HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

1. Obtain and install a certificate for the Directory Server, and configure the Directory Server to
trust the certification authority's (CA's) certificate.
For information, see “Obtaining and installing server certificates” (page 471).
2. Turn on TLS/SSL in the directory.
For information, see “Starting the server with TLS/SSL enabled” (page 480).
3. Configure the Administration Server to connect to an SSL-enabled Directory Server.
4. Optionally, ensure that each user of the Directory Server obtains and installs a personal
certificate for all clients that will authenticate with TLS/SSL.
For information, see “Configuring Directory Server to accept certificate-based authentication
from LDAP clients” (page 489).
12.1.2 Command line functions for Start TLS
The LDAP command line tools, such as ldapmodify, ldapsearch, and ldapdelete, can use TLS/SSL when
communicating with an SSL-enabled server and can authenticate with a client certificate. Command
line options also request or enforce Start TLS, which upgrades a connection that was opened on the
clear text port to a secure connection after the session has been initiated.
IMPORTANT:
The Start TLS options described here apply only to the Mozilla LDAP tools provided with HP-UX
Directory Server.
In the following example, a network administrator enforces Start TLS for a search that returns Mike
Connor's identification number:
ldapsearch -p 389 -ZZZ -P certificateDB -s base \
  -b "uid=mconnors,ou=people,dc=example,dc=com" "(objectClass=*)" govIdNumber
The -ZZZ option enforces Start TLS, and certificateDB gives the file name and path to the
certificate database. The search base is the user's own entry with scope base, and govIdNumber is
the only attribute requested, so the result contains just that value. Because the connection is
opened on the clear text port (389), Start TLS is what protects the query; without it the search
and its result would cross the network unencrypted.
NOTE:
The -ZZZ option enforces the use of Start TLS: the server must respond that the Start TLS operation
succeeded before the tool sends anything else. If -ZZZ is used and the server does not support
Start TLS, the operation is aborted immediately rather than falling back to clear text.
For information on the command line options available, see the HP-UX Directory Server configuration,
command, and file reference.
12.1.2.1 Troubleshooting Start TLS
With the -ZZ option, the following errors could occur:
• If there is no certificate database, the operation fails. See “Obtaining and installing server
certificates” (page 471) for information on using certificates.
• If the server does not support Start TLS, the connection proceeds in clear text. To enforce the
use of Start TLS, use the -ZZZ option.
• If the certificate database does not have the certification authority (CA) certificate, the
connection proceeds in clear text. See “Obtaining and installing server certificates” (page 471)
for information on using certificates.
In the last two cases -ZZ falls back silently, so the LDAP operation that follows the failed Start
TLS attempt, including a simple bind password if one is supplied, crosses the network unencrypted.
Use -ZZZ whenever the operation must not run without TLS.
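The following script is an added example; it is not part of the HP-UX Directory Server guide or of the Mozilla LDAP tools. It encodes the Start TLS extended request that ldapsearch sends for both -ZZ and -ZZZ, decodes the server's extended response, and then applies the two client policies described in section 12.1.2 and the troubleshooting list above: tolerate a refusal and stay in clear text (-ZZ), or abort (-ZZZ). Both sides of the exchange are constructed in the script, so it runs offline; the function names, the refusal diagnostic text, and the "tls"/"cleartext"/"abort" outcomes are the example's own conventions, not anything the tools print.

```python
"""Added example, not from the HP-UX Directory Server guide: the LDAP Start TLS
extended operation (OID 1.3.6.1.4.1.1466.20037) encoded and decoded by hand, then
the two client policies the guide describes for the Mozilla tools: -ZZ (continue
in clear text if the server refuses) and -ZZZ (abort). All messages are
constructed in this file; no server is contacted."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# BER tags used by the LDAPMessages below (RFC 4511 ASN.1).
TAG_SEQUENCE, TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # requestName [0] inside ExtendedRequest
TAG_RESPONSE_NAME = 0x8A      # responseName [10] inside ExtendedResponse


def ber_length(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_int(n):
    """Minimal two's-complement content octets for INTEGER / ENUMERATED."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def build_starttls_request(message_id):
    """Client side: LDAPMessage { messageID, ExtendedRequest { requestName } }.
    This is the message ldapsearch sends for both -ZZ and -ZZZ."""
    op = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(message_id)) + op)


def build_starttls_response(message_id, result_code, diagnostic=b""):
    """Server side, constructed here to stand in for a real directory server.
    resultCode 0 means TLS may start; any other code is a refusal."""
    fields = (tlv(TAG_ENUMERATED, ber_int(result_code))
              + tlv(TAG_OCTET_STRING, b"")          # matchedDN (empty)
              + tlv(TAG_OCTET_STRING, diagnostic))  # diagnosticMessage
    if result_code == 0:
        fields += tlv(TAG_RESPONSE_NAME, STARTTLS_OID)  # echoed by many servers
    return tlv(TAG_SEQUENCE,
               tlv(TAG_INTEGER, ber_int(message_id))
               + tlv(TAG_EXTENDED_RESPONSE, fields))


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the BER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(msg):
    """Decode an LDAPMessage carrying an ExtendedResponse into a dict."""
    tag, body, _ = read_tlv(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)                 # messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, pos = read_tlv(op)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, _, pos = read_tlv(op, pos)                # matchedDN, unused here
    _, diag, pos = read_tlv(op, pos)             # diagnosticMessage
    name = None
    while pos < len(op):                         # optional referral / responseName
        tag, val, pos = read_tlv(op, pos)
        if tag == TAG_RESPONSE_NAME:
            name = val
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "diagnostic": diag.decode("utf-8", "replace"),
            "response_name": name}


def negotiate(response_msg, enforce):
    """Client policy once the Start TLS reply arrives.
    enforce=False models -ZZ: a refusal is tolerated and the session stays in
    clear text. enforce=True models -ZZZ: a refusal aborts before any LDAP
    search or bind is sent. Returns "tls", "cleartext" or "abort"."""
    resp = parse_starttls_response(response_msg)
    if resp["result_code"] == 0 and resp["response_name"] in (None, STARTTLS_OID):
        return "tls"             # caller now wraps the socket in TLS
    return "abort" if enforce else "cleartext"
```

With `refused = build_starttls_response(1, 2, b"unsupported extended operation")`, `negotiate(refused, enforce=False)` returns "cleartext", which is the silent fallback the troubleshooting list describes, and `negotiate(refused, enforce=True)` returns "abort". Result code 2 (protocolError) is what RFC 4511 specifies for an extended operation the server does not recognise; the diagnostic string is made up for the example.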