path: root/ldap/docs/dirhlp/help/configtab_rootnode3.htm

<html>


<!--This html file is XHTML complaint, as set forth in the
w3c recommendations except for the following:
Lists work as they do in older versions on HTML and not as
directed in XHTML. 
The <a name=" "> tags have targets that use spaces. -->


<head>
<meta name="keywords" content="e-commerce, ecommerce, Netscape, Internet software, e-commerce applications, electronic commerce, ebusiness, e-business, enterprise software, net economy, software, ecommerce solutions, e-commerce services, AOL, America Online, netscape software, netscape solutions, marketplace, digital marketplace" />
<meta name="description" content="Netscape, an AOL Time Warner Company, produces the world renowned
Netscape Browser as well as top notch server software." />
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
<meta name="templatebase" content="Authored in FrameMaker. Converted to HTML  in WebWorks Publisher. manual wdt 1.6" />
<meta name="LASTUPDATED" content="04/29/03 15:35:31" />
<title>Netscape Directory Server Help: Encryption Tab</title>


<!--The following is a javascript which determines whether the client
is on a Windows machine, or is on another type of operating system. Once
the operating system is determined, either a windows or other operating
system cascading style sheet is used. -->
<script type="text/JavaScript" src="/manual/en/slapd/help/sniffer.js">

</script>


</head>




<body text="#000000" link="#006666" vlink="#006666" alink="#333366" bgcolor="#FFFFFF">

<!--maincontent defines everything between the body tags -->
<!--start maincontent-->

<!--navigationcontent defines the top row of links and the banner -->
<!--start navigationcontent-->

<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td><table border="0" cellspacing="0" cellpadding="0">
<tr>
<td valign="bottom" width="67">
<img src="/manual/en/slapd/help/netscape32.gif" height="32" width="32" border="0" alt="Netscape logo" />
</td>
<td valign="middle">
<span class="product">Netscape Directory Server</span>
<span class="booktitle">Console Help</span>
</td>
</tr>
</table>
</td>
</tr>

<tr>
<td>
<hr size="1" noshade="noshade" />








<span class="navigation">
<a style="text-decoration: none; color:#006666" href="/manual/en/slapd/index.htm">
DocHome
</a>
</span>
&nbsp;&nbsp;&nbsp;&nbsp;




</td>
</tr>
</table>

<!--end navigationcontent-->

<!--bookcontent defines the actual content of the file, sans headers and footers -->
<!--start bookcontent-->

<blockquote>
<br />
<p class="h1">
<a name="25232"> </a>
<a name="Encryption Tab"> </a>
Encryption Tab
</p>

<p class="text">
<a name="25233"> </a>
Use this tab to configure SSL for your directory. 
</p>
<p class="text">
<a name="25234"> </a>
<b>Enable SSL for this server.</b> Select this checkbox to enable SSL communications for the directory. Clear the checkbox to disable SSL.
</p>
<p class="text">
<a name="25235"> </a>
<b>Use this cipher family. </b>Select the checkbox next to the cipher family or families you want the server to use for SSL communications. 
</p>
<p class="text">
<a name="25236"> </a>
<b>Security Device.</b> Select the device you want the server to use.
</p>
<p class="text">
<a name="25237"> </a>
<b>Certificate.</b> Select the certificate you want the server to use. You must have a certificate set up on your system to use SSL.
</p>
<p class="text">
<a name="25238"> </a>
<b>Cipher settings. </b>Opens the Encryption Preferences dialog box, where you can select which ciphers you want the server to use from the cipher families you have already selected. By default, Directory Server comes with the following SSL ciphers:
</p>
<br />

