7.4. Setting up TLS/SSL
7.4.1. TLS/SSL in Directory Server
- Improved efficiency. An application that prompts once for the certificate database password and then uses that certificate for every subsequent bind or authentication operation avoids sending a bind DN and password on each connection.
- Improved security. Certificate-based authentication is more secure than non-certificate bind operations because it uses public-key cryptography: the private key never leaves the client, so no reusable bind credential crosses the network where it could be intercepted. If the certificate database or hardware device is lost, it is useless without the PIN, which also makes this form of authentication resistant to credential theft such as phishing.
- Obtain and install a certificate for the Directory Server, and configure the Directory Server to trust the certification authority's (CA's) certificate. For information, see Section 7.3.1, “Obtaining and Installing Server Certificates”.
- Turn on TLS/SSL in the directory. For information, see Section 7.4, “Setting up TLS/SSL”.
- Configure the Admin Server to connect to a TLS-enabled Directory Server.
- Optionally, ensure that each user of the Directory Server obtains and installs a personal certificate for all clients that will authenticate with TLS/SSL.
nobody. If a different account was set during installation, as Red Hat recommends, use that user and group instead for better security. The key and certificate databases should be owned by the Directory Server user and should typically be readable and writable by the owner only, with no access for any other user (mode 0600). The PIN file should also be owned by the Directory Server user and be readable only by that user, with no access for any other user (mode 0400).
ldapmodify to edit the
7.4.2. Enabling TLS/SSL Only in the Directory Server
- Obtain and install CA and server certificates.
- Set the secure port for the server to use for TLS/SSL communications. In the Configuration area, select the Settings tab, and enter the value in the Encrypted Port field. The encrypted port number must not be the same as the port number used for normal LDAP communications. By default, the standard port number is 389 and the secure port is 636.
- Select the Configuration tab, and then select the top entry in the navigation tree in the left pane. Select the Encryption tab in the right pane.
- Select the Enable SSL for this Server check box.
- Check the Use this Cipher Family check box.
- Select the certificate to use from the drop-down menu.
- Click Cipher Settings. By default, ALL in the TLS tab is selected. When ALL is set, the server chooses safe ciphers internally.
- Set the preferences for client authentication.
If TLS/SSL is enabled only in the Directory Server and not in the Directory Server Console, do not select the Require client authentication check box.
- Do not allow client authentication. With this option, the server neither requests nor checks a client certificate. Clients can still bind with a DN and password over the encrypted connection, so binds do not fail.
- Allow client authentication. This is the default setting. With this option, the server performs certificate-based authentication when the client requests it and otherwise lets the client bind as usual. For more information about certificate-based authentication, see Section 7.10, “Using Client (Certificate-Based) Authentication”.
- Require client authentication. With this option, the server requires the client to present a valid certificate in order to complete the secure connection.
Note: To use certificate-based authentication with replication, the consumer server must be configured either to allow or to require client authentication.
- To verify the authenticity of outbound connections, select the Check host name against name in certificate for outbound SSL connections option. The server performs this check by matching the peer's host name against the value of the common name (cn) attribute in the subject name of the certificate being presented. By default, this feature is disabled. If it is enabled and the host name does not match the cn attribute of the certificate, appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these appear in the supplier server's log files when the peer server's host name does not match the name in its certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Cannot contact LDAP server)
Red Hat recommends enabling this option to protect the Directory Server's outbound SSL connections against man-in-the-middle (MITM) attacks: without the host name check, any certificate issued by a trusted CA would be accepted from a peer, whichever host it was issued to.
- Restart the Directory Server. The Directory Server must be restarted from the command line:
service dirsrv restart instance
When the server restarts, it prompts for the PIN or password to unlock the key database. This is the same password used when the server certificate and key were imported into the database. To restart the Directory Server without the password prompt, create a PIN file or use a hardware crypto device. See Section 7.4.4, “Creating a Password File for the Directory Server” for information on how to create a PIN file.
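The Console steps above can also be carried out from the command line. The following script is an added example, not code from the Directory Server documentation: it generates the LDIF that corresponds to the Console settings (enable SSL, select the RSA cipher family and server certificate, set the client-authentication preference, turn on the outbound host name check) and pipes it into ldapmodify. The attribute and entry names are assumptions taken from the Directory Server configuration schema (nsslapd-security, nsslapd-secureport and nsslapd-ssl-check-hostname under cn=config; nsSSLClientAuth under cn=encryption,cn=config; the cn=RSA,cn=encryption,cn=config entry with nsSSLPersonalitySSL, nsSSLToken and nsSSLActivation), as are the certificate nickname Server-Cert and the OpenLDAP client options; verify them against the configuration reference for your server version before use.

```shell
#!/bin/sh
# Added example, not code from the Directory Server documentation: the
# command-line equivalent of the Console procedure in 7.4.2, as an LDIF
# generator that is piped into ldapmodify. Assumptions, labelled: the
# configuration attribute names (nsslapd-security, nsslapd-secureport and
# nsslapd-ssl-check-hostname under cn=config; nsSSLClientAuth under
# cn=encryption,cn=config; the RSA cipher-family entry
# cn=RSA,cn=encryption,cn=config with nsSSLPersonalitySSL, nsSSLToken and
# nsSSLActivation) and the certificate nickname Server-Cert.
set -u

# Enforce the two constraints the Console applies through its widgets:
# the secure port differs from the plain LDAP port, and the client
# authentication policy is one of off / allowed / required.
validate_tls_settings() {
    plain_port=$1 secure_port=$2 client_auth=$3
    case "$secure_port" in
        ''|*[!0-9]*) echo "secure port must be numeric" >&2; return 1 ;;
    esac
    if [ "$secure_port" -eq "$plain_port" ]; then
        echo "secure port must differ from the LDAP port $plain_port" >&2
        return 1
    fi
    case "$client_auth" in
        off|allowed|required) ;;
        *) echo "client auth must be off, allowed or required" >&2; return 1 ;;
    esac
}

# Emit the LDIF for "Enable SSL for this Server", "Use this Cipher Family",
# the certificate choice, the client-auth preference and the outbound
# host name check (turned on, as Red Hat recommends). If cn=RSA already
# exists on the server, change its "add" to a "modify" with replace lines.
tls_enable_ldif() {
    plain_port=$1 secure_port=$2 client_auth=$3 nickname=$4
    validate_tls_settings "$plain_port" "$secure_port" "$client_auth" || return 1
    cat <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLClientAuth
nsSSLClientAuth: $client_auth

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: $nickname
nsSSLToken: internal (software)
nsSSLActivation: on

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-secureport
nsslapd-secureport: $secure_port
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: on
EOF
}

# Apply the change over the still-plaintext port as the Directory Manager
# (-W prompts for the password rather than exposing it in the process list),
# then restart the instance so the secure port is opened. OpenLDAP client
# options are assumed.
apply_tls_settings() {
    host=$1 instance=$2
    tls_enable_ldif 389 636 allowed Server-Cert \
        | ldapmodify -x -H "ldap://$host:389" -D "cn=Directory Manager" -W \
        && service dirsrv restart "$instance"
}

# Usage: apply_tls_settings server.example.com example
```

The validation mirrors what the Console enforces silently: a secure port equal to the plain port, or a client-authentication value outside off, allowed and required, is rejected before anything reaches the server. The restart is still required, exactly as in the Console procedure, because nsslapd-secureport is only read at startup.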
7.4.3. Enabling TLS/SSL in the Directory Server, Admin Server, and Console
- Obtain server certificates and CA certs, and install them on the Directory Server. This is described in Section 7.3.1, “Obtaining and Installing Server Certificates”.
- Obtain and install server and CA certificates on the Admin Server. This is a similar process as for the Directory Server.
Note: It is important that the Admin Server and Directory Server have a CA certificate in common so that each can trust the other's certificate.
- Configure TLS/SSL for the Directory Server as described in Section 7.4.2, “Enabling TLS/SSL Only in the Directory Server”.
- Require SSL/TLS to connect to the Directory Server Console.
Warning: The Directory Server must already be configured to run over SSL/TLS, and must already have been restarted, before the Directory Server Console is configured to use SSL/TLS. Configuring SSL/TLS for the server requires a restart to load the new configuration, including the new secure port. Enabling SSL/TLS for the Console, however, takes effect immediately. If the Console has SSL/TLS enabled before the server is running over SSL/TLS, the Console loses its connection to the server and cannot reconnect. To disable SSL/TLS in the Directory Server Console, use
ldapmodify to edit the
- Reopen the Directory Server Console.
- In the Configuration tab, select the server, and open the Encryption tab.
- Check the Use SSL in the Console box.
- In the Admin Server Console, select the Configuration tab. Select the Encryption tab, check the Enable SSL check box, and fill in the appropriate certificate information.
- In the Configuration DS tab, change the port number to the new Directory Server secure port. See Section 1.6, “Changing Directory Server Port Numbers” for more information. Do this even if the default port of 636 is used. Check the Secure Connection check box.
- In the User DS tab, select the Set User Directory radio button, and fill in the Directory Server secure port information, the LDAP URL, and the user database information. Check the Secure Connection check box.
- Save the new TLS/SSL settings and Configuration DS and User DS information in the Admin Server Console.
- Restart the Admin Server. The server must be restarted from the command line.
service dirsrv-admin restart
When the server restarts, it prompts for the PIN or password to unlock the key database. This is the same password used when the server certificate and key were imported into the database. To restart the Admin Server without the password prompt, create a PIN file or use a hardware crypto device. See Section E.2.9.4, “Creating a Password File for the Admin Server” for information on how to create a PIN file.
https; otherwise, the operation times out, because the Console cannot find a server that now answers only on a secure connection. After connecting successfully, a dialog box appears asking whether to accept the certificate. Accept it either for the current session only or permanently.
7.4.4. Creating a Password File for the Directory Server
/etc/dirsrv/slapd-instance_name. The file should be named
Each line of the file has the form token_name:password. For the default internal NSS token, the line is:
Internal (Software) Token:secret
where secret is the password that unlocks the key database (the same one the server prompts for at restart) and the token name is
Internal (Software) Token.
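The file permissions described earlier in this section (0600 on the key and certificate databases, 0400 on the PIN file, everything owned by the Directory Server user) and the PIN file format just shown can be applied and checked with the following script. It is an added example, not code from the Directory Server documentation or product. Assumptions, labelled as such: the PIN file is named pin.txt in the instance directory, the NSS database files carry their standard names (cert8.db, key3.db, secmod.db, and the newer cert9.db, key4.db, pkcs11.txt), and the Directory Server user and group are whatever the caller passes (nobody by default, per the text above).

```shell
#!/bin/sh
# Added example, not code from the Directory Server documentation. Writes the
# PIN file for the internal NSS token and tightens the key/cert databases to
# the permissions the text describes (0600 for the databases, 0400 for the PIN
# file). Assumptions, labelled: the PIN file name pin.txt, the NSS database
# file names (cert8.db/key3.db/secmod.db and the newer cert9.db/key4.db/
# pkcs11.txt) and the Directory Server user and group, which the caller passes.
set -u

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write the PIN file as a single "token name:password" line. The file is
# created under umask 077 so it is never group- or world-readable, even
# briefly, and is then locked to owner read-only. The password arrives as a
# function argument rather than on the command line of an external tool, so
# it does not show up in the process list.
write_pin_file() {
    pinfile=$1 password=$2
    rm -f "$pinfile"
    ( umask 077 && printf 'Internal (Software) Token:%s\n' "$password" > "$pinfile" ) || return 1
    chmod 0400 "$pinfile"
}

# Verify the PIN file: mode 0400, exactly one line, token:password form.
check_pin_file() {
    pinfile=$1
    [ "$(file_mode "$pinfile")" = "400" ] || return 1
    [ "$(wc -l < "$pinfile" | tr -d ' ')" -eq 1 ] || return 1
    grep -q '^Internal (Software) Token:..*$' "$pinfile"
}

# Make the NSS databases owner read/write only and, when running as root,
# owned by the Directory Server user and group.
harden_instance_dir() {
    dir=$1 owner=$2 group=$3
    for f in "$dir"/cert8.db "$dir"/key3.db "$dir"/secmod.db \
             "$dir"/cert9.db "$dir"/key4.db "$dir"/pkcs11.txt; do
        [ -e "$f" ] || continue
        chmod 0600 "$f" || return 1
        if [ "$(id -u)" -eq 0 ]; then
            chown "$owner:$group" "$f" || return 1
        fi
    done
    return 0
}

# List files in the instance directory that group or others can access.
# Prints each offender and returns 1 if any were found, 0 otherwise.
find_loose_files() {
    dir=$1 bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(file_mode "$f")
        case "$m" in
            *00) ;;                       # group and other bits are all zero
            *) echo "loose permissions $m on $f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage, as root on the Directory Server host (instance name "example" assumed):
#   harden_instance_dir /etc/dirsrv/slapd-example nobody nobody
#   write_pin_file /etc/dirsrv/slapd-example/pin.txt 'secret'
#   check_pin_file /etc/dirsrv/slapd-example/pin.txt
#   find_loose_files /etc/dirsrv/slapd-example
```

find_loose_files is the check worth running after any certificate re-import: tools that rewrite the NSS databases can recreate them under the invoking user's umask, and a 0644 key3.db hands the server's private key (protected only by the PIN that now sits in pin.txt) to every local account.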
7.4.5. Starting the Directory Server with Expired Certificates
The nsslapd-validate-cert parameter sets how the Directory Server responds when it attempts to start with an expired certificate:
- warn allows the Directory Server to start with an expired certificate but logs a warning that the certificate has expired. This is the default setting.
- on validates the certificate and prevents the server from starting if the certificate is expired. This is a hard failure for expired certificates.
- off disables certificate expiration validation entirely, so the server starts with an expired certificate without logging a warning.
For example, to make an expired certificate a hard failure:
[root@server ~]# ldapmodify -x -D "cn=directory manager" -W -h server.example.com -p 636
dn: cn=config
changetype: modify
replace: nsslapd-validate-cert
nsslapd-validate-cert: on
The -W option prompts for the Directory Manager password instead of placing it on the command line, where it would be visible in the process list and shell history. A connection to the secure port must be made with TLS enabled in the client (with OpenLDAP's ldapmodify, replace -h and -p with -H ldaps://server.example.com:636); a plain LDAP connection to port 636 fails.