HP-UX Trusted Computing Services A.02.00 Administrator's Guide

engineCtrl=LOAD
engineCtrl=INIT
# Service-level configuration for SMTP server
[smtp-server]
# Use in server mode
client = no
accept = myServer.hp.com:25
connect = localhost:25
engineNum = 1
# Service-level configuration for POP3 server
[pop3]
# Use in server mode
client = no
accept = myServer.hp.com:110
connect = localhost:110
engineNum = 1
Stunnel and Secure LDAP Example
In this example, a Lightweight Directory Access Protocol (LDAP) client uses Stunnel to connect to a secure LDAP server. The components in this topology are:
• The LDAP client, which is a web server using secure LDAP to authenticate HTTP clients. The web server uses a local Stunnel endpoint to establish a TLS/SSL connection to the secure LDAP server. The web server is running HP-UX Apache-based Web Server, which is based on Apache version 2.0 and is included in the HP-UX Web Server Suite.
• The Stunnel endpoint on the LDAP client. Stunnel establishes a TLS/SSL connection with the secure LDAP server. The private key used for the Stunnel certificate is protected by the TPM.
• The secure LDAP server, provided by Red Hat Directory Server 7.1 for HP-UX. The secure LDAP server implements TLS/SSL itself, so no Stunnel is needed on the secure LDAP server.
The web server and Stunnel run on the system myClient. Stunnel is configured to accept requests on port 7777 and forward them to port 636 on the secure LDAP server. Port 7777 is an arbitrarily selected port number that was previously unused; port 636 is the Internet Assigned Numbers Authority (IANA) registered port number for secure LDAP (LDAPS).
The HP-UX Apache Web Server is configured to send LDAP requests to port 7777 on the local host.
The secure LDAP server runs on the system myServer. The secure LDAP server is configured to require client authentication; the directory entry with the DN cn=encryption,cn=config has the nsSSLClientAuth attribute set to required.
Creating and Distributing TPM-Protected Certificates
The procedure for creating the certificate is the same as the procedure in “Step 1: Obtaining a
Certificate that Uses a TPM-Protected Private Key ” (page 41). In this example the TPM-protected
private key is used for one entity only: the Stunnel certificate on the LDAP client.
Stunnel Configuration on myClient for Secure LDAP
On the LDAP client (myClient), Stunnel is configured to accept requests on port 7777 and
forward them to port 636 on the secure LDAP server. The Stunnel configuration file is similar to
the file listed in “Stunnel Configuration File on myClient for telnet” (page 46), with the
following service option entry:
[LDAPS-client]
# Use in client mode
client = yes
accept = localhost:7777
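The service entry above is cut off at the page break, so the following is a complete stunnel.conf for myClient, given here as an added example rather than as a file taken from this guide. The engine identifier tpm, the key identifier, the file paths under /etc/opt/stunnel and /var/opt/stunnel, and the CA file are assumptions; the host myServer.hp.com, the ports, and the engineCtrl and engineNum settings follow the text and the SMTP/POP3 example above.

```ini
# stunnel.conf on myClient for the secure LDAP example
# (added example; paths, the engine id "tpm" and the key identifier are assumed)

# Global options
# Certificate issued for the TPM-protected private key (see "Step 1", page 41)
cert = /etc/opt/stunnel/myClient-cert.pem
# With an engine loaded, "key" is the key identifier passed to the engine,
# not a PEM file on disk; the private key never leaves the TPM
key = myClient-tpm-key
# OpenSSL engine that wraps the TPM (engine id is an assumption)
engine = tpm
engineCtrl = LOAD
engineCtrl = INIT
# Require the LDAP server to present a certificate that chains to a trusted CA.
# Without verify/CAfile the client side of the tunnel accepts any server certificate.
verify = 2
CAfile = /etc/opt/stunnel/ca-cert.pem
output = /var/opt/stunnel/stunnel.log

# Service-level configuration for the secure LDAP client
[LDAPS-client]
# Use in client mode: cleartext LDAP in on the loopback port,
# TLS/SSL out to the LDAPS port on myServer
client = yes
accept = localhost:7777
connect = myServer.hp.com:636
# Load the private key for this service through engine number 1 (the TPM engine)
engineNum = 1
```

Two checks worth making before relying on this tunnel. First, the hop from the web server to Stunnel on port 7777 is cleartext, so accept must stay bound to localhost; binding it to the host's network address would expose unencrypted LDAP traffic, including bind credentials, to the network. Second, confirm that myServer really enforces nsSSLClientAuth: required by running openssl s_client -connect myServer.hp.com:636 from myClient without a client certificate: the server should reject the handshake, and only the Stunnel endpoint, presenting the TPM-backed certificate, should be able to complete it.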
Stunnel Examples 51