Skip Headers

Oracle Internet Directory Administrator's Guide
Release 9.0.2

Part Number A95192-01
Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Go to previous page Go to next page

12
Secure Sockets Layer (SSL) and the Directory

This chapter explains how to configure Secure Sockets Layer (SSL) for use with Oracle Internet Directory. If you use Secure Sockets Layer (SSL), you may also configure strong authentication, data integrity, and data privacy.

This chapter contains these topics:

Supported Cipher Suites

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.

The Oracle Internet Directory supports the following SSL cipher suites:

Table 12-1 SSL Cipher Suites Supported in Oracle Internet Directory
Cipher Suite Authentication Encryption Data Integrity

SSL_RSA_WITH_3DES_EDE_CBC_SHA

RSA

DES40

SHA

SSL_RSA_WITH_RC4_128_SHA

RSA

RC4_40

SHA

SSL_RSA_WITH_RC4_128_MD5

RSA

None

MD5

SSL_RSA_WITH_DES_CBC_SHA

RSA

None

SHA

SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

3DES_EDE_CBC

SHA

SSL_DH_anon_WITH_RC4_128_MD5

RC4_40

MD5

SSL_DH_anon_WITH_DES_CBC_SHA

DES_CBC

SHA

SSL_RSA_EXPORT_WITH_RC4_40_MD5

RC4_40

MD5

SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

DES40

SHA

SSL_DH_anon_EXPORT_WITH_RC4_40_MD5

RC4_40

MD5

SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

DES40

SHA

SSL Client Scenarios

Oracle Internet Directory clients can use SSL 2.0 or SSL 3.0. A client over SSL can connect to a server anonymously or by using either simple or strong authentication.

When both a client and server authenticate themselves to each other, SSL derives the identity information it requires from the X509v3 digital certificates.

Configuring SSL Parameters

During start-up of a directory server instance, the directory reads a set of configuration parameters, including the parameters for the SSL profile. If you are going to run the directory with SSL enabled, you need to examine--and possibly reconfigure--the SSL parameters in the configuration set entry.

To run a server instance in secure mode, set the SSL Enable parameter in the configuration settings to 1: the default secure port is 636. To allow the same instance to run non-secure connections concurrently, set SSL Enable to 2: the default non-secure port is 839.

You can create and modify multiple sets of configuration parameters with differing values, using a different configuration set entry for each instance of Oracle Internet Directory. This is a useful way to accommodate clients with different security needs.

Oracle Corporation recommends that you create separate configuration sets and modify their SSL values, rather than modify SSL values in the default configuration set. The default set may be required by Oracle Support Services in the diagnosis of certain technical issues.

See Also:

Configuring SSL Parameters by Using Oracle Directory Manager

You can examine and modify the values for the SSL configuration parameters in each configuration set entry that you have created and in each server instance that is currently running.


Note:

You cannot directly change the parameters for an active instance. If you want to change the parameters for an active instance, change the parameters in a configuration set entry and save it. After it is saved, you can stop current instances and refer to the newly modified configuration set in the start server message.


To view and modify SSL configuration parameters:

  1. In Oracle Directory Manager's navigator pane, expand Oracle Internet Directory Servers > directory server > Server Management.

  2. Expand either Directory Server or Replication Server, as appropriate. The numbered configuration sets are listed beneath your selection.

  3. Select the configuration set that you want to examine. The group of tab pages for that configuration set entry appear in the right pane.

  4. Select the SSL Settings tab page.

    You can change the parameters in this tab page and save them. The fields in this tab page are described in the following table:

    Field Description

    SSL/non-SSL Enable

    Set 0 for only non-secure operation; default port is 839, changeable below.
    Set 1 for only SSL authentication; default port is 636, changeable below.
    Set 2 for both non-secure operation and SSL authentication.

    SSL Authentication

    Choose one of the following:

    • No SSL Authentication--Neither the client nor the server authenticates itself to the other. No certificates are sent or exchanged. In this case, SSL encryption/decryption only is used.

    • SSL Client and Server Authentication--Both client and server authenticate themselves to each other and send certificates to each other.

    • SSL Server Authentication--Only the directory server authenticates itself to the client. The directory server sends the client a certificate verifying that the server is authentic.

    SSL Wallet URL

    Type the location of the server-side SSL wallet. If you elect to change the location of the wallet, you must change this parameter. You must set the wallet location on both the client and the server. For example, on Solaris, you could set this parameter as follows:

    file:/home/my_dir/my_wallet

    On Windows NT, you could set this parameter as follows:

    file:C:\my_dir\my_wallet
    

    SSL Wallet Password

    Type the password for the server-side wallet. This password was set during creation of the wallet. If you change the password, you must change this parameter.

    SSL Port

    The default SSL port is 636. You can change the SSL port.

    Non-SSL Port

    The default non-SSL port is 839. You can change the non-SSL port.

    See Also:

    "Managing Server Configuration Set Entries by Using Oracle Directory Manager" for information about changing parameters in a configuration set entry

Configuring SSL Parameters by Using Command-Line Tools

See Also:

"Managing Server Configuration Set Entries by Using Command-Line Tools"

Issues Specific to This Release of Oracle Internet Directory

If you intend to support both SSL and non-SSL clients on the same host, you need to configure two distinct server instances.

In Oracle Internet Directory Release 9.0.2, the Oracle directory replication server cannot communicate directly with SSL-enabled Oracle directory server instances.

See Also:

Chapter 5, "Oracle Directory Server Administration" for instructions on how to configure server instances


Go to previous page Go to next page
Oracle
Copyright © 1999, 2002 Oracle Corporation.

All Rights Reserved.
Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index