JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

Part I Directory Server Administration

1.  Directory Server Tools

2.  Directory Server Instances and Suffixes

3.  Directory Server Configuration

4.  Directory Server Entries

5.  Directory Server Security

Using SSL With Directory Server

Managing Certificates

To View the Default Self-Signed Certificate

To Manage Self-Signed Certificates

To Request a CA-Signed Server Certificate

To Add the CA-Signed Server Certificate and the Trusted CA Certificate

To Renew an Expired CA-Signed Server Certificate

To Export and Import a CA-Signed Server Certificate

Configuring the Certificate Database Password

To Configure the Server So the User is Prompted for a Certificate Password

Backing Up and Restoring the Certificate Database for Directory Server

Configuring SSL Communication

Disabling Non Secure Communication

To Disable the LDAP Clear Port

Choosing Encryption Ciphers

To Choose an Encryption Cipher

Configuring Credential Levels and Authentication Methods

Setting SASL Encryption Levels in Directory Server

To Require SASL Encryption

To Disallow SASL Encryption

SASL Authentication Through DIGEST-MD5

To Configure the DIGEST-MD5 Mechanism

DIGEST-MD5 Identity Mappings

SASL Authentication Through GSSAPI

To Configure the Kerberos System

To Configure the GSSAPI Mechanism

GSSAPI Identity Mappings

Configuring LDAP Clients to Use Security

Using SASL DIGEST-MD5 in Clients

Specifying a Realm

Specifying Environment Variables

Examples of the ldapsearch Command

Using Kerberos SASL GSSAPI in Clients

To Configure Kerberos V5 on a Host

To Specify SASL Options for Kerberos Authentication

Example Configuration of Kerberos Authentication Using GSSAPI With SASL

Pass-Through Authentication

PTA Plug-In and DSCC

Configuring the PTA Plug-in

Setting up the PTA Plug-In

Configuring PTA to Use a Secure Connection

Setting the Optional Connection Parameters

Specifying Multiple Servers and Subtrees

6.  Directory Server Access Control

7.  Directory Server Password Policy

8.  Directory Server Backup and Restore

9.  Directory Server Groups, Roles, and CoS

10.  Directory Server Replication

11.  Directory Server Schema

12.  Directory Server Indexing

13.  Directory Server Attribute Value Uniqueness

14.  Directory Server Logging

15.  Directory Server Monitoring

Part II Directory Proxy Server Administration

16.  Directory Proxy Server Tools

17.  Directory Proxy Server Instances

18.  LDAP Data Views

19.  Directory Proxy Server Certificates

20.  Directory Proxy Server Load Balancing and Client Affinity

21.  Directory Proxy Server Distribution

22.  Directory Proxy Server Virtualization

23.  Virtual Data Transformations

24.  Connections Between Directory Proxy Server and Back-End LDAP Servers

25.  Connections Between Clients and Directory Proxy Server

26.  Directory Proxy Server Client Authentication

27.  Directory Proxy Server Logging

28.  Directory Proxy Server Monitoring and Alerts

Part III Directory Service Control Center Administration

29.  Directory Service Control Center Configuration

Index

Configuring SSL Communication

This section contains procedures that help you to choose encryption ciphers.

Disabling Non Secure Communication

When a server instance is created, both an LDAP clear port and a secure LDAP port (LDAPS) are created by default. However, there might be situations where you want to disable non-SSL communications so that the server communicates only through SSL.

The SSL connection is enabled with a default self-signed certificate. If you want to, you can install your own certificates. For instructions on managing certificates and disabling SSL after the server has been started, see Chapter 5, Directory Server Security. For an overview of certificates, certificate databases, and obtaining a CA-signed server certificate, see Oracle Directory Server Enterprise Edition Reference.

To Disable the LDAP Clear Port

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Disable the LDAP clear port.

    To disable the non secure point, you must bind to the LDAP secure port. This example shows a bind to the default LDAP secure port, 1636, on the host server host1.

    $ dsconf set-server-prop -h host1 -P 1636 ldap-port:disabled
  2. Restart the server for the change to take effect.
    $ dsadm restart /local/dsInst

    You can now no longer bind on the non secure port 1389.

Choosing Encryption Ciphers

A cipher is the algorithm used to encrypt and decrypt data. Generally speaking, the more bits that a cipher uses during encryption, the stronger or more secure the encryption is. Ciphers for SSL are also identified by the type of message authentication used. Message authentication is another algorithm that computes a checksum that guarantees data integrity.

When a client initiates an SSL connection with a server, the client and server must agree on a cipher to use to encrypt information. In any two-way encryption process, both parties must use the same cipher. The cipher used depends upon the current order of the cipher list kept by the server. The server chooses the first cipher presented by the client that matches a cipher in its list. The default cipher value for Directory Server is all, which means all known secure ciphers supported by the underlying SSL library. However, you can modify this value to only accept certain ciphers.

For more information about the ciphers that are available with Directory Server, see Oracle Directory Server Enterprise Edition Reference.

To Choose an Encryption Cipher

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Make sure that SSL is enabled for your server.

    See Configuring SSL Communication.

  2. View the available SSL ciphers.
    $ dsconf get-server-prop -h host -p port ssl-supported-ciphers
ssl-supported-ciphers  :  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
ssl-supported-ciphers  :  TLS_DHE_DSS_WITH_AES_256_CBC_SHA 
...
  3. (Optional) If you want to keep a copy of non-encrypted data, export the data before setting the SSL ciphers.

    See Exporting to LDIF.

  4. Set the SSL ciphers.
    $ dsconf set-server-prop -h host -p port ssl-cipher-family:cipher

    For example, to set the cipher family to SSL_RSA_WITH_RC4_128_MD5 and SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, type:

    $ dsconf set-server-prop -h host1 -P 1636 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
 ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Enter "cn=Directory Manager" password:  
Before setting SSL configuration, export Directory Server data. 
Do you want to continue [y/n] ? y
Directory Server must be restarted for changes to take effect.
  5. (Optional) Add an SSL cipher to an existing list.

    If you already have a list of ciphers specified, and you want to add a cipher, use this command:

    $ dsconf set-server-prop -h host -p port ssl-cipher-family+:cipher

    For example, to add the SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipher, type:

    $ dsconf set-server-prop -h host1 -P 1636 \
 ssl-cipher-family+:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  6. Restart the server for the changes to take effect.
    $ dsadm restart /local/dsInst
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next