the number of seconds until a cached SSL2 session becomes invalid. The default value is 100. If the SSLSessionTimeout directive is specified, the value of seconds is silently constrained to be between 5 and 100 seconds.


Using Client Certificates
If you have enabled the Administration Server Preferences "Require client certificates" option, the server asks the client to send its certificate before the server will grant the request. The server doesn't care who the user is as long as that user has a valid certificate from a trusted CA. However, you can combine client certificates with access control so that in addition to being from a trusted CA, the user associated with the certificate must match the access-control rules. For more information, see Access Control Files. In addition, you can process information from client certificates. For more information, see the NSAPI Programmer's Guide for iPlanet Web Server.

Mapping Client Certificates to LDAP
This section describes the process iPlanet Web Server uses to map a client certificate to an entry in an LDAP directory.

When the server gets a request from a client, it asks for the client's certificate before proceeding. Netscape clients, such as Netscape Navigator and Netscape Communicator, send the client certificate to the server (with or without prompting the end user, depending on the browser's security configuration). (Note that you also need to set up the required ACLs; for more information, see ACL File Syntax).

The server then takes the CA listed in the certificate and tries to match it to a trusted CA listed in the Administration Server. If there isn't a match, some servers end the connection and some perform a different operation based on the failed match. iPlanet Web Server ends the connection. If there is a match, the server continues processing the request.

After the server checks that the certificate's CA is trusted, the server performs the following steps to map the certificate to an LDAP entry:

  1. Maps the subject (user's) DN from the user's cert to a branch point in the LDAP directory.

  2. Searches the LDAP directory for an entry that matches the information about the subject (end-user) of the client certificate.

  3. Optionally verifies the client certificate with one in the LDAP entry that corresponds to the DN.
The server uses a certificate mapping file called certmap.conf to determine how to do the LDAP search. The mapping file tells the server what values to take from the client certificate (such as the end-user's name, email address, and so on). The server uses these values to search for a user entry in the LDAP directory, but first the server needs to determine where in the LDAP directory it needs to start its search. The certificate mapping file also tells the server where to start.

Once the server knows where to start its search and what it needs to search for (step 1), it performs the search in the LDAP directory (step 2). If it finds no matching entry or more than one matching entry, and the mapping is not set to verify the certificate, the search fails. For a complete list of the expected search result behavior, see the following LDAP Search Results table. Note that you can specify the expected behavior in the ACL; for example, you can specify that iPlanet Web Server accepts only you if the certificate match fails. For more information regarding how to set the ACL preferences, see Access Control Files.

Table 5.1 LDAP Search Results
LDAP Search Result
Certificate Verification ON
Certificate Verification OFF
No entry found
Authorization fails
Authorization fails
Exactly one entry found

Authorization succeeds
More than one entry found

Authorization fails

After the server finds a matching entry and certificate in the LDAP directory, it can use that information to process the transaction. For example, some servers use certificate-to-LDAP mapping to determine access to a server.

The following section describes the certmap.conf file. You need to edit this file to fit the entries in your LDAP directory and to match the certificates you expect your users to have.

Using the certmap.conf File
The certificate mapping file determines how a server should look up a user entry in the LDAP directory. You edit this file and add entries to match the organization of your LDAP directory and to list the certificates you want your users to have. Specifically, the mapping file defines the following information:

The certificate mapping file is located in the following location:

The file contains one or more named mappings, each applying to a different CA. A mapping has the following syntax:

The first line specifies a name for the entry and the attributes that form the distinguished name found in the CA certificate. The name is arbitrary; you can define it to be whatever you want. However, issuerDN must exactly match the issuer DN of the CA who issued the client certificate. For example, the following two issuerDN lines differ only in the spaces separating the attributes, but the server treats these two entries as different:

The second and subsequent lines in the named mapping match properties with values. The certmap.conf file has six default properties (you can use the certificate API to customize your own properties):

For more information on these properties, refer to the examples described in Example Mappings.

Creating Custom Properties
You can use the client certificate API to create your own properties. For information on programming and using the client certificate API, see NSAPI Programmer's Guide for iPlanet Web Server.

Once you have a custom mapping, you reference the mapping as follows:

For example:

Example Mappings
The certmap.conf file should have at least one entry. The following examples illustrate the different ways you can use the certmap.conf file.

