HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
To use certificate-based authentication with replication, configure the consumer server
either to allow or to require client authentication.
10. To verify the authenticity of requests, select the Check hostname against name in certificate
for outbound SSL connections option. The server does this verification by matching the host
name against the value assigned to the common name (cn) attribute of the subject name in
the certificate being presented for authentication.
By default, this feature is disabled. If it is enabled and if the host name does not match the
cn attribute of the certificate, appropriate error and audit messages are logged. For example,
in a replicated environment, messages similar to these are logged in the supplier server's log
files if it finds that the peer server's host name does not match the name specified in its
certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 -
Unable to communicate securely with peer: requested domain name does not match the server's
certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=agmt1" (host2:389): Replication
bind with SSL client authentication failed: LDAP error 81 (Can't contact DAP server)
HP recommends enabling this option to protect Directory Server's outbound TLS/SSL connections
against a man-in-the-middle (MITM) attack.
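As an added example (not code from the HP-UX Directory Server guide or product), the following Python mirrors the verification that step 10 describes and goes one step further: it matches the expected host name against the certificate's dNSName subjectAltName entries first, falling back to the subject cn the guide names, and it scans a supplier's error log for the mismatch signature shown above so that a hostname/certificate mismatch can be told apart from an ordinary connection failure. The certificate dict layout follows Python's ssl.SSLSocket.getpeercert(); the sample certificates and log lines are constructed here, and the function names are mine.

```python
"""Added example, not HP's code: reproduce the 'check hostname against name
in certificate' decision for an outbound TLS connection and detect the
supplier-side log messages written when that check fails.

Assumptions (mine, not from the guide): a peer certificate is represented
as the dict returned by ssl.SSLSocket.getpeercert(), and log lines are the
plain-text format shown in the guide, one event per line."""
import re
from typing import Dict, List, Tuple

PeerCert = Dict[str, object]


def _dns_labels_equal(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison that allows a single leading
    '*' wildcard label ('*.example.com' matches 'host2.example.com', not
    'a.b.example.com' and not 'example.com')."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(h_labels) > 1 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def subject_common_name(cert: PeerCert) -> str:
    """Return the subject cn attribute, the field the guide says the server
    compares against the peer host name (empty string if absent)."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return ""


def hostname_matches_certificate(hostname: str, cert: PeerCert) -> bool:
    """True when the expected host name matches the presented certificate.
    If the certificate carries dNSName subjectAltName entries, only those
    are consulted (what current TLS stacks do); otherwise the subject cn
    described in the guide is used. An unqualified name such as 'host2'
    never matches a certificate issued to 'host2.example.com'."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for (kind, value) in san if kind == "DNS"]
    if dns_names:
        return any(_dns_labels_equal(name, hostname) for name in dns_names)
    cn = subject_common_name(cert)
    return bool(cn) and _dns_labels_equal(cn, hostname)


# Signature of the replication-bind failure line that follows the NSS alert.
_BIND_FAILED_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): Replication bind with SSL '
    r"client authentication failed: LDAP error 81"
)


def find_hostname_mismatch_events(log_text: str) -> List[Tuple[str, str]]:
    """Return (agreement, peer) pairs for replication binds that failed
    because the peer's host name did not match its certificate: an NSS
    -12276 alert immediately followed by the LDAP error 81 line for the
    agreement. An error 81 with no preceding -12276 alert is left out, since
    that is a generic connectivity failure rather than a mismatch."""
    events: List[Tuple[str, str]] = []
    pending_alert = False
    for line in log_text.splitlines():
        if "-12276" in line:
            pending_alert = True
            continue
        match = _BIND_FAILED_RE.search(line)
        if match and pending_alert:
            events.append((match.group("agmt"), match.group("peer")))
        pending_alert = False
    return events


# Constructed samples, shaped like ssl.getpeercert() output.
SAN_CERT: PeerCert = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "host2.example.com"),)),
    "subjectAltName": (("DNS", "host2.example.com"), ("DNS", "ldap.example.com")),
}
CN_ONLY_CERT: PeerCert = {"subject": ((("commonName", "host2.example.com"),),)}
WILDCARD_CERT: PeerCert = {"subject": ((("commonName", "*.example.com"),),)}

# Constructed log excerpt modelled on the guide's example (one event per line).
SAMPLE_LOG = """\
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=agmt1" (host2:389): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
[DATE] NSMMReplicationPlugin - agmt="cn=agmt2" (host3:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
"""

if __name__ == "__main__":
    print(hostname_matches_certificate("host2.example.com", SAN_CERT))
    print(hostname_matches_certificate("host2", CN_ONLY_CERT))
    print(find_hostname_mismatch_events(SAMPLE_LOG))
```

The second call shows the most common cause of the messages in step 10: the replication agreement names the peer by its short host name while the certificate was issued to the fully qualified name. The remedy is to make the agreement's host name match the certificate (or reissue the certificate), not to disable the check.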
11. Check the Use SSL in the Console box. Click Save.
12. In the Administration Server Console, select the Configuration tab. Select the Encryption tab,
check the Enable SSL checkbox, and fill in the appropriate certificate information.
13. In the Configuration DS tab, change the port number to the new Directory Server secure port
information. See “Changing Directory Server port Numbers” (page 22) for more information.
Do this even if the default port of 636 is used. Check the Secure Connection checkbox.
14. In the User DS tab, select the Set User Directory radio button, and fill in the Directory Server
secure port information, the LDAP URL, and the user database information. Check the Secure
Connection checkbox.
15. Save the new TLS/SSL settings and Configuration DS and User DS information in the
Administration Server Console.
16. Restart the Directory Server. The server must be restarted from the command line.
/opt/dirsrv/slapd-instance_name/restart-slapd
When the server restarts, it prompts for the PIN or password to unlock the key database. This
is the same password used when the server certificate and key were imported into the database.
To restart the Directory Server without the password prompt, create a PIN file or use a hardware
crypto device. For information on how to create a PIN file, see “Creating a password file for
the Directory Server” (page 484).
For more information about the commands to start, stop, and restart the Directory Server, see
“Starting and Stopping Servers” (page 19).
NOTE:
When next logging into the Directory Server Console, be certain that the address reads https;
otherwise, the operation will time out, unable to find the server because it is running on a secure
connection. After successfully connecting, a dialog box appears to accept the certificate. Click OK
to accept the certificate (either only for that current session or permanently).
12.4 Starting the server with TLS/SSL enabled 483