Enabling Secure LDAP Connections

A trusted root provides the basis of trust in a public key infrastructure. A trusted root is a certificate that you implicitly trust and that you install into your browser (or other client software). In the context of SSL security, your browser automatically validates any server certificate that was signed by one of the trusted roots that has been installed and activated in your browser. In eDirectory, the CA and Key Material objects are installed by default when you accept the certificate server. Netscape and Microsoft Internet Explorer browsers are preconfigured with various trusted root certificates.


Understanding the Secure Sockets Layer Protocol

LDAP Services for eDirectory supports the SSL protocol so that the connection over which data is transmitted is secure and private.

SSL establishes and maintains secure communication between SSL-enabled servers and clients across the Internet. To ensure message integrity, SSL uses a hashing algorithm. To ensure message privacy, SSL provides for the creation and use of encrypted communications channels. To prevent message forgery, SSL allows the server and, optionally, the client to authenticate each other during the establishment of the secure connection.


Key Material Object

To implement the authentication and encryption processes, SSL uses a cryptographic mechanism called public keys. To establish a secure connection, the server and the client exchange their public keys to establish a session key. The session key encrypts the data for the life of the connection. A subsequent LDAP connection over SSL will result in the generation of a new session key that is different from the previous one.

Each LDAP server requires a digital certificate to implement SSL. Digital certificates are issued by a certification authority (CA). Certificates are stored in the Key Material object. You can use the ConsoleOne Novell Certificate Server snap-in to request, manage, and store certificates in eDirectory. Refer to the Novell Certificate Server help for more information on setting up a certificate on a server. (Click Help on any Key Material object page.)

Once a certificate is stored in eDirectory, the LDAP server uses it for LDAP SSL connectivity only if you specify the Key Material object that contains it on the LDAP Server SSL Configuration page in ConsoleOne:

  1. Right-click the LDAP Server object.

  2. Click the SSL Configuration tab.

  3. Enter the name of the Key Material object in the SSL Certificate field.

    Multiple Key Material objects can hold various SSL certificates within eDirectory, but the LDAP server uses only the one defined by this parameter for SSL connections. You can enter the partial name of the Key Material object or browse through a list of available objects.


Configuring SSL

SSL can be configured on both the client and server to ensure the identity of both parties, but clients do not require digital certificates to communicate securely. As the LDAP server listens for SSL connections on a special port, the client can initiate the connection over that port automatically when accepting the certificate server or manually by performing the following:

  1. In ConsoleOne, right-click the LDAP Server object.

  2. Click the SSL Configuration tab.

  3. Enter the SSL port number for the LDAP services on an eDirectory server.

    You can also click Disable SSL Port so that encrypted messages cannot be exchanged through the network.

When you make changes to your LDAP Services for eDirectory configuration using ConsoleOne, some of the changes take effect dynamically without restarting the LDAP server.


Enabling Mutual Authentication

To prevent message forgery, SSL lets the server and optionally the client authenticate to each other during the establishment of the secure connection.

  1. In ConsoleOne, right-click the LDAP Server object.

  2. Click the SSL Configuration tab.

  3. Select Enable Mutual Authentication.


Exporting the Trusted Root

You can export the trusted root automatically when accepting the certificate server or manually by performing the following:

  1. Export the self-assigned CA from eDirectory.

    1. Right-click the Key Material Object > click Properties.

    2. Click the Certificates tab > Public Key Certificates.

    3. Click Export.
      Change the file extension to .x509 if the file is going to be imported into a Netscape browser.

  2. Install the self-assigned CA in all browsers that establish secure LDAP connections to eDirectory.

Internet Explorer 5 exports root certificates automatically with a registry update. The traditional .x509 extension used by Microsoft is required. See Step 2.
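
For client software other than a browser, the exported trusted root can be loaded directly as the only trust anchor for the LDAP SSL connection. The following is an added example, not part of the Novell documentation; port 636, the TLS 1.2 minimum, the PEM/DER handling, and all file and host names are assumptions to adjust for your site.

```python
import socket
import ssl

LDAPS_PORT = 636  # assumption: conventional LDAP-over-SSL port; use the SSL Configuration tab value


def build_ldaps_context(trusted_root_file=None, client_cert=None, client_key=None):
    """Client TLS context that trusts only the trusted root exported from eDirectory."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking, and loads
    # no system CA store, so only the root loaded below is trusted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: server offers TLS 1.2+
    if trusted_root_file:
        with open(trusted_root_file, "rb") as fh:
            blob = fh.read()
        # Assumption: the export is either Base64 (PEM) text or binary DER.
        is_pem = blob.lstrip().startswith(b"-----BEGIN")
        ctx.load_verify_locations(cadata=blob.decode("ascii") if is_pem else blob)
    if client_cert:
        # Needed only when Enable Mutual Authentication is selected on the server.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def check_ldaps(host, ctx, port=LDAPS_PORT, timeout=5.0):
    """Handshake with the LDAP SSL port; return (ok, detail) without sending LDAP data."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return True, f"{tls.version()} CN={subject.get('commonName')}"
    except ssl.SSLCertVerificationError as exc:
        # Raised when the server certificate does not chain to the loaded root
        # or does not match the host name.
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    import sys
    # Usage: script.py <exported_root_file> <host>; both values are site-specific.
    if len(sys.argv) == 3:
        print(check_ldaps(sys.argv[2], build_ldaps_context(sys.argv[1])))
```

A "certificate rejected" result means the server's certificate was not issued under the root you exported, or its name does not match the host you connected to.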


Importing the Trusted Root into the Browser


Importing the Trusted Root into Netscape Navigator

  1. Click File > Open Page.

  2. Click Choose File > open the trusted root file that was previously exported.

    This launches the New Certificate Authority Wizard.

    The New Certificate Authority Wizard does not launch if you do not have the correct file extension registered on your workstation. This is usually the case if you have installed Internet Explorer 5 or Windows NT Service Pack 4 or later.

    To fix this problem:

    • Exit Navigator.
    • Run the file X509.REG (located in install_directory\NDS, where install_directory is the directory name you selected when you installed eDirectory).
    • Rename the trusted root certificate file you exported to the .X509 extension.
    • Import the certificate into Navigator.

  3. Follow the online prompts.

  4. Check Accept This Certificate Authority for Certifying Network Sites.


Importing the Trusted Root into Internet Explorer

  1. Select File > Open.

  2. Locate and select the trusted root file that was previously exported.

    This launches the New Site Certificate Wizard.

  3. Follow the online prompts.

    Internet Explorer 5 imports root certificates automatically.