<br/>
<table width="90%" border="1" cellspacing="0" cellpadding="4">
<tr>
<td valign="top">
<p class="tablehead">
<a name="28449"> </a>
SSL Cipher
</p></td>
<td valign="top">
<p class="tablehead">
<a name="28451"> </a>
Description
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27774"> </a>
None
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27776"> </a>
No encryption, only MD5 message authentication (rsa_null_md5).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27778"> </a>
RC4
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27780"> </a>
RC4 cipher with 128-bit encryption and MD5 message authentication (rsa_rc4_128_md5).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27782"> </a>
RC4 (Export)
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27784"> </a>
RC4 cipher with 40-bit encryption and MD5 message authentication (rsa_rc4_40_md5).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27786"> </a>
RC2 (Export)
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27788"> </a>
RC2 cipher with 40-bit encryption and MD5 message authentication (rsa_rc2_40_md5).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27790"> </a>
DES
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27792"> </a>
DES with 56-bit encryption and SHA message authentication (rsa_des_sha).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27794"> </a>
DES (FIPS)
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27796"> </a>
FIPS DES with 56-bit encryption and SHA message authentication. This cipher meets the FIPS 140-1 U.S. government standard for implementations of cryptographic modules (rsa_fips_des_sha).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27798"> </a>
Triple-DES
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27800"> </a>
Triple DES with 168-bit encryption and SHA message authentication (rsa_3des_sha).
</p></td>
  
</tr>
<tr>
<td valign="top">
<p class="tabletext">
<a name="27802"> </a>
Triple-DES (FIPS)
</p></td>
<td valign="top">
<p class="tabletext">
<a name="27804"> </a>
FIPS Triple DES with 168-bit encryption and SHA message authentication. This cipher meets the FIPS 140-1 U.S. government standard for implementations of cryptographic modules. (rsa_fips_3des_sha)
</p></td>
  
</tr>

</table>


<br />
<br />

<p class="text">
<a name="25239"> </a>
<b>Do not allow client authentication.</b> Select this option if you want client applications to connect to the server using only simple authentication.
</p>
<p class="text">
<a name="25240"> </a>
<b>Allow client authentication.</b> Select this option if you want client applications to be able to connect to the server using either simple authentication or client authentication.
</p>
<p class="text">
<a name="25241"> </a>
If you are using certificate-based authentication with replication, then you must select either "Allow client authentication" or "Require client authentication" on the consumer server.
</p>
<p class="text">
<a name="25242"> </a>
<b>Require client authentication. </b>Select this option if you want client applications to connect to the server using client authentication only. If you select this option, simple authentication is not allowed.
</p>
<p class="text">
<a name="14859"> </a>
<b>Use SSL in Netscape Console.</b> Select this checkbox if you want the communication between the Netscape Console and the directory to be secured using SSL.
</p>
<p class="text">
<a name="14866"> </a>
If you use this option with client authentication, communication between the Netscape Console and the server will take place over a secure channel, but without client authentication.
</p>
<p class="text">
<a name="28333"> </a>
<b>Check hostname against name in certificate for outbound SSL connections. </b>Select this check box if you want an SSL-enabled Directory Server (with certificate based client authentication turned on) to verify authenticity of a request by matching the hostname against the value assigned to the Common Name (CN) attribute of the subject name in the certificate being presented. 
</p>
<p class="text">
<a name="28412"> </a>
By default, this feature is disabled. If you enable it and if the hostname does not match the CN attribute of the certificate, appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these are logged in the supplier server's log files if it finds that the peer server's hostname doesn't match the name specified in its certificate:
</p>
<p class="text">
<a name="28356"> </a>
<code>[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)</code>
</p>
<p class="text">
<a name="28357"> </a>
<code>[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)</code>
</p>
<p class="text">
<a name="28361"> </a>
It is recommended that you turn this attribute on to protect Directory Server's outbound SSL connections against a Man In The Middle (MITN) attack.
</p>
<p class="h2">
<a name="20476"> </a>
<a name="See also"> </a>
See also
</p>


<p class="text">
<a name="20477"> </a>
<a href="../en/slapd/ag/ssl.htm">Managing SSL</a>
</p>

</blockquote>
<!--end bookcontent-->
<!--footercontent defines the bottom navigation and the copyright. It also includes
the revision date-->
<!--start footercontent-->


<br />
<br />








<span class="navigation">
<a style="text-decoration: none; color:#006666" href="/manual/en/slapd/index.htm">
DocHome
</a>
</span>
&nbsp;&nbsp;&nbsp;&nbsp;



        
<hr noshade="noshade" size="1" />
<p class="copy">&copy; 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2003 Netscape Communications Corporation. All rights reserved.</p>
<br />
<p class="update">Last Updated <b>April 29, 2003</b></p>
    

<!--end footercontent-->
<!--end maincontent-->
</body>
</html>