HP UX Direry Server manual Using SSL/TLS with the Console, Overview of SSL/TLS

6 Using SSL/TLS with the Console

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols which set up secure, encrypted communication between an SSL/TLS server and a client which connects to it. In Directory Server, the Directory Server can be configured to communicate with LDAP over SSL, LDAPS. Likewise, the Administration Server can be configured to run over secure HTTP (HTTPS) rather than standard HTTP. Both the Directory Server and Administration Server are SSL servers.

The Console can be configured as an SSL client, which connects to the servers over SSL, and can be configured so that all Console operations are over SSL.

6.1 Overview of SSL/TLS

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) set rules that govern authentication (identity verification) between two entities and set up encrypted communication between servers and clients. For Directory Server and Administration Server, TLS/SSL means that directory operations run over LDAPS (secure LDAP) and HTTPS (secure HTTP), respectively.

Secure communication depends on the ability to hide and uncover information by disguising it with complex codes. Both the TLS server (the application which is being contacted) and the TLS client (the user or application which contacts the server) have to be able to understand the encoded information.1

Cryptography encrypts and protects information using recognized algorithms and ciphers, or mathematical equations which can scramble information; sets of related algorithms and ciphers are called cipher suites. The equations are also used to unscramble the information as long as a server has the right information to decode the data; the decoder information is called a key. Keys come in two halves:

•The private key is held by only one entity and encrypts (wraps) the information.

•The public key matches the private key and can be used to decrypt information wrapped by the private key.

A certificate contains a public key that can be used to decrypt information, algorithms used for a digital signature (similar to a fingerprint), and identity information for the server or user.

In server authentication (the TLS method allowed by the Directory Console), the server presents a certificate (containing a public key, algorithms used for the digital signature, and server identity information) to the client. The client may be validated (authenticated) to the server through simple authentication, such as a username and password, or no authentication. With client authentication, both the server and client present certificates proving their identity.

TLS/SSL communication has two major parts: the SSL/TLS handshake (where the server and client authenticate their identities) and secure communication (the encrypted session between the client and server). Authentication and encryption are performed using secure materials, called certificates and keys.

The TLS handshake is when the server and client negotiate the parameters of the connection and generate the keys which will be used for secure communication:

1.The TLS client initiates contact with the TLS server. The client sends information about its TLS configuration to help the server negotiate the connection parameters:

•The TLS/SSL version the client is using (all TLS/SSL versions are backward compatible)

•A list of acceptable cipher suites

1.For HP-UX Directory Server, the Directory Server and Administration Server are the TLS servers, and the Directory Console or a user through LDAP tools or browsers are the TLS client.