11.1. Introduction to TLS/SSL in the Directory Server
The Directory Server supports TLS/SSL to secure communications between LDAP clients and the Directory Server, between Directory Servers that are bound by a replication agreement, or between a database link and a remote database. Directory Server can use TLS/SSL with simple authentication (bind DN and password) or with certificate-based authentication.
Directory Server's cryptographic services are provided by Mozilla Network Security Services (NSS), a library of TLS/SSL and base cryptographic functions. NSS includes a software-based cryptographic token which is FIPS 140-2 certified.
Using TLS/SSL with simple authentication ensures confidentiality and data integrity. There are two major benefits to using a certificate — smart card, token, or software-based — to authenticate to the Directory Server instead of a bind DN and password:
Improved efficiency. Applications that prompt once for the certificate database password and then use that certificate for all subsequent bind or authentication operations are more efficient than applications that must continuously provide a bind DN and password.
Improved security. The use of certificate-based authentication is more secure than non-certificate bind operations because certificate-based authentication uses public-key cryptography. Bind credentials cannot be intercepted across the network. If the certificate or device is lost, it is useless without the PIN, so it is immune from third-party interference like phishing attacks.
The Directory Server is capable of simultaneous TLS/SSL and non-SSL communications. This means that you do not have to choose between TLS/SSL or non-SSL communications for the Directory Server; both can be used at the same time. Directory Server can also utilize the Start TLS extended operation to allow TLS/SSL secure communication over a regular (insecure) LDAP port.
To configure the Directory Server to use LDAPS, follow these steps:
1. Obtain and install a certificate for the Directory Server, and configure the Directory Server to trust the certification authority's (CA's) certificate.
   For information, see Section 11.2, “Obtaining and Installing Server Certificates”.
2. Turn on TLS/SSL in the directory.
   For information, refer to Section 11.4, “Starting the Server with TLS/SSL Enabled”.
3. Configure the Administration Server to connect to an SSL-enabled Directory Server.
4. Optionally, ensure that each user of the Directory Server obtains and installs a personal certificate for all clients that will authenticate with TLS/SSL.
   For information, refer to Section 11.7, “Configuring LDAP Clients to Use SSL”.
LDAP operations such as ldapmodify, ldapsearch, and ldapdelete can use TLS/SSL when communicating with an SSL-enabled server, and can use certificate authentication. Command-line options also specify or enforce Start TLS, which allows a secure connection to be enabled on a clear text port after a session has been initiated.
These Start TLS options apply only to the Mozilla LDAP tools provided with Red Hat Directory Server.
In the following example, a network administrator enforces Start TLS for a search for Mike Connor's identification number:
ldapsearch -p 389 -ZZZ -P certificateDB -s base \
    -b "uid=mconnors,ou=people,dc=example,dc=com" "(attribute=govIdNumber)"
-ZZZ enforces Start TLS, and certificateDB gives the filename and path to the certificate database.
The -ZZZ option enforces the use of Start TLS, and the server must respond that the Start TLS command was successful. If the -ZZZ option is used and the server does not support Start TLS, the operation is aborted immediately.
For information on the command-line options available, see the Directory Server Configuration, Command, and File Reference.
With the -ZZ option, the following errors could occur:
- If there is no certificate database, the operation fails. See Section 11.2, “Obtaining and Installing Server Certificates” for information on using certificates.
- If the server does not support Start TLS, the connection proceeds in clear text. To enforce the use of Start TLS, use the -ZZZ command option.
- If the certificate database does not have the certificate authority (CA) certificate, the connection proceeds in clear text. See Section 11.2, “Obtaining and Installing Server Certificates” for information on using certificates.
With the -ZZZ option, the following errors could occur, causing the Start TLS operation to fail:
- There is no certificate database. See Section 11.2, “Obtaining and Installing Server Certificates” for information on using certificates.
- The certificate database does not have the certificate authority (CA) certificate. See Section 11.2, “Obtaining and Installing Server Certificates” for information on using certificates.
- The server does not support Start TLS as an extended operation.
For SDK libraries used in client programs, if a session is already in TLS mode and Start TLS is requested, the connection remains in secure mode but the error "DSA is unwilling to perform" is printed.
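As an added illustration of the Start TLS exchange behind the -ZZ and -ZZZ options above and of the already-in-TLS case in the last paragraph (this is example code, not Directory Server or Mozilla LDAP SDK code): the client's Start TLS ExtendedRequest is encoded, the server's ExtendedResponse is parsed, and the fallback decision is applied. The result codes 0, 2 and 53 are standard LDAP values; the server replies are constructed here, and the function and constant names are assumptions of this example.

```python
# Added example, not Directory Server code: build the LDAP Start TLS extended
# request, parse the server's extended response, and apply the -ZZ / -ZZZ rules
# described above.  Server replies below are constructed, not captured.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # Start TLS extended operation OID
SUCCESS, PROTOCOL_ERROR, UNWILLING_TO_PERFORM = 0, 2, 53  # standard LDAP result codes

def ber(tag: int, content: bytes) -> bytes:
    """BER TLV with a short-form length (Start TLS messages are tiny)."""
    assert len(content) < 0x80, "long-form length not needed here"
    return bytes([tag, len(content)]) + content

def start_tls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x77, ber(0x80, STARTTLS_OID)))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the short-form TLV at pos."""
    tag, n = buf[pos], buf[pos + 1]
    assert n < 0x80, "long-form length not handled"
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_extended_response(msg: bytes):
    """Return (message_id, result_code, diagnostic) from an ExtendedResponse."""
    tag, body, _ = read_tlv(msg)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    assert tag == 0x78, "not an ExtendedResponse [APPLICATION 24]"
    _, code, pos = read_tlv(op)           # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)  # matchedDN LDAPDN
    _, diag, _ = read_tlv(op, pos)        # diagnosticMessage LDAPString
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def start_tls_decision(response: bytes, enforce: bool, already_tls: bool = False) -> str:
    """-ZZ (enforce=False) continues in clear text on failure; -ZZZ (enforce=True) aborts."""
    _, code, _ = parse_extended_response(response)
    if code == SUCCESS:
        return "upgrade"                  # switch the socket to TLS now
    if already_tls and code == UNWILLING_TO_PERFORM:
        return "secure"                   # session is already in TLS mode; stays secure
    return "abort" if enforce else "cleartext"

def extended_response(message_id: int, code: int, diag: bytes) -> bytes:
    """Constructed server reply for testing (no responseName field)."""
    op = ber(0x0A, bytes([code])) + ber(0x04, b"") + ber(0x04, diag)
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x78, op))
```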