Enabling TLS/SSL Only in the Directory

8. Set the preferences for client authentication.

Do not allow client authentication. With this option, the server ignores the client's certificate. This does not mean that the bind will fail.

Allow client authentication. This is the default setting. With this option, authentication is performed on the client's request. For more information about certificate-based authentication, see Section 6, “Using Certificate-Based Authentication”.

Require client authentication. With this option, the server requests authentication from the client.

If TLS/SSL is only enabled in the Directory Server and not in the Directory Server Console, do not select the Require client authentication checkbox.

NOTE

To use certificate-based authentication with replication, the consumer server must be configured either to allow or to require client authentication.

9. To verify the authenticity of requests, select the Check hostname against name in certificate for outbound SSL connections option. The server does this verification by matching the hostname against the value assigned to the common name (cn) attribute of the subject name in the certificate being presented for authentication.

By default, this feature is disabled. If it is enabled and the hostname does not match the cn attribute of the certificate, appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these are logged in the supplier server's log files if it finds that the peer server's hostname does not match the name specified in its certificate:

[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 -
Unable to communicate securely with peer: requested domain name does not match the server's
certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication
bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)

Red Hat recommends enabling this option to protect Directory Server's outbound SSL connections against a man-in-the-middle (MITM) attack.
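The check described in step 9 is the subject cn of the peer's certificate compared against the hostname the supplier was told to connect to. The following Python is an added example, not code from the manual or from Directory Server: it parses a constructed subject DN, extracts the cn, compares it label by label with the requested hostname, and produces an audit-style message modelled on the log excerpt above. The function names, the sample subject and the wildcard rule (a single "*" in the leftmost cn label matching exactly one hostname label) are assumptions of this example; the manual only states that the hostname is matched against the cn. Note that current TLS clients check subjectAltName first and fall back to the cn only if no SAN is present, so this example models the older cn-only behaviour the manual describes.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample data (not from the manual): the subject DN a peer
# consumer might present on an outbound replication connection.
CONSTRUCTED_PEER_SUBJECT = "CN=ultra60.example.com, OU=Directory, O=Example Corp, C=US"

# Split an RFC 2253-style DN on commas that are not backslash-escaped.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(subject_dn: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) pairs for a DN string such as 'CN=a,O=b'."""
    pairs = []
    for rdn in _RDN_SPLIT.split(subject_dn):
        if '=' not in rdn:
            continue
        attr, value = rdn.split('=', 1)
        pairs.append((attr.strip().lower(), value.strip().replace('\\,', ',')))
    return pairs


def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the first cn value in the subject, or None if there is none."""
    for attr, value in parse_dn(subject_dn):
        if attr == 'cn':
            return value
    return None


def hostname_matches_cn(hostname: str, cn: str) -> bool:
    """Compare a hostname with a certificate cn, case-insensitively and label by label.

    Assumption (not stated in the manual): a lone '*' in the leftmost label of
    the cn matches exactly one hostname label, and never the whole name.
    """
    host_labels = hostname.lower().rstrip('.').split('.')
    cn_labels = cn.lower().rstrip('.').split('.')
    if len(host_labels) != len(cn_labels):
        return False
    for i, (h, c) in enumerate(zip(host_labels, cn_labels)):
        if i == 0 and c == '*' and len(cn_labels) > 2:
            continue
        if h != c:
            return False
    return True


def check_outbound_peer(hostname: str, subject_dn: str) -> Tuple[bool, str]:
    """Decide whether the outbound connection to `hostname` may proceed given the
    peer's certificate subject, and return an audit-style message either way."""
    cn = subject_cn(subject_dn)
    if cn is None:
        return False, f"peer certificate for {hostname} has no cn in its subject: {subject_dn}"
    if hostname_matches_cn(hostname, cn):
        return True, f"hostname {hostname} matches certificate cn {cn}"
    # Wording modelled on the manual's log excerpt; the connection is refused.
    return False, (f"requested domain name {hostname} does not match the server's "
                   f"certificate (cn={cn})")


if __name__ == "__main__":
    # The short name 'ultra60', as used in the manual's replication agreement,
    # does not match the fully qualified cn in the constructed certificate.
    for host in ("ultra60.example.com", "ULTRA60.EXAMPLE.COM", "ultra60", "ultra60.evil.example"):
        ok, msg = check_outbound_peer(host, CONSTRUCTED_PEER_SUBJECT)
        print("OK  " if ok else "FAIL", msg)
```

The "ultra60" case is the one to keep in mind when enabling the option: a replication agreement that names the peer by its short hostname will be refused if the certificate carries the fully qualified name, which is exactly the situation the log excerpt above records.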

10. Click Save.

11. Restart the Directory Server. The Directory Server must be restarted from the command line.
