- Setting Up the Directory Server and the Certificate Server
- Generating an SSL Server Certificate
- Generating an SSL Client Certificate
- Setting Up the Appropriate Trust Relations
- Enabling SSL for the Sun ONE Directory Server Software
- Setting Up LDAP/SSL Server Authentication
- Setting Up LDAP/SSL Client Authentication
- Successful and Secure Installation
Successful and Secure Installation
This article detailed how to set up an SSL-enabled LDAP server, explaining how to perform client and server authentication. User access to the Sun ONE Directory Server software can be granted not only on the basis of passwords but also on the basis of SSL certificates.
The success and the security of an SSL-enabled LDAP deployment, however, depend on additional factors that are beyond the scope of this article. These factors are:
- Passwords: In this article, passwords like manager, dirmanager, and manager1 were used. Make sure that your LDAP deployment follows a proper password policy.
- Certificates/private-public key pairs: The confidentiality of the private key is crucial to the overall security. Make sure that your company has a proper framework for using cryptography, explaining which cryptographic algorithms and key lengths should be used, where to store and how to protect items such as a public key, the policy for certificate revocation, legislative issues, and roles and responsibilities.
- Architectural issues: Deciding which Sun ONE software server should reside on which physical machine and how to achieve high availability, and which other security mechanisms (network security, host-based security, auditing, etc.) can help to protect the critical data stored in the LDAP repository.
- Workstation/client security: Deciding what measures can be taken to prevent the client (which might store a public key on its disk drive) from being compromised by malicious code such as a virus, and raising the security awareness of the user.
The secure installation and operation of an LDAP server depends not only on the security mechanisms but also on the policies backing these mechanisms.