HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

/opt/dirsrv/sbin/restart-ds-admin
For more information about the commands to start, stop, and restart the Directory Server, see
“Starting and Stopping Servers” (page 19).
12.5 Using external security devices
A security module serves as a medium between the Directory Server and the SSL layer. The module
stores the keys and certificates used for encryption and decryption. The standard that defines these
modules is Public Key Cryptography Standard (PKCS) #11, so these modules are PKCS #11
modules.
By default, Directory Server uses built-in security databases, key3.db and cert8.db, to store
the keys and certificates used by the servers.
It is also possible to use external security devices to store Directory Server certificates and keys.
For Directory Server to use an external PKCS #11 module, the module's drivers must be installed
in Directory Server.
To install an external security device:
1. Connect the device, and install its drivers on the server machine.
2. Open the Directory Server Console for the server instance with which to use the security device.
3. Open the Console in the top navigation menu, and select Security, then the Configure
Security Modules item.
4. In the window, click the Install button.
5. In the configuration box, enter the full path to the driver file for the device and the name for
the module.
6. Click OK to save the new module driver.
12.6 Setting security preferences
The Directory Server supports several different ciphers, and the type of ciphers to use for TLS/SSL
communications is set by the user. A cipher is the algorithm used in encryption. Some ciphers
are more secure, or stronger, than others. Generally speaking, the more bits a cipher uses during
encryption, the more difficult it is to decrypt the key.
When a client initiates a TLS/SSL connection with a server, the client tells the server what ciphers
it prefers to use to encrypt information. In any two-way encryption process, both parties must use
the same ciphers. There are a number of ciphers available. The server needs to be able to use the
ciphers that will be used by client applications connecting to the server.
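The following Python code is an added example, not part of this guide. It parses a cipher preference string in the +name,-name form taken by the Directory Server nsSSL3Ciphers attribute (an attribute not described on this page), reports which enabled ciphers are low strength, and models which cipher a connecting client ends up with. The sample value, the cipher names in it, and the rule that the first client-preferred cipher the server has enabled is selected are assumptions made for illustration.

```python
# Added example (not from the guide). SAMPLE and the cipher names in it are
# constructed; the '+name,-name' form follows the nsSSL3Ciphers attribute.
SAMPLE = ("+tls_rsa_aes_128_sha,+rsa_3des_sha,+rsa_des_sha,"
          "+tls_rsa_export1024_with_rc4_56_sha,-rsa_null_md5")
WEAK_TOKENS = {"null": "no encryption", "40": "40-bit key",
               "des": "single DES, 56-bit key", "1024": "export-grade"}

def parse_cipher_pref(value):
    """Return {cipher name: enabled}; a later entry overrides an earlier one."""
    state = {}
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        if len(item) < 2 or item[0] not in "+-":
            raise ValueError(f"entry needs a +/- prefix and a name: {item!r}")
        state[item[1:].lower()] = item[0] == "+"
    return state

def weak_reasons(name):
    """List why a suite is low strength, judged from the tokens in its name."""
    reasons = []
    for token in name.split("_"):
        if token.startswith("export"):
            reasons.append("export-grade")
        elif token in WEAK_TOKENS:
            reasons.append(WEAK_TOKENS[token])
    return reasons

def audit(value):
    """Return {enabled cipher: reasons} for every enabled low-strength suite."""
    findings = {}
    for name, enabled in parse_cipher_pref(value).items():
        reasons = weak_reasons(name)
        if enabled and reasons:
            findings[name] = reasons
    return findings

def negotiate(client_prefs, value):
    """Assumed model: first client-preferred cipher the server has enabled."""
    enabled = {n for n, on in parse_cipher_pref(value).items() if on}
    for name in client_prefs:
        if name.lower() in enabled:
            return name.lower()
    return None  # no cipher in common: the handshake fails

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(negotiate(["tls_dhe_rsa_aes_256_sha", "tls_rsa_aes_128_sha"], SAMPLE))
    print(negotiate(["rsa_des_sha"], SAMPLE))  # weak suite still accepted
```

The last call shows why the audit matters: as long as a low-strength cipher stays enabled on the server, a client that offers only that cipher still gets a connection.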
12.6.1 Available ciphers
This section lists information about the available ciphers for Directory Server encryption. Each
cipher has the following information:
Directory Server name
The name of the cipher suite used when configuring the Directory Server. The Directory Server
uses this name both internally and in the Directory Server Console.
Key exchange
The key exchange algorithm. DHE stands for Diffie-Hellman; DSS stands for Digital Signature
Standard. The 1024 bit ciphers are lower strength ciphers formerly used for export control.
Encryption Algorithm
AES stands for the Advanced Encryption Standard. DES stands for Data Encryption Standard.