Example #1

This example represents a certmap.conf file with only one "default" mapping:

Using this example, the server starts its search at the LDAP branch point containing the entry ou=<orgunit>, o=<org>, c=<country> where the text in <> is replaced with the values from the subject's DN in the client certificate.

The server then uses the values for email address and userid from the certificate to search for a match in the LDAP directory. When it finds an entry, the server verifies the certificate by comparing the one the client sent to the one stored in the directory.

Example #2

The following example file has two mappings: a default one and another for the US Postal Service:

When the server gets a certificate from anyone other than the US Postal Service, it uses the default mapping, which starts at the top of the LDAP tree and searches for an entry matching the client's email and userid. If the certificate is from the US Postal Service, the server starts its search at the LDAP branch containing the organizational unit and searches for matching email addresses. Also note that if the certificate is from the USPS, the server verifies the certificate; other certificates are not verified.

Warning. The issuer DN (that is, the CA's information) in the certificate must be identical to the issuer DN listed in the first line of the mapping. In the previous example, a certificate from an issuer DN that is o=United States Postal Service,c=US won't match because there isn't a space between the o and the c attributes.

Example #3

The following example uses the CmapLdapAttr property to search the LDAP database for an attribute called certSubjectDN whose value exactly matches the entire subject DN taken from the client certificate.

If the client certificate subject is:

the server first searches for entries that contain the following information:

If one or more matching entries are found, the server proceeds to verify the entries. If no matching entries are found, the server will use DNComps and FilterComps to search for matching entries. In this example, the server would search for uid=Walt Whitman in all entries under o=LeavesOfGrass Inc, c=US.

Note. This example assumes the LDAP directory contains entries with the attribute certSubjectDN.


Changing the Trust Database/Key Pair File Password
It's a good practice to change your trust database/key pair file password periodically. If your Administration Server is SSL enabled, this password is required when starting the server. Changing your password periodically adds an extra level of server protection.

For a list of guidelines to consider when changing a password, see Guidelines for Creating Hard-to-Crack Passwords.

To change your trust database/key pair file) password, perform the following steps:

  1. Access the Administration Server and choose the Security tab.

  2. Click the Change Password link.

  3. Type the required information and click OK.
For more information, see The Change the Key Pair File Password Page.


Migrating Enterprise Server 3.x Certificates
If you need to migrate certificates from an Enterprise Server 3.6 to iPlanet Web Server 4.x make sure that the 4.x iPlanet Web Administration Server user has read and write permissions on the old 3.6 database files. The files are <alias>-cert.db and <alias>-key.db, located in the <3.6_server_root>/alias directory.

Keys and certificates are migrated as part of the migration process only if your server has security enabled. You can also migrate keys and certificates by themselves using the Security tabs in the Administration Server page and the Server Manager page.

In Enterprise Server 3.6, a certificate/key pair was referred to by an alias which could be used by multiple server instances. The administration server managed all the aliases and their constituent certificates. In iPlanet Web Server 4.x, each server instance (including the Administration Server) has its own certificate/key pair which is referred to as a trust database instead of an alias. You manage the trust database and its constituent certificates, including the server certificate and all the included Certificate Authorities, from the Server Manager's Security tab. The certificate and key database files are now named after the server instance that uses them. If multiple 3.6 server instances use the same alias, when you migrate each instance the certificate/key pair are migrated and named for the new server instance.

The migration not only migrates the server certificate, it migrates the whole trust database associated with the server instance. All the Certificate Authorities (CAs) in your 3.6 database are migrated to the 4.x database. If they duplicate the 4.x CAs, you use the 3.6 CA until it expires, then the 4.x CA. Do not attempt to delete duplicate CAs.


Additional Server Security Considerations
There are other security risks besides someone trying to break your encryption. Networks face risks from external and internal hackers, using a variety of tactics to gain access to your server and the information on it.

So in addition to enabling SSL on your server, you should take extra security precautions. For example, put the server machine into a secure room, and don't allow untrusted individuals to upload programs to your server.

The following sections describe the most important things you can do to make your server more secure:

Limit Physical Access
This simple security measure is often forgotten. Keep the server machine in a locked room that only authorized people can enter. This prevents anyone from hacking the server machine itself.

