HP CIFS Server Administrator Guide Version A.02.04.04 (5070-6710, October 2011)

For the latest LDAP Integration software, download the product from the following web site:
http://www.hp.com/go/softwaredepot
Enter LDAP-UX Integration for HP-UX in the search field.
Strong Authentication Support
When you enable LDAP server signing with required signing for strong authentication support on
a Windows 2000/2003 ADS Domain Controller (DC), you can enable the startTLS extended operation
of the Transport Layer Security (TLS) protocol on the HP CIFS Server to negotiate signing with
the Windows ADS DC. The SSL/TLS protocol provides secure communication between the HP CIFS
Server and the Windows 2000/2003 ADS DC. With the startTLS feature, you can establish an
encrypted connection over the standard unencrypted LDAP port, 389.
If you want to enable startTLS for strong authentication support, you must perform the following
tasks before you run the kinit and net ads join commands as described in “Step-by-step
Procedure” (page 74) to join the HP CIFS Server to a Windows 2000/2003 ADS domain as a domain
member server:
1. Install a Certification Authority (CA) on a Windows ADS Server.
2. Download the certificate database files, cert8.db and key3.db, from the Windows CA Server and
install them on the HP CIFS Server machine.
3. Configure the HP CIFS Server to enable the startTLS feature.
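As an added example (not HP's or Microsoft's code), the following Python performs the LDAP startTLS exchange that the CIFS server negotiates on port 389: it encodes the StartTLS ExtendedRequest, decodes the DC's ExtendedResponse and, on success, upgrades the socket to TLS while verifying the DC certificate against a CA file exported from the Windows CA. The DC name, the CA file path and the sample response bytes are assumptions or constructed values.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511 / RFC 4513


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV (short-form length; every value we send is < 128 bytes)."""
    return bytes([tag, len(value)]) + value


def encode_starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_req)


def read_tlvs(buf: bytes):
    """Yield (tag, value) for each consecutive BER TLV in buf; handles long-form lengths."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length


def decode_extended_response(msg: bytes) -> dict:
    """Parse an LDAPMessage carrying ExtendedResponse [APPLICATION 24] (tag 0x78)."""
    tag, body = next(read_tlvs(msg))
    assert tag == 0x30, "not an LDAPMessage"
    (_, msg_id), (op_tag, op) = list(read_tlvs(body))[:2]
    assert op_tag == 0x78, f"expected ExtendedResponse, got tag {op_tag:#x}"
    fields = list(read_tlvs(op))  # resultCode, matchedDN, diagnosticMessage, [responseName ...]
    return {"msg_id": int.from_bytes(msg_id, "big"),
            "result_code": int.from_bytes(fields[0][1], "big"),
            "diagnostic": fields[2][1].decode("utf-8", "replace")}


def starttls(sock: socket.socket, dc_name: str, cafile: str) -> ssl.SSLSocket:
    """Send StartTLS on an open port-389 socket and upgrade it; the DC cert must chain to cafile."""
    sock.sendall(encode_starttls_request(1))
    resp = decode_extended_response(sock.recv(4096))
    if resp["result_code"] != 0:  # 0 = success; anything else means the DC will not start TLS
        raise RuntimeError(f"StartTLS refused: code {resp['result_code']}: {resp['diagnostic']}")
    ctx = ssl.create_default_context(cafile=cafile)  # assumed path to the exported enterprise root CA
    return ctx.wrap_socket(sock, server_hostname=dc_name)


# Constructed sample: a DC's successful ExtendedResponse to message 1 (no responseName).
SAMPLE_DC_OK = bytes.fromhex("300c02010178070a010004000400")
```

Call it as `starttls(socket.create_connection((dc, 389)), dc, "ca.pem")` with your own DC name and CA file. A non-zero result code means the DC refused to start TLS; a certificate verification error from wrap_socket means the CA file does not match the CA that issued the DC's certificate.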
Steps to install Certification Authority (CA) on a Windows ADS Server
You must install an SSL/TLS Certification Authority (CA) on a Windows ADS Server before you
download the certificate database files, cert8.db and key3.db, to your HP CIFS Server machine.
If MS IIS Service is installed, you must stop it while installing the CA and restart it afterwards.
NOTE: If a previous CA has been installed on your Windows ADS Server and the CA services
do not work, you must remove them before you reinstall the CA. For detailed information on how to
manually remove a Windows Certificate Authority from a Windows 2000/2003 domain, refer to
the Microsoft document at:
http://support.microsoft.com/kb/555151/en-us
The following steps show how to install the MS CA on a Windows ADS Server using the MS Certificate
Services Installation Wizard:
1. Select Control Panel -> Add/Remove Programs -> Add/Remove Windows Components.
2. Check Certificate Services.
3. Check Application Server.
4. Click the Next button.
5. Select Enterprise Root Certificate Authority.
6. Provide a common name (CN) for the system. It must be a fully qualified domain name.
7. Specify the certificate database settings and log location. For example:
C:\Windows\system32\CertLog
8. To install CA services, you must temporarily stop the MS IIS Service if it is installed. Then,
restart it after the installation of CA services is complete.
9. Run Certificate Services in Administrative Tools to verify that the installation of the Windows
Certificate Authority succeeded.
10. Open a web browser and go to:
http://ads_CA_server/certsrv
70 Windows 2003 and Windows 2008 Domains