6.3. Enabling TLS/SSL

To run the Red Hat Console over TLS/SSL, the Administration Server and the Directory Server must also be configured to run over TLS/SSL.
This procedure configures server authentication for the Console, the Red Hat Directory Server, and the Administration Server.
  1. Obtain server certificates and CA certs, and install them on the Directory Server. This is described in Section 6.2, “Installing Certificates”.
  2. Obtain and install server and CA certificates on the Administration Server. This is a similar process as for the Directory Server.

    NOTE

    It is important that the Administration Server and Directory Server have a CA certificate in common so that they can trust the other's certificates.
  3. If the default port number of 636 is not used, change the secure port setting.
    1. Change the secure port number in the Configuration>Settings tab of the Directory Server Console, and save.
    2. Restart the Directory Server[2]. Because TLS/SSL is not yet enabled, the server still comes up on the regular (non-secure) port.
      service dirsrv restart slapd-example
  4. In the Configuration tab of the Directory Server Console, highlight the server name at the top of the table, and select the Encryption tab.
  5. Select the Enable SSL checkbox.
  6. Check the Use this Cipher Family checkbox.
  7. Select the certificate to use from the drop-down menu.
  8. Click Cipher Settings. By default, all ciphers are selected.
  9. Set the preferences for client authentication.
    • Do not allow client authentication. With this option, the server ignores the client's certificate. This does not mean that the bind will fail.
    • Allow client authentication. This is the default setting. With this option, authentication is performed on the client's request.
    • Require client authentication. With this option, the server requests a certificate from the client and rejects the connection if none is presented. All clients must authenticate to the server with a certificate; simple authentication (username/password) is not allowed.

    NOTE

    To use client certificate-based authentication with replication, configure the consumer server either to allow or to require client authentication.
  10. To verify the authenticity of requests, select the Check hostname against name in certificate for outbound SSL connections option. The server performs this verification by matching the hostname against the value of the common name (cn) attribute in the subject name of the certificate being presented for authentication. The hostname that is checked in the certificate is the same one set in the server name field of the request in Section 6.2.1, “Generating a Certificate Request”.
    By default, this feature is disabled. If it is enabled and the hostname does not match the cn attribute of the certificate, appropriate error and audit messages are logged and the connection is not trusted. Red Hat recommends enabling this option to protect Directory Server's outbound TLS/SSL connections (for example, to a replication consumer) against a man-in-the-middle (MITM) attack: without the check, any certificate issued by a trusted CA is accepted, regardless of which host it was issued to.
  11. Check the Use SSL in the Console box.

    NOTE

    This is the only option which sets whether the Red Hat Console will run over SSL.
  12. Click Save.
  13. In the Administration Server Console, select the Configuration tab. Select the Encryption tab, check the Enable SSL checkbox, and fill in the appropriate certificate information.
    Once TLS/SSL is enabled, the Administration Server can only be connected to using HTTPS. All of the previous HTTP (standard) URLs for connecting to the Administration Server and its services no longer work. This is true whether connecting to the Administration Server using the Console or using a web browser.
  14. In the Configuration DS tab, change the port number to the new Directory Server secure port information, even if the default port of 636 is used. Check the Secure Connection checkbox.
  15. In the User DS tab, select the Set User Directory radio button, and fill in the Directory Server secure port information, the LDAP URL, and the user database information. Check the Secure Connection checkbox.
  16. Save the new TLS/SSL settings and Configuration DS and User DS information in the Administration Server Console.
  17. Restart the Directory Server. The server must be restarted from the command line.
    service dirsrv restart slapd-example
    When the server restarts, it prompts for the PIN or password to unlock the key database. This is the same password used when the server certificate and key were imported into the database.
    Using a pin.txt file to store the token database passwords allows the Directory Server to restart without prompting for the password. This is covered in Section 6.4.1, “Creating a Password File for the Directory Server”.
  18. Restart the Administration Server. The server must be restarted from the command line.
    service dirsrv-admin restart
    When the server restarts, it prompts for the PIN or password to unlock the key database. This is the same password used when the server certificate and key were imported into the database.
    Using a password.conf file to store the token database passwords allows the Administration Server to restart without prompting for the password. This is covered in Section 6.4.2, “Creating a Password File for the Administration Server”.

NOTE

After configuring SSL/TLS for the Administration Server, make sure that the URL begins with https when next logging into the Administration Server or Red Hat Console. With SSL/TLS, all connections to the Administration Server must be over HTTPS. Otherwise, the operation times out, because the client cannot reach a server that now accepts only secure connections. After successfully connecting, a dialog box appears asking whether to accept the certificate. Click OK to accept the certificate (either only for the current session or permanently).
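The following is an added example, not code from Red Hat Directory Server, illustrating the outbound hostname check described in step 10 and why leaving it disabled (the default) weakens replication and other outbound TLS connections. It works on a certificate described in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the two certificates below are constructed sample data, not real certificates, and the function and cert names are assumptions for illustration. It goes slightly beyond the page: in addition to the subject cn, it also accepts a matching subjectAltName DNS entry and a single-label wildcard, which is how current TLS clients validate names.

```python
import logging

log = logging.getLogger("dirsrv.outbound_tls")

# Constructed sample peer certificates in getpeercert() dict form (hypothetical hosts).
SAMPLE_CERTS = {
    # The consumer we actually want to talk to.
    "consumer": {
        "subject": ((("commonName", "ldap2.example.com"),),),
        "subjectAltName": (("DNS", "ldap2.example.com"),),
    },
    # A certificate issued by the same trusted CA, but for a different host.
    # An attacker who controls this host (or DNS/routing) can present it.
    "impostor": {
        "subject": ((("commonName", "other.example.com"),),),
    },
    # A wildcard certificate for the whole domain.
    "wildcard": {
        "subject": ((("commonName", "*.example.com"),),),
    },
}


def cert_names(cert):
    """Return (subject cn, [subjectAltName DNS names]) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cn = value
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def _name_matches(pattern, hostname):
    """Case-insensitive exact match; '*.' may stand in for exactly one leading label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def accept_outbound_connection(hostname, cert, check_hostname=False):
    """Decide whether an outbound TLS connection to `hostname` may proceed.

    check_hostname=False models the default: the CA signature is trusted and the
    name in the certificate is never compared with the host we dialled.
    check_hostname=True models the Console option from step 10.
    """
    if not check_hostname:
        return True
    cn, sans = cert_names(cert)
    # RFC 6125 style: if SAN DNS names exist they take precedence over the cn.
    candidates = sans if sans else ([cn] if cn else [])
    if any(_name_matches(c, hostname) for c in candidates):
        return True
    log.error("hostname %r does not match certificate names %r; refusing connection",
              hostname, candidates)
    return False


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        for check in (False, True):
            ok = accept_outbound_connection("ldap2.example.com", cert, check_hostname=check)
            print(f"{name:9s} check={check!s:5s} accepted={ok}")
```

With the check disabled, the impostor's certificate is accepted just like the consumer's, because both chain to the common CA; with the check enabled, only the certificate whose name matches the dialled host (or a wildcard covering it) is accepted, and a mismatch is logged as an error.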


[2] This command is for Red Hat Enterprise Linux 5 (32-bit); for commands for other platforms, see the Directory Server Administrator's Guide.