Managing Servers with Netscape Console • December 2001

Managing Certificates

The set of standards and services that facilitate the use of public-key cryptography 
and X.509 v3 certificates in a network environment is called the public key 
infrastructure (PKI). PKI management is a complex topic beyond the scope of this 
document. The sections that follow introduce some of the specific certificate 
management issues addressed by Netscape products.

Issuing Certificates

Certificates and the LDAP Directory

Key Management

Renewing and Revoking Certificates

Registration Authorities

Issuing Certificates

The process for issuing a certificate depends on the certificate authority that issues 
it and the purpose for which it will be used. The process for issuing nondigital 
forms of identification varies in similar ways. For example, if you want to get a 
generic ID card (not a driver’s license) from the Department of Motor Vehicles in 
California, the requirements are straightforward: you need to present some 
evidence of your identity, such as a utility bill with your address on it and a 
student identity card. If you want to get a regular driving license, you also need to 
take a test—a driving test when you first get the license, and a written test when 
you renew it. If you want to get a commercial license for an eighteen-wheeler, the 
requirements are much more stringent. If you live in some other state or country, 
the requirements for various kinds of licenses will differ.

Similarly, different CAs have different procedures for issuing different kinds of 
certificates. In some cases the only requirement may be your email address. In 
other cases, your UNIX or NT login and password may be sufficient. At the other 
end of the scale, for certificates that identify people who can authorize large 
expenditures or make other sensitive decisions, the issuing process may require 
notarized documents, a background check, and a personal interview.

Depending on an organization’s policies, the process of issuing certificates can 
range from being completely transparent for the user to requiring significant user 
participation and complex procedures. In general, processes for issuing certificates 
should be highly flexible, so organizations can tailor them to their changing needs.

Summary of Contents for NETSCAPE CONSOLE 6.0 - MANAGING SERVERS

Page 1: ...Managing Servers with Netscape Console Netscape Console Version6 0 December 2001 ...

Page 2: ...CLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS PROFITS USE OR DATA The Software and documentation are copyright 2001 Sun Microsystems Inc Portions copyright 1999 2001 Netscape Communications Corporation All rights reserved Contains the Taligent International Classes from Taligent Inc and IBM Corp Netscape and the Netscape N logo are registered trademarks of Netscape Communications...

Page 3: ...tscape Console 19 Chapter 1 Introducing Netscape Console and Administration Server 21 Chapter 2 Installing Netscape Servers and Console 25 The Setup Program 26 Installing a New Server 26 Directory Server Must Be Installed First 26 Administration Server Is Required in Each Server Root 26 Installation Modes 27 Express 27 Typical 27 Custom 27 Installing Netscape Console as a Stand Alone Application 2...

Page 4: ...e Basics 41 Chapter 3 Using Netscape Console 43 Starting Netscape Console and Logging In 43 Starting Netscape Console 43 To Start Netscape Console on UNIX 43 To Start Netscape Console on Windows NT 44 Logging in to Netscape Console With a User Name and Password 45 To Log in to Netscape Console With a User Name and Password 45 Logging in to Netscape Console Using Client Authentication 46 To Request...

Page 5: ... 64 To Delete a Custom View 64 Administration Express 65 Accessing Administration Express 65 To Open Administration Express 65 Using Administration Express 67 To Start or Stop a Server Instance from Administration Express 67 To View Basic Server Information from Administration Express 67 To View Access and Error Logs from Administration Express 67 Setting the Refresh Rate for Administration Expres...

Page 6: ...tory 88 Choosing a Different Directory to Search 89 To Change the Directory to Search 89 Creating New Directory Entries 89 Users 90 To Create a New User Entry in the Directory 90 The User s Preferred Language 93 Administrators 93 To Create an Administrator 94 Specifying Windows NT and UNIX Options 94 To Enable Windows NT and UNIX Panels for an Individual User 95 To Enable Windows NT and UNIX Panel...

Page 7: ...rver from the NT Control Panel 114 Logging Options 114 To View the Access Log 115 To View the Error Log 115 To Change Where Logs are Stored 116 The Netscape Administration Page 116 To Access the Administration Page 117 Chapter 7 Administration Server Configuration 119 Network Settings 119 To Configure Network Settings 120 Access Settings 121 To Set Administration Server Access Settings 122 Encrypt...

Page 8: ...46 Tasks and Options 146 Usage 151 JAR Information File 152 JAR Information File Syntax 154 Examples of Using modutil 159 Part 4 Advanced Server Management 165 Chapter 9 Access Control 167 Overview of Access Control 167 Examples of Access Control 168 Setting Access Permissions For Servers 170 To Set Access Permissions for a Server in the Navigation Tree 170 Working With Access Control Instructions...

Page 9: ...ate a Certificate Request 184 Sending a Server Certificate Request 186 To Send a Server Certificate Request as email 186 Installing the Certificate 187 To Back Up a Certificate 187 To Install a Server Certificate 187 To Install a CA Certificate or Server Certificate Chain 188 Backing Up and Restoring Your Certificate Database 189 To Back Up Your Certificate Database 189 To Restore Your Certificate...

Page 10: ...lient Authentication for Users 206 Chapter 11 Using SNMP to Monitor Servers 209 SNMP Basics 209 How SNMP Works 211 Netscape MIBs 211 The Administration Server MIB 212 Types of SNMP Messages 213 Network Management Station Initiated Communication 213 Server Initiated Communication 213 Setting Up SNMP on UNIX 214 Using a Proxy SNMP Agent on UNIX 215 Installing and Starting the Proxy SNMP Agent 216 To...

Page 11: ... SNMP on Windows NT 225 Part 5 Appendixes 227 Appendix A Fortezza 229 How It Works 229 How Fortezza Crypto Cards are Certified 230 Fortezza Keys Certificates and Encryption 230 CRLs and CKLs 231 Encryption Algorithms 231 SKIPJACK 231 SSL Protocol 231 RC4 Encryption 231 NULL Encryption 231 Enabling Fortezza 231 To Enable Fortezza on Administration Server 232 Appendix B Introduction to Public Key Cr...

Page 12: ...Trust 254 CA Hierarchies 255 Certificate Chains 256 Verifying a Certificate Chain 257 Managing Certificates 260 Issuing Certificates 260 Certificates and the LDAP Directory 261 Key Management 261 Renewing and Revoking Certificates 262 Registration Authorities 263 Appendix C Introduction to SSL 265 The SSL Protocol 265 Ciphers Used with SSL 267 Cipher Suites With RSA Key Exchange 268 Fortezza Ciphe...

Page 13: ...e Netscape servers It is divided into the following parts Part 1 Overview of Netscape Console Part 2 Netscape Console Basics Part 3 Using Netscape Administration Server Part 4 Advanced Server Management Part 5 Appendixes Conventions Used in This Guide The following typographical conventions are used in this guide Monospaced font This typeface is used for any text that appears on the computer scree...

Page 14: ...ole menu choose Security Manage Certificates means that you should open the Console menu select the Security item to open its submenu and then choose the Manage Certificates item from that submenu Start In Windows NT related sections of this guide Start typically refers to the Windows NT Start menu button For example click Start and then choose Programs Netscape Server Products Netscape Console Ve...

Page 15: ...Netscape Console or Administration Server 1 From the Help menu choose Contents or press the F1 key A browser window opens and displays an HTML version of the table of contents for this manual Click a link to go to a chapter or section To View This Manual From Another Product 1 From the server management window s Help menu choose Documentation Resources A browser window opens and displays a Documen...

Page 16: ...n Help Topics and Procedures This displays a list of all available help topics and procedures for the product you re working in Manual Contents This displays the table of contents of the manual for the product you re working in Manual Index This displays the index of the manual for the product you re working in Documentation Resources This displays the Documentation Resources page which contains l...

Page 17: ... Click the desired topic from the bottom frame These topics are links to sections of this guide Clicking one opens a browser displaying the appropriate section 4 To dismiss the Search Index dialog box click Close To Open the Product Homepage From the Help menu choose Documentation Resources A browser window opens containing a list of Netscape Console related links You can also access this page by ...

Page 18: ...Getting Additional Help 18 Managing Servers with Netscape Console December 2001 ...

Page 19: ...19 Part 1 Overview of Netscape Console Chapter 1 Introducing Netscape Console and Administration Server Chapter 2 Installing Netscape Servers and Console ...

Page 20: ...20 Managing Servers with Netscape Console December 2001 ...

Page 21: ... the enterprise Typically application and server configuration information is stored in one subtree of Netscape Directory Server while user and group entries are stored in another subtree If you have a large enterprise however you can store your configuration and user information in separate instances of Directory Server which can be on the same host machine or on two different host machines When ...

Page 22: ...tance of Administration Server that is already there If a product includes a newer version of Administration Server and Console than the versions in the root folder the installer updates the folder with the latest versions Administration Server and Console are backward compatible all existing Netscape servers will continue to work normally The system for managing Netscape products works as follows...

Page 23: ...s it sends Lightweight Directory Access Protocol LDAP messages directly to Directory Server The information in these messages is then stored in the user directory Figure 1 2 illustrates the system Figure 1 2 A Simple System With Netscape Console Figure 1 2 shows an example of a relatively simple system As your enterprise grows and your needs change you have the flexibility to add additional hosts ...

Page 24: ... Netscape Console The rest of this guide shows you how to install and use Netscape Console and Administration Server to manage servers applications and users If you would like to learn more about how Netscape Console works before installing the product see A Tour of Netscape Console on page 49 ...

Page 25: ...w of the Netscape Server Products Setup program and how it is used in various situations This chapter contains the following sections The Setup Program Upgrading to Version Version 6 0 Silent Installation Uninstallation Each Netscape server has its own detailed installation instructions ...

Page 26: ...e Setup program checks this user ID and password against the installed directory If the values do not match authentication fails and you can t complete the installation For detailed information on installing the Directory Server see the server s documentation When you install a Directory Server for the first time Netscape Administration Server and Console are automatically installed for you Admini...

Page 27: ...l letting them modify settings such as directory location port numbers user names and passwords Custom Use this mode only if you ve run the installer before and are familiar with server configuration settings and how to modify them This mode is most useful to the administrator who routinely installs and upgrades servers and whose company has already identified special enterprise needs When using c...

Page 28: ...u want to install Netscape Console If the specified folder does not exist the Setup program will create it for you 5 Press Enter The Setup program installs Netscape Console in the folder you specified Once installation completes you can run Netscape Console by navigating to the folder you specified as the installation location and then typing startconsole To Install Netscape Console as a Stand Alo...

Page 29: ...m installs Netscape Console in the specified folder 7 When the installer completes click Finish Once installation completes you can run Netscape Console by clicking Start and then choosing Programs Netscape Server Products Netscape Console Version 6 0 Upgrading to Version Version 6 0 If you already have versions of Netscape Console and Administration Server installed on your system you can upgrade...

Page 30: ... to install Enter 1 for Netscape Servers Choose an installation type Enter 2 for Typical Installation location Enter the location where Administration Server is currently installed If Administration Server was installed with another Netscape server enter the path to that product s server root For example if you installed Netscape Directory Server 4 1 in the usr netscape server4 folder then you wou...

Page 31: ...er specified by the Configuration Admin ID or DN 5 Press Enter The installer replaces your existing Administration Server and Console with the new versions of the software Once installation completes you can run Netscape Console by navigating to the folder you specified as the Install location and then typing startconsole To Upgrade on Windows NT 1 Download the compressed product binaries for Nets...

Page 32: ...ou installed Netscape Directory Server 4 1 in the C Netscape Server4 folder you would enter C Netscape Server4 as your installation location Select the products you want to install Both boxes are checked by default User ID or Distinguished Name Enter the user ID or distinguished name of the administrator who is currently authorized to access the configuration directory Password Enter the password ...

Page 33: ...ion screen appears 4 Proceed through the installation process Here are the prompts you encounter with instructions about what to do Would you like to continue with installation Press Enter for Yes Do you agree to the license terms Enter Yes Select the component you want to install Enter 2 for Netscape Console Installation location Enter the location where Netscape Console is currently installed 5 ...

Page 34: ...tallation startup screen appears 3 Click Next 4 Proceed through the installation process Here are the prompts you encounter with instructions about what to do Do you accept all of the terms of the preceding license agreement Click Yes Choose the type of Setup you prefer Select Netscape Console Installation directory The installer will automatically supply the location where Console is currently in...

Page 35: ...nswers and then run the Netscape Server Products Setup program in silent mode The easiest way to create a set of installation answers is to perform an installation and save your installation cache to a file Once you ve done this you can modify the cache file and then use it when performing additional installations You can use Silent Installation to upgrade multiple instances of Administration Serv...

Page 36: ...swer file specified by filename On UNIX Silent Installation outputs some status messages and alerts Complete status information is written to the setup setup log file which is contained in the destination directory that you indicate during installation On Windows NT Silent Installation does not produce any status messages or alerts All status information is written to the setup setup log file whic...

Page 37: ...ntly authorized to access the configuration directory Password Enter the password for the user specified by the Configuration Admin ID or DN 3 Press Enter The uninstaller removes the selected software If the uninstaller cannot remove all files in the server root it prints a message to the screen To remove any remaining files go to the server root and delete the files manually To Uninstall a Netsca...

Page 38: ...nts a message to the screen To remove any remaining files go to the server root and delete the files manually Silent Uninstallation The Silent Uninstallation feature allows you to automatically uninstall a product without providing answers to uninstallation questions To Perform a Silent Uninstallation on UNIX From the system prompt run the uninstallation program in silent mode by typing uninstall ...

Page 39: ...ninstall uninstallation will fail In this case no product files or configuration information will be removed If you want the uninstallation program to remove the local product files regardless of whether it can contact the instance of Directory Server containing configuration information run the uninstallation program by typing uninstall s force The uninstallation program does not produce any stat...

Page 40: ...Uninstallation 40 Managing Servers with Netscape Console December 2001 ...

Page 41: ...41 Part 2 Netscape Console Basics Chapter 3 Using Netscape Console Chapter 4 Servers in Netscape Console Chapter 5 User and Group Administration ...

Page 42: ...42 Managing Servers with Netscape Console December 2001 ...

Page 43: ...ration Server on your network Typically you log in to Netscape Console using your own user name and password If the instance of Administration Server that you re logging in to requires client authentication you will be prompted to present a client certificate This certificate is used to create a secure channel of communication between Netscape Console and the instance of Administration Server Star...

Page 44: ... want to log in to For example to log in to http eastcoast example com 987 you would enter the following startconsole a http eastcoast example com 987 f fileName Captures errors and system messages to fileName For example to capture all errors and messages to a file called system out you would enter the following startconsole f system out h Prints out the help message for startconsole l languageCo...

Page 45: ...4 w password Specifies the password for the user entered with the u argument For example to start Netscape Console and log in with the user ID bjensen and password super15243 you would enter the following startconsole u bjensen w super15243 x extraOptions Specifies that you want to use extra options Possible values for extraOptions are nowinpos and nologo If you specify the nologo option the Netsc...

Page 46: ...rs and server operations you can access through Netscape Console See Overview of Access Control on page 167 for more information Logging in to Netscape Console Using Client Authentication When logging in to an instance of Administration Server that has been configured to require client authentication you enter your user name and password and then present a client certificate This certificate is us...

Page 47: ...see Chapter 10 Using SSL and TLS with Netscape Servers which begins on page 179 To Request and Install a New Client Certificate 1 Go to the web site for a certificate authority CA that is trusted by the instance of Administration Server that you want to establish a secure connection with 2 Follow the CA s instructions to request and install a client certificate To Make Your Client Certificate Avai...

Page 48: ...te database files that Netscape Console uses during client authentication These files are only used by Netscape Console Administration Server creates and uses its own certificate database files To Establish a Secure Connection With an Instance of Administration Server 1 Start Netscape Console For more information see To Start Netscape Console on UNIX on page 43 and To Start Netscape Console on Win...

Page 49: ...cept certificates from your CA your user name and password will be authenticated and you will see the main Netscape Console interface Otherwise you will be prompted to select a different certificate A Tour of Netscape Console After you log in to an Administration Server you see the main Netscape Console interface This section introduces the graphical elements of this interface and explains the bas...

Page 50: ...tion see the documentation for each product Figure 3 1 The Servers and Applications Tab of the Main Netscape Console Window Object Perform tasks related to resources such as administration domains server groups and servers Help Obtain online assistance while using Netscape Console Table 3 2 Netscape Console s Menus and What You Can Do With Them Continued Menu What It Lets You Do ...

Page 51: ...erver group consists of all servers that are managed by a common instance of Administration Server and that share a server root folder The individual servers in a server group are instances of server software that provide specific services such as directory database services messaging and publishing Figure 3 1 shows a sample navigation tree In this example the example com administration domain inc...

Page 52: ...tration Domain dialog box enter domain information Domain Name Enter a name that helps you identify this domain This can be a fully qualified domain name such as example com or a descriptive title such as East Coast Sales User Directory Host Specify the host machine on which the user directory for this domain is located Use the fully qualified domain name For example east example com User Director...

Page 53: ...ne user directory location separated by spaces This is useful when you use multiple directories to allow users to log in if a primary Directory Server is inaccessible Example east example com 389 west example com 393 See User Authentication and Directory Failover Support on page 128 for more information All host computers specified in the User Directory Host and Port field must have the same setti...

Page 54: ...lick OK Customizing Netscape Console This section tells you how to specify where to store display settings as well as how to change Netscape Console s appearance to meet your specific needs It explains the following How to specify where Netscape Console should store your display preferences How to specify which fonts Netscape Console should use for onscreen elements How to create custom views of t...

Page 55: ... to use your settings no matter where you are when you log in to Netscape Console This option is useful if you frequently roam between a number of similar workstations at your business site No matter what workstation you re using when you log in to Netscape Console you can use your preset display preferences On your computer s hard disk Select this option if you want to be able to use different di...

Page 56: ...een Element column click a screen element that you want to change the font for The Font column contains samples of the fonts that are currently associated with the listed screen elements 5 Click Change Font The Select Font dialog box appears 6 In the Select Font dialog box make your font selections Font Choose the font face you want to use for this element Size Choose a size for the selected font ...

Page 57: ...e To Rename a Font Profile 1 In the main Netscape Console window from the Edit menu choose Preferences 2 Click the Fonts tab 3 Select the font profile to rename From the Font Profile drop down list choose a profile If the list is grayed out no profiles are available 4 Click Save As enter the new name for this profile and then click OK A new profile with the name you specified appears in the Font P...

Page 58: ... From the Font Profile drop down list choose a profile If the list is grayed out no profiles are available 4 Click OK To Remove a Font Profile 1 In the main Netscape Console window from the Edit menu choose Preferences 2 Click the Fonts tab 3 Select the font profile to remove From the Font Profile drop down list choose a profile If the list is grayed out no profiles are available 4 Click Remove an...

Page 59: ... of the main Netscape Console window you want to see To Customize the Main Window Select or deselect items in the View menu Selecting a menu item displays it and deselecting an item hides it You can show or hide the following screen elements Banner Bar Status Bar Tree Figure 3 2 The Banner Bar Navigation Tree and Status Bar ...

Page 60: ...tting display fonts use tables You can change the position and adjust the width of columns in these tables To Change Column Position in a Table Drag each column head into the desired position See Figure 3 3 for an example When you release the mouse button the column will snap into its new position Figure 3 3 Changing the Position of a Column ...

Page 61: ... Navigation Tree You can create custom views of the navigation tree Custom views are useful when you want to see the resources that you access routinely and hide resources that you access infrequently When creating a custom view you can specify whether the view is public or private A public view is visible to any user who logs in to Netscape Console A private view is visible only to the person who...

Page 62: ... text field and enter a descriptive name for this Custom View 4 Select a resource from the Default View navigation tree on the left Click Copy to include it in your Custom View navigation tree on the right If you need to remove a resource from the new tree select it and click Remove You can select a range of resources by clicking the first item and then pressing Shift while clicking the last item ...

Page 63: ...When you install Netscape Console a Custom View called Server View is configured for you This view displays server instances grouped by type it does not include administration domains hosts or server groups To Switch to a Custom View Choose the desired custom view from the drop down list on the Servers and Applications tab To return to the default view choose Default View from the drop down list F...

Page 64: ... list and click Access 3 Specify the ACI you want to use or create a new ACI If you want to use an existing Access Control Instruction ACI select it and click OK If you want to create a new ACI click New and then follow the directions for creating a new ACI under Using the ACI Manager and ACI Editor beginning on page 172 4 Click OK when you have finished setting access permissions For more informa...

Page 65: ...dministration Server to version 4 2 or later If you try to use Administration Express with a server using a pre 4 2 version of Administration Server you ll get the message Status Unknown If you turn off the instance of Administration Server that you used to log in to Administration Express you will no longer be able to use that Administration Express page If this happens log in again using a diffe...

Page 66: ...ce is configured to require client authentication you may be prompted to present a client certificate Typically accepting server certificates involves clicking through several dialog boxes while presenting a client certificate involves making a selection from a drop down list If you need more information on accepting server certificates and presenting client certificates see your browser documenta...

Page 67: ...pped instance of Administration Server or an instance that s using SSL encryption UNIX To start a stopped instance of Administration Server or an instance that s running SSL you must always run start admin from the command line For more information on starting the Administration Server see Restarting Administration Server on page 111 Windows NT To start a stopped instance of Administration Server ...

Page 68: ...s and applications at regular intervals To Set the Refresh Rate for Administration Express 1 In a text editor open the serverRoot admin serv config adm conf file 2 Add the following line to adm conf ExpressRefreshRate refreshRate where refreshRate is an integer value representing the number of seconds Administration Express should wait before refreshing its display For example entering ExpressRefr...

Page 69: ...Tree If you already have pre 4 0 versions of Netscape servers installed in your enterprise you can access them through the Netscape Console navigation tree This capability is useful when you want to continue using a pre 4 0 server while preparing to deploy a newer version and you want all servers accessible in one tree Pre 4 0 servers that are added to the navigation tree are not integrated comple...

Page 70: ...ade the server to version 4 0 or later and then migrate your original configuration data to the new version See Migrating from a Pre 4 0 Server to a Newer Server on page 71 for more information Figure 4 1 shows an example of a pre 4 0 server listed in the Netscape Console navigation tree and managed from a browser Figure 4 1 A Pre 4 0 Server Listed in the Navigation Tree and Managed From a Browser...

Page 71: ...tion Domain From the drop down list select the administration domain that you want to add the pre 4 0 server to 3 Click OK The Server List window appears This window lists all server instances that use the instance of Administration Server entered in step 2 4 In the Server List window deselect servers that you do not want to add to the navigation tree By default all servers in the server root are ...

Page 72: ...p s instance of Administration Server is turned on and that you have the access privileges you need to configure a new server 5 From the Object menu choose Migrate Server Config 6 In the Migrate Server Configuration window enter the absolute path to the pre 4 0 server root folder and then click OK 7 In the Select Server for Migration window check the pre 4 0 server that you want to migrate to a ne...

Page 73: ...iguration settings. You can access these by opening a server management window. To Open a Netscape Server Management Window: 1. In Netscape Console, click the Servers and Applications tab to see the navigation tree on the left and server information on the right. 2. In the navigation tree, click a server to select it. 3. In the information panel on the right-hand side of the window, click Open. You can also o...

Page 74: ...r testing, and for when one host is used for multiple purposes. For example, a company's Human Resources and Finance departments each need a web server. Because each department has limited publishing requirements, one host can serve both departments' needs. The administrator installs the web server software once, creating one instance of the server, and then creates a second instance. One instance is for th...

Page 75: ...useful when you want to add detailed descriptions of the different installations in your organization. To Modify Host, Server Group, and Instance Information: 1. In the Netscape Console navigation tree, select the host, server group, or instance for which you want to modify information. 2. In the information panel, click Edit. 3. Edit information for the following fields. Host, Group, or Server Name: Enter a descript...

Page 76: ...ct a reference server, the server that has the settings you want to replicate on other servers of the same type. 2. From the Object menu, choose Clone Server. 3. In the Select Target Servers for Cloning window, select the servers that you want to copy the reference server's settings to. 4. Click OK. Removing a Server Instance: You can remove an instance of any server other than Administration Server from the...

Page 77: ...Directory utility is useful if you've installed and deployed a number of Netscape servers and now find it necessary to merge new data into an existing configuration directory. For example, you may wish to test out a new product before deployment. Rather than make major changes to an existing configuration directory, you can try the product with a pilot instance of Directory Server, using just the new d...

Page 78: ...s and the Servers They Have Settings For, Before Using the Merge Configuration Directory Utility. Figure 4-4 shows what the same two configuration directories would contain after you merged them. Figure 4-4: Two Configuration Directories and the Servers They Have Settings For, After Using the Merge Configuration Directory Utility ...

Page 79: ...nfiguration directory. Example: 389. Secure Connection: Check this box if the configuration directory uses the Secure Sockets Layer (SSL) protocol on the port specified above. Make sure that SSL is enabled on the destination configuration directory before selecting this option. Destination LDAP Bind DN: Enter the distinguished name for a user who has access to the destination configuration directory. Exampl...

Page 80: ...Working with Netscape Servers. 80. Managing Servers with Netscape Console, December 2001 ...

Page 81: ...r 9, Access Control, shows you how to work with user and group information when setting access privileges and other security information. Interacting with Directory Server: When you use Netscape Console to create or modify users and groups, you make changes in the user directory, a subtree of Directory Server. These changes affect all applications that use Directory Server. For information on how Netscape...

Page 82: ...stinguished names, directory attributes, and syntax information. For a more detailed discussion of these concepts, see the Netscape Directory Server Administrator's Guide. Distinguished Names: A distinguished name (DN) is the string representation of an entry's name and location in an LDAP directory. A DN describes a path to a directory entry. Each DN is made up of a number of components called relative dis...

Page 83: ...anizational units (ou) and for the same company or organization (o=Klondike Corp). The third user works in a different state (st) from the first two users. LDAP allows organizations and organizational units to contain other organizations and organizational units, allowing for the representation of complex enterprises. For example, the DN for a group within a large corporation might look like this: cn=Technica...

Page 84: ...llowing DN: cn=Barbara Jones, ou=Engineering, dc=example, dc=com. l (locality): Locality in which the user or group resides. This can be the name of a city, country, township, or other geographic region. Examples: l=Tucson; l=Pacific Northwest; l=Anoka County. o (organization): Organization to which the user or group belongs. Examples: o=Netscape E-Commerce Solutions; o=Public Power & Gas. ou (organizational unit): Unit wit...

Page 85: ...For more detailed information, see the Netscape Directory Server Administrator's Guide. Table 5-2: Common User and Group Directory Attributes (Attribute Keyword, Attribute Name, Description). givenName (given name): User's first name. mail (email address): User's or group's email address. streetAddress (street): Street number and address of the user or group defined by the entry. Example: street=494 Rice Creek Terrace. tel...

Page 86: ...tes regardless of an entry's object classes. For more information on required attributes and schema checking, see the Netscape Directory Server Administrator's Guide and the Netscape Directory Server Schema Reference Guide. Specify RDNs in the same sequence or path: It is important to remember that a DN represents a path through a directory tree. If RDN keywords are not specified in the appropriate ord...

Page 87: ...roups Search function to locate directory entries. Initially, the function is set to search within the default user directory. If you do not want to use the default user directory, you can manually change to another one. See "Choosing a Different Directory to Search" on page 89 for more information. Figure 5-1: The Users and Groups Tab of Netscape Console ...

Page 88: ...while entering John returns all entries with DNs containing the word John. To see all the entries currently stored in your directory, leave the Search field blank or enter an asterisk (*). Keep in mind that retrieving all entries in a large database can take a long time. To specify more focused search criteria, click the Advanced button. In the Search Users and Groups dialog box, enter the following informati...

Page 89: ...sed to connect to the user directory. Secure Connection: Check this box if the port number entered above is for use with the Secure Sockets Layer (SSL) protocol. Make sure that the port is configured to support SSL before selecting this option. User Directory Subtree: Enter the DN of the user directory subtree to search in. For example, to search all user entries in your organization, you might enter o=exam...

Page 90: ...n individual person or resource in the directory. For example, you can create user entries for John Smith, Printer 3B, or Conference Room 25. To Create a New User Entry in the Directory: 1. In Netscape Console, click the Users and Groups tab. 2. Click the Create button and then choose User. You can also open the User menu and choose Create User. ...

Page 91: ...unit (ou) to which the user will belong, and then click OK. 4. In the Create User window, enter user information. First Name: Enter the user's first name. Last Name: Enter the user's last name (surname). Common Name: This is the user's full name. It is automatically generated based on the First Name and Last Name entered above. You can edit this name as necessary. ...

Page 92: ...separate them with commas. For example: 555-2211, 555-1221. 5. If you want to specify language-related information, click the Languages tab. From the drop-down list in the Languages panel, select the user's preferred language, and then enter language-related information. First Name: Enter the user's first name in the selected language. Last Name: Enter the user's last name (surname) in the selected language. Comm...

Page 93: ...er the following DN: uid=userID, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot. During installation, the Configuration Administrator's user name and password are used to automatically create the Administration Server Administrator. This user can perform a limited number of tasks, such as starting, stopping, and restarting servers in a local server group. The Administration Server Administrator is ...

Page 94: ...age 90. Specifying Windows NT and UNIX Options: You can enable additional user configuration panels to store Windows NT and UNIX user information in the directory. If you are using Directory Server Synchronization Services, you can use these panels to specify the options and attributes to synchronize with your operating system. There are two panels you can enable: NT User and Posix User. By default, you m...

Page 95: ...ement window. 2. Click the Directory tab and click NetscapeRoot in the navigation tree. 3. Click to open your administration domain, and then click the pluses to expand GlobalPreferences, Admin 4.0. 4. Click the defaultObjectClassesContainer folder, and then click user in the right-hand panel. 5. From the Object menu, choose Open. 6. Select nsdefaultobjectclass, then from the Edit menu choose Add Value. A blank f...

Page 96: ...moved from the NT user database. Comment (optional): Enter a descriptive comment about this user. User Profile Path (optional): Enter the path to this user's profile. Use the NT network path format, for example \\aphrodite\profiles\john. Logon Script (optional): Enter the path to the user's logon script. This path is relative to the system's logon script path. For example, if the system path is \\aphrodite\logon, you m...

Page 97: ...tions explain this. A static group consists only of users that have been added to it. It is called static because it doesn't change unless you add a user to it or delete a user from it. For example, if you create a static group called Marketing, none of the users who have the attribute department=marketing in their entry are members of the Marketing group until you explicitly add each one to the group. ...

Page 98: ...n create a certificate group called California Western Sales whose members share these attributes: ou=Sales, ou=West, st=CA. When an individual user logs on to a server, if all of these attributes are found in his certificate, the user is automatically recognized as belonging to the group. If the user's certificate does not contain these attributes, he is not recognized as a member of the California Weste...
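How the certificate-group test described on page 98 is decided, as an added example (not Netscape code): the subject DN from the user's certificate is split into attributes, and the user is a member only if every value the group requires appears in it, whatever else the certificate carries. The group definition and the subject DNs are constructed for illustration.

```python
"""Certificate-group membership, decided from the certificate subject DN.
Added example; the group and the DNs used are constructed, not Netscape data."""
import re

# The "California Western Sales" group from the page: every value must be present.
CALIFORNIA_WESTERN_SALES = {"ou": {"sales", "west"}, "st": {"ca"}}


def parse_subject_dn(dn: str) -> dict:
    """Split an RFC 2253-style subject DN into {attribute: set(values)}.

    Splits on unescaped ',' (RDN separator) and '+' (multi-valued RDN),
    removes backslash escapes, and lower-cases keys and values for matching.
    Repeated attributes, such as the two ou= RDNs above, collect into one set."""
    attrs: dict = {}
    for rdn in re.split(r"(?<!\\)[,+]", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        value = re.sub(r"\\(.)", r"\1", value.strip())
        attrs.setdefault(key.strip().lower(), set()).add(value.lower())
    return attrs


def is_member(subject_dn: str, group: dict) -> bool:
    """True only if every value the group requires is in the subject.
    Extra attributes in the certificate do not matter; a missing one does."""
    attrs = parse_subject_dn(subject_dn)
    return all(required <= attrs.get(key, set()) for key, required in group.items())


if __name__ == "__main__":
    for dn in ("cn=Alice Ng,ou=Sales,ou=West,st=CA,o=Example Corp",
               "cn=Bob Lee,ou=Sales,ou=East,st=CA,o=Example Corp"):
        print(dn, "->", is_member(dn, CALIFORNIA_WESTERN_SALES))
```

The comparison is case-insensitive and order-independent, which is how LDAP attribute matching behaves; the one thing that must never be relaxed is the requirement that the certificate was issued by a CA the server trusts, because any holder of a trusted CA can put ou=Sales, ou=West, st=CA into a subject.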

Page 99: ...p before creating it. If you want to create only the group now and add group members later, click OK and skip the rest of this procedure. If you want to immediately add members to the group, click Members and then continue to the next step. 6. In the Members panel, click Add or Edit as appropriate, and then use the Search dialog box to locate a user you want to add to the Members User ID list. Repeat this ...

Page 100: ...s group. User Directory Host: Enter the fully qualified host name where the user directory is installed. User Directory Port: Enter the port number you want to use to connect to the user directory. User Directory Subtree: Enter o=NetscapeRoot to indicate where to find the Configuration Administrators group. Bind DN: Enter the DN of a user authorized to change entries in the user directory. Bind Password: En...

Page 101: ...embers list and then click OK. To Create a Dynamic Group: 1. In Netscape Console, click the Users and Groups tab. 2. Click the Create button and then choose Group. You can also open the User menu and choose Create Group. 3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the group will belong, and then click OK. 4. In the Create Group dialog box, enter general group info...

Page 102: ...specify the criteria for including users in the dynamic group. If you know the exact LDAP URL you want to use to include users in the group, enter it and skip to Step 10. The LDAP URL will take this form: ldap:///o=base_suffix??sub?(RDN_or_attribute=value). For example: ldap:///o=example.com??sub?(department=marketing). If you want to interactively build an LDAP URL for including users in the group, click Construct ...
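An added example (not Netscape or Directory Server code) of how a dynamic group's LDAP URL selects its members: the URL is split into base DN, attributes, scope and filter as RFC 4516 defines, the scope is checked against each entry's DN, and a small evaluator handles equality, presence, &, | and ! filters. The directory contents at the bottom are constructed for illustration.

```python
"""Dynamic-group membership from an LDAP URL such as
    ldap:///o=example.com??sub?(department=marketing)
Added example, not Netscape or Directory Server code. DIRECTORY is constructed."""
from urllib.parse import unquote


def parse_ldap_url(url: str):
    """Split a host-less ldap:/// URL (RFC 4516) into
    (base_dn, attribute_list, scope, filter)."""
    prefix = "ldap:///"
    if not url.startswith(prefix):
        raise ValueError("expected an ldap:/// URL")
    parts = (url[len(prefix):].split("?") + ["", "", ""])[:4]
    base, attrs, scope, flt = (unquote(p) for p in parts)
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r}")
    return base, [a for a in attrs.split(",") if a], scope, flt or "(objectClass=*)"


def _norm_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))


def in_scope(entry_dn: str, base: str, scope: str) -> bool:
    """base: the entry itself; one: direct children; sub: whole subtree."""
    e, b = _norm_dn(entry_dn), _norm_dn(base)
    if scope == "base":
        return e == b
    if not e.endswith("," + b):
        return False
    return scope == "sub" or "," not in e[: -len(b) - 1]


def _parse_filter(s: str, i: int = 0):
    """Recursive-descent parser for (attr=value), (attr=*), (&..), (|..), (!..)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        node = (op, kids)
    elif s[i] == "!":
        child, i = _parse_filter(s, i + 1)
        node = ("!", [child])
    else:
        end = s.index(")", i)
        attr, _, value = s[i:end].partition("=")
        node, i = ("=", attr.strip().lower(), value.strip()), end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return node, i + 1


def _eval(node, entry: dict) -> bool:
    if node[0] == "=":
        _, attr, value = node
        have = [str(v).lower() for v in entry.get(attr, [])]
        return bool(have) if value == "*" else value.lower() in have
    kids = [_eval(k, entry) for k in node[1]]
    return all(kids) if node[0] == "&" else any(kids) if node[0] == "|" else not kids[0]


def members(url: str, directory: dict) -> list:
    """directory: {dn: {attribute: [values]}}. Returns the DNs the URL selects."""
    base, _, scope, flt = parse_ldap_url(url)
    node, end = _parse_filter(flt)
    if end != len(flt):
        raise ValueError("trailing text after filter")
    return sorted(dn for dn, entry in directory.items()
                  if in_scope(dn, base, scope) and _eval(node, entry))


# Constructed sample directory (attribute names lower-cased as the evaluator expects).
DIRECTORY = {
    "uid=ann,ou=People,o=example.com": {"department": ["Marketing"], "st": ["CA"]},
    "uid=bob,ou=People,o=example.com": {"department": ["Engineering"]},
    "uid=cat,ou=Contractors,ou=People,o=example.com": {"department": ["marketing"]},
    "uid=dan,o=other.com": {"department": ["Marketing"]},
}
```

Because membership is simply whatever the filter matches, anyone who can write the attribute the filter tests (department here) can add themselves to the group; when a dynamic group grants access, protect those attributes with ACIs as carefully as the group itself.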

Page 103: ...attribute, and then a search operator. Choices are described in the table below. In the last input field, enter a search string and then click Search. More: If you want to specify more attributes to search for, click this button. 9. Click OK. 10. If you want to see a list of users and groups included in the dynamic group, click Test in the Construct and Test LDAP URL dialog box. 11. Click OK to confirm your acc...

Page 104: ...Click Certificate Group and then click Add. 7. In the Certificate Group dialog box, fill in one or more of the following fields. Common Name: Enter the full name of the group. Example: Database Administrators. Organization: Enter the name of the organization the group belongs to. Example: Operations Group. Mail: Enter the email address for the group. Country: Enter the country code for the group. Locality: Enter...

Page 105: ...2. Click the Create button and then choose Organizational Unit. You can also open the User menu and choose Create Organizational Unit. 3. In the Select Organizational Unit dialog box, select the directory subtree in which to store the new organizational unit. 4. In the Create Organizational Unit dialog box, enter organizational unit information. Name: Enter a name for the organizational unit. Description (opt...

Page 106: ...it or remove it. If you are working with a user entry, you can also change its password. To Edit a User or Group Entry in the Directory: 1. In the Users and Groups tab of Netscape Console, use the Search function to locate the user or group. 2. Once the user or group name appears in the search results list, select it and then click Edit. 3. Modify user or group information as necessary, and then click OK. To ...

Page 107: ...drop-down lists, and enter the user name of the Configuration Administrator in the field. 3. Click Search. The results appear in the Users and Groups tab. 4. Click Close. 5. Select the Configuration Administrator from the list of search results, and then click Edit. 6. Enter the administrator's new user name and password. First Name: Enter the administrator's first name. Last Name: Enter the administrator's last...

Page 108: ...on Server. 3. Click the Configuration tab. 4. In the Configuration tab, click the Access tab. 5. In the Access tab, enter information for the following fields. Username: Enter the user name for the Administration Server Administrator. Password: Enter the password for the Administration Server Administrator. Confirm Password: Enter the password again to confirm it. If you make an error while entering this informa...

Page 109: ...109. Part 3: Using Netscape Administration Server. Chapter 6, Administration Server Basics. Chapter 7, Administration Server Configuration. Chapter 8, Administration Server Command Line Tools ...

Page 111: ...ration Server. This chapter tells you how to perform basic Administration Server operations. It contains the following sections: Restarting Administration Server; Stopping Administration Server; Logging Options; The Netscape Administration Page. Restarting Administration Server: Netscape Administration Server automatically starts once it's installed. When you need to restart Administration Server, you can d...

Page 112: ...lect the instance of Administration Server that you want to restart. 2. Click Open to open the management window for the instance of Administration Server. 3. Click the Tasks tab and then choose Restart Server. To Restart the Server from the Command Line: UNIX: In the server root, enter start-admin. Windows NT: Click Start, choose Run, and then enter the following: serverRoot\start-admin.cmd ...

Page 113: ...stance of Administration Server from within Netscape Console or from the command line. On Windows NT, you can also stop the server from the Services control panel. To Stop the Server from Netscape Console: 1. From the Netscape Console navigation tree, select the instance of Administration Server that you want to stop. 2. Click Open to open the management window for the instance of Administration Server. 3. ...

Page 114: ...the server and the responses from the server. By default, the file is located at admin-serv/logs/access. Error log: Displays errors the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started and who tried unsuccessfully to log on to the server. By default, the file is located at admin-serv/logs/error. You can view...

Page 115: ...open the management window for the instance of Administration Server. 3. Click the Configuration tab. 4. In the configuration tree, click to expand the Logs directory, and then click the Accesses icon. To View the Error Log: 1. From the Netscape Console navigation tree, select the instance of Administration Server that you want to view the error log for. 2. Click Open to open the management window for the ins...

Page 116: ...want Administration Server to store the access log file. You can enter an absolute path or a path relative to your server root directory. Error Log, Log File: Enter the path to the directory where you want Administration Server to store the error log file. You can enter an absolute path or a path relative to your server root directory. 5. Click OK. The Netscape Administration Page: The Netscape Administra...

Page 117: ...cs 117. To Access the Administration Page: 1. Open a browser. 2. Enter the fully qualified host name and port number for the instance of Administration Server you want to access. Example: http://eastcoast.example.com:26751. 3. Press Enter. Figure 6-1: The Netscape Administration Page ...

Page 119: ...anges. You can change the following settings: Port Number; Connection Restrictions. The port number specifies where an instance of Administration Server listens for messages. It can be any number between 1 and 65535, but to avoid conflicts with other resources, it is typically a number greater than 1024. For security reasons, consider changing the port number regularly. Note that a nonstandard or changing port only hides the listener from casual scanning; the connection restrictions described next and SSL on the listener are the controls that actually limit who can reach it. Connection restrictions allow you to ...

Page 120: ...IP address restrictions, you must include all three separating dots. If you do not, you will receive an error message. To Configure Network Settings: 1. From the Netscape Console navigation tree, select the instance of Administration Server that you want to configure. 2. Click Open to open the management window for the instance of Administration Server. 3. Click the Configuration tab and then click the Netw...

Page 121: ...ddress or DNS name on the list of computers allowed to connect to this instance of Administration Server. Remove: Click if you want to remove a selected entry from the list of allowed hosts. 5. Click OK. Access Settings: You can use the Access Settings tab to specify a user name and password for the Administration Server Administrator and to enable or disable Directory Server Gateway access. The Administrat...
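An added example, not the Administration Server's own code, of the allow-list rule the two preceding pages describe: IP entries may use * for an octet but must keep all three dots, DNS-name entries are compared with the name the server resolved for the client, and a connection is accepted when any entry matches. The sample entries and client addresses are constructed.

```python
"""Allowed-host check of the kind the Administration Server's connection
restrictions apply. Added example, not the server's own code; the entries
and client addresses used with it are constructed."""
import ipaddress
import re

# Four fields, each an octet or '*', separated by exactly three dots.
_IP_ENTRY = re.compile(r"^(\*|\d{1,3})(\.(\*|\d{1,3})){3}$")
# A DNS name, optionally with a leading "*." wildcard label.
_NAME_ENTRY = re.compile(r"^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def validate_entry(entry: str) -> str:
    """Return a normalised entry, or raise ValueError (as the console does for
    an IP pattern that does not include all three separating dots)."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if all(ch.isdigit() or ch in ".*" for ch in entry):
        if not _IP_ENTRY.match(entry):
            raise ValueError(f"{entry!r}: IP entries need four fields and three dots")
        if any(o != "*" and int(o) > 255 for o in entry.split(".")):
            raise ValueError(f"{entry!r}: octet out of range")
        return entry
    if not _NAME_ENTRY.match(entry):
        raise ValueError(f"{entry!r}: not a DNS name")
    return entry.lower()


def _ip_matches(pattern: str, ip: str) -> bool:
    return all(p in ("*", o) for p, o in zip(pattern.split("."), ip.split(".")))


def _name_matches(pattern: str, hostname: str) -> bool:
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])   # "*.example.com" -> ".example.com"
    return hostname == pattern


def is_allowed(client_ip: str, allowed: list, reverse_dns: str = None) -> bool:
    """True if any validated entry matches. reverse_dns is the name the server
    resolved for client_ip, or None when there is no PTR record."""
    ipaddress.IPv4Address(client_ip)          # reject anything that is not IPv4
    for entry in allowed:
        if _IP_ENTRY.match(entry):
            if _ip_matches(entry, client_ip):
                return True
        elif reverse_dns is not None and _name_matches(entry, reverse_dns):
            return True
    return False
```

A name-based entry is only as trustworthy as the reverse DNS the server obtains for the client: whoever controls the PTR record for an address can make it resolve to something under example.com, so prefer IP entries for the administration listener and keep the list short.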

Page 122: ...the instance of Administration Server. 3. Click the Configuration tab and then click the Access tab. 4. Enter access information. User name: Enter the user ID for the Administration Server Administrator. For more information ... Password: Enter the Administration Server Administrator's password. Confirm Password: Enter the password again to confirm it. Enable Directory Server Gateway Access: By default, this opti...

Page 123: ...activating SSL on an instance of Administration Server. To Request and Install a Certificate for Administration Server: 1. In the Netscape Console navigation tree, select the instance of Administration Server that you want to install a certificate on. 2. Click Open to open the management window for the instance of Administration Server. 3. In the Administration Server management window, open the Console m...

Page 124: ...the management window for the instance of Administration Server. 3. Click the Configuration tab. 4. Click the Encryption tab. 5. Select Enable SSL for this server. The following are available only when you turn on SSL encryption. 6. Select Use this cipher family: RSA. 7. Choose the security device where your key is stored. If the key is stored in the local key database, select Internal (Software-based). If the key...

Page 125: ...TLS. 11. Click Save. Directory Settings: Directory settings tell the Administration Server where to find the configuration directory and the user directory. The Configuration Directory: When you install a Netscape server, you are prompted for the location of an instance of Directory Server in which to store configuration data. Depending on the way your organization uses directories, you specify either an ...

Page 126: ...Console navigation tree, select the instance of Administration Server that you want to change configuration Directory Server settings for. 2. Click Open to open the management window for the instance of Administration Server. 3. Click the Configuration tab. 4. Click the Configuration DS tab. CAUTION: Changing the Directory Server host name or port number impacts the rest of the servers in the server group...

Page 127: ...ave. The User Directory: The user directory is stored in a Directory Server subtree that you create. The user directory is used for authentication, user management, and access control. It stores all user and group data: account data, group lists, and access control instructions (ACIs). You can have more than one user directory in your enterprise. For example, to increase directory performance, one company might ...

Page 128: ...t be authenticated in a user directory, the user cannot successfully log in to Netscape Console. You can employ more than one user directory for authenticating user IDs. This is useful when the instance of Directory Server containing your primary user directory is not accessible. If the user directory has been replicated on other hosts, Netscape Console continues to check the user ID against each user ...

Page 129: ...ormation as appropriate. Domain name: Enter a domain name. Example: eastcoast.example.com. Description: Enter a name that helps you identify this domain. User directory host and port: Specify the location of the new user directory using the host computer's fully qualified domain name and port number. For authentication purposes, you can enter more than one user directory location, separated by spaces. Example...

Page 130: ...example.com. This subtree must contain the user directory in all the locations specified in the User directory host and port field. Bind DN (optional): Enter the distinguished name for a user who can access the new user directory. Example: uid=john, ou=people, o=example.com. Bind password (optional): Enter the password of the user specified by the Bind DN. 4. Click Save. To Change User Directory Settings for a S...

Page 131: ...with the domain. LDAP Host and Port: Specify the location of the user directory using the host computer's fully qualified domain name and port number. For authentication purposes, you can enter more than one user directory location, separated by spaces. Example: eastcoast.example.com:389 westcoast.example.com:4332. See "User Authentication and Directory Failover Support" on page 128 for more information. If...

Page 132: ...ry host and port already has SSL activated on it. User Directory Subtree: Enter the location of the new user directory. Example: o=example.com. This subtree must contain the user directory in all the locations specified in the LDAP Host and Port field. Bind DN (optional): Enter the distinguished name for a user who can access the new user directory. Example: uid=john, ou=people, o=example.com. Bind Password (opt...

Page 133: ...admconfig. The admconfig utility allows you to configure an instance of Administration Server using the command line instead of the Netscape Console graphical interface. Use admconfig to modify network, access, encryption, or directory settings. The utility is stored at serverRoot/bin/admin. Syntax: admconfig [options] [task [args]] [task2 [args]] [task3 [args]]... The options that you can use with admconfig are des...

Page 134: ...ons: What the Command Does. -con[tinueOnError]: Finishes any remaining tasks that have been specified on the command line when an error occurs. Default behavior when any task fails is to quit without running the remaining tasks. -enc[ryption]: Uses encrypted HTTP (HTTPS) to connect to the server. The default protocol is HTTP. -h[elp] [task]: Displays general usage information. Include a task name for usage informatio...

Page 135: ...n that file first. The admconfig utility executes tasks in the order that they are specified in the input file, and then in the order specified on the command line. -u[ser] uid:pwd: Connects to the server using the specified username and password. If a user name is not specified, you will be prompted for the current user's password. The password appears onscreen when it is typed, so if security is a concern... (A password given on the command line is also visible to other users of the host in the process list and in shell history, so letting admconfig prompt for it is the safer choice.)

Page 136: ...he command line. As a result, only start will be assigned as a parameter for viewAccessLogEntries, causing the operation to fail. countE[rrorLogEntries]: Counts the number of entries in the error log file. Run this task prior to viewErrorLogEntries to determine the number of entries in the error log. viewE[rrorLogEntries]: Lets you view the specified entries in the error log file. Syntax: admconfig [options] -vie...

Page 137: ...ifies the IP addresses from which connections are allowed. Syntax: admconfig [options] -setAddresses addresses. Required argument: addresses: New IP addresses and host names, separated by spaces, from which connections are allowed. getAdminUI[D]: Retrieves the Administration Server Administrator's user name. setAdminUI[D]: Specifies the Administration Server Administrator's user name. Syntax: admconfig [options] -setA...

Page 138: ...l[assname]: Retrieves the Java classname for this instance of Administration Server. setCl[assname]: Specifies the Java classname for this instance of Administration Server. getDe[faultAcceptLanguage]: Displays the default language for this instance of Administration Server. setDe[faultAcceptLanguage]: Specifies the default language for this instance of Administration Server. Syntax: admconfig [options] -setDefau...

Page 139: ...ockets Layer (SSL) protocol to communicate with this instance of Administration Server. On UNIX systems, the backslash character is required before the quotes surrounding these arguments. If the backslash is not provided, the shell will evaluate the quotes and pass the arguments without the quotes to the command line. As a result, only host will be assigned as a parameter for setDSConfig, causing the o...

Page 140: ...f Directory Server. ssl: Specify true or false, depending on whether the instance of Directory Server is already using the Secure Sockets Layer (SSL) protocol to communicate with this instance of Administration Server. uid: The DN used to bind to the instance of Directory Server. pwd: The password used to bind to the instance of Directory Server. On UNIX systems, the backslash character is required before th...

Page 141: ...r error log file. Syntax: admconfig [options] -setErrorLog filename. Required argument: filename: Full path of the new server error log file. getH[osts]: Lets you view the host names from which connections are allowed. setH[osts]: Specifies the host names from which connections are allowed. Syntax: admconfig [options] -setHosts hosts. Required argument: hosts: Host names from which connections are allowed. getO[neACLDi...

Page 142: ...ration Server should use. Syntax: admconfig [options] -setServerAddress address. Required argument: address: IP address that this server should use. getSy[stemUser]: Retrieves the user name that this instance of Administration Server runs as. setSy[stemUser]: Specifies the user name that this instance of Administration Server should run as. Syntax: admconfig [options] -setSuiteSpotUser user. Required argument: user: Us...

Page 143: ...his example displays the help information for restarting an instance of Administration Server: admconfig -h r. admin_ip.pl: When your computer system's IP address changes, you must update the local Administration Server configuration file and the configuration directory. If you do not enter the new IP address in these locations, you will not be able to start the Administration Server. A Perl script is pro...

Page 144: ...e and deactivate SSL for an instance of Administration Server. The sec-activate program is stored in the serverRoot/bin/admin/admin/bin folder. Syntax: sec-activate serverRoot SSLEnabled. Enter information for the following variables. serverRoot: The server root of the instance of Administration Server on which you want to activate or deactivate SSL. SSLEnabled: Either on or off. Example: sec-activate /usr/n...

Page 145: ...e tool to perform the following operations: Adding and deleting PKCS #11 modules; Changing passwords; Setting defaults; Listing module contents; Enabling or disabling slots; Enabling or disabling FIPS 140-1 compliance; Assigning default providers for cryptographic operations; Creating key3.db, cert7.db, and secmod.db security database files. Security module database management is part of a process that typica...

Page 146: ...ach. Table 8-4 defines what the options do. Table 8-3: Task Commands and Options for modutil (Commands for Tasks; What the Command Does and Options for It). -add moduleName: Adds the named PKCS #11 module to the database. You can use the following options with this command: -libfile libraryFile, to specify a DLL or library containing the implementation of the module; -ciphers cipherList, to enable specific ciphers...

Page 147: ...PKCS #11 module. -disable moduleName: Disables all slots on the named module. To disable a specific slot, use the following option: -slot slotName. -enable moduleName: Enables all slots on the named module. To enable a specific slot, use the following option: -slot slotName. -fips true_or_false: Enables or disables FIPS 140-1 compliance for the Netscape internal module. To enable compliance, enter -fips true. To disabl...

Page 148: ...JAR files. You can use the following options with this command: -installdir installationFolder, to specify the root installation folder for the files contained in the JAR file; -tempdir temporaryFolder, to specify the folder in which to store temporary files created by the -jar task command. -list [moduleName]: Displays basic information about the contents of the secmod.db file. To display detailed information a...

Page 149: ...a folder in which to access or create security module database files. On UNIX, the Security Module Database Tool defaults to the user's Netscape folder. Windows NT has no default folder, so you must use -dbdir to specify a folder. -installdir installationFolder: Specifies the root installation folder for the files supplied via the -jar JARfile command. The InstallationDir folder should be one in which it ...

Page 150: ...C5, DES, DH, FORTEZZA, SHA1, MD2, MD5, RANDOM (for random number generation), FRIENDLY (for certificates that are publicly readable). -newpwfile newPasswordFile: Specifies a text file containing a token's new password. This allows automatic updating of the password when using the -changepw command. -nocertdb: Instructs modutil not to open the certificate or key databases. This has several effects: When used with the -ch...

Page 151: ...Name -libfile libraryFile -ciphers cipherList -mechanisms mechanismList. Adding a PKCS #11 module from a JAR file: -jar JARfile -installdir installationFolder -tempdir temporaryFolder. Deleting a specific PKCS #11 module from a security module database: -delete moduleName. Initializing or changing a token's password: -changepw token -pwfile passwordFile -newpwfile newPasswordFile. -pwfile passwordFile: Specifies a tex...

Page 152: ...that aggregates many files into one. JAR files are used by the modutil tool to install PKCS #11 modules. When modutil uses a JAR file, a special JAR information file must be included. This information file contains special scripting instructions and must be specified in the JAR file's MANIFEST file. Although the information file can have any name, you specify it by using the Pkcs11_install_script META-IN...

Page 153: ...(installer script fragment, brace structure restored)
        RelativePath { %temp%/setup.hlp }
      }
      win32/setup.cab {
        RelativePath { %temp%/setup.cab }
      }
    }
  }
  WIN95::x86 {
    EquivalentPlatform { WINNT::x86 }
  }
  SUNOS:5.5.1:sparc {
    ModuleName { "Fortezza UNIX Module" }
    ModuleFile { unix/fort.so }
    DefaultMechanismFlags { 0x00000001 }
    CipherEnableFlags { 0x00000001 }
    Files {
      unix/fort.so {
        RelativePath { %root%/lib/fort.so }
        AbsolutePath { /usr/local/netscape/lib/fort.so }
        FilePermissions { 555 }
      }
      xplat/instr.html {
        RelativePath { %root%/docs...

Page 154: ...with later versions of the same architectures and operating systems. If the platform that modutil is installing the module on is not specified by the Platforms key, then the ForwardCompatible list is checked for any platforms that have the same OS and architecture in an earlier version. If one is found, its attributes are used for the current platform. The ForwardCompatible key uses the following forma...

Page 155: ...pe. The following system names and platforms are currently recognized by the low-level Netscape code: AIX (rs6000), BSDI (x86), FREEBSD (x86), HPUX (hppa1.1), IRIX (mips), LINUX (ppc, alpha, x86), MacOS (PowerPC), NCR (x86), NEC (mips), OS2 (x86), OSF (alpha), ReliantUNIX (mips), SCO (x86), SOLARIS (sparc), SONY (mips), SUNOS (sparc), UNIXWare (x86), WIN16 (x86), WIN95 (x86), WINNT (x86). Here are some examples of valid platform strings: IRIX:6.2:mips, SUNOS:5.5...

Page 156: ...tive to the JAR file location. DefaultMechanismFlags is an optional key that specifies mechanisms for which this module will be a default provider. This key-value pair is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR of the string constants listed in Table 8-5. If you omit the DefaultMechanismFlags entry, the value defaults to 0x0. Table 8-5: Mechanisms That You Can Sp...

Page 157: ...File Keys: These keys have meaning only within an entry in a Files list. At a minimum, RelativePath or AbsolutePath must be specified. If both are specified, the relative path is tried first, and the absolute path is used only if a relative root folder is not provided by modutil. The RelativePath key specifies the destination path of the file relative to a folder indicated at installation. You can assign ...

Page 158: ...der in which they are listed in the script file. Use the Executable key before a RelativePath or AbsolutePath key to indicate ... The FilePermissions key specifies the access permissions to apply to a file. The modutil program interprets the key as a string of octal digits following the standard UNIX format. This key is a bitwise OR of the string constants listed in Table 8-6. For example, to specify Read...
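An added example (not modutil itself) that reads a JAR installation script of the form shown in the fragment on page 153, applies the EquivalentPlatform and ForwardCompatible rules from pages 154 and 157, and checks each Files entry for a destination path and for world-writable FilePermissions before anything would be installed. The script text is constructed, modelled on the fragment; the %root% and %temp% placeholders and the pk11instr.html file name are assumptions.

```python
"""Reader for the modutil JAR installation-script format (brace-delimited keys
as in the fragment on page 153). Added example, not modutil itself.
SAMPLE_SCRIPT is constructed; the %root%/%temp% placeholders are assumed."""
import re

SAMPLE_SCRIPT = r'''
ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
Platforms {
  WINNT::x86 {
    ModuleName { "Fortezza Module" }
    ModuleFile { win32/fort32.dll }
    DefaultMechanismFlags { 0x00000001 }
    CipherEnableFlags { 0x00000001 }
    Files {
      win32/setup.exe { Executable RelativePath { %temp%/setup.exe } }
    }
  }
  WIN95::x86 { EquivalentPlatform { WINNT::x86 } }
  SUNOS:5.5.1:sparc {
    ModuleName { "Fortezza UNIX Module" }
    ModuleFile { unix/fort.so }
    DefaultMechanismFlags { 0x00000001 }
    CipherEnableFlags { 0x00000001 }
    Files {
      unix/fort.so {
        RelativePath { %root%/lib/fort.so }
        AbsolutePath { /usr/local/netscape/lib/fort.so }
        FilePermissions { 555 }
      }
      xplat/instr.html { RelativePath { %root%/docs/pk11instr.html } FilePermissions { 444 } }
    }
  }
}
'''

_TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}"]+')


def parse_script(text: str) -> dict:
    """Parse the whole script into nested dicts and value lists."""
    tokens = _TOKEN.findall(text)
    tree, pos = _parse_block(tokens, 0, top=True)
    if pos != len(tokens):
        raise ValueError("unbalanced braces")
    return tree


def _parse_block(tokens, pos, top=False):
    """Parse items up to the matching '}'. A block whose items carry nested
    blocks becomes a dict (a bare word such as Executable maps to True); a
    block of bare words only (ModuleName, ForwardCompatible) becomes a list."""
    items, has_nested = [], False
    while pos < len(tokens) and tokens[pos] != "}":
        key, pos = tokens[pos].strip('"'), pos + 1
        if pos < len(tokens) and tokens[pos] == "{":
            value, pos = _parse_block(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != "}":
                raise ValueError(f"missing '}}' after {key}")
            pos, has_nested = pos + 1, True
            items.append((key, value))
        else:
            items.append((key, True))
    if not top and pos >= len(tokens):
        raise ValueError("unexpected end of script")
    return (dict(items) if has_nested else [k for k, _ in items]), pos


def _split_platform(name: str):
    os_name, version, arch = name.split(":")
    return os_name, tuple(int(x) for x in version.split(".") if x), arch


def resolve_platform(script: dict, platform: str) -> dict:
    """Attributes to use for `platform`: an exact Platforms entry, else the
    closest earlier version of the same OS and architecture named in
    ForwardCompatible, then any EquivalentPlatform redirection is followed."""
    platforms = script["Platforms"]
    if platform not in platforms:
        os_name, version, arch = _split_platform(platform)
        found = []
        for fc in script.get("ForwardCompatible", []):
            fos, fver, farch = _split_platform(fc)
            if (fos, farch) == (os_name, arch) and fver <= version and fc in platforms:
                found.append((fver, fc))
        if not found:
            raise KeyError(f"no entry for {platform}")
        platform = max(found)[1]
    seen = set()
    while "EquivalentPlatform" in platforms[platform]:
        if platform in seen:
            raise ValueError("EquivalentPlatform loop")
        seen.add(platform)
        platform = platforms[platform]["EquivalentPlatform"][0]
    return platforms[platform]


def check_files(attrs: dict) -> list:
    """[(file, mode or None)] for a platform's Files list. Rejects an entry
    with no destination path and any FilePermissions that grant world write."""
    out = []
    for name, keys in attrs.get("Files", {}).items():
        if "RelativePath" not in keys and "AbsolutePath" not in keys:
            raise ValueError(f"{name}: RelativePath or AbsolutePath required")
        perm = keys.get("FilePermissions")
        mode = int(perm[0], 8) if perm else None
        if mode is not None and mode & 0o002:
            raise ValueError(f"{name}: world-writable mode {mode:o}")
        out.append((name, mode))
    return out
```

The world-write check is the practitioner's addition: a PKCS #11 library is loaded into every process that opens the security databases, so a shared object installed with permissive FilePermissions is a local privilege-escalation path, and the script is the only place that decides what mode it gets.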

Page 159: ...ptographic Module from a JAR File; Changing the Password on a Token. Creating Database Files: You could enter something like the following example to create a set of security management database files in a directory: modutil -create -dbdir C:\databases. Before running this program, the modutil tool displays a warning: WARNING: Performing this operation while a Netscape product is running could cause corrupti...

Page 160: ...cator Internal Cryptographic Services, Version 4.0, Manufacturer: Netscape Communications Corp, Type: Software. Setting a Default Provider: You could enter something like the following example to make a specific module the default provider for the RSA, DSA and RC2 security mechanisms: modutil -default "Cryptographic Module" -dbdir C:\databases -mechanisms RSA:DSA:RC2. Before running this program, the modutil tool ...

Page 161: ...nabling FIPS Compliance: You could enter something like the following example to enable FIPS 140-1 compliance in Netscape Administration Server's internal module: modutil -fips true. Before running this program, the modutil tool displays a warning: WARNING: Performing this operation while a Netscape product is running could cause corruption of your security databases. If a Netscape product is currently ru...

Page 162: ...e C:\modutil. Installing a Cryptographic Module from a JAR File: You could enter something like the following example to install a cryptographic module from an installation script. The example uses this script ... To install from the script, use the following command (the root directory should be the Windows root directory, for example C:\Windows or C:\Winnt): C:\modutil> modutil -dbdir C:\databases -jar install.jar ...

Page 163: ...PS Incorp by Ref LIAB LTD c 9 6 OU www verisign com CPS Incorp by Ref LIABILITY LTD c 97 VeriSign OU VeriSign Object Signing CA Class 3 Organization OU VeriSign Inc O VeriSign Trust Network ISSUER NAME OU www verisign com CPS Incorp by Ref LIABILITY LTD c 97 VeriSign OU VeriSign Object Signing CA Class 3 Organization OU VeriSign Inc O VeriSign Trust Network Do you wish to continue this installatio...

Page 164: ...cause corruption of your security databases. If a Netscape product is currently running, you should exit the product before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue. After you press Enter, the tool changes the password and displays the following: Using database directory C:\databases ... Enter old password: After you enter the old password, the tool displays the following: Enter ne...

Page 165: Part 4, Advanced Server Management: Chapter 9, Access Control; Chapter 10, Using SSL and TLS with Netscape Servers; Chapter 11, Using SNMP to Monitor Servers.

Page 167: ...s that permit or restrict access to a server onscreen element task or directory entry In a single ACI you can specify access based on user name IP address time of day and a number of other criteria You can also chain multiple ACIs together in an Access Control List ACL to perform complex authorization procedures For users access control is transparent During login Netscape Administration Server au...

Page 168: ...inistrators Jane is an administrator who troubleshoots network problems She needs to be able to access any server in the enterprise and frequently modifies user account information As a result the Configuration Administrator has placed very few restrictions on what she can access When Jane logs into Netscape Console she has a complete view of servers tabs and tasks Figure 9 1 Jane s Unrestricted V...

Page 169: ... instances of Directory Server in the enterprise As a result the Configuration Administrator has used ACIs to restrict the onscreen elements and tasks that he can access When John logs into Netscape Console he sees only the servers and tasks required to do his job Figure 9 2 John s Restricted View of Resources and Tasks ...

Page 170: ...r to the list of people who can administer the server click the Add User button and then search for the user or group that you want to grant administrative rights to For more information on locating users and groups in the directory see Locating a User or Group in the Directory on page 87 To remove a user from the list select the user and then click the Delete User button Note that granting a user...

Page 171: ...k with an object s ACIs you must use the ACI Manager If you want to create an ACI for an object you must also use the ACI Editor Each Netscape server may have its own uses for the ACI Editor and may have unique ACI extensions For detailed information about a particular server s ACI options see the documentation for that server What s in an ACI Any directory entry can include one or more ACIs Since...

Page 172: ...m. to 3:00 a.m. (0100 to 0300) on Sunday, Tuesday and Friday. The more restrictive ACI takes control during the times specified by it. Thus the end result is that members of the Directory Administrators group can access the user directory at any time except between 1:00 a.m. and 3:00 a.m. on Sunday, Tuesday and Friday. Using the ACI Manager and ACI Editor: When you apply ACIs to tasks, user interface elements...
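The page 172 scenario (an allow ACI for the Directory Administrators group plus a more restrictive ACI for three early-morning windows) is easiest to reason about as a small evaluator in which a matching deny always wins. The block below is an added example and not Netscape Console's ACI engine: its ACI record is a simplification (subjects, rights, host patterns as on page 176, and a weekly time grid as on page 176's Times tab), and the group name, host names and times are constructed.

```python
"""Deny-overrides evaluation of the ACI semantics on pages 172-176.
Added example, not Netscape's implementation; the ACI shape is simplified."""

from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch
from typing import FrozenSet, List, Sequence, Tuple

# A time window is (weekday, start_hhmm, end_hhmm); Monday is 0, as in datetime.
Window = Tuple[int, int, int]


@dataclass
class ACI:
    name: str
    subjects: FrozenSet[str]                  # user DNs and group names it applies to
    rights: FrozenSet[str]                    # e.g. {"read", "write"}
    allow: bool                               # True: allow ACI; False: the restrictive (deny) ACI
    hosts: Tuple[str, ...] = ("*",)           # host patterns; "*" wildcard as on page 176
    windows: List[Window] = field(default_factory=list)   # empty means "at all times"

    def applies(self, who: str, groups: Sequence[str], right: str,
                host: str, when: datetime) -> bool:
        if not (self.subjects & ({who} | set(groups))):
            return False
        if right not in self.rights:
            return False
        if not any(fnmatch(host, pattern) for pattern in self.hosts):
            return False
        if not self.windows:
            return True
        hhmm = when.hour * 100 + when.minute
        return any(day == when.weekday() and start <= hhmm < end
                   for day, start, end in self.windows)


def check_access(acis: Sequence[ACI], who: str, groups: Sequence[str],
                 right: str, host: str, when: datetime) -> bool:
    """Access is granted only if some allow ACI applies and no deny ACI applies
    for this subject, right, host and time. No applicable ACI at all is a denial."""
    matching = [a for a in acis if a.applies(who, groups, right, host, when)]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)


def at(iso: str) -> datetime:
    """Request time written as '2001-12-04T02:00' (helper for the checks below)."""
    return datetime.fromisoformat(iso)


# Constructed ACL for the page-172 scenario. Directory Administrators may read and
# write the user directory from console hosts at any time, except 01:00-03:00 on
# Sunday, Tuesday and Friday, when the more restrictive ACI takes control.
SUN, TUE, FRI = 6, 1, 4
USER_DIRECTORY_ACL = [
    ACI("dir-admins-allow", frozenset({"Directory Administrators"}),
        frozenset({"read", "write"}), allow=True, hosts=("*.example.com",)),
    ACI("maintenance-window-deny", frozenset({"Directory Administrators"}),
        frozenset({"read", "write"}), allow=False,
        windows=[(SUN, 100, 300), (TUE, 100, 300), (FRI, 100, 300)]),
]
```

Because the deny ACI carries no host pattern of its own it applies from every host, which is what you want for a maintenance window; narrowing a deny to specific hosts would silently re-open access from everywhere else.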

Page 173: ...dividual server management window Select a directory entry in the Directory tab of the Netscape Directory Server management window To select a user interface UI element choose Preferences from the Edit menu and then click the UI Permissions tab On the tab select an onscreen element from the list 2 Open the ACI Manager To open the ACI Manager from a server management window right click and choose S...

Page 174: ... to grant access to Search From this drop down list select a set of entries in which you want to search You can choose Administrators Users Groups or Users and Groups For In this field enter the name of the user group or administrator that you want to add If you do not know the full name you can enter any part of it To find all entries search for Search Click this button to perform your search The...

Page 175: ...ghts you select here apply to the users groups and administrators that you selected in step 4 as well as the targets hosts and times that you specify in steps 7 10 7 On the Targets tab specify the directory entry to which this ACI should apply Target Directory Entry In this field enter the DN for the entry to which you want this ACI to apply By default the target directory entry is the currently s...

Page 176: ...grant access to then click OK You can use the wildcard when specifying hosts 10 On the Times tab select the times during which you want to grant access to the desired users groups and hosts Click a square to select or deselect it If a square is blue access is allowed at that time If a square is white access is not allowed at that time 11 Click OK to save this ACI If you selected a task or director...

Page 177: ...anager select the ACI that you want to modify Click Edit The ACI Editor appears 2 Make the desired changes Use the visual ACI Editor or the manual ACI Editor just as you did to add an ACI For more information see the procedures for adding an ACI above 3 When you are finished click OK If the ACI was for a task or directory entry the ACI is automatically applied to the task or entry If the ACI was f...

Page 178: ...I 1 In the ACI Manager select the ACI that you want to remove 2 Click Remove 3 Click OK to remove the ACI If the ACI was for a task or directory entry the ACI is automatically removed from the task or entry If the ACI was for a user interface element you must restart Netscape Console for the removal to take effect ...

Page 179: ...ections The SSL and TLS Protocols Preparing to Use SSL and TLS Encryption Obtaining and Installing a Server Certificate Activating SSL Managing Server Certificates Using Client Authentication The SSL and TLS Protocols The Secure Sockets Layer SSL and Transport Layer Security TLS protocols are sets of rules governing server authentication client authentication and encrypted communication between se...

Page 180: ...company policies regarding acceptable encryption strength. Among their other functions, the SSL and TLS protocols determine how servers and clients negotiate which cipher suites they use to communicate. Each new version of SSL and TLS maintains backward compatibility with earlier versions. As a result, the SSL 2.0, SSL 3.0 and TLS protocols have several cipher suites in common. This allows a newer clien...
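Negotiation as sketched on page 180 is an intersection of what the client offers and what the server enables, and the "acceptable encryption strength" policy mentioned there is the floor that stops a downgrade. The block below is an added example, not Netscape's SSL implementation: the suite table is constructed (key sizes are the nominal symmetric key lengths, with 3DES counted at 168 bits as products of that era listed it), and `min_bits` stands in for the site policy reviewed through the Settings button described on page 191.

```python
"""Cipher-suite selection with a strength floor (page 180). Added example,
not Netscape's SSL code. SUITES is a constructed table: suite -> (symmetric
key bits, protocol version that introduced it)."""

from typing import Dict, List, Optional, Tuple

SUITES: Dict[str, Tuple[int, str]] = {
    "SSL_RSA_WITH_RC4_128_MD5":       (128, "SSL3"),
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA":  (168, "SSL3"),
    "TLS_RSA_WITH_AES_128_CBC_SHA":   (128, "TLS1"),
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5":  (40, "SSL3"),
    "SSL_RSA_WITH_NULL_MD5":            (0, "SSL3"),
}


def negotiate(client_offer: List[str], server_enabled: List[str],
              min_bits: int = 128) -> Optional[str]:
    """Return the suite the server selects, or None for a handshake failure.

    The choice is made from the suites both sides support, ranked by key size,
    but never below `min_bits`: a client that only offers export-grade or NULL
    suites is refused rather than quietly downgraded to them."""
    common = [s for s in client_offer if s in server_enabled]
    acceptable = [s for s in common if SUITES[s][0] >= min_bits]
    if not acceptable:
        return None
    return max(acceptable, key=lambda s: (SUITES[s][0], s))


def policy_violations(server_enabled: List[str], min_bits: int = 128) -> List[str]:
    """Suites the server has enabled that fall below policy; these are the ones
    to untick in the cipher Settings dialog before activating SSL."""
    return [s for s in server_enabled if SUITES[s][0] < min_bits]
```

Running `policy_violations` over the enabled list is the check to perform before switching the server on: a NULL or 40-bit suite left enabled is only harmless until a client offers nothing else.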

Page 181: ...ines the interface used for communication between SSL and PKCS #11 modules. A PKCS #11 module is a device, implemented in hardware or software, that provides cryptographic services such as encryption, decryption and, in some cases, storage of keys and certificates. All Netscape servers include a built-in software PKCS #11 module. Other kinds of PKCS #11 modules include the FORTEZZA module used by the United S...

Page 182: ... on the device s capabilities you may be able to share it across multiple servers on the host For more information see the documentation that came with your hardware 2 In the Netscape Console navigation tree select the server instance that you want to use the PKCS 11 module with and then click Open 3 From the server s Console menu choose Security Configure Security Modules and then click Install 4...

Page 183: ... generate a request and send it to the CA Then install the certificate For information on installing a server certificate see Generating a Server Certificate Request on page 184 and Installing the Certificate on page 187 A server certificate chain is a collection of certificates automatically generated for you by your company s internal certificate server or a known CA The certificates in a chain ...

Page 184: ...er Then run the Certificate Request Wizard specifying the external security device when prompted For more information see To Install an External Security Device and Obtaining and Installing a Server Certificate Setting Up SSL with Internal and External Security Devices Some servers and clients in your enterprise may use only internal security devices while others may use both internal and external...

Page 185: ...e province Optional Enter the state or province in which your organizational unit is located Country region Optional Select the state or province in which your organizational unit is located from the drop down menu You can toggle between two views of the request form using the following buttons Show DN Click to show the requestor information in distinguished name DN format This button is visible o...

Page 186: ... as email 1 Use your email program to create a new email message 2 Paste your certificate request into the message If you saved your certificate request to a file open it in a text editor Copy and paste the request into the body of the message If you copied the certificate request to the clipboard paste it into the body of the message 3 Enter a subject and recipient for your request The type of su...

Page 187: ... Certificates task button You can also open the Console menu and then choose Security Manage Certificates 4 Click the Server Certs tab 5 Specify where to store this certificate If you want to store this certificate on the internal security device select internal software from the Security Device drop down list and then click Install If you want to store this certificate on an external hardware dev...

Page 188: ...tree select the server instance on which you want to install the CA certificate 3 Click Open to open the management window for the server instance 4 On the Tasks tab click the Manage Certificates task button You can also open the Console menu and then choose Security Manage Certificates 5 Select the CA Certs tab and then click Install 6 Enter the certificate s location or enter its text In this lo...

Page 189: ...ase ever becomes corrupted, you can restore your certificate information from this backup. To Back Up Your Certificate Database: 1. Open your server root folder. 2. Copy all files in the alias folder to another location, preferably on a different disk. This folder includes your certificates as well as the private key for your trust database. To Restore Your Certificate Database From a Backup: Copy your back...

Page 190: ...ther Netscape servers is done the same way although in some cases the interface is slightly different For more information on how to activate SSL on another server product see that server s documentation To Activate SSL on a Netscape Server or a Netscape 4 x Server 1 In the Netscape Console navigation tree select the server instance with which you want to use SSL encryption 2 Click Open to open th...

Page 191: ...e Choose a server certificate to use with this server Settings Click this button to modify cipher encryption algorithm settings for the certificate you selected above Disable Client Authentication Select this option if you do not want this server instance to perform client authentication Require Client Authentication Select this option if you want this server instance to require client authenticat...

Page 192: ...elect the server instance that is using the certificate whose expiration date you want to check 2 Click Open to open the management window for the server instance 3 On the Tasks tab click the Manage Certificates task button You can also open the Console menu and then choose Security Manage Certificates 4 Depending on which type of certificate you are checking click the Server Certs or CA Certs tab...

Page 193: ...hich your organizational unit is located You can toggle between two views of the request form using the following buttons Show DN Click to show the requestor information in distinguished name DN format This button is visible only when you are entering information in fields Show Fields Click to show the requestor information in fields This button is visible only when you are entering information in...

Page 194: ...navigation tree select the server instance on which you want to change a CA trust option 2 Click Open to open the management window for the server instance 3 On the Tasks tab click the Manage Certificates task button You can also open the Console menu and then choose Security Manage Certificates 4 Click the CA Certs tab and then from the list of available CA certificates select the CA certificate ...

Page 195: ...currently used with this device New Password Enter a new password New Password again Enter the password again to confirm it 7 Click OK Managing Certificate Lists Certificate revocation lists CRLs and compromised key lists CKLs allow CAs to specify certificates and keys that client or server users should no longer trust If data in a certificate changes a CA can revoke the certificate and list it in...

Page 196: ...e only using the internal software security device it is automatically chosen for you If you are using an external hardware module choose it from the drop down list 5 Select the Revoked Certs tab Every CRL and CKL for the chosen device is listed along with the date it was generated and the date it will next be updated 6 View add or delete a CRL or CKL To view the contents of a CRL or CKL select it...

Page 197: ... Netscape server can optionally determine which user is identified by the client certificate and then look up that user s entry in the directory The server authenticates the user by comparing the information in the certificate with the data in the user s directory entry In order to locate user entries in the directory a server must know how to interpret certificates from different CAs You provide ...

Page 198: ...r Netscape server For more information see Using Client Authentication Between Servers Preparing to Use Client Authentication In order to accept certificates for client authentication you must fulfill the following requirements The server must have SSL turned on For more information see Activating SSL on page 190 The instance of Administration Server must trust the CA who issued the certificate to...

Page 199: ...can name a mapping whatever you want, but the issuerDN must exactly match the issuer DN of the CA that issued the client certificate. For example, the following two issuerDN lines differ only in the number of spaces they contain, but the server would treat these two entries as different: certmap moz ou=Netscape CA,o=Netscape,c=US / certmap moz ou=Netscape CA, o=Netscape, c=US. The second and subsequent line...

Page 200: ...ng entries in the LDAP directory. If the server finds one or more entries in the directory that match the user's information gathered from the certificate, the search is successful and the server performs a verification if verifycert is set to on. For example, if FilterComps is set to use the e and uid attribute keywords (FilterComps e,uid), the server searches the directory for an entry whose values for...

Page 201: ...Server Administrator's Guide. Using CmapLdapAttr to match a certificate to a directory entry is useful when it's difficult to match entries using DNComps and FilterComps. Library: Library is the pathname to a shared library or DLL. You need to use this property only if you want to extend or replace the standard functions that map information in certmap.conf to entries in the directory. This property is...

Page 202: ...the following: certmap example CA ou=example CA,o=example,c=US. 4. Add property settings for a specific CA's mapping. If you are using the Library and InitFn properties, you must specify them before adding any additional properties. When adding a property, use this form: mappingName:propertyName value. For example, you could add a DNComps value of o,c for Example CA by entering the following line: example CA...

Page 203: ...and uid (user ID) from the certificate to search for a match in the directory before authenticating the user. When it finds a matching entry, the server verifies the certificate by comparing the certificate the client sent to the certificate stored in the directory. Example of an Additional Mapping: Here are the contents of a sample certmap.conf file that defines a default mapping as well as a mapping ...

Page 204: ...id=Henry Jones Junior,o=example Inc,c=US, then the server searches for entries that have certSubjectDN=uid=Henry Jones Junior,o=example Inc,c=US. If one or more matching entries are found, the server proceeds to verify the entries. If no matching entries are found, the server uses DNComps and FilterComps to search for matching entries. For the client certificate described above, the server would search f...
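Pages 199 through 204 describe one algorithm in pieces: pick the mapping whose issuerDN matches the certificate's issuer byte for byte, try CmapLdapAttr first, fall back to a base DN built from DNComps and a filter built from FilterComps, and finally, with verifycert on, compare the presented certificate against the one stored on the entry. The block below is an added example implementing that algorithm end to end; it is not the Netscape server's code. The certmap.conf text, the directory entries and the certificate bytes are constructed, and the mapping of the certificate's `e` attribute onto the directory's `mail` attribute is an assumption, since the page does not say where `e` is looked up.

```python
"""certmap.conf-style certificate-to-entry mapping (pages 199-204).
Added example, not the Netscape server's implementation. The directory is an
in-memory list of entries and certificates are plain dicts."""

from typing import Dict, List, Optional, Tuple

# Assumed: where a certificate subject attribute is stored in the directory.
ATTR_MAP = {"e": "mail"}

CERTMAP_CONF = """\
# constructed sample certmap.conf for this example
certmap default default
default:DNComps
default:FilterComps e,uid
default:verifycert on
certmap example ou=Example CA,o=Example,c=US
example:DNComps o,c
example:FilterComps uid
example:CmapLdapAttr certSubjectDN
example:verifycert on
"""


def parse_certmap(text: str) -> Dict[str, dict]:
    """Return {issuerDN: properties}. The issuerDN is kept exactly as written,
    so 'ou=A,o=B' and 'ou=A, o=B' are different mappings (page 199)."""
    names, mappings = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(" ", 2)
            names[name] = issuer
            mappings[issuer] = {"name": name, "DNComps": None, "FilterComps": None,
                                "verifycert": "off", "CmapLdapAttr": None}
            continue
        key, _, value = line.partition(" ")      # value may be empty (DNComps present but blank)
        name, prop = key.split(":", 1)
        mappings[names[name]][prop] = value.strip()
    return mappings


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]


def normalize_dn(dn: str) -> str:
    return ",".join(f"{a.lower()}={v.lower()}" for a, v in parse_dn(dn))


def under(dn: str, base: str) -> bool:
    """True if dn is base or lies beneath it; an empty base means the whole tree."""
    if not base:
        return True
    ndn, nbase = normalize_dn(dn), normalize_dn(base)
    return ndn == nbase or ndn.endswith("," + nbase)


def search(directory: List[dict], base: str, filt: Dict[str, str]) -> List[dict]:
    return [e for e in directory if under(e["dn"], base)
            and all(v in e.get(ATTR_MAP.get(a, a), []) for a, v in filt.items())]


def map_certificate(cert: dict, mappings: Dict[str, dict], directory: List[dict]) -> Optional[str]:
    """Return the DN of the single entry the certificate maps to, or None when no
    entry (or more than one) matches, or when verifycert shows the presented
    certificate is not the one stored for that user."""
    m = mappings.get(cert["issuer"]) or mappings.get("default")
    if m is None:
        return None
    subject = cert["subject"]
    matches: List[dict] = []
    if m["CmapLdapAttr"]:                                  # page 204: certSubjectDN first
        matches = [e for e in directory if subject in e.get(m["CmapLdapAttr"], [])]
    if not matches:                                        # then DNComps + FilterComps
        comps = parse_dn(subject)
        if m["DNComps"] is None:
            base = subject                                 # absent: the whole subject DN
        else:
            wanted = [a.strip() for a in m["DNComps"].split(",") if a.strip()]
            base = ",".join(f"{a}={v}" for a, v in comps if a in wanted)  # "" = entire tree
        wanted = [a.strip() for a in (m["FilterComps"] or "").split(",") if a.strip()]
        matches = search(directory, base, {a: v for a, v in comps if a in wanted})
    if len(matches) != 1:
        return None
    entry = matches[0]
    if m["verifycert"] == "on" and cert["der"] not in entry.get("userCertificate", []):
        return None
    return entry["dn"]


# Constructed directory: two entries, each with the certificate it is allowed to use.
DIRECTORY = [
    {"dn": "uid=hjones,ou=People,o=Example,c=US", "uid": ["hjones"],
     "mail": ["hjones@example.com"],
     "certSubjectDN": ["uid=Henry Jones Junior,o=example Inc,c=US"],
     "userCertificate": [b"DER-OF-HENRYS-CERT"]},
    {"dn": "uid=jane,ou=People,o=Example,c=US", "uid": ["jane"],
     "mail": ["jane@example.com"], "userCertificate": [b"DER-OF-JANES-CERT"]},
]
MAPPINGS = parse_certmap(CERTMAP_CONF)
```

Two failure modes worth noting in the checks: a certificate whose issuer is written with different spacing does not reach the `example` mapping at all but falls through to `default`, and a certificate with the right subject but different bytes is rejected by verifycert even though the search found the user.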

Page 205: ...te in use by the instance of Administration Server For more information see To Install a CA Certificate or Server Certificate Chain on page 188 3 On the Netscape server instance that will perform the authentication enable SSL and Client Authentication and then restart the server Typically this is done by changing the encryption settings on the server s Configuration tab For more information see yo...

Page 206: ... page 187 2 If necessary install CA certificates and specify that they should be trusted The instance of Administration Server needs to trust the CA that issued the certificate in use by the client The client needs to trust the CA that issued the certificate in use by the Administration Server For more information see To Install a CA Certificate or Server Certificate Chain on page 188 3 On the Adm...

Page 207: ...erver as root; HOME is your user home directory if you are running Administration Server as a user, for example /u/username or /home/username. In Windows NT, the .mcc directory is located in C:\WINNT\Profiles\username. In Unix, the .mcc directory is located in your home directory. For example, if the Administration Server is running as root, then the .mcc directory is located in the root directory. If Administrat...

Page 209: ...ive Agent on UNIX Starting the Master Agent on UNIX Enabling the Subagent on UNIX Using the Windows NT SNMP Service SNMP Basics SNMP is a protocol used to exchange data about network activity It defines a standard method of communication used to manage products from different vendors This standard allows administrators to remotely manage hardware and software located across their network Each piec...

Page 210: ... subagents and SNMP master agents An SNMP subagent gathers information and sends it to an SNMP master agent The SNMP master agent transfers the data to the network management station Every Netscape server has an SNMP subagent except for Netscape Administration Server which either has a master agent on UNIX or no agent on Windows NT A single machine can host multiple subagents but a machine can onl...

Page 211: ... in a tree like hierarchy known as a management information base MIB Each Netscape server provides a management information base MIB for use in SNMP communication This MIB contains managed objects pertaining to the server s operation Each managed object has a unique object identifier A server can report significant events to the network management station by sending trap messages often called just...

Page 212: ...dentifier is: netscape OBJECT IDENTIFIER ::= { enterprises 1450 }. The netscape main MIB file may look like this: -- Netscape Main Mib for SNMP support; NETSCAPE-MIB DEFINITIONS ::= BEGIN; IMPORTS OBJECT-TYPE FROM SNMPv2-SMI, MODULE-IDENTITY FROM SNMPv2-SMI, enterprises FROM ObjectIds, OBJECT-IDENTITY, Counter64 FROM SNMPv2-SMI; netscape OBJECT IDENTIFIER ::= { enterprises 1450 }. All netscape subagents must branch off of the net...

Page 213: ...ver master agent The GET message is a request for the number of Directory Server errors encountered since the server was last started 2 The master agent forwards the message to the Directory Server s SNMP subagent 3 The subagent retrieves the data 4 The subagent sends the data to the master agent The master agent sends a trap message containing the data to the network management station 5 The netw...

Page 214: ...n various situations The actual procedures are described in detail later in this chapter Before you begin examine your system Is your system already running an SNMP agent that s native to your operating system If so does your native SNMP agent support SMUX communication If your native agent supports SMUX you don t need to install a master agent However you do need to change the native agent s conf...

Page 215: ...a Native SNMP Agent The native agent is running SMUX is not supported and the system needs to continue using native agent 1 Install and start a proxy SNMP agent 2 Restart the native agent using a port number that is different from the master agent s port number 3 Start the master agent 4 Enable the subagent for each server installed on the system The native agent is running and SMUX is supported 1...

Page 216: ...r detailed instructions To Install the SNMP Proxy Agent Edit the CONFIG file located in the server root plugins snmp sagt directory so that it includes the port that the SNMP proxy agent will listen to It also needs to include the MIB trees and traps that the SNMP proxy agent will forward Here is a sample CONFIG file To Start the SNMP Proxy Agent At the command prompt enter sagt c CONFIG After the...

Page 217: ...several configuration files to screen its communications. One of them, /etc/snmp/conf/snmpd.conf, needs to be changed so that the native agent accepts incoming messages from SMUX subagents. To change the file, add a line defining each subagent by its object identifier. For example, you might add this line to snmpd.conf: smux 1.3.6.1.4.1.1450.1 IPAddress netMask, where IPAddress is the IP address of the ho...

Page 218: ...ork management station is authorized to obtain information the SNMP master agent compares the community string sent by the station to its list of accepted community strings If the community string is listed the network management station is authenticated Trap Destinations An SNMP trap is a message the SNMP agent sends to a network management station For example an SNMP agent might send a trap when...

Page 219: ...Master Agent button and then click Communities 5 Click the appropriate button for the task you are performing If you want to add a community string click Add If you want to edit a community string select it and then click Edit If you want to remove a community string select it and then click Remove 6 Enter community string information as necessary Community Enter a community string you want to add...

Page 220: ...hoose this option if you want to allow this community string only for setting variable values 7 Click OK To Add Edit or Remove a Trap Destination 1 In the Netscape Console navigation tree select the instance of Administration Server on which the master agent is running 2 Click Open to open the management window for the server instance 3 Click the Tasks tab 4 Click the Configure SNMP Master Agent b...

Page 221: ...he network management station uses to listen for traps. The default is 162. With Community: Enter the community string you want to use in the trap. 7. Click OK. Manually Configuring the Master Agent: Although you can easily set SNMP master agent parameters through Netscape Console, you may want to manually add or modify some settings. You can do this by editing the master agent's configuration file. This fi...

Page 222: ...can edit the CONFIG file to include initial values for the sysContact and sysLocation variables; these variables are defined as part of MIB-II, the MIB section of the second version of SNMP. The value for sysContact specifies the person in charge of the host system on which the master agent runs. The value for sysLocation specifies a physical address where the host machine can be found. The following e...
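The master-agent behaviour spread over pages 210 through 222 (community strings gating GET and SET, the netscape enterprise branch 1.3.6.1.4.1.1450 being forwarded to whichever subagent registered it, MIB-II sysContact and sysLocation answered locally, traps fanned out to the configured destinations with each destination's community) fits in one small model. The block below is an added example, not Netscape's agent: the community names, trap destination and sysContact/sysLocation values are constructed, the Directory Server subagent is a stand-in callable, and its error-counter OID is hypothetical because the real Directory Server MIB is not on this page.

```python
"""Model of the SNMP master agent described on pages 210-222. Added example,
not Netscape's agent; subagents are in-memory callables and all names and
OIDs below the netscape branch are constructed."""

from typing import Callable, Dict, List, Optional, Tuple

NETSCAPE_OID = "1.3.6.1.4.1.1450"              # netscape ::= { enterprises 1450 }, page 212
MIB2_SYSTEM = {                                  # MIB-II system group, page 222
    "1.3.6.1.2.1.1.4.0": "sysContact",
    "1.3.6.1.2.1.1.6.0": "sysLocation",
}
Handler = Callable[[str, str, Optional[str]], Optional[str]]   # (op, oid, value) -> value


class MasterAgent:
    def __init__(self, sys_contact: str = "", sys_location: str = ""):
        self.communities: Dict[str, str] = {}                   # community -> get | set | all
        self.trap_destinations: List[Tuple[str, int, str]] = []  # (host, port, community)
        self.subagents: Dict[str, Handler] = {}                 # OID prefix -> subagent
        self.system = {"sysContact": sys_contact, "sysLocation": sys_location}
        self.sent_traps: List[dict] = []

    def add_community(self, name: str, operation: str = "get") -> None:
        if operation not in ("get", "set", "all"):
            raise ValueError(operation)
        self.communities[name] = operation

    def add_trap_destination(self, host: str, port: int = 162, community: str = "public") -> None:
        self.trap_destinations.append((host, port, community))

    def register_subagent(self, oid_prefix: str, handler: Handler) -> None:
        """Page 212: every Netscape subagent must branch off the netscape OID."""
        if not oid_prefix.startswith(NETSCAPE_OID + "."):
            raise ValueError("subagent OID must lie under " + NETSCAPE_OID)
        self.subagents[oid_prefix] = handler

    def _authorized(self, community: str, op: str) -> bool:
        allowed = self.communities.get(community)
        return allowed is not None and allowed in (op, "all")

    def handle(self, community: str, op: str, oid: str,
               value: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Process one GET or SET from a management station; returns (status, value)."""
        if not self._authorized(community, op):
            # Unknown or under-privileged community: refuse, and raise a trap so that
            # probing of the agent is visible at the management station.
            self.send_trap("authenticationFailure", offered=community, oid=oid)
            return ("authenticationFailure", None)
        if oid in MIB2_SYSTEM:                        # answered by the master agent itself
            name = MIB2_SYSTEM[oid]
            if op == "set":
                self.system[name] = value
            return ("noError", self.system[name])
        for prefix, handler in self.subagents.items():  # forwarded to a subagent, page 213
            if oid.startswith(prefix + "."):
                result = handler(op, oid, value)
                return ("noError", result) if result is not None else ("noSuchName", None)
        return ("noSuchName", None)

    def send_trap(self, kind: str, **payload) -> int:
        """Send a trap to every destination, with that destination's community
        string (page 221); returns the number of copies sent."""
        for host, port, community in self.trap_destinations:
            self.sent_traps.append({"to": f"{host}:{port}", "community": community,
                                    "trap": kind, **payload})
        return len(self.trap_destinations)


# Constructed stand-in for the Directory Server subagent of page 213; the OID is
# hypothetical, the real Directory Server MIB is not reproduced on this page.
DS_SUBTREE = NETSCAPE_OID + ".99"
DS_ERRORS_OID = DS_SUBTREE + ".1.0"
DS_COUNTERS = {DS_ERRORS_OID: "3"}                # errors since the server last started


def directory_server_subagent(op: str, oid: str, value: Optional[str] = None) -> Optional[str]:
    if op == "set":
        return None                                # counters are read-only
    return DS_COUNTERS.get(oid)


def build_agent() -> MasterAgent:
    """Wire up a master agent the way a CONFIG file from pages 219-222 would."""
    agent = MasterAgent(sys_contact="ops@example.com", sys_location="Server room 3")
    agent.add_community("public", "get")           # read-only community
    agent.add_community("s3cret-rw", "all")        # read-write community
    agent.add_trap_destination("nms.example.com", 162, "public")
    agent.register_subagent(DS_SUBTREE, directory_server_subagent)
    return agent
```

The point of separating a "get" community from an "all" community is visible in the checks: "public" can read the error counter and sysContact but its SET is refused and logged as a trap, while the read-write community may change sysContact but still cannot write a read-only counter.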

Page 223: ... Log in as root 2 Check to see if there is a native agent snmpd running on port 161 If a native agent is running make sure you know which MIB trees it supports and how to restart it then stop it 3 In the Netscape Console navigation tree select the instance of Administration Server on which the master agent is running 4 Click Open to open the management window for the server instance 5 Click the Ta...

Page 224: ...dy exist starting the master agent for the first time will create it An invalid manager name in the CONFIG file will cause the master agent to fail during startup To Start the Agent on a Non Standard Port Using the Config File 1 In the CONFIG file specify a transport mapping for each interface over which the master agent listens for SNMP requests from network management stations Transport mappings...

Page 225: ...Windows NT SNMP Service Windows NT implements SNMP as a service Any Netscape servers that use SNMP communicate directly with this service Netscape Administration Server does not perform any SNMP related tasks on Windows NT All SNMP related tasks are handled by the operating system To Set Up SNMP on Windows NT 1 Install the SNMP service on your server Refer to your Windows NT documentation for inst...

Page 227: Part 5, Appendixes: Appendix A, Fortezza; Appendix B, Introduction to Public Key Cryptography; Appendix C, Introduction to SSL.

Page 229: ... department or agency access to a certificate authority workstation The workstation itself may or may not be located at your worksite A certificate authority CA representing your department or agency operates the certificate authority workstation The CA may be a security office or other designee who establishes authenticates and programs Fortezza crypto cards A Fortezza crypto card is a PCMCIA car...

Page 230: ...thority delegates its authority to policy creation authorities PCAs These are groups that may represent a branch of the government or a large corporation Policy creation authorities in turn delegate authority to certificate authorities CAs Certificate authorities are the individuals who actually verify users key information CAs program activate and issue cards to government employees and to indivi...

Page 231: ...hms typically used with the SSL protocol SSL Protocol Symmetric encryption nested within public key encryption and authenticated through the use of certificates RC4 Encryption A kind of 128 bit software encryption Servers use this kind of encryption to optimize performance NULL Encryption Typically used when providing only access control or when using pre encrypted fields Enabling Fortezza Enablin...

Page 232: ...nistration Server 1 Install your Fortezza card reader See To Install an External Security Device on page 182 for more information 2 Activate SSL When prompted to choose ciphers select the Fortezza ciphers See To Activate SSL on a Netscape Server or a Netscape 4 x Server on page 190 for more information ...

Page 233: ...ption, Digital Signatures, Certificates and Authentication, Managing Certificates. For more information on these topics and other aspects of cryptography, see Security Resources at the following URL: http://developer.netscape.com/docs/manuals/security/secrs/index.htm. For an overview of SSL, see Appendix C, Introduction to SSL. Internet Security Issues: All communication over the Internet uses the Transmission...

Page 234: ...ation is known as spoofing. Misrepresentation: A person or organization can misrepresent itself. For example, suppose the site www.netscape.com pretends to be a furniture store when it is really just a site that takes credit card payments but never sends any goods. Normally, users of the many cooperating computers that make up the Internet or other networks don't monitor or interfere with the network tr...

Page 235: ...t it is intelligible again A cryptographic algorithm also called a cipher is a mathematical function used for encryption or decryption In most cases two related functions are employed one for encryption and the other for decryption With most modern cryptography the ability to keep encrypted information secret is based not on the cryptographic algorithm which is widely known but on a number called ...

Page 236: ...metric key Thus as long as the symmetric key is kept secret by the two parties using it to encrypt communications each party can be sure that it is communicating with the other as long as the decrypted messages continue to make sense Symmetric key encryption is effective only if the symmetric key is kept secret by the two parties involved If anyone else discovers the key it affects both confidenti...

Page 237: ...ely distribute a public key and only you will be able to read data encrypted using this key In general to send encrypted data to someone you encrypt the data with that person s public key and the person receiving the encrypted data decrypts it with the corresponding private key Compared with symmetric key encryption public key encryption requires more computation and is therefore not always approp...

Page 238: ...ers used with SSL see Appendix C Introduction to SSL Different ciphers may require different key lengths to achieve the same level of encryption strength The RSA cipher used for public key encryption for example can use only a subset of all possible values for a key of a given length due to the nature of the mathematical problem on which it is based Other ciphers such as those used for symmetric k...

Page 239: ...tics: The value of the hash is unique for the hashed data. Any change in the data, even deleting or altering a single character, results in a different value. The content of the hashed data cannot, for all practical purposes, be deduced from the hash, which is why it is called one-way. As mentioned in Public Key Encryption, which begins on page 237, it's possible to use your private key for encryption and yo...

Page 240: ...public key presented by the signer. If the two hashes match, the recipient can be certain that the public key used to decrypt the digital signature corresponds to the private key used to create the digital signature. Confirming the identity of the signer, however, also requires some way of confirming that the public key really belongs to a particular person or other entity. For a discussion of the way t...

Page 241: ...g their own certificate issuing server software such as Netscape Certificate Management System The methods used to validate an identity vary depending on the policies of a given CA just as the methods to validate other forms of identification vary depending on who is issuing the ID and the purpose for which it will be used In general before issuing a certificate the CA must use its published verif...

Page 242: ...dentified by that certificate did indeed send that message Similarly a digital signature on an HTML form combined with a certificate that identifies the signer can provide evidence after the fact that the person identified by that certificate did agree to the contents of the form In addition to authentication the digital signature in both cases ensures a degree of nonrepudiation that is a digital ...

Page 243: ...ponse to an authentication request from the server the client displays a dialog box requesting the user s name and password for that server The user must supply a name and password separately for each new server the user wishes to use during a work session 2 The client sends the name and password across the network either in the clear or over an encrypted SSL connection 3 The server looks up the n...

Page 244: ...ated with some data can be thought of as evidence provided by the client to the server The server authenticates the user s identity on the strength of this evidence Like Figure B 4 Figure B 5 assumes that the user has already decided to trust the server and has requested a resource and that the server has requested client authentication in the process of evaluating whether to grant access to the r...

Page 245: ...ose on the basis of input from both the client and the server This data and the digital signature constitute evidence of the private key s validity The digital signature can be created only with that private key and can be validated with the corresponding public key against the signed data which is unique to the SSL session 3 The client sends both the user s certificate and the evidence the random...

Page 246: ...sms based on the authenticated user identity are not affected How Certificates Are Used Types of Certificates SSL Protocol Signed and Encrypted Email Form Signing Single Sign On Object Signing Types of Certificates Five kinds of certificates are commonly used with Netscape products Client SSL certificates Used to identify clients to servers via SSL client authentication Typically the identity of t...

Page 247: ... company deploys combined S MIME and SSL certificates solely for the purpose of authenticating employee identities thus permitting signed email and client SSL authentication but not encrypted email Another company issues S MIME certificates solely for the purpose of both signing and encrypting email that deals with sensitive financial or legal matters Object signing certificates Used to identify s...

Page 248: ...e to the server to authenticate the client s identity before the encrypted SSL session can be established For an overview of client authentication over SSL and how it differs from password based authentication see Authentication Confirms an Identity which begins on page 242 For more detailed information about SSL see Appendix C Introduction to SSL Signed and Encrypted Email Some email programs inc...

Page 249: ... the need for persistent authentication of financial transactions Form signing allows a user to associate a digital signature with web based data generated as the result of a transaction such as a purchase order or other financial document The private key associated with either a client SSL certificate or an S MIME certificate may be used for this purpose When a user clicks the Submit button on a ...

Page 250: ... over the network This approach simplifies access for users because they don t need to enter passwords for each new server It also simplifies network management since administrators can control access by controlling lists of certificate authorities CAs rather than much longer lists of users and passwords In addition to using certificates a complete single sign on solution must address the need to ...

Page 251: ...upported by Netscape and many other software companies are organized according to the X 509 v3 certificate specification which has been recommended by the International Telecommunications Union ITU an international standards body since 1988 Users don t usually need to be concerned about the exact contents of a certificate However system administrators working with certificates may need some famili...

Page 252: ...er s public key including the algorithm used and a representation of the key itself The DN of the CA that issued the certificate The period during which the certificate is valid for example between 1 00 p m on November 15 1999 and 1 00 p m November 15 2000 The DN of the certificate subject for example in a client SSL certificate this would be the user s DN also called the subject name Optional cer...

Page 253: ...98 ce 7f 47 50 2c 93 36 7c 01 6e cb 89 06 41 72 b5 e9 73 49 38 76 ef b6 8f ac 49 bb 63 0f 9b ff 16 2a e3 0e 9d 3b af ce 9a 3e 48 65 de 96 61 d5 0a 11 2a a2 80 b0 7d d8 99 cb 0c 99 34 c9 ab 25 06 a8 31 ad 8c 4b aa 54 91 f4 15 Public Exponent 65537 0x10001 Extensions Identifier Certificate Type Critical no Certified Usage SSL Client Identifier Authority Key Identifier Critical no Key Identifier f2 f...

Page 254: ...or which it has a certificate. It's also possible for a trusted CA certificate to be part of a chain of CA certificates, each issued by the CA above it in a certificate hierarchy. The sections that follow explain how certificate hierarchies and certificate chains determine what certificates software can trust: CA Hierarchies; Certificate Chains; Verifying a Certificate Chain. BEGIN CERTIFICATE MIICKzCCA...

Page 255: ...ponsibilities to subordinate CAs. The X.509 standard includes a model for setting up a hierarchy of CAs like that shown in Figure B-6. Figure B-6: Example of a Hierarchy of Certificate Authorities. In this model, the root CA is at the top of the hierarchy. The root CA's certificate is a self-signed certificate; that is, the certificate is digitally signed by the same entity (the root CA) that the certificat...

Page 256: ... through two subordinate CA certificates to the CA certificate for the root CA, based on the CA hierarchy shown in Figure B-6. Figure B-7: Example of a Certificate Chain. A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy. In a certificate chain, the following occur: Each certificate is followed by the certificate of its issuer. Each certificate c...

Page 257: ...tscape software uses the following procedure for forming and verifying a certificate chain, starting with the certificate being presented for authentication: 1. The certificate validity period is checked against the current time provided by the verifier's system clock. 2. The issuer's certificate is located. The source can be either the verifier's local certificate database (on that client or server) or t...

Page 258: ...CA. Figure B-8 shows what happens when only Root CA is included in the verifier's local database. If a certificate for one of the intermediate CAs shown in Figure B-8, such as Engineering CA, is found in the verifier's local database, verification stops with that certificate, as shown in Figure B-9. Figure B-9: Verifying a Certificate Chain to an Intermediate CA ...

Page 259: ...hows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier's local database. Figure B-10: A Certificate Chain That Can't Be Verified. For general information about the way digital signatures work, see "Digital Signatures," which begins on page 239. For a more detailed description of the signature verification process in the conte...

Page 260: ... identity, such as a utility bill with your address on it and a student identity card. If you want to get a regular driving license, you also need to take a test: a driving test when you first get the license, and a written test when you renew it. If you want to get a commercial license for an eighteen-wheeler, the requirements are much more stringent. If you live in some other state or country, the requir...

Page 261: ...and renewing and revoking certificates can be partially or fully automated with the aid of the directory. Information stored in the directory can also be used with certificates to control access to various network resources by different users or groups. Issuing certificates and other certificate management tasks can thus be an integral part of user and group management. In general, high-performance di...

Page 262: ...or authentication before or after its validity period will fail. Therefore, mechanisms for managing certificate renewal are essential for any certificate management strategy. For example, an administrator may wish to be notified automatically when a certificate is about to expire, so that an appropriate renewal process can be completed in plenty of time without causing the certificate's subject any inc...

Page 263: ...entities of end entities before responding to the requests. In addition, some requests need to be approved by authorized administrators or managers before being serviced. As previously discussed, the means used by different CAs to verify an identity before issuing a certificate can vary widely, depending on the organization and the purpose for which the certificate will be used. To provide maximum opera...

Page 264: ...Managing Certificates 264 Managing Servers with Netscape Console December 2001 ...

Page 265: ... support the protocol in future versions. This document is primarily intended for administrators of Netscape server products, but the information it contains may also be useful for developers of applications that support SSL. The document assumes that you are familiar with the basic concepts of public-key cryptography, as summarized in Appendix B, "Introduction to Public-Key Cryptography." The SSL Protoco...

Page 266: ...ortant if the user, for example, is sending a credit card number over the network and wants to check the receiving server's identity. SSL client authentication allows a server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled server software can check that a client's certificate and public ID are valid and have been issued by a certificate auth...

Page 267: ...r use in operations such as authenticating the server and client to each other, transmitting certificates, and establishing session keys. Clients and servers may support different cipher suites, or sets of ciphers, depending on factors such as the version of SSL they support, company policies regarding acceptable encryption strength, and government restrictions on export of SSL-enabled software. Among its...

Page 268: ...e the use of the strongest ciphers available. And when a domestic client or server is dealing with an international server or client, it will negotiate the use of those ciphers that are permitted under U.S. export regulations. However, since 40-bit ciphers can be broken relatively quickly, administrators whose user communities can use stronger ciphers without violating export restrictions should disabl...

Page 269: ...iphers have 128-bit encryption, they are the second strongest next to Triple DES (Data Encryption Standard) with 168-bit encryption. RC4 and RC2 128-bit encryption permits approximately 3.4 × 10^38 possible keys, making them very difficult to crack. RC4 ciphers are the fastest of the supported ciphers. Both SSL 2.0 and SSL 3.0 support this cipher suite. Netscape Console supports only the SSL 3.0 version of t...

Page 270: ...pported ciphers. Both SSL 2.0 and SSL 3.0 support this cipher. Netscape Console supports only the SSL 3.0 version of this cipher suite. RC2 With 40-Bit Encryption and MD5 Message Authentication. RC2 40-bit encryption permits approximately 1.1 × 10^12 (a trillion) possible keys. RC2 ciphers are slower than the RC4 ciphers. Both SSL 2.0 and SSL 3.0 support this cipher. Netscape Console supports only the SSL 3.0...

Page 271: ...ite is supported by SSL 3.0 but not by SSL 2.0. RC4 With SKIPJACK 80-Bit Encryption and SHA-1 Message Authentication. The SKIPJACK cipher is a classified symmetric-key cryptographic algorithm implemented in Fortezza-compliant hardware. Some SKIPJACK implementations support key escrow using the Law Enforcement Access Field (LEAF). The most recent implementations do not. This cipher suite is supported by S...

Page 272: ... using SSL. 2. The server sends the client the server's SSL version number, cipher settings, randomly generated data, and other information the client needs to communicate with the server over SSL. The server also sends its own certificate and, if the client is requesting a server resource that requires client authentication, requests the client's certificate. 3. The client uses some of the information sent...

Page 273: ...o the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate, encrypted message indicating that the server portion of the handshake is finished. 10. The SSL handshake is now complete and the SSL session has begun. The client and the server use the session keys to encrypt and decrypt the data they send to each other and to validate its i...

Page 274: ...s server authentication, or cryptographic validation by a client of the server's identity. As explained in Step 2 of "The SSL Handshake," which begins on page 272, the server sends the client a certificate to authenticate itself. The client uses the certificate in Step 3 to authenticate the identity the certificate claims to represent. To authenticate the binding between a public key and the server identi...

Page 275: ...of Figure C-3. This list determines which server certificates the client will accept. If the distinguished name (DN) of the issuing CA matches the DN of a CA on the client's list of trusted CAs, the answer to this question is yes, and the client goes on to Step 3. If the issuing CA is not on the list, the server will not be authenticated unless the client can verify a certificate chain ending in a CA that...

Page 276: ...ason, the server identified by the certificate cannot be authenticated, and the user will be warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server requires client authentication, the server performs the steps described in "Client Authentication," which begins on page 277. After the steps described here, the server must successfully use its pr...

Page 277: ...server of the client's identity. When a server configured this way requests client authentication (see Step 6 of "The SSL Handshake," which begins on page 272), the client sends the server both a certificate and a separate piece of digitally signed data to authenticate itself. The server uses the digitally signed data to validate the public key in the certificate and to authenticate the identity the certi...

Page 278: ...d to create the signature and that the data has not been tampered with since it was signed. At this point, however, the binding between the public key and the DN specified in the certificate has not yet been established. The certificate might have been created by someone attempting to impersonate the user. To validate the binding between the public key and the DN, the server must also complete Step 3 an...

Page 279: ...he server won't authenticate the user's identity. If the CA's digital signature can be validated, the server treats the user's certificate as a valid "letter of introduction" from that CA and proceeds. At this point, the SSL protocol allows the server to consider the client authenticated and proceed with the connection as described in Step 6. Netscape servers may optionally be configured to perform Step ...

Page 281: ...le. A single instance of Administration Server manages operation requests from all servers installed in a server group. Administration Server Administrator: The user who can log in to Netscape Console even when an instance of Administration Server is not connected to a Directory server. The Administration Server Administrator is not in the user directory, but is created and stored locally on the server...

Page 282: ...ertificates to subordinate CAs. Subordinate CAs can also expand the hierarchy by delegating issuing status to other CAs. See also certificate authority (CA), subordinate CA, root CA. certificate: Digital data that specifies the name of an individual, company, or other entity and certifies that a public key, which is also included in the certificate, belongs to that entity. A certificate is issued and digitally...

Page 283: ...hese attributes. When a user presents the server with a certificate containing these attributes, he is identified as part of the Anytown engineers certificate group and is then granted appropriate access rights. For more information on certificate groups, see "Creating New Directory Entries" on page 89. certificate revocation list (CRL): A list of revoked certificates generated and signed by a certificate a...

Page 284: ...to connect to an instance of Administration Server. CRL: See certificate revocation list (CRL). crypto card: See Fortezza crypto card. cryptographic algorithm: See cipher. decryption: The unscrambling of data that has been encrypted. See also encryption. Directory Server gateway: A collection of HTML forms that allows a browser to perform LDAP client functions, such as querying and accessing an instance of Dire...

Page 285: ...pto card: A PCMCIA card that contains a user's unique key, as well as certificate management approaches and encryption algorithms used by Fortezza. gateway: See Directory Server gateway. group: A collection of users who share a common attribute. hostname: A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.netscape.com is the machine www in the subdom...

Page 286: ...A compressed collection of Java class files. JAR information file: A text file containing special scripting instructions. This file is used by modutil when handling JAR files. key: 1. A number used by a cryptographic algorithm to encrypt or decrypt data. See also public key and private key. 2. Predefined commands and options that modutil interprets. key and certificate database: A collection of keys and cert...

Page 287: ...sentation: The presentation of an entity as a person or organization that it is not. For example, a web site might pretend to be a furniture store when it is really just a site that takes credit card payments but never sends any goods. Misrepresentation is one form of impersonation. See also spoofing. modutil: The Security Module Database Tool. A command-line utility for managing PKCS #11 module informatio...

Page 288: ...a the PKCS #11 interface. A PKCS #11 module can be implemented in either hardware or software and always contains one or more slots. Each of these slots, which can be implemented physically in hardware or conceptually in software, can contain a security device. Netscape Console includes a built-in software PKCS #11 module. port number: A way to identify a specific process to which a network message is to be...

Page 289: ...Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results. schema checking: Ensures that new or modified directory entries conform to the defined schema. Schema checking is turned on by default; users will rec...

Page 290: ... single installation of a product. For example, if an ISP handles mail for example.com, it can install Netscape Messaging Server and create a single instance. If the ISP begins handling mail for another domain, it can create a second instance of Messaging Server on the same computer without installing any additional software. server root: A folder that holds server programs and configuration, maintenance, ...

Page 291: ...ersonation. See also misrepresentation, impersonation. SSL: See Secure Sockets Layer (SSL). SSL handshake: An exchange of messages that allows the server to authenticate itself to the client using public-key techniques and then allows the client and the server to cooperate in the creation of symmetric keys. SSL session: The period of interaction between a server and a client that follows the SSL handshake's...

Page 292: ...le certificate that is automatically generated for you by your company's internal certificate server or a known CA. A trusted CA certificate is used to authenticate clients. URL (Uniform Resource Locator): The addressing system used by servers and clients when requesting documents. A URL is often called a location. The format of a URL is protocol://machine:port/document. The port number is necessary only on...

Page 293: ...til 146 admconfig options 134 overview and syntax 133 tasks 135 usage examples 143 Admin Server See Administration Server admin_ip pl overview and usage 143 administration domain changing user directory settings for 128 creating 52 creating and modifying 52 54 defined 51 modifying 53 removing 54 Administration Express accessing 65 overview and usage 65 67 setting the refresh rate for 68 starting o...

Page 294: ...icate 183 Certificate Authority Workstation defined 229 Certificate Authority See CA certificate database backing up 189 restoring from a backup 189 certificate group creating 103 defined 98 certificate request sending as email 186 Certificate Revocation List See CRL certificate based authentication defined 242 certificates authentication using 244 backing up 187 CA certificate 247 certificate dat...

Page 295: ... modutil 147 CRL defined 231 managing 195 crypto cards certification process 230 used by Fortezza 229 custom views creating 61 overview 54 using 63 64 customization See preferences D dbdir option for modutil 149 dc RDN keyword 84 default command for modutil 147 delete command for modutil 147 digital signatures defined 239 use of during SSL authentication 180 directory changing the search directory...

Page 296: ...ed 229 enabling 231 G GET type of SNMP message 213 getAccessLog admconfig task 137 getAddresses admconfig task 137 getAdminUID admconfig task 137 getAdminUsers admconfig task 138 getCacheLifetime admconfig task 138 getClassname admconfig task 138 getDefaultAcceptLanguage admconfig task 138 getDSConfig admconfig task 138 getErrorLog admconfig task 141 getHosts admconfig task 141 getOneAC...

Page 297: ...d recovery 261 L l RDN keyword 84 LDAP URL constructing 102 ldapdelete defined 144 ldapmodify defined 144 ldapsearch defined 144 libfile option for modutil 149 library certmap conf property 201 list command for modutil 148 Litronic cryptographic module 181 logging in to Console See Netscape Console logging in logs setting new paths for 116 viewing access 115 viewing error 115 M mail Directory Serve...

Page 298: ...250 organizational units creating 105 removing 108 ou RDN keyword 84 P password changing for a user or administrator 106 108 using for authentication 242 password based authentication defined 243 244 per file keys See JAR information file permission See ACI per platform keys See JAR information file PKCS 11 module defined 181 installing 182 removing 182 port number defined 119 pre 4 0 server addin...

Page 299: ...ing 76 See also server server management window See management window server pre 4 0 migrating from 71 SET type of SNMP message 213 Set Permissions dialog box described 171 setAccessLog admconfig task 137 setAddresses admconfig task 137 setAdminPwd admconfig task 137 setAdminUID admconfig task 137 setAdminUsers admconfig task 138 setCacheLifetime admconfig task 138 setClassname admconfig ta...

Page 300: ...RDN keyword 84 stop admconfig task 142 stand alone Console installation 27 29 static group creating 98 defined 97 streetAddress Directory Server attribute 85 subagent defined 210 See also SNMP synchronization options enabling 95 overview 94 setting 96 97 sysContact defining in master agent CONFIG file 222 sysLocation defining in master agent CONFIG file 222 T tables changing column position in 60...

Page 301: ...changing passwords for 106 creating 90 editing 106 locating 88 preferred language of 93 removing 108 userPassword Directory Server attribute 85 Users and Groups tab changing the search directory for 89 V verbose option for admconfig 135 verifycert certmap conf property 200 version option for admconfig 135 view See custom views viewAccessLogEntries admconfig task 136 viewErrorLogEntries admconfi...
