The LDAP-UX Client Services provides SSL (Secure Sockets Layer) support
to secure communication between LDAP clients and the directory servers.
LDAP-UX supports SSL with a password as the credential, using simple bind.
A simple bind carries the password in the clear inside the LDAP protocol,
so the SSL session is what provides confidentiality and data integrity for
both the bind credential and the directory data exchanged between clients
and servers. LDAP-UX supports Microsoft Windows 2000 Active Directory
Server (ADS) and Netscape Directory Server (NDS) over SSL. For detailed
information on how to enable SSL communication over LDAP for your Windows
2000 Active Directory Server, refer to Microsoft Knowledge Base Article
Q247078 at http://support.microsoft.com/default.aspx?scid=kb;en-us:247078

Configuring the LDAP-UX Client to Use SSL
You can choose to enable SSL with LDAP-UX when you run the setup
program. If you want to use SSL, you must install the Certificate
Authority (CA) certificate on your LDAP-UX Client and configure your
LDAP directory server to support SSL before you run the setup program.

Steps to Download the CA Certificate from Windows 2000 CA Server

Downloading the certificate database with Netscape Communicator is one
way to set up the certificate database on your LDAP-UX Client. The
following steps show an example of how to download the Certificate
Authority (CA) certificate from a Windows 2000 Certificate Authority
Server using Netscape Communicator 4.75:

1. Log in to your system as root.

2. Use Netscape Communicator to connect to your Certificate Authority
   Server. The following shows an example of a link to your CA Server:
   http://<ADS servername>/CertSrv

3. Enter "administrator" as the user name and that user's password for
   the Active Directory Server.

4. Select the task "Retrieve the CA certificate or certificate
   revocation list" in the Microsoft Certificate Services screen. Then
   click the Next button.

5. Click the "Install this CA certificate" link in the "Retrieve the CA
   certificate or certificate revocation list" window to allow your
   LDAP-UX client to trust certificates issued by this Certificate
   Authority.

6. Click the Next button in the dialog box which states that you are
   about to go through the process of accepting a Certificate Authority,
   and that this has serious implications for the security of future
   encryptions using Netscape.

7. Click the Next button in the dialog box which states that a CA
   certifies the identity of . By accepting the CA, you allow Netscape
   Communicator to connect to and receive information from any site that
   it certifies without prompting or warning you.

8. Click the Next button in the dialog box which presents the
   certificate for this CA. Examine it carefully. The Certificate
   Fingerprint can be used to verify that this authority is who it says
   it is: compare it with the fingerprint obtained out of band (for
   example, from the CA administrator) before accepting, because once the
   CA is installed every server certificate it has issued will be trusted
   without further checks.

9. Check the "access the CA for certifying network sites", "access the
   CA for certifying e-mail users" and "access the CA for certifying
   software developers" checkboxes in the New CA window.

10. Click the Next button in the New CA dialog box which states that by
    accepting this CA, you have told Netscape Communicator to connect to
    and receive information from any site that it certifies without
    warning or prompting you.

11. Enter a short name to identify this CA in the Name box of the New CA
    window.

12. Click the Finish button to complete the installation of the CA
    certificate.

The Windows 2000 CA certificate will be downloaded to the following two
files on your LDAP-UX Client:

   /.netscape/cert7.db
   /.netscape/key3.db

You can simply copy the /.netscape/cert7.db file to
/etc/opt/ldapux/cert7.db and the /.netscape/key3.db file to
/etc/opt/ldapux/key3.db.
NOTE: For a multiple-domain environment, you only need to download the
certificate database files, cert7.db and key3.db, from one domain; no
additional action is required.

You may use the unsupported /opt/ldapux/contrib/bin/certutil command line
tool to create the certificate database files, cert7.db and key3.db. For
detailed command options and their arguments, refer to Using the
Certificate Database Tool, available at
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

The certificate database files, cert7.db and key3.db, will be downloaded
to either the /.netscape directory or the /.mozilla/default/*.slt
directory on your client system, depending on the version of Netscape
Communicator that you use. If you download the Certificate Authority
certificate using Netscape Communicator 7.0, the certificate database
files will be placed in the /.mozilla/default/*.slt directory. If you
download it using Netscape Communicator 4.75, they will be placed in the
/.netscape directory.
If your browser does not generate the cert7.db and key3.db security
database files, you must export the certificate (preferably the root
certificate of the Certificate Authority that signed the LDAP server's
certificate) from your certificate server as a Base64-Encoded certificate
and use the certutil utility to create the cert7.db and key3.db security
database files.

NOTE: The Mozilla browser on an HP-UX 11i v2 system does not generate the
security database files, cert7.db and key3.db. You can use the certutil
utility to create them.
Steps to Create Database Files Using the certutil Utility

The following steps show an example of how to create the security
database files, cert7.db and key3.db, on your client system using the
certutil utility:

1. Retrieve the Base64-Encoded certificate from the certificate server
   and save it. For example, get the Base64-Encoded certificate from the
   certificate server and save it as the /tmp/mynew.cert file. This file
   looks like the following (the Base64 body is abbreviated here):

   -----BEGIN CERTIFICATE-----
   MIICJjCCAY+gAwIBAgIBJDANBgkghkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
   MAkga1UECBMCQ2ExEjAQBgNVBAcTCWN1cGVvsG1ubzEPMA0GA1UEChmgAhaUy29T
   MRIwEAYDVQQLEw1RR1NMLUxkYXAxHDAaBgNVBAMTE0N1cnRpzmljYXR1IE1hbmFn
   4I2vvzz2i1Ubq+Ajcf1y8sdafuCmqTgsGUYjy+J1weM061kaWOt0HxmXmrUdmenF
   skyfHyvEGj8b5w6ppgIIA8JOT7z+F0w+/mig=
   -----END CERTIFICATE-----

2. Use the rm command to remove the old database files,
   /etc/opt/ldapux/cert7.db and /etc/opt/ldapux/key3.db:

   rm -f /etc/opt/ldapux/cert7.db /etc/opt/ldapux/key3.db

3. Use the certutil utility with the -N option to initialize the new
   database:

   /opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux

4. Add the Certificate Authority (CA) certificate or the LDAP server's
   certificate to the security database.

   Use the certutil command to add a CA certificate to the database. For
   example, the following command adds the CA certificate, my-ca-cert, to
   the security database in /etc/opt/ldapux from the Base64-Encoded
   certificate file /tmp/mynew.cert:

   /opt/ldapux/contrib/bin/certutil -A -n my-ca-cert -t "C,," \
       -d /etc/opt/ldapux -a -i /tmp/mynew.cert

   NOTE: The -t "C,," represents the minimum trust attributes that may be
   assigned to the CA certificate for LDAP-UX to successfully use SSL to
   connect to the LDAP directory server. If you have other applications
   that use the CA certificate for other functions, then you may wish to
   assign additional trust flags. See
   http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
   for additional information.

   Use the certutil command to add the LDAP server's certificate to the
   security database. For example, the following command adds the LDAP
   server's certificate, my-server-cert, to the security database in
   /etc/opt/ldapux from the Base64-Encoded certificate file
   /tmp/mynew.cert:

   /opt/ldapux/contrib/bin/certutil -A -n my-server-cert -t "P,," \
       -d /etc/opt/ldapux -a -i /tmp/mynew.cert

   NOTE: The -t "P,," represents the minimum trust attributes that may be
   assigned to the LDAP server's certificate for LDAP-UX to successfully
   use SSL to connect to the LDAP directory server. The trust flag is
   case-sensitive: upper-case P marks a trusted peer, whereas lower-case p
   marks the certificate as prohibited (explicitly distrusted), so a
   lower-case p here would prevent the SSL connection rather than enable
   it. See http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
   for additional information.
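The certutil steps above import whatever Base64 file you hand them, so the only
place to catch a mis-pasted file, or a certificate whose fingerprint does not match
what the CA administrator gave you, is before the import. The following is an added
example, not code from the LDAP-UX documentation or product: it checks the PEM file,
compares its fingerprint with an out-of-band value, and builds the exact certutil
commands shown on this page with the correct trust flags for a CA certificate
("C,,") and a server certificate ("P,,"). The certutil path and database directory
are the ones named on this page; the embedded PEM is a constructed 5-byte DER
stand-in, not a real certificate, and the expected-fingerprint value is whatever you
obtained from the CA administrator.

```python
"""Check a Base64 (PEM) certificate before loading it into the LDAP-UX
certificate database, then build the certutil commands shown on the page.

Added example, not code from the LDAP-UX documentation or product.
Assumed: certutil at /opt/ldapux/contrib/bin/certutil and the database
directory /etc/opt/ldapux (both named on the page); the expected
fingerprint is whatever the CA administrator gave you out of band.
"""
import base64
import hashlib
import re
import subprocess

CERTUTIL = "/opt/ldapux/contrib/bin/certutil"
DB_DIR = "/etc/opt/ldapux"

# Constructed stand-in for /tmp/mynew.cert: a 5-byte DER SEQUENCE, not a
# real X.509 certificate (a real one is roughly 1 KB of Base64).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in PEM text.

    Raises ValueError when the BEGIN/END markers are missing (a common
    copy-and-paste failure that certutil -a reports only as a generic
    error), when the Base64 body is malformed, or when the payload does
    not start with the DER SEQUENCE tag (0x30) every X.509 certificate has.
    """
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE markers found")
    body = re.sub(r"\s+", "", match.group(1))
    try:
        der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("invalid Base64 body: %s" % exc)
    if not der or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    return der


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest of the DER bytes, the form in
    which certificate tools display the Certificate Fingerprint."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der, expected):
    """Compare the certificate with an out-of-band fingerprint.

    Accepts SHA-1 (40 hex digits) or SHA-256 (64 hex digits), with or
    without colons, in any letter case. Anything else is a mismatch.
    """
    wanted = re.sub(r"[^0-9A-F]", "", expected.upper())
    algo = {40: "sha1", 64: "sha256"}.get(len(wanted))
    if algo is None:
        return False
    return fingerprint(der, algo).replace(":", "") == wanted


def certutil_init_argv(db_dir=DB_DIR):
    """certutil -N: create empty cert7.db and key3.db in db_dir (run once)."""
    return [CERTUTIL, "-N", "-d", db_dir]


def certutil_import_argv(nickname, pem_path, role, db_dir=DB_DIR):
    """certutil -A exactly as the page shows it. role selects the trust
    flags: 'ca' -> C,, (trusted CA for SSL servers), 'server' -> P,,
    (trusted peer). Other values are refused so a typo cannot yield
    'p,,', which certutil reads as a prohibited (distrusted) certificate."""
    flags = {"ca": "C,,", "server": "P,,"}
    if role not in flags:
        raise ValueError("role must be 'ca' or 'server', got %r" % role)
    return [CERTUTIL, "-A", "-n", nickname, "-t", flags[role],
            "-d", db_dir, "-a", "-i", pem_path]


def import_certificate(pem_path, expected_fp, nickname, role,
                       db_dir=DB_DIR, run=True):
    """Verify the file and its fingerprint, then run (or, with run=False,
    only return) the certutil -A command. Run certutil_init_argv() once
    beforehand on a fresh client, as in step 3 of the page."""
    with open(pem_path) as fh:
        der = pem_to_der(fh.read())
    if not fingerprint_matches(der, expected_fp):
        raise RuntimeError("fingerprint mismatch for %s: file has %s"
                           % (pem_path, fingerprint(der)))
    argv = certutil_import_argv(nickname, pem_path, role, db_dir)
    if run:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("fingerprint:", fingerprint(der))
    print(" ".join(certutil_import_argv("my-ca-cert", "/tmp/mynew.cert", "ca")))
```

On the client you would call `import_certificate("/tmp/mynew.cert", "<fingerprint from the CA administrator>", "my-ca-cert", "ca")` after `certutil -N`; a mismatch raises before anything touches /etc/opt/ldapux, which is the point of doing the comparison here rather than trusting whatever file landed in /tmp.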