6 Using SSL/TLS with the Console

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols that set up secure, encrypted communication between an SSL/TLS server and a client that connects to it. The Directory Server can be configured to accept LDAP over SSL (LDAPS). Likewise, the Administration Server can be configured to run over secure HTTP (HTTPS) rather than standard HTTP. Both the Directory Server and the Administration Server are SSL servers.

The Console can be configured as an SSL client, which connects to the servers over SSL, and can be configured so that all Console operations are over SSL.

6.1 Overview of SSL/TLS

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) set rules that govern authentication (identity verification) between two entities and set up encrypted communication between servers and clients. For Directory Server and Administration Server, TLS/SSL means that directory operations run over LDAPS (secure LDAP) and HTTPS (secure HTTP), respectively.

Secure communication depends on the ability to hide and uncover information by disguising it with complex codes. Both the TLS server (the application which is being contacted) and the TLS client (the user or application which contacts the server) have to be able to understand the encoded information.[1]

Cryptography encrypts and protects information using recognized algorithms and ciphers, or mathematical equations which can scramble information; sets of related algorithms and ciphers are called cipher suites. The equations are also used to unscramble the information as long as a server has the right information to decode the data; the decoder information is called a key. Keys come in two halves:

The private key is held by only one entity and encrypts (wraps) the information.

The public key matches the private key and can be used to decrypt information wrapped by the private key.

A certificate contains a public key that can be used to decrypt information, algorithms used for a digital signature (similar to a fingerprint), and identity information for the server or user.

In server authentication (the TLS method allowed by the Directory Console), the server presents a certificate (containing a public key, algorithms used for the digital signature, and server identity information) to the client. The client may be validated (authenticated) to the server through simple authentication, such as a username and password, or no authentication. With client authentication, both the server and client present certificates proving their identity.

TLS/SSL communication has two major parts: the SSL/TLS handshake (where the server and client authenticate their identities) and secure communication (the encrypted session between the client and server). Authentication and encryption are performed using secure materials, called certificates and keys.

The TLS handshake is when the server and client negotiate the parameters of the connection and generate the keys which will be used for secure communication:

1. The TLS client initiates contact with the TLS server. The client sends information about its TLS configuration to help the server negotiate the connection parameters:

The TLS/SSL version the client is using (all TLS/SSL versions are backward compatible)

A list of acceptable cipher suites

[1] For HP-UX Directory Server, the Directory Server and Administration Server are the TLS servers, and the Directory Console or a user through LDAP tools or browsers are the TLS client.
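The server-authentication handshake described above, as an added Go example that is not code from this manual or from the Directory Server or Console (which use their own TLS implementation, not Go's crypto/tls). It assumes a constructed self-signed certificate standing in for the Directory Server's certificate and the made-up host name ldap.example.test; the client accepts the server only when that certificate is in its trust store and carries the name it connected to, and the maxVersion argument lets the same code show a TLS 1.2 and a TLS 1.3 negotiation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for host in memory: a constructed
// stand-in for the Directory Server's real certificate and private key.
func selfSignedCert(host string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the server identity the client will check
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// handshake runs one server-authenticated TLS handshake over an in-memory pipe (maxVersion caps
// what the client offers) and returns the negotiated version and cipher suite, or the verification error.
func handshake(cert tls.Certificate, trusted *x509.CertPool, host string, maxVersion uint16) (uint16, string, error) {
	cli, srv := net.Pipe()
	cli.SetDeadline(time.Now().Add(3 * time.Second)) // a failed handshake must not hang
	go func() { // server side: presents its certificate, asks nothing of the client
		s := tls.Server(srv, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
		s.Handshake() // any failure is also reported to the client
		srv.Close()
	}()
	defer cli.Close()
	c := tls.Client(cli, &tls.Config{RootCAs: trusted, ServerName: host, MinVersion: tls.VersionTLS12, MaxVersion: maxVersion})
	if err := c.Handshake(); err != nil {
		return 0, "", err
	}
	st := c.ConnectionState()
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}
```

Calling handshake with an empty CertPool, or with a host name the certificate does not carry, returns the client's verification error instead of a cipher suite, which is the check the Console relies on when it only trusts CAs imported into its certificate database.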


HP UX Directory Server specifications

HP UX Directory Server is a robust and scalable solution designed for managing directory information within enterprise networks. Developed by Hewlett-Packard (HP), this server offers an extensive set of features tailored to meet the needs of organizations that require an efficient way to store, manage, and retrieve identity and access data.

One of the key features of HP UX Directory Server is its ability to handle large directories with significant volumes of data. Built on a highly optimized architecture, it provides excellent performance and can support millions of entries without sacrificing speed or reliability. This capability makes it an ideal choice for large-scale deployments in enterprises that require high availability and responsiveness.

In addition to its scalability, HP UX Directory Server supports a wide range of protocols, including LDAP (Lightweight Directory Access Protocol), which ensures seamless integration with diverse applications and systems across various platforms. The server maintains standards compliance, which facilitates interoperability and simplifies administration tasks.

Security is a top priority for HP UX Directory Server, offering an array of features to protect sensitive information. It supports secure data transmission via TLS/SSL protocols, ensuring encrypted communication between clients and servers. Advanced access controls allow administrators to define fine-grained permissions, helping to safeguard directory data against unauthorized access.

Another salient feature of HP UX Directory Server is its replication capabilities. The server can replicate directory data across multiple instances, ensuring data consistency and availability in distributed environments. This feature is essential for businesses operating across different geographical locations or requiring failover solutions for disaster recovery.

HP UX Directory Server also comes equipped with tools for data management, including an intuitive administration console for configuring and monitoring the server. Additionally, it offers customizable schema capabilities, enabling organizations to tailor the directory structure to fit their specific needs.

Integration with existing identity management solutions is streamlined through connectors and APIs, allowing organizations to extend their directory services and enhance user experience.

In summary, HP UX Directory Server is a powerful directory management solution that combines scalability, security, and integration flexibility. Its support for industry standards, advanced replication, and comprehensive administrative tools makes it an essential asset for organizations seeking to manage identity and access efficiently. By leveraging this technology, businesses can improve their operational efficiency and ensure a secure and organized approach to directory management.