Chapter 11. Managing SSL
10. To verify the authenticity of requests, select the Check hostname against name in certificate for
outbound SSL connections option. The server does this verification by matching the hostname
against the value assigned to the common name (cn) attribute of the subject name in the certificate
being presented for authentication.
By default, this feature is disabled. If it's enabled and if the hostname does not match the cn
attribute of the certificate, appropriate error and audit messages are logged. For example, in a
replicated environment, messages similar to these are logged in the supplier server's log files if it
finds that the peer server's hostname doesn't match the name specified in its certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
Red Hat recommends enabling this option to protect Directory Server's outbound TLS/SSL
connections against a man-in-the-middle (MITM) attack.
11. Check the Use SSL in the Console box. Hit Save.
12. In the Administration Server Console, select the Configuration tab. Select the Encryption tab,
check the Enable SSL checkbox, and fill in the appropriate certificate information.
13. In the Configuration DS tab, change the port number to the new Directory Server secure port
information. See Section 1.5, "Changing Directory Server Port Numbers" for more information. Do
this even if the default port of 636 is used. Check the Secure Connection checkbox.
14. In the User DS tab, select the Set User Directory radio button, and fill in the Directory Server
secure port information, the LDAP URL, and the user database information. Check the Secure
Connection checkbox.
15. Save the new TLS/SSL settings and Configuration DS and User DS information in the
Administration Server Console.
16. Restart the Directory Server. The server must be restarted from the command line.
service dirsrv restart instance
When the server restarts, it prompts for the PIN or password to unlock the key database. This is
the same password used when the server certificate and key were imported into the database.
To restart the Directory Server without the password prompt, create a PIN file or use a hardware
crypto device. See Section 11.4.3, "Creating a Password File for the Directory Server" for
information on how to create a PIN file.
NOTE
When next logging into the Directory Server Console, be certain that the address reads
https; otherwise, the operation will time out, unable to find the server since it is running
on a secure connection. After successfully connecting, a dialog box appears to accept
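As an added example (not code from the Red Hat guide), the name check that step 10 enables, written out in Python: it matches the peer hostname against the certificate's subject cn and, going slightly beyond the guide's cn-only wording, against SAN dNSName entries, which current clients also honour. The sample certificate dict, the hostnames and the check_peer pre-flight helper (CA file path, port) are constructed assumptions.

```python
import socket
import ssl

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "ultra60.example.com"),)),
    "subjectAltName": (("DNS", "ultra60.example.com"), ("DNS", "*.replica.example.com")),
}

def cert_names(cert):
    """Names the peer certificate claims: the subject cn, then every SAN dNSName."""
    names = [value for rdn in cert.get("subject", ()) for attr, value in rdn
             if attr == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names

def name_matches(pattern, hostname):
    """Case-insensitive exact match; a leading '*.' matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname

def hostname_ok(cert, hostname):
    """The check the option enforces: does any certificate name match the peer hostname?"""
    return any(name_matches(n, hostname) for n in cert_names(cert))

def check_peer(host, port, cafile, timeout=5.0):
    """Assumed pre-flight for a replication peer: validate the chain against the CA the
    supplier trusts, then report the name check instead of raising, so a mismatch is
    visible before the option is turned on. Returns (matches, names_in_certificate)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # the result is reported, not enforced, here
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate to get the cert dict
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return hostname_ok(cert, host), cert_names(cert)

if __name__ == "__main__":
    # Agreement host "ultra60" (as in the log above) vs an FQDN-only certificate.
    for host in ("ultra60", "ultra60.example.com", "node1.replica.example.com"):
        print(f"{host:30} -> {'ok' if hostname_ok(SAMPLE_CERT, host) else 'MISMATCH'}")
```

A bare short hostname in a replication agreement does not match a certificate issued to the fully qualified name, which is the mismatch the log lines above report.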