HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

12.4.1 Enabling TLS/SSL only in the Directory Server
1. Obtain and install CA and server certificates.
2. Set the secure port for the server to use for TLS/SSL communications.
The encrypted port number must not be the same port number used for normal LDAP
communications. By default, the standard port number is 389, and the secure port is 636.
a. Change the secure port number in the Configuration>Settings tab of the Directory Server
Console.
b. Restart the Directory Server. It restarts over the regular port.
3. In the Directory Server Console, select the Configuration tab, then select the top entry in the
navigation tree in the left pane. Select the Encryption tab in the right pane.
4. Select the Enable SSL for this Server checkbox.
5. Check the Use this Cipher Family checkbox.
6. Select the certificate to use from the drop-down menu.
7. Click Cipher Settings.
The Cipher Preference dialog box opens. By default, all ciphers are selected; clear the checkbox of any cipher the server should not offer, because clients can negotiate any cipher that is left selected.
8. Set the preferences for client authentication.
Do not allow client authentication
With this option, the server ignores any certificate the client presents. The bind does not fail; the client is simply not authenticated by its certificate.
Allow client authentication
This is the default setting. With this option, authentication is performed on the client's
request. For more information about certificate-based authentication, see “Using
certificate-based authentication” (page 487).
Require client authentication
With this option, the server requires the client to present a certificate and rejects the TLS/SSL connection if the client does not present an acceptable one.
If TLS/SSL is enabled only in the Directory Server and not in the Directory Server Console, do not select the Require client authentication checkbox.
NOTE:
To use certificate-based authentication with replication, the consumer server must be configured
either to allow or to require client authentication.
9. To verify the identity of the servers to which the Directory Server opens outbound TLS/SSL connections (replication peers, for example), select the Check hostname against name in certificate for outbound SSL connections option. The server performs this verification by matching the peer's host name against the value of the common name (cn) attribute of the subject name in the certificate being presented for authentication.
By default, this feature is disabled. If it is enabled and if the host name does not match the
cn attribute of the certificate, appropriate error and audit messages are logged. For example,
in a replicated environment, messages similar to these are logged in the supplier server's log
files if it finds that the peer server's host name does not match the name specified in its
certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=agmt1" (host2:389): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
HP recommends enabling this option to protect the Directory Server's outbound TLS/SSL connections against a man-in-the-middle (MITM) attack. Without it, the server accepts any certificate that chains to a trusted CA, whatever host name that certificate carries.
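The following added example is not part of this guide or of the server's own tooling. It shows the cn=config settings behind steps 2 and 4 through 9 as LDIF, with the checks a practitioner would want before applying them (a secure port distinct from 389, only the three client-authentication modes, only on/off for the hostname check), a post-restart check of the secure port, and a scan of the errors log for the hostname-mismatch failure quoted in step 9. It assumes the server exposes the 389-DS/Red Hat DS attribute names (nsslapd-securePort, nsslapd-security, nsslapd-ssl-check-hostname, nsSSL3, nsTLS1, nsSSLClientAuth, nsSSLPersonalitySSL, nsSSLToken, nsSSLActivation), that the certificates from step 1 are already in the server's NSS database, that OpenLDAP-style ldapmodify and OpenSSL 1.1.0 or later are installed, and it uses placeholder host names and bind DN; the sample log lines are constructed from the two messages shown in step 9.

```shell
#!/bin/sh
# Added example, not taken from the HP-UX Directory Server guide: the cn=config
# settings behind console steps 2 and 4-9 as LDIF, a post-restart check, and a
# scan of the errors log for the step-9 hostname mismatch. Assumptions: the
# server uses the 389-DS/Red Hat DS attribute names below; the step-1
# certificates are already in its NSS database under NICKNAME; OpenLDAP-style
# client tools (-x -H) and OpenSSL 1.1.0+ are installed; host names and the
# bind DN are placeholders.

# tls_ldif PORT CLIENTAUTH CHECKHOST [NICKNAME]
#   PORT        secure port (step 2), must differ from the LDAP port 389
#   CLIENTAUTH  off | allowed | required (step 8)
#   CHECKHOST   on | off (step 9);  NICKNAME defaults to Server-Cert (step 6)
tls_ldif() {
    port=$1 clientauth=$2 checkhost=$3 nick=${4:-Server-Cert}
    case $port in
        ''|*[!0-9]*) echo "tls_ldif: port must be numeric" >&2; return 1 ;;
        389) echo "tls_ldif: secure port must differ from the LDAP port 389" >&2; return 1 ;;
    esac
    case $clientauth in
        off|allowed|required) ;;
        *) echo "tls_ldif: client auth must be off, allowed or required" >&2; return 1 ;;
    esac
    case $checkhost in
        on|off) ;;
        *) echo "tls_ldif: hostname check must be on or off" >&2; return 1 ;;
    esac
    # Only TLS is left enabled (assumes this release honours nsTLS1; the
    # guide's own era set nsSSL3 on instead).
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-securePort
nsslapd-securePort: $port
-
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: $checkhost

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsTLS1
nsTLS1: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: $clientauth

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: $nick
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
}

# Apply over the still-plain port, then restart the server (step 2b): the
# secure listener only exists after the restart.
apply_tls_config() {
    host=$1; shift
    tls_ldif "$@" | ldapmodify -x -H "ldap://$host:389" -D "cn=Directory Manager" -W
}

# After the restart: the secure port must answer with a certificate that chains
# to CAFILE and names HOST, the same check the server applies to its own
# outbound connections when nsslapd-ssl-check-hostname is on.
verify_tls() {
    host=$1 port=$2 cafile=$3
    openssl s_client -connect "$host:$port" -CAfile "$cafile" \
        -verify_return_error -verify_hostname "$host" </dev/null >/dev/null 2>&1
}

# Constructed sample of the errors log: the two messages quoted in step 9
# (one line each in the real log) plus an unrelated line.
sample_errors_log() {
    printf '%s\n' \
        "[DATE] - SSL alert: ldap_sasl_bind(\"\",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)" \
        "[DATE] NSMMReplicationPlugin - agmt=\"cn=agmt1\" (host2:389): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)" \
        "[DATE] - slapd started."
}

# Read an errors log on stdin; print the agreement and peer of every replication
# bind that failed right after an NSS -12276 (hostname mismatch) alert.
hostname_mismatches() {
    awk '/SSL alert:.*-12276/ { pending = 1; next }
         pending && /NSMMReplicationPlugin - agmt=/ {
             if (match($0, /agmt="[^"]*" \([^)]*\)/)) print substr($0, RSTART, RLENGTH)
             pending = 0
         }'
}
```

Usage: apply_tls_config host1.example.com 636 allowed on, restart the server, then verify_tls host1.example.com 636 ca.pem; hostname_mismatches < /path/to/errors lists every agreement whose peer certificate failed the step-9 check (for the constructed sample it prints agmt="cn=agmt1" (host2:389)). Pass required as CLIENTAUTH only when every client that uses the secure port, the Console included, can present a certificate.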
12.4 Starting the server with TLS/SSL enabled 481