9.4. Enabling TLS
Directory Server supports two ways to encrypt a connection:
- The LDAPS protocol: TLS encryption is used directly after the connection has been established.
- The STARTTLS command over the LDAP protocol: The connection is unencrypted until the client sends the STARTTLS command.
Important
9.4.1. Enabling TLS in Directory Server
9.4.1.1. Enabling TLS in Directory Server Using the Command Line
- Request and install the certificate:
  - For a certificate issued by a Certificate Authority (CA):
    - Create a Certificate Signing Request (CSR). See Section 9.3.1.1, “Creating a Certificate Signing Request Using the Command Line”.
    - Import the CA certificate. See Section 9.3.2.1, “Installing a CA Certificate Using the Command Line”.
    - Import the server certificate issued by the CA. See Section 9.3.4.1, “Installing a Server Certificate Using the Command Line”.
  - For a self-signed certificate, see Section 9.3.5, “Generating and Installing a Self-signed Certificate”.
- Enable TLS and set the LDAPS port:
  # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-securePort=636 nsslapd-security=on
  Successfully replaced "nsslapd-securePort"
  Successfully replaced "nsslapd-security"
- Display the name of the server certificate in the NSS database:
  # dsconf -D "cn=Directory Manager" ldap://server.example.com security certificate list
  Certificate Name: Server-Cert
  Subject DN: CN=server.example.com
  Issuer DN: CN=Example CA
  Expires: 2022-07-29 11:10:14
  Trust Flags: ,,
  You need the nickname in the next step.
- Enable the RSA cipher family, and set the NSS database security device and the server certificate name:
  # dsconf -D "cn=Directory Manager" ldap://server.example.com security rsa set --tls-allow-rsa-certificates on --nss-token "internal (software)" --nss-cert-name Server-Cert
  Note
  By default, the name of the security device in the NSS database is internal (software).
- Optionally, update the list of ciphers Directory Server supports. For details, see Section 9.4.1.3.2, “Displaying and Setting the Ciphers Used by Directory Server Using the Command Line”.
- Optionally, enable certificate-based authentication. For details, see Section 9.9, “Using Certificate-based Client Authentication”.
- Optionally, create a password file to enable Directory Server to start without prompting for the password of the NSS database. For details, see Section 9.4.1.5, “Creating a Password File for Directory Server”.
- Restart the Directory Server instance:
  # dsctl instance_name restart
  If you set a password on the NSS database and did not create a password file, Directory Server prompts for the password of the NSS database. For details, see Section 9.4.1.4, “Starting Directory Server Without a Password File”.
9.4.1.2. Enabling TLS in Directory Server Using the Web Console
- Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
- Select the instance.
- Create a CSR. See Section 9.3.1, “Creating a Certificate Signing Request”.
- Import the Certificate Authority (CA) certificate. See Section 9.3.2.2, “Installing a CA Certificate Using the Web Console”.
- Import the server certificate issued by the CA. See Section 9.3.4.2, “Installing a Server Certificate Using the Web Console”.
- Open the Security menu.
- On the Security Configuration tab:
  - Click Security Enabled.
  - Select the certificate's nickname in the Server Certificate Name field.
  - Optionally, change the settings for the minimum and maximum TLS version that the server should support.
  - Optionally, configure client authentication to enable users to authenticate using certificates. For details, see Section 9.9, “Using Certificate-based Client Authentication”.
  - Click Save.
- Optionally, create a password file to enable Directory Server to start without prompting for the password of the NSS database. For details, see Section 9.4.1.5, “Creating a Password File for Directory Server”.
- Restart the Directory Server instance. See Section 1.5.2, “Starting and Stopping a Directory Server Instance Using the Web Console”. If you set a password on the NSS database and did not create a password file, Directory Server prompts for the password of the NSS database. For details, see Section 9.4.1.4, “Starting Directory Server Without a Password File”.
9.4.1.3. Setting Encryption Ciphers
9.4.1.3.1. Displaying the Default Ciphers
If the nsSSL3Ciphers parameter is not set in the cn=encryption,cn=config entry, Directory Server uses the default ciphers of the Network Security Services (NSS). To display the default ciphers:
# /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"
TLS_AES_128_GCM_SHA256:
    0x1301 TLS 1.3 TLS 1.3 AES-GCM 128 AEAD Enabled FIPS Domestic
TLS_CHACHA20_POLY1305_SHA256:
    0x1303 TLS 1.3 TLS 1.3 CHACHA20POLY1305 256 AEAD Enabled Domestic
...
9.4.1.3.2. Displaying and Setting the Ciphers Used by Directory Server Using the Command Line
Displaying all Available Ciphers
# dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list --supported
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
...
Displaying the Ciphers Directory Server Uses
# dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list --enabled
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
...
To display the ciphers that the default keyword enables:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers list default
+tls_rsa_aes_128_sha
+tls_rsa_aes_256_sha
...
The default keyword refers to the preferred default ciphers provided by NSS. See Section 9.4.1.3.1, “Displaying the Default Ciphers”.
Important
Directory Server uses the nsSSL3Ciphers attribute to generate the list of ciphers which are actually used. However, if you enabled weak ciphers in nsSSL3Ciphers but set the allowWeakCiphers parameter to off, which is the default, Directory Server only uses the strong ciphers and displays them in the nsSSLSupportedCiphers read-only attribute.
Updating the List of Enabled Ciphers
- Display the list of currently enabled ciphers. See the section called “Displaying the Ciphers Directory Server Uses”.
- To enable only specific ciphers, update the nsSSL3Ciphers attribute. For example, to enable only the TLS_RSA_WITH_AES_128_GCM_SHA256 cipher:
  # dsconf -D "cn=Directory Manager" ldap://server.example.com security ciphers set "-all,+TLS_RSA_WITH_AES_128_GCM_SHA256"
  The entries are applied in order: -all first disables every cipher, and the +name entries that follow re-enable only the listed ones.
- Restart the Directory Server instance:
  # dsctl instance_name restart
- Optionally, display the list of enabled ciphers to verify the result. See the section called “Displaying the Ciphers Directory Server Uses”.
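The nsSSL3Ciphers syntax used above (a comma-separated list of +name and -name entries with the all and default keywords, applied left to right and then filtered by allowWeakCiphers) is easy to get wrong, so here is a resolver for it. This is an added example, not Directory Server's own code: SUPPORTED and DEFAULT are constructed sample lists standing in for the output of `security ciphers list --supported` and `security ciphers list default`, and is_weak() is this example's own approximation of the server's weak-cipher policy.

```python
"""Resolve an nsSSL3Ciphers cipher specification the way the text describes.

Added example, not 389 Directory Server code. SUPPORTED and DEFAULT are
constructed sample lists, and is_weak() is an assumption about which ciphers
allowWeakCiphers=off drops (legacy/short-key algorithms), not the server's code.
"""

# Constructed sample data: a subset of what a real server reports.
SUPPORTED = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
DEFAULT = SUPPORTED[:6]  # constructed stand-in for the NSS default set

WEAK_MARKERS = ("3DES", "_DES_", "RC4", "NULL", "EXPORT")


def is_weak(name):
    """Assumption: legacy/short-key algorithms are what allowWeakCiphers=off drops."""
    return any(marker in name.upper() for marker in WEAK_MARKERS)


def resolve(spec, supported=SUPPORTED, default=DEFAULT, allow_weak=False):
    """Return the ciphers a spec such as "-all,+TLS_RSA_WITH_AES_128_GCM_SHA256"
    leaves enabled, in `supported` order.

    Entries are applied left to right. `all` and `default` are keywords; a bare
    `default` is treated as `+default`. Unknown names raise instead of being
    ignored, so a typo cannot silently change the resulting cipher set.
    """
    lookup = {c.lower(): c for c in supported}
    enabled = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        else:
            sign, name = "+", token
        key = name.strip().lower()
        if key == "all":
            members = set(supported)
        elif key == "default":
            members = set(default)
        elif key in lookup:
            members = {lookup[key]}
        else:
            raise ValueError("unknown cipher in nsSSL3Ciphers: %r" % name)
        if sign == "+":
            enabled |= members
        else:
            enabled -= members
    if not allow_weak:
        enabled = {c for c in enabled if not is_weak(c)}
    return [c for c in supported if c in enabled]


def review(spec, supported=SUPPORTED, default=DEFAULT):
    """Return (enabled, warnings). Warnings flag an empty result (TLS handshakes
    would fail) and ciphers that were requested but dropped as weak."""
    enabled = resolve(spec, supported, default, allow_weak=False)
    permissive = resolve(spec, supported, default, allow_weak=True)
    warnings = []
    if not enabled:
        warnings.append("no cipher enabled: TLS handshakes will fail")
    for cipher in permissive:
        if cipher not in enabled:
            warnings.append("%s dropped because allowWeakCiphers is off" % cipher)
    return enabled, warnings


if __name__ == "__main__":
    for spec in ("default", "-all,+TLS_RSA_WITH_AES_128_GCM_SHA256",
                 "+all,-TLS_RSA_WITH_AES_128_CBC_SHA",
                 "-all,+TLS_RSA_WITH_3DES_EDE_CBC_SHA"):
        print(spec, "->", review(spec))
```

Run review() against the spec you intend to set before restarting: the last sample spec enables only a cipher the weak-cipher policy removes, which leaves the server with no usable cipher at all.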
9.4.1.3.3. Displaying and Setting the Ciphers Used by Directory Server Using the Web Console
- Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
- Select the instance.
- Open the Security menu.
- On the Cipher Preferences tab, Directory Server displays the currently enabled ciphers.
- If you use different ciphers than the default, select Default Ciphers in the Ciphers Suite field to automatically enable the default ciphers. For details, see Section 9.4.1.3.1, “Displaying the Default Ciphers”. Alternatively, you can set Ciphers Suite to:
  - All Ciphers to enable all ciphers. Optionally, disable specific ciphers in the Deny Specific Ciphers field.
  - No Ciphers to disable all ciphers. Optionally, enable specific ciphers in the Allow Specific Ciphers field.
- Click Save.
- If you updated the list of ciphers, restart the Directory Server instance. See Section 1.5.2, “Starting and Stopping a Directory Server Instance Using the Web Console”.
9.4.1.4. Starting Directory Server Without a Password File
If you set a password on the NSS database and did not create a password file, Directory Server prompts for the password when the instance starts:
- If the ns-slapd Directory Server process is started by the systemctl command, systemd prompts for the password and automatically passes the input to the systemd-tty-ask-password-agent utility. For example:
  # systemctl start dirsrv
  Enter PIN for Internal (Software) Token:
- In rare cases, when the ns-slapd Directory Server process is not started by the systemctl utility and is detached from the terminal, a message is sent to all terminals using the wall command. For example:
  Broadcast message from root@server (Fri 2017-01-01 06:00:00 CET):
  Password entry required for 'Enter PIN for Internal (Software) Token:' (PID 1234).
  Please enter password with the systemd-tty-ask-password-agent tool!
  To enter the password, run:
  # systemd-tty-ask-password-agent
  Enter PIN for Internal (Software) Token:
9.4.1.5. Creating a Password File for Directory Server
You can store the password of the NSS database in the /etc/dirsrv/slapd-instance_name/pin.txt file. This enables Directory Server to start automatically without prompting for this password.
Warning
The file contains the password of the NSS database in clear text. Anyone who can read it can use the private key of the server certificate, so restrict access to the dirsrv user as described below.
- Create the /etc/dirsrv/slapd-instance_name/pin.txt file with the following content:
  - If you use the NSS software cryptography module, which is the default:
    Internal (Software) Token:password
  - If you use a Hardware Security Module (HSM):
    name_of_the_token:password
- Set the permissions:
  # chown dirsrv:dirsrv /etc/dirsrv/slapd-instance_name/pin.txt
  # chmod 400 /etc/dirsrv/slapd-instance_name/pin.txt
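The two manual steps above leave a window in which the file exists with the creating user's default umask before chmod 400 runs, and nothing checks the result afterwards. The following is an added example, not Directory Server's own code, that creates pin.txt with mode 0400 from the first instant and checks an existing file for the mistakes that expose the password. The chown to dirsrv is only attempted when running as root, and demo() works in a temporary directory rather than the real /etc/dirsrv/slapd-instance_name/ path; both are assumptions of this example.

```python
"""Create and check the Directory Server password file (pin.txt).

Added example, not Directory Server code. It writes the one-line
`token name:password` file described above, created with mode 0400 from the
start, and reports anything that would expose the clear-text password.
"""
import os
import shutil
import stat
import tempfile

SOFTWARE_TOKEN = "Internal (Software) Token"


def write_pin_file(path, password, token=SOFTWARE_TOKEN, owner="dirsrv"):
    """Write `token:password` to path; refuses to overwrite an existing file."""
    if ":" in token or "\n" in token or "\n" in password or not password:
        raise ValueError("token must not contain ':'; token and password must be one non-empty line")
    # O_CREAT|O_EXCL with mode 0400: the file is never momentarily readable by
    # group/other (the umask can only remove bits) and an existing file is not
    # silently replaced. fchmod makes the final mode independent of the umask.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as f:
        os.fchmod(f.fileno(), 0o400)
        f.write("%s:%s\n" % (token, password))
    if owner and os.geteuid() == 0:
        shutil.chown(path, owner, owner)  # same effect as `chown dirsrv:dirsrv`
    return path


def check_pin_file(path):
    """Return a list of problems; an empty list means the file is safe and well-formed."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlinks are not followed)"]
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable or writable by group/other (mode %o)" % stat.S_IMODE(st.st_mode))
    with open(path) as f:
        lines = f.read().splitlines()
    if len(lines) != 1:
        problems.append("expected exactly one line, found %d" % len(lines))
    for line in lines:
        token, sep, password = line.partition(":")
        if not (sep and token and password):
            problems.append("line is not in 'token name:password' form")
    return problems


def demo():
    """Write, check, then break the permissions to show the check firing."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "pin.txt")
    try:
        write_pin_file(path, "constructed-nss-password", owner=None)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as f:
            content = f.read()
        problems_before = check_pin_file(path)
        try:
            write_pin_file(path, "other", owner=None)
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
        os.chmod(path, 0o644)  # the common mistake: world-readable password file
        problems_after = check_pin_file(path)
    finally:
        shutil.rmtree(workdir)
    return {"mode": mode, "content": content, "problems_before": problems_before,
            "problems_after": problems_after, "overwrite_refused": overwrite_refused}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

check_pin_file() is the part worth keeping around: run it against the real pin.txt after any package upgrade or restore from backup, since those are the moments when permissions tend to widen.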
9.4.1.6. Managing How Directory Server Behaves If the Certificate Has Been Expired
Directory Server checks when the instance starts whether the server certificate has expired. The behavior in this case is controlled by the nsslapd-validate-cert parameter. You can set it to the following values:
- warn: The Directory Server instance starts and logs a warning about the expired certificate in the /var/log/dirsrv/slapd-instance_name/errors log file. This is the default setting.
- on: Directory Server validates the certificate, and the instance fails to start if the certificate has expired.
- off: Directory Server does not validate the certificate expiration date. The instance starts and no warning is logged.
Example 9.3. Preventing Directory Server from Starting If the Certificate Has Expired
- Set the nsslapd-validate-cert parameter to on:
  # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-validate-cert=on
  Successfully replaced "nsslapd-validate-cert"
- Restart the Directory Server instance:
  # dsctl instance_name restart
9.4.2. Adding the CA Certificate Used By Directory Server to the Trust Store of Red Hat Enterprise Linux
When a client connects using LDAPS or sends the STARTTLS command over LDAP, Directory Server uses its server certificate to encrypt the connection. Client utilities use the CA certificate to verify that the server's certificate is valid. By default, these utilities cancel the connection if they do not trust the certificate of the server.
Example 9.4. Possible Connection Errors If Client Utilities Do Not Use the CA Certificate
dsconf:
# dsconf -D "cn=Directory Manager" ldaps://consumer.example.com:636 config get
Error: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}
ldapsearch:
# ldapsearch -H ldaps://server.example.com:636 -D "cn=Directory Manager" -W -b "dc=example,dc=com" -x
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
To add the CA certificate to the trust store of Red Hat Enterprise Linux:
- If you do not have a local copy of the CA certificate used by Directory Server:
  - List the certificates in the server's NSS database:
    # certutil -d /etc/dirsrv/slapd-instance_name/ -L
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    Example CA                                                   C,,
    Server-Cert                                                  u,u,u
    The CA certificate is the entry with the C (trusted CA for server certificates) flag in the SSL column. The u flags on Server-Cert mean the database holds its private key; it is the server certificate, not the CA.
  - Use the nickname of the CA certificate in the NSS database to export the CA certificate:
    # certutil -d /etc/dirsrv/slapd-instance_name/ -L -n "Example CA" -a > /tmp/ds-ca.crt
- Copy the CA certificate to the /etc/pki/ca-trust/source/anchors/ directory. For example:
  # cp /tmp/ds-ca.crt /etc/pki/ca-trust/source/anchors/
- Rebuild the CA trust database:
  # update-ca-trust
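After enabling TLS in Section 9.4.1.1 and trusting the CA as described in this section, verify both encryption paths from a client the way the two bullets at the top of Section 9.4 describe them: LDAPS from the first byte, and plain LDAP followed by the STARTTLS operation. The following is an added example, not Directory Server's or a client library's code. It hand-encodes the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) in BER and completes a TLS handshake that verifies the server certificate and host name. The host names and ports are assumptions; cafile=None uses the system trust store that update-ca-trust populates, so an untrusted CA surfaces as ssl.SSLCertVerificationError, the client-side twin of Example 9.4.

```python
"""Verify LDAPS and the STARTTLS operation from a client.

Added example, not Directory Server code. Hand-encodes the StartTLS
ExtendedRequest (RFC 4511) and checks the server certificate against the
system trust store or a CA file. Host names and ports are assumptions.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
LDAP_SUCCESS = 0


def ber_tlv(tag, content):
    """Tag-length-value with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def ber_int(value):
    """Minimal two's-complement INTEGER content octets."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, ber_int(message_id)) + ext_req)


def build_extended_response(message_id, result_code, diagnostic=b"", response_name=STARTTLS_OID):
    """Server-side twin of the request; used here to construct test messages."""
    body = ber_tlv(0x0A, ber_int(result_code)) + ber_tlv(0x04, b"") + ber_tlv(0x04, diagnostic)
    if response_name:
        body += ber_tlv(0x8A, response_name)  # [10] responseName
    return ber_tlv(0x30, ber_tlv(0x02, ber_int(message_id)) + ber_tlv(0x78, body))


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf):
    """Return (message_id, result_code, diagnostic) from an LDAPMessage that
    carries an ExtendedResponse ([APPLICATION 24], tag 0x78)."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag %#x)" % tag)
    tag, mid, pos = read_tlv(body)
    tag_op, op, _ = read_tlv(body, pos)
    if tag != 0x02 or tag_op != 0x78:
        raise ValueError("unexpected protocolOp tag %#x" % tag_op)
    _, code, pos = read_tlv(op)      # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)    # matchedDN, unused here
    _, diag, _ = read_tlv(op, pos)   # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big"), diag.decode("utf-8", "replace"))


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data


def _recv_message(sock):
    """Read exactly one BER element (one LDAPMessage) from the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        ext = _recv_exact(sock, length & 0x7F)
        head, length = head + ext, int.from_bytes(ext, "big")
    return head + _recv_exact(sock, length)


def _tls_context(cafile):
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus host name check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_ldaps(host, port=636, cafile=None):
    """TLS from the first byte; returns (protocol version, peer subject)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with _tls_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


def check_starttls(host, port=389, cafile=None):
    """Plain LDAP, then StartTLS; fails if the server refuses the operation."""
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(build_starttls_request(1))
        mid, code, diag = parse_extended_response(_recv_message(raw))
        if mid != 1 or code != LDAP_SUCCESS:
            raise RuntimeError("StartTLS refused: resultCode=%d %r" % (code, diag))
        with _tls_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "server.example.com"
    for label, check in (("LDAPS", check_ldaps), ("STARTTLS", check_starttls)):
        try:
            print(label, check(host))
        except ssl.SSLCertVerificationError as err:
            print(label, "server certificate not trusted:", err.verify_message)
```

A StartTLS resultCode other than 0 means the server never offered encryption on port 389 (for example, nsslapd-security is still off), whereas an SSLCertVerificationError on either path means encryption is on but the client does not trust the issuing CA, which is exactly what the update-ca-trust step above fixes.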