path: root/ldap/docs/dirhlp/help/configtab_rootnode3.htm
blob: ef6de3416974bca6986ae3e7da57e3306682476e (plain)
<html>


<!--This html file is XHTML compliant, as set forth in the
w3c recommendations except for the following:
Lists work as they do in older versions of HTML and not as
directed in XHTML. 
The <a name=" "> tags have targets that use spaces. -->


<head>
<meta name="keywords" content="e-commerce, ecommerce, Netscape, Internet software, e-commerce applications, electronic commerce, ebusiness, e-business, enterprise software, net economy, software, ecommerce solutions, e-commerce services, AOL, America Online, netscape software, netscape solutions, marketplace, digital marketplace" />
<meta name="description" content="Netscape, an AOL Time Warner Company, produces the world renowned
Netscape Browser as well as top notch server software." />
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
<meta name="templatebase" content="Authored in FrameMaker. Converted to HTML  in WebWorks Publisher. manual wdt 1.6" />
<meta name="LASTUPDATED" content="04/29/03 15:35:31" />
<title>Netscape Directory Server Help: Encryption Tab</title>


<!--The following is a javascript which determines whether the client
is on a Windows machine, or is on another type of operating system. Once
the operating system is determined, either a windows or other operating
system cascading style sheet is used. -->
<script type="text/JavaScript" src="/manual/en/slapd/help/sniffer.js">

</script>


</head>




<body text="#000000" link="#006666" vlink="#006666" alink="#333366" bgcolor="#FFFFFF">

<!--maincontent defines everything between the body tags -->
<!--start maincontent-->

<!--navigationcontent defines the top row of links and the banner -->
<!--start navigationcontent-->

<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td><table border="0" cellspacing="0" cellpadding="0">
<tr>
<td valign="bottom" width="67">
<img src="/manual/en/slapd/help/netscape32.gif" height="32" width="32" border="0" alt="Netscape logo" />
</td>
<td valign="middle">
<span class="product">Netscape Directory Server</span>
<span class="booktitle">Console Help</span>
</td>
</tr>
</table>
</td>
</tr>

<tr>
<td>
<hr size="1" noshade="noshade" />








<span class="navigation">
<a style="text-decoration: none; color:#006666" href="/manual/en/slapd/index.htm">
DocHome
</a>
</span>
&nbsp;&nbsp;&nbsp;&nbsp;




</td>
</tr>
</table>

<!--end navigationcontent-->

<!--bookcontent defines the actual content of the file, sans headers and footers -->
<!--start bookcontent-->

<blockquote>
<br />
<p class="h1">
<a name="25232"> </a>
<a name="Encryption Tab"> </a>
Encryption Tab
</p>

<p class="text">
<a name="25233"> </a>
Use this tab to configure SSL for your directory. 
</p>
<p class="text">
<a name="25234"> </a>
<b>Enable SSL for this server.</b> Select this checkbox to enable SSL communications for the directory. Clear the checkbox to disable SSL.
</p>
<p class="text">
<a name="25235"> </a>
<b>Use this cipher family. </b>Select the checkbox next to the cipher family or families you want the server to use for SSL communications. 
</p>
<p class="text">
<a name="25236"> </a>
<b>Security Device.</b> Select the device you want the server to use.
</p>
<p class="text">
<a name="25237"> </a>
<b>Certificate.</b> Select the certificate you want the server to use. You must have a certificate set up on your system to use SSL.
</p>
<p class="text">
<a name="25238"> </a>
<b>Cipher settings. </b>Opens the Encryption Preferences dialog box, where you can select which ciphers you want the server to use from the cipher families you have already selected. By default, Directory Server comes with the following SSL ciphers:
</p>
<br />

<br/>
<table width="90%" border="1" cellspacing="0" cellpadding="4">
<tr>
<td valign="top">
<p class="tablehead">
<a name="28449"> </a>
SSL Cipher
</p></td>
<td valign="top">
<p class="tablehead">
<a name="28451"> </a>
Description
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27774"> </a>
None
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27776"> </a>
No encryption, only MD5 message authentication (rsa_null_md5).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27778"> </a>
RC4
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27780"> </a>
RC4 cipher with 128-bit encryption and MD5 message authentication (rsa_rc4_128_md5).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27782"> </a>
RC4 (Export)
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27784"> </a>
RC4 cipher with 40-bit encryption and MD5 message authentication (rsa_rc4_40_md5).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27786"> </a>
RC2 (Export)
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27788"> </a>
RC2 cipher with 40-bit encryption and MD5 message authentication (rsa_rc2_40_md5).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27790"> </a>
DES
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27792"> </a>
DES with 56-bit encryption and SHA message authentication (rsa_des_sha).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27794"> </a>
DES (FIPS)
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27796"> </a>
FIPS DES with 56-bit encryption and SHA message authentication. This cipher meets the FIPS 140-1 U.S. government standard for implementations of cryptographic modules (rsa_fips_des_sha).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27798"> </a>
Triple-DES
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27800"> </a>
Triple DES with a 168-bit key (about 112 bits of effective strength, because of the meet-in-the-middle attack) and SHA message authentication (rsa_3des_sha).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27802"> </a>
Triple-DES (FIPS)
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27804"> </a>
FIPS Triple DES with a 168-bit key (about 112 bits of effective strength) and SHA message authentication. This cipher meets the FIPS 140-1 U.S. government standard for implementations of cryptographic modules (rsa_fips_3des_sha).
</p></td>
  
</tr>

</table>


<br />
<br />
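<p class="text">
The identifiers in the table above follow the pattern key-exchange_[fips_]cipher[_bits]_mac. The Python below is an added example, not Directory Server code: it parses those names and applies a minimum policy that a practitioner would use today (no null, RC4 or RC2 cipher, at least 112 bits of effective strength, no MD5-based MAC), which leaves only the two Triple-DES entries. The cipher identifiers are taken from the table; the policy thresholds and the warning texts are this example's own choices. Every cipher in the dialog uses static RSA key exchange, which gives no forward secrecy, and Triple-DES is itself deprecated by current guidance (64-bit block, Sweet32; disallowed by NIST SP 800-131A after 2023); the script reports both as warnings rather than disqualifiers, because the dialog offers nothing stronger.
</p>

```python
import re
from dataclasses import dataclass

# Cipher identifiers exactly as listed in the Encryption Preferences table above.
DIALOG_CIPHERS = [
    "rsa_null_md5",
    "rsa_rc4_128_md5",
    "rsa_rc4_40_md5",
    "rsa_rc2_40_md5",
    "rsa_des_sha",
    "rsa_fips_des_sha",
    "rsa_3des_sha",
    "rsa_fips_3des_sha",
]

# <key exchange>_[fips_]<cipher>[_<bits>]_<mac>; the bit count is omitted from
# the name when the cipher fixes it (null, DES, 3DES).
_NAME = re.compile(
    r"^(?P<kx>rsa)_(?P<fips>fips_)?(?P<cipher>null|rc4|rc2|des|3des)"
    r"(?:_(?P<bits>\d+))?_(?P<mac>md5|sha)$"
)
_FIXED_KEY_BITS = {"null": 0, "des": 56, "3des": 168}

# Policy threshold chosen for this example (matches common current guidance).
MIN_EFFECTIVE_BITS = 112


@dataclass(frozen=True)
class Cipher:
    name: str
    kx: str
    cipher: str
    key_bits: int  # nominal key length, as the dialog reports it
    mac: str
    fips: bool


def parse_cipher(name: str) -> Cipher:
    """Split a dialog cipher identifier into its components."""
    m = _NAME.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher name: {name!r}")
    bits = int(m["bits"]) if m["bits"] else _FIXED_KEY_BITS[m["cipher"]]
    return Cipher(name, m["kx"], m["cipher"], bits, m["mac"], m["fips"] is not None)


def effective_bits(c: Cipher) -> int:
    """Security strength actually delivered, not the nominal key length."""
    if c.cipher == "3des":
        return 112  # 168-bit key, but meet-in-the-middle reduces it to ~112 bits
    return c.key_bits


def weaknesses(c: Cipher) -> list[str]:
    """Disqualifying problems: any entry here means 'do not enable this cipher'."""
    reasons = []
    if c.cipher == "null":
        reasons.append("null cipher: no confidentiality at all")
    elif c.cipher in ("rc4", "rc2"):
        reasons.append(f"{c.cipher.upper()} is broken (RC4 is prohibited in TLS by RFC 7465)")
    if 0 < effective_bits(c) < MIN_EFFECTIVE_BITS:
        reasons.append(f"{effective_bits(c)}-bit effective strength is below {MIN_EFFECTIVE_BITS}")
    if c.mac == "md5":
        reasons.append("MD5-based message authentication")
    return reasons


def warnings(c: Cipher) -> list[str]:
    """Advisory problems shared by everything the dialog offers."""
    notes = ["static RSA key exchange: no forward secrecy"]
    if c.cipher == "3des":
        notes.append("3DES: 64-bit block (Sweet32), disallowed by NIST SP 800-131A after 2023")
    return notes


def recommended(names: list[str]) -> tuple[list[str], dict[str, list[str]]]:
    """Split cipher names into those to keep and those to disable, with reasons."""
    keep, disable = [], {}
    for n in names:
        c = parse_cipher(n)
        bad = weaknesses(c)
        if bad:
            disable[n] = bad
        else:
            keep.append(n)
    return keep, disable


if __name__ == "__main__":
    keep, disable = recommended(DIALOG_CIPHERS)
    for n in keep:
        print(f"keep    {n}: " + "; ".join(warnings(parse_cipher(n))))
    for n, reasons in disable.items():
        print(f"disable {n}: " + "; ".join(reasons))
```

<p class="text">
Run as a script it prints one line per cipher; the useful part is the reasons list for each disabled entry, which maps directly onto which checkboxes to clear in the Encryption Preferences dialog. The 40-bit export entries and the null cipher fail on strength alone; the 128-bit RC4 entry fails on the cipher and the MAC, so raising the key size would not have rescued it.
</p>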

<p class="text">
<a name="25239"> </a>
<b>Do not allow client authentication.</b> Select this option if you want client applications to connect to the server using simple authentication only (a bind DN and password); the server does not accept client certificates.
</p>
<p class="text">
<a name="25240"> </a>
<b>Allow client authentication.</b> Select this option if you want client applications to be able to connect to the server using either simple authentication or client authentication.
</p>
<p class="text">
<a name="25241"> </a>
If you are using certificate-based authentication with replication, then you must select either "Allow client authentication" or "Require client authentication" on the consumer server.
</p>
<p class="text">
<a name="25242"> </a>
<b>Require client authentication. </b>Select this option if you want client applications to connect to the server using client authentication only. If you select this option, simple authentication is not allowed.
</p>
<p class="text">
<a name="14859"> </a>
<b>Use SSL in Netscape Console.</b> Select this checkbox if you want the communication between the Netscape Console and the directory to be secured using SSL.
</p>
<p class="text">
<a name="14866"> </a>
If you use this option together with client authentication, the connection between the Netscape Console and the server is encrypted with SSL, but the Console does not present a client certificate; it still binds with simple authentication.
</p>
<p class="text">
<a name="28333"> </a>
<b>Check hostname against name in certificate for outbound SSL connections. </b>Select this check box if you want an SSL-enabled Directory Server (with certificate-based client authentication turned on) to verify, for each outbound SSL connection it makes, that the hostname it connected to matches the value of the Common Name (CN) attribute in the subject name of the certificate the peer presents. 
</p>
<p class="text">
<a name="28412"> </a>
By default, this feature is disabled. If you enable it and the hostname does not match the CN attribute of the certificate, the connection is refused and appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these are logged in the supplier server's log files if it finds that the peer server's hostname doesn't match the name in its certificate:
</p>
<p class="text">
<a name="28356"> </a>
<code>[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)</code>
</p>
<p class="text">
<a name="28357"> </a>
<code>[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)</code>
</p>
<p class="text">
<a name="28361"> </a>
It is recommended that you enable this option to protect Directory Server's outbound SSL connections against a man-in-the-middle (MITM) attack: without the check, any certificate chaining to a trusted CA is accepted no matter which host presents it, so a certificate legitimately issued for one host can be used to impersonate another.
</p>
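<p class="text">
The hostname-against-CN check described above is a small piece of logic, and the two log lines above are what a failed check looks like from the supplier's side. The Python below is an added example, not Directory Server's own code. It implements the matching rule (exact, case-insensitive, with a wildcard accepted only as the whole leftmost label) and extends it, as current TLS clients do under RFC 6125, to prefer subjectAltName entries when the certificate has any; the 2003 server checked the CN only. It also includes a log scanner that pairs the -12276 alert with the replication-bind failure logged after it, so that a bare LDAP error 81 (which can be an ordinary connectivity problem) is not mistaken for a certificate mismatch. The hostnames, the subjectAltName values and the sample log text are constructed for this example, modelled on the messages quoted above.
</p>

```python
import re


def _normalise(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Host.Example.COM.' equals 'host.example.com'."""
    return name.rstrip(".").lower()


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Return True if hostname matches one name taken from the peer's certificate.

    A wildcard is accepted only as the entire leftmost label ("*.example.com"),
    must match exactly one label, never matches a two-label name ("*.com"), and
    never matches an IP address literal.
    """
    host = _normalise(hostname)
    name = _normalise(cert_name)
    if not host or not name:
        return False
    if host == name:
        return True
    if name.startswith("*.") and "*" not in name[2:]:
        host_labels = host.split(".")
        name_labels = name.split(".")
        if (len(name_labels) >= 3
                and len(host_labels) == len(name_labels)
                and not re.fullmatch(r"[\d.]+", host)):
            return host_labels[1:] == name_labels[1:]
    return False


def peer_certificate_ok(hostname: str, cn: str, sans: tuple = ()) -> bool:
    """The page's CN check, with the RFC 6125 rule that subjectAltName dNSNames,
    when present, are authoritative and the CN is ignored (example assumption;
    the server described on this page checks the CN only)."""
    if sans:
        return any(hostname_matches(hostname, n) for n in sans)
    return hostname_matches(hostname, cn)


# Constructed sample error-log text modelled on the two messages quoted above.
# Timestamps are made up; the third line shows a bind failure with no preceding
# -12276 alert, which the scanner must not report as a hostname mismatch.
SAMPLE_LOG = (
    '[29/Apr/2003:15:35:31 -0700] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 '
    "(Netscape runtime error -12276 - Unable to communicate securely with peer: "
    "requested domain name does not match the server's certificate.)\n"
    '[29/Apr/2003:15:35:31 -0700] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" '
    "(ultra60:1924): Replication bind with SSL client authentication failed: "
    "LDAP error 81 (Can't contact LDAP server)\n"
    '[29/Apr/2003:15:40:02 -0700] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" '
    "(ultra60:1924): Replication bind with SSL client authentication failed: "
    "LDAP error 81 (Can't contact LDAP server)\n"
)

_MISMATCH = re.compile(r"Netscape runtime error -12276\b")
_REPL_FAIL = re.compile(
    r'agmt="(?P<agreement>[^"]+)" \((?P<peer>[^)]+)\): '
    r"Replication bind with SSL client authentication failed"
)


def find_hostname_mismatches(log_text: str) -> list[dict]:
    """Pair each -12276 SSL alert with the replication-bind failure that follows it."""
    events = []
    pending_alert = None
    for line in log_text.splitlines():
        if _MISMATCH.search(line):
            pending_alert = line
            continue
        m = _REPL_FAIL.search(line)
        if m and pending_alert is not None:
            events.append({"agreement": m["agreement"], "peer": m["peer"], "alert": pending_alert})
            pending_alert = None
    return events


if __name__ == "__main__":
    # A certificate validly issued to another host in the same domain must not
    # be accepted for ultra60: this is exactly the substitution the check blocks.
    print(hostname_matches("ultra60.example.com", "attacker.example.com"))
    for ev in find_hostname_mismatches(SAMPLE_LOG):
        print(f"hostname mismatch on agreement {ev['agreement']!r} to {ev['peer']}")
```

<p class="text">
The scanner reports one event for the sample text: the second bind failure has no -12276 alert in front of it, so it is left alone. When the option is enabled and this pairing fires, the fix is to have the consumer's certificate reissued with the CN (or a subjectAltName) equal to the hostname used in the replication agreement, not to turn the check off.
</p>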
<p class="h2">
<a name="20476"> </a>
<a name="See also"> </a>
See also
</p>


<p class="text">
<a name="20477"> </a>
<a href="../en/slapd/ag/ssl.htm">Managing SSL</a>
</p>

</blockquote>
<!--end bookcontent-->
<!--footercontent defines the bottom navigation and the copyright. It also includes
the revision date-->
<!--start footercontent-->


<br />
<br />








<span class="navigation">
<a style="text-decoration: none; color:#006666" href="/manual/en/slapd/index.htm">
DocHome
</a>
</span>
&nbsp;&nbsp;&nbsp;&nbsp;



        
<hr noshade="noshade" size="1" />
<p class="copy">&copy; 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2003 Netscape Communications Corporation. All rights reserved.</p>
<br />
<p class="update">Last Updated <b>April 29, 2003</b></p>
    

<!--end footercontent-->
<!--end maincontent-->
</body>
</html>