HP-UX Directory Server manual, Using SSL/TLS with the Console, Overview of SSL/TLS

Page 61

6 Using SSL/TLS with the Console

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols which set up encrypted, authenticated communication between an SSL/TLS server and a client which connects to it. The Directory Server can be configured to serve LDAP over SSL/TLS (LDAPS). Likewise, the Administration Server can be configured to run over secure HTTP (HTTPS) rather than standard HTTP. Both the Directory Server and the Administration Server are SSL/TLS servers.

The Console can be configured as an SSL/TLS client which connects to the servers over SSL/TLS, so that all Console operations, including the credentials it sends, travel over the encrypted connection.

6.1 Overview of SSL/TLS

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) set rules that govern authentication (identity verification) between two entities and set up encrypted communication between servers and clients. For Directory Server and Administration Server, TLS/SSL means that directory operations run over LDAPS (secure LDAP) and HTTPS (secure HTTP), respectively.

Secure communication depends on the ability to encrypt information so that only the intended recipient can recover it. Both the TLS server (the application which is being contacted) and the TLS client (the user or application which contacts the server) have to agree on how the information is encrypted and decrypted.1

Cryptography protects information using recognized algorithms and ciphers, mathematical operations which scramble data so that it cannot be read without the matching secret; a set of related algorithms and ciphers used together in one TLS session is called a cipher suite. The same operations unscramble the data as long as the party has the right decoding information, called a key. In public-key cryptography, keys come in matched pairs:

The private key is held by only one entity and is never shared. It decrypts data that was encrypted with the matching public key, and it creates digital signatures.

The public key matches the private key and can be distributed freely. It encrypts data that only the holder of the private key can decrypt, and it verifies signatures made with the private key.

A certificate binds a public key to identity information for the server or user. It contains the public key, the algorithm used for its digital signature (a signature plays the role of a fingerprint, letting anyone with the signer's public key check that the certificate has not been altered), and the subject's identity; it is itself signed by a certificate authority (CA) so that a client can verify that binding. In TLS, the certificate's key pair is used only to authenticate the server and to establish a shared session key; the session traffic itself is encrypted with the symmetric cipher from the negotiated cipher suite.
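The division of labour between the two halves of a key pair, as an added example that is not part of the manual: a toy RSA pair (fixed Mersenne primes, a modulus of about 150 bits) shows that the public key encrypts and verifies while the private key decrypts and signs, and that a signature stops verifying the moment the signed identity is changed. The primes, the message, and the names (`make_keypair`, `sign`, `verify`) are assumptions chosen for readability; the modulus size is nowhere near what a real server key needs. It assumes Python 3.8 or later for `pow(e, -1, phi)`.

```python
"""Added example (not from the HP-UX Directory Server manual): a toy RSA
key pair, used only to show which half of the pair does what.  The primes
are fixed Mersenne primes and the modulus is ~150 bits, far too small for
real use; a TLS server key is 2048 bits or more, generated from a CSPRNG."""
import hashlib

# Toy parameters (assumption: chosen for readability, not security).
P = 2**61 - 1          # Mersenne prime M61
Q = 2**89 - 1          # Mersenne prime M89
E = 65537


def make_keypair():
    """Return (public, private) as (n, e) and (n, d)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, E), (n, d)


def encrypt(public, message):
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public
    m = int.from_bytes(message, "big")
    assert m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private, ciphertext):
    """Recover the plaintext bytes with the private key."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_int(message):
    # Sign a hash of the message, truncated to 128 bits so it fits below the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(private, message):
    """Only the private-key holder can produce this value."""
    n, d = private
    return pow(_digest_int(message), d, n)


def verify(public, message, signature):
    """Anyone with the public key (e.g. taken from a certificate) can check it."""
    n, e = public
    return pow(signature, e, n) == _digest_int(message)


def demo():
    """Return (decrypt_ok, signature_ok, tampered_signature_ok)."""
    public, private = make_keypair()
    secret = b"bind password"                       # constructed sample plaintext
    decrypt_ok = decrypt(private, encrypt(public, secret)) == secret
    subject = b"CN=ldap.example.com"                # constructed certificate subject
    sig = sign(private, subject)
    signature_ok = verify(public, subject, sig)
    tampered_ok = verify(public, b"CN=ldap.example.org", sig)
    return decrypt_ok, signature_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The direction matters for the rest of this chapter: a client that receives the server's certificate holds only the public half, so it can encrypt to the server and check the server's signatures, but it can never impersonate the server.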

In server authentication (the only TLS mode the Directory Console supports), the server presents its certificate (containing its public key, the signature algorithm, and the server's identity information) to the client, and the client verifies it. The client itself may then be validated (authenticated) to the server through simple authentication, such as a username and password sent over the already-encrypted connection, or not at all. With client authentication, both the server and the client present certificates proving their identity.

TLS/SSL communication has two major phases: the SSL/TLS handshake (where the server and client authenticate their identities and agree on how to protect the session) and secure communication (the encrypted session between the client and server). Authentication and encryption are performed using secure materials, called certificates and keys.

The TLS handshake is when the server and client negotiate the parameters of the connection and establish the session keys which will be used for secure communication:

1. The TLS client initiates contact with the TLS server. The client sends information about its TLS configuration to help the server negotiate the connection parameters:

The highest TLS/SSL version the client supports (the server selects the highest version both sides support, so the connection is only as strong as the weakest version either side still accepts)

A list of acceptable cipher suites, in the client's order of preference

1. For HP-UX Directory Server, the Directory Server and Administration Server are the TLS servers, and the Directory Console, or a user working through LDAP tools or a browser, is the TLS client.
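What step 1 actually puts on the wire, as an added example that is not part of the manual: a small builder and parser for the TLS ClientHello record, which carries exactly the two fields listed above (the client's protocol version and its cipher suite list) before any encryption is in place. The record layout follows the TLS 1.0 to 1.2 handshake format; the sample random bytes, the offered suite list, the server preference list, and the function names (`build_client_hello`, `parse_client_hello`, `choose_suite`, `review`) are assumptions constructed for the example. The cipher suite codes are the IANA-registered values.

```python
"""Added example (not from the HP-UX Directory Server manual): build and
parse a TLS ClientHello to show what the client advertises in step 1 of the
handshake, and how a server would pick from it."""
import struct

# A few IANA cipher suite codes, for readable output.
SUITE_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def build_client_hello(version, suites, random32):
    """Wrap a ClientHello body in a handshake header and a TLS record."""
    assert len(random32) == 32
    body = struct.pack("!H", version) + random32          # client_version, random
    body += b"\x00"                                        # empty session_id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    # record header: content type 22 (handshake), record-layer version, length
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Return the fields a server uses to negotiate: version and offered suites."""
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                           # skip the 32-byte client random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "cipher_suites": suites}


def choose_suite(server_preference, offered):
    """Server side: first suite in the server's own preference order that the client offered."""
    for s in server_preference:
        if s in offered:
            return s
    return None


def review(parsed):
    """Flag what a practitioner would not want to see offered."""
    findings = []
    if parsed["version"] < 0x0303:
        findings.append("version %s: negotiation can settle below TLS 1.2"
                        % VERSION_NAMES.get(parsed["version"], hex(parsed["version"])))
    for s in parsed["cipher_suites"]:
        name = SUITE_NAMES.get(s, "0x%04X" % s)
        if name.startswith("TLS_RSA_WITH"):
            findings.append(name + ": RSA key transport, no forward secrecy")
        if "3DES" in name:
            findings.append(name + ": 3DES, 64-bit block cipher")
    return findings


def demo():
    """Constructed sample: a TLS 1.2 client offering two ECDHE suites and two legacy ones."""
    hello = build_client_hello(0x0303, [0xC030, 0xC02F, 0x0035, 0x000A], bytes(range(32)))
    parsed = parse_client_hello(hello)
    chosen = choose_suite([0xC02F, 0xC030, 0x002F], parsed["cipher_suites"])  # server prefers AES-128-GCM
    return parsed, chosen, review(parsed)


if __name__ == "__main__":
    parsed, chosen, findings = demo()
    print(VERSION_NAMES[parsed["version"]], [SUITE_NAMES[s] for s in parsed["cipher_suites"]])
    print("server picks", SUITE_NAMES[chosen])
    for f in findings:
        print("warning:", f)
```

Two points the parser makes visible: everything in this message, including the full suite list, is sent in clear text, and the server, not the client, makes the final choice. Trimming the list on the client (in the Console's cipher family settings) only helps if the server's own preference order is sound as well.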
