HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

4. Click the Edit Trust button.
5. Set the CA trust options.
Accepting connections from clients (Client Authentication)
This option sets whether to accept client, or user, certificates issued by the CA.
Making connections to other servers (Server Authentication)
This option sets whether to accept server certificates issued by the CA.
6. Click OK.
12.8.3 Changing security device passwords
Periodically change the settings for the security databases or devices.
1. In the Tasks tab, click the Manage Certificates button.
2. Click the CA Certs tab.
3. Choose a security device from the drop-down list.
4. Click the Password button.
5. In the Change Security Device Password dialog box, enter the old password, then enter and
confirm the new password.
6. Click OK.
12.8.4 Managing certificate lists
Certificate revocation lists (CRLs) allow CAs to specify certificates that client or server users should
no longer trust. If data in a certificate changes, a CA can revoke the certificate and list it in a CRL.
CRLs are produced and periodically updated by a CA, so updated CRLs can be added to the
Directory Server.
1. Obtain the CRL from the CA; CRLs can usually be downloaded from the CA's website.
2. In the Tasks tab, click the Manage Certificates button.
3. Click the CA Certs tab.
4. At the top of the Managing Certificates window, choose a security device from the drop-down
menu.
5. Select the Revoked Certs tab.
6. Every loaded CRL is listed. To view a CRL, select the CRL and click Detail.
7. To add a CRL, click Add at the bottom of the window, and enter the full path to the CRL file.
8. Click OK.
12.9 Access based on the security strength of the connection
In some environments, access to the directory server requires that a certain level of encryption
be used. The Security Strength Factor (SSF) sets the minimum level of encryption for any connection
to the directory server. It is set through the nsslapd-minssf configuration parameter. Setting a
minimum SSF value effectively disables all insecure connections to the directory server.
1. Add the nsslapd-minssf attribute to the cn=config entry.
ldapmodify -D "cn=directory manager" -w secret -h server.example.com -p 389
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 128
2. Restart the server.
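One way to confirm the setting after the restart, as an added example that is not part of the HP guide: the script reads an LDIF export of the cn=config entry and checks nsslapd-minssf against a required minimum, unfolding wrapped LDIF lines and ignoring other entries. The function names, the sample data and the treatment of an absent attribute as 0 are assumptions.

```shell
# Added example: audit nsslapd-minssf in an LDIF export of cn=config.
# Function names and sample data are constructed, not from the HP guide.

# Print the nsslapd-minssf value of the cn=config entry in LDIF file $1.
# Prints 0 if absent (assumption: an absent attribute enforces no minimum).
get_minssf() {
    awk '
    { sub(/\r$/, "") }                                  # tolerate CRLF files
    /^ / { buf = buf substr($0, 2); next }              # unfold continuation
    { emit(buf); buf = $0 }
    END { emit(buf); print (found ? val : 0) }
    function emit(line,    i, name, value) {
        if (line == "") { in_cfg = 0; return }          # blank line ends entry
        i = index(line, ":")
        if (line ~ /^#/ || i == 0) return
        name = tolower(substr(line, 1, i - 1))
        value = substr(line, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        if (name == "dn") { in_cfg = (tolower(value) == "cn=config") }
        else if (in_cfg && name == "nsslapd-minssf") { val = value; found = 1 }
    }' "$1"
}

# Return 0 if the configured minimum is at least $2 bits (default 128, the
# value set in the ldapmodify example above); return 1 otherwise.
check_minssf() {
    required=${2:-128}
    actual=$(get_minssf "$1")
    case $actual in
        ''|*[!0-9]*) echo "FAIL: unparsable value: $actual" >&2; return 1 ;;
    esac
    if [ "$actual" -ge "$required" ]; then
        echo "OK: nsslapd-minssf=$actual (required >= $required)"
    else
        echo "FAIL: nsslapd-minssf=$actual (required >= $required)" >&2
        return 1
    fi
}

# Constructed sample: folded attribute name, plus a child entry to ignore.
sample=$(mktemp)
printf '%s\n' 'dn: cn=config' 'objectClass: top' 'nsslapd-port: 389' \
    'nsslapd-min' ' ssf: 128' '' \
    'dn: cn=other,cn=config' 'nsslapd-minssf: 0' > "$sample"
check_minssf "$sample" 128 || true
```

The non-zero exit status of check_minssf lets the check run from a scheduled job or configuration audit and flag a server whose minimum has been lowered or removed.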