If an IBM® Domino® server
uses a remote LDAP directory to look up credentials during Internet
client authentication, or to look up the members of groups during
database authorization, configure the server to use SSL when it connects
to the LDAP directory server. SSL encrypts the communication between the Domino server
and the LDAP server, and lets the Domino server use the remote LDAP directory server's
X.509 certificate to verify that server's identity.
About this task
To use SSL, select SSL in the Channel encryption field
on the LDAP tab of the Directory Assistance document for the remote
LDAP directory. When you select SSL, you must also make selections
for three associated fields:
- Accept expired SSL certificates
- SSL protocol version
- Verify server name with remote server's certificate
Procedure
- In the Accept expired SSL certificates field,
choose one:
- Yes - (the default) to accept a certificate
from the LDAP directory server even if the certificate has expired.
- No - to reject an expired certificate. This is the tighter
setting: the LDAP connection fails rather than trusting a certificate
whose validity period, as vouched for by its issuer, has already ended.
- In the SSL protocol version field,
select the version of the SSL protocol to use:
Table 1. SSL protocol version numbers and descriptions

SSL protocol version     | Description
-------------------------|----------------------------------------------------------------
V2.0 only                | Allows only SSL 2.0 connections.
V3.0 handshake           | Attempts an SSL 3.0 connection. If the connection fails and the requestor detects SSL 2.0, attempts to use SSL 2.0 to connect.
V3.0 only                | Allows only SSL 3.0 connections.
V3.0 with V2.0 handshake | Attempts an SSL 3.0 connection, but starts with an SSL 2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible. Choose this option to receive V2.0 error messages that may occur during a connection attempt; these messages can provide information about compatibility problems found during the connection.
Negotiated               | Allows SSL to determine the protocol version and handshake.

Note: SSL 2.0 and SSL 3.0 are both obsolete protocols (SSL 2.0 is prohibited
by RFC 6176 and SSL 3.0 is deprecated by RFC 7568). Avoid the options that
permit an SSL 2.0 connection unless you are diagnosing a compatibility
problem, and do not treat this field as a hardening control: the protocol
the connection ends up using also depends on what the remote LDAP server
is configured to accept.
- In the Verify server name with remote server's
certificate field, choose one:
- Enabled (the default)
- Disabled
Choose Enabled to require that the
subject line of the remote server's certificate include the LDAP directory
server host name. For this option to work properly, the subject line
in the remote server's certificate must include its DNS host name.
Keep the option enabled if you are sure that the X.509 certificate
of the remote LDAP directory server contains the remote server's host
name in the appropriate format.
The Domino CA and some other CAs provide a dialog
box into which users enter the subject line when requesting a certificate.
For example, the Domino CA
prompts each user to enter the remote server's information -- such
as, the common name, organizational unit name, organization name,
state (or province), and country name. The Domino CA places this information in the subject
line and adds the appropriate prefix (cn=, ou=, o=, and so on) to
each field. If you used a Domino CA
to create the remote server's certificate, enter the remote server's
host name in the common name field when using the Verify
server name with remote server's certificate option. For
example, the Domino CA allows
users to enter the following valid subject lines (mailserver.renovations.com
is the server's DNS host name):
cn=mailserver.renovations.com,
ou=sales, ou=marketing, o=renovations, st=mass, c=us
cn=mailserver,
ou=sales - mailserver.renovations.com, o=renovations, st=mass, c=us
In the second subject line the host name appears in an organizational
unit value rather than in the common name; the check still succeeds
because the host name appears somewhere in the subject line.
To
ensure that users enter the DNS host name properly, recommend that
they enter it as the common name (cn=) when they request a certificate
from the Domino CA. Other
CAs may have different dialog boxes for entering the subject line;
users must follow these dialog boxes to enter the remote server's
DNS host name.
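As an added illustration, not part of this IBM documentation or of Domino's own code, the following Python models the two certificate checks that the Accept expired SSL certificates and Verify server name with remote server's certificate fields control, and runs them against constructed certificates: the two subject lines from the example above, an expired certificate, and a look-alike host name. The substring rule implements the page's statement that the subject line must include the host name; the stricter cn= comparison (require_cn_match) is an assumption added here, not a Directory Assistance setting, to show why entering the host name as the common name is worth recommending. The class, function and sample names are the example's own.

```python
"""Model of the checks a Directory Assistance document applies to a remote LDAP
server's X.509 certificate. Constructed example (not Domino code); the subject
lines and dates below are made up to exercise the rules the procedure describes."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class DirectoryAssistanceSSL:
    """The two verification fields that accompany 'Channel encryption: SSL'."""
    accept_expired_certificates: bool = True   # field default: Yes
    verify_server_name: bool = True            # field default: Enabled


@dataclass
class PeerCertificate:
    """The parts of the LDAP server's certificate the checks look at."""
    subject: str          # subject line as the Domino CA writes it, e.g. "cn=host, ou=sales, ..."
    not_after: datetime   # end of the validity period (timezone-aware)


def parse_subject(subject: str) -> list[tuple[str, str]]:
    """Split 'cn=a, ou=b, o=c' into [('cn', 'a'), ('ou', 'b'), ('o', 'c')].

    Splitting on commas is enough for subject lines of the form shown on the page;
    values containing escaped commas are outside this example's scope."""
    pairs = []
    for rdn in subject.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def subject_includes_host(subject: str, host: str) -> bool:
    """The rule the page states: the subject line must include the DNS host name.
    The page's second example puts the host name inside an ou= value, so this is a
    case-insensitive substring test over the whole line."""
    return host.lower() in subject.lower()


def subject_cn_equals_host(subject: str, host: str) -> bool:
    """Stricter variant (assumption, not a Domino setting): the cn= value must
    equal the host name exactly. This is what users produce when they follow the
    page's recommendation to enter the host name as the common name."""
    return any(attr == "cn" and value.lower() == host.lower()
               for attr, value in parse_subject(subject))


def evaluate(cert: PeerCertificate, host: str, cfg: DirectoryAssistanceSSL,
             now: datetime, require_cn_match: bool = False) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). An empty reasons list means the certificate passes."""
    reasons: list[str] = []
    if cert.not_after < now and not cfg.accept_expired_certificates:
        reasons.append(f"certificate expired on {cert.not_after:%Y-%m-%d}")
    if cfg.verify_server_name:
        matcher = subject_cn_equals_host if require_cn_match else subject_includes_host
        if not matcher(cert.subject, host):
            reasons.append(f"subject line does not identify {host}: {cert.subject!r}")
    return (not reasons, reasons)


# Constructed inputs: the two subject lines from the page, an expired certificate,
# and a look-alike host that the substring rule accepts but the cn= rule rejects.
HOST = "mailserver.renovations.com"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALID = datetime(2025, 1, 1, tzinfo=timezone.utc)
EXPIRED = datetime(2023, 1, 1, tzinfo=timezone.utc)

CN_CERT = PeerCertificate(f"cn={HOST}, ou=sales, ou=marketing, o=renovations, st=mass, c=us", VALID)
OU_CERT = PeerCertificate(f"cn=mailserver, ou=sales - {HOST}, o=renovations, st=mass, c=us", VALID)
EXPIRED_CERT = PeerCertificate(f"cn={HOST}, o=renovations, c=us", EXPIRED)
LOOKALIKE_CERT = PeerCertificate(f"cn=not{HOST}, o=renovations, c=us", VALID)


def run_checks() -> dict[str, bool]:
    """Evaluate every sample certificate under the default and the tightened settings."""
    defaults = DirectoryAssistanceSSL()
    tightened = DirectoryAssistanceSSL(accept_expired_certificates=False)
    return {
        "cn_default": evaluate(CN_CERT, HOST, defaults, NOW)[0],
        "ou_default": evaluate(OU_CERT, HOST, defaults, NOW)[0],
        "ou_strict_cn": evaluate(OU_CERT, HOST, defaults, NOW, require_cn_match=True)[0],
        "expired_default": evaluate(EXPIRED_CERT, HOST, defaults, NOW)[0],
        "expired_tightened": evaluate(EXPIRED_CERT, HOST, tightened, NOW)[0],
        "lookalike_default": evaluate(LOOKALIKE_CERT, HOST, defaults, NOW)[0],
        "lookalike_strict_cn": evaluate(LOOKALIKE_CERT, HOST, defaults, NOW, require_cn_match=True)[0],
    }


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name:22} {'accepted' if accepted else 'rejected'}")
```

Two of the results are worth noting. With the field defaults (accept expired: Yes), the expired certificate is accepted, so the default settings verify only the name, not the validity period. And because the rule as the page states it is that the host name appears somewhere in the subject line, a certificate for notmailserver.renovations.com also satisfies it; having the CA put the exact host name in cn=, as the page recommends, is what makes a stricter comparison possible.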