Also, protect your machine's administrative (root) password, if you have one.

Limit Administration Access
If you use remote configuration, be sure to use access control to allow administration from only a few users and computers. If you want your Administration Server to provide end-user access to the LDAP server or local directory information, consider maintaining two Administration Servers and using cluster management so that the SSL-enabled Administration Server acts as the master server and the other Administration Server is available for end-users' access. For more information regarding clusters, see About Clusters.

You should also turn on encryption for the Administration Server. If you don't use an SSL connection for administration, then you should be cautious when performing remote server administration over an unsecure network. Anyone could intercept your administrative password and reconfigure your servers.

Choose Good Passwords
You use a number of passwords with your server—the administrative password, the private key password, database passwords, and so on. Your administrative password is the most important password of all, since anyone with that password can configure any and all servers on your computer. Most important after that is your private key password. If someone gets your private key and your private key password, they can create a fake server that appears to be yours, or intercept and change communications to and from your server.

A good password is one you'll remember but others won't guess. For example, you could remember MCi12!mo as "My Child is 12 months old!" A bad password is your child's name or birthdate.

Guidelines for Creating Hard-to-Crack Passwords
There are some simple guidelines that will help you create a stronger password.

It is not necessary to incorporate all of the following rules in one password, but the more of the rules you use, the better your chances of making your password hard to crack:

Secure Your Key-Pair File
Make sure your key-pair file is protected. The Administration Server stores key-pair files in the directory server_root/alias. Consider making the files and directory readable only to Netscape/iPlanet servers installed on your computer. It's also important to know if the file is stored on backup tapes or is otherwise available for someone to intercept. If so, you must protect your backups as completely as your server.

Limit Other Applications on the Server
Carefully consider all applications that run on the same machine as the server. It's possible to circumvent your server's security by exploiting holes in other programs running on your server. Disable all unnecessary programs and services. For example, the Unix sendmail daemon is difficult to configure securely and it can be programmed to run other possibly detrimental programs on the server machine.

Unix/Linux
Carefully choose the processes started from inittab and rc scripts. Don't run telnet or rlogin from the server machine. You also shouldn't have rdist on the server machine (this can distribute files but it can also be used to update files on the server machine).

Windows NT
Carefully consider which drives and directories you share with other machines. Also, consider which users have accounts or Guest privileges.

Similarly, be careful about what programs you put on your server or allow other people to install on your server. Other people's programs might have security holes. Worst of all, someone might upload a malicious program designed specifically to subvert your security. Always examine programs carefully before you allow them on your server.

Prevent Clients from Caching SSL Files
You can prevent pre-encrypted files from being cached by a client by adding the following line inside the <HEAD> section of a file in HTML:

Limit Ports
Disable any ports not used on the machine. Use routers or firewall configurations to prevent incoming connections to anything other than the absolute minimum set of ports. This means that the only way to get a shell on the machine is to physically use the server's machine, which should be in a restricted area already.

Know Your Server's Limits
The server offers secure connections between the server and the client. It can't control the security of information once the client has it, nor can it control access to the server machine itself and its directories and files.

Being aware of these limitations helps you know what situations to avoid. For example, you might acquire credit card numbers over an SSL connection, but are those numbers stored in a secure file on the server machine? What happens to those numbers after the SSL connection is terminated? You should be responsible for securing any information clients send to you through SSL.

Consider Additional Measures for Unprotected Servers
If you want to have both protected and unprotected servers, you should operate the unprotected server on a different machine from the protected one. If your resources are limited and you must run an unprotected server on the same machine as your protected server, do the following.

The purpose of chroot is to allow you to create a second root directory to limit the server to specific directories. You'd use this feature to safeguard an unprotected server. For example, you could say that the root directory is
/d1/ms. Then any time the web server tries to access the root directory, it really gets /d1/ms. If it tries to access /dev, it gets /d1/ms/dev and so on. This allows you to run the web server on your Unix/Linux system, without giving it access to all the files under the actual root directory.

However, if you use chroot, you need to set up the full directory structure that iPlanet Web Server needs, under the alternative root directory, as shown in the following illustration:

Figure 5.2   

Example Chroot Directory Structure

For more information regarding how to implement chroot in the magnus.conf file, see the NSAPI Programmer's Guide for iPlanet Web Server.

 

© Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.