HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

12 Managing SSL
To provide secure communications over the network, HP-UX Directory Server includes the LDAPS
communications protocol. LDAPS is the standard LDAP protocol, running over Transport Layer
Security (TLS, formerly Secure Sockets Layer or SSL). Directory Server also allows spontaneous
secure connections over otherwise-insecure LDAP ports, using the Start TLS LDAP extended operation.
This chapter describes how to use TLS/SSL with Directory Server.
Topics include:
“Introduction to SSL in the Directory Server” (page 469)
“Obtaining and installing server certificates” (page 471)
“Using certutil” (page 477)
“Starting the server with TLS/SSL enabled” (page 480)
“Using external security devices” (page 485)
“Setting security preferences” (page 485)
“Using certificate-based authentication” (page 487)
“Managing certificates for the Directory Server” (page 496)
12.1 Introduction to SSL in the Directory Server
The Directory Server supports TLS/SSL to secure communications between LDAP clients and the
Directory Server, between Directory Servers that are bound by a replication agreement, or between
a database link and a remote database. Directory Server can use TLS/SSL with simple authentication
(bind DN and password) or with certificate-based authentication.
Directory Server's cryptographic services are provided by Mozilla Network Security Services (NSS),
a library of TLS/SSL and base cryptographic functions. NSS includes a software-based cryptographic
token that is FIPS 140-2 certified.
Using TLS/SSL with simple authentication ensures confidentiality and data integrity. There are two
major benefits to using a certificate — smart card, token, or software-based — to authenticate to
the Directory Server instead of a bind DN and password:
Improved efficiency
Applications that prompt once for the certificate database password and then use that
certificate for all subsequent bind or authentication operations are more efficient than
applications that must repeatedly supply a bind DN and password.
Improved security
The use of certificate-based authentication is more secure than non-certificate bind operations
because certificate-based authentication uses public-key cryptography. Bind credentials cannot
be intercepted across the network. If the certificate or device is lost, it is useless without the
PIN, so it is immune to third-party interference such as phishing attacks.
The Directory Server is capable of simultaneous TLS/SSL and non-SSL communications. This means
that you do not have to choose between TLS/SSL or non-SSL communications for the Directory
Server; both can be used at the same time. Directory Server can also use the Start TLS extended
operation to allow TLS/SSL secure communication over a regular (insecure) LDAP port.
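The Start TLS extended operation described above, as an added example (Python, not code from this guide or from Directory Server itself): it encodes the request a client sends on the plain LDAP port, parses the server's extended response, and applies the check a client must make before it treats the connection as protected. The OID and BER tags are the standard RFC 4511 values; the two sample replies are constructed, not captured from a server.

```python
# Added example, not code from the HP-UX Directory Server guide: the LDAP Start TLS extended
# operation on the wire (RFC 4511 BER framing) and the client-side rule for acting on its reply.
START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 / RFC 4513 Start TLS requestName

def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value with a short-form BER length (all Start TLS request fields are < 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def start_tls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    assert 0 < message_id < 0x80  # a one-byte INTEGER is enough for this example
    ext = ber_tlv(0x77, ber_tlv(0x80, START_TLS_OID.encode()))  # 0x77 = APPLICATION 23, constructed
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element at buf[pos]; raises if truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length

def parse_start_tls_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = read_tlv(msg, 0)
    tag_id, mid, pos = read_tlv(body, 0)
    tag_resp, resp, _ = read_tlv(body, pos)
    tag_code, code, pos = read_tlv(resp, 0)    # LDAPResult.resultCode (ENUMERATED)
    _, _matched_dn, pos = read_tlv(resp, pos)  # matchedDN
    _, diag, _ = read_tlv(resp, pos)           # diagnosticMessage
    if (tag, tag_id, tag_resp, tag_code) != (0x30, 0x02, 0x78, 0x0A):
        raise ValueError("not an LDAP ExtendedResponse")
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def tls_upgrade_allowed(msg: bytes, expected_id: int) -> bool:
    """Begin the TLS handshake only on resultCode success (0) for our own messageID. An error,
    a mismatched id or a malformed reply leaves the port plaintext: do not bind on it anyway."""
    try:
        mid, code, _ = parse_start_tls_response(msg)
    except (ValueError, IndexError):
        return False
    return mid == expected_id and code == 0

# Constructed sample replies (not captured from a real server): success, then operationsError.
SUCCESS_RESPONSE = bytes.fromhex("300c02010178070a010004000400")
FAILURE_RESPONSE = bytes.fromhex("301b02010178160a01010400040f544c5320756e617661696c61626c65")
```

The point of `tls_upgrade_allowed` is the failure mode: a client that silently continues with a simple bind after a failed or missing Start TLS reply sends the bind DN and password in cleartext, which is exactly what the operation exists to prevent.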
12.1.1 Enabling SSL: Summary of steps
To configure the Directory Server to use LDAPS, follow these steps:
12.1 Introduction to SSL in the Directory Server 469