1. Manuals
  2. Brands
  3. Netscape Manuals
  4. Server
  5. NETSCAPE CONSOLE 6.0 - MANAGING SERVERS
  6. Manual

Netscape CONSOLE 6.0 - MANAGING SERVERS Manual

Managing servers with netscape console
Hide thumbs
Table of Contents

Advertisement

Quick Links

Download this manual
Managing Servers with

Netscape Console

Netscape Console
Version 6.0
December 2001

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the NETSCAPE CONSOLE 6.0 - MANAGING SERVERS and is the answer not in the manual?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for Netscape NETSCAPE CONSOLE 6.0 - MANAGING SERVERS

Summary of Contents for Netscape NETSCAPE CONSOLE 6.0 - MANAGING SERVERS

  • Page 1: Netscape Console

    Managing Servers with Netscape Console Netscape Console Version 6.0 December 2001...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.

  • Page 3: Table Of Contents

    Contents About This Guide ............. . 13 What’s in This Guide .
  • Page 4 Upgrading Administration Server and Console ......... . 30 To Upgrade on UNIX .
  • Page 5 Storing Display Settings ............. . 55 To Change Where Display Settings are Stored .
  • Page 6 Modifying Host, Server Group, and Instance Information ....... . . 75 To Modify Host, Server Group, and Instance Information .
  • Page 7 To Change the Administration Server Administrator’s User Name or Password ..108 To Remove a User, Group, or Organizational Unit from the Directory ....108 Part 3 Using Netscape Administration Server .
  • Page 8 To Change the User Directory Settings for a Domain ........129 To Change User Directory Settings for a Server Group .
  • Page 9 To Edit an Existing ACI with the ACI Editor ......... 177 To Remove an ACI .
  • Page 10 How Client Authentication Works ........... . 197 Preparing to Use Client Authentication .
  • Page 11 To Configure the Master SNMP Agent Manually ........221 Editing the Master Agent Config File .
  • Page 12 How Certificates Are Used ............246 Types of Certificates .

  • Page 13: About This Guide

    About This Guide Managing Servers with Netscape Console provides background information that system architects and administrators need to successfully install and manage Netscape servers in their enterprise. Read about Netscape server basics here before you begin installing and configuring servers in your enterprise. What’s in This Guide This book provides information you need to use Netscape servers.
  • Page 14 Conventions Used in This Guide Italic Italic type is used for emphasis, book titles, glossary terms, and variables. Tips are useful information that can help you save time. NOTE Notes mark important information. Make sure you read the information before continuing with a task. CAUTION Cautions alert you to potentially problematic situations, and tell you how to avoid them.

  • Page 15: Viewing This Guide Online

    Viewing This Guide Online UNIX Marks text that applies only to UNIX users. Marks text that applies only to Windows NT users. Viewing This Guide Online For your convenience, this book is also available online. When using any Netscape server software, you can view the online version of Managing Servers with Netscape Console.

  • Page 16: Getting Additional Help

    Getting Additional Help Getting Additional Help The following types of help are available from within Netscape Console: • Context-sensitive help • A searchable version of this guide’s index • A Documentation Resources page with product-related links. This section shows you how to access these resources. To Get Context-Sensitive Help Click a Help button.

  • Page 17: To Open The Product Homepage

    Getting Additional Help Enter a search term in the top field of the search interface. If the index contains your search term, you will see it highlighted in the alphabetical list. If your search term is not found, the closest match is highlighted.
  • Page 18 Getting Additional Help Managing Servers with Netscape Console • December 2001...

  • Page 19: Part 1 Overview Of Netscape Console

    Part 1 Overview of Netscape Console Chapter 1, “Introducing Netscape Console and Administration Server” Chapter 2, “Installing Netscape Servers and Console”...
  • Page 20 Managing Servers with Netscape Console • December 2001...

  • Page 21: Chapter 1 Introducing Netscape Console And Administration Server

    Chapter 1 Introducing Netscape Console and Administration Server Netscape Console and Administration Server Version 6.0 are two parts of a system that lets you manage Netscape software and users in your enterprise. This chapter presents a high-level overview of what this system is and how you can use it to work with resources across your network.
  • Page 22 Figure 1-1 The Netscape Console Interface When you log in to Netscape Console, it connects to an instance of Administration Server using the Hypertext Transfer Protocol (HTTP). Administration Server manages requests for all Netscape products installed in a single root folder. When you install a Netscape product in a new folder, Administration Server is installed for you.
  • Page 23 Administration Server executes programs that perform the requested tasks. For example, Administration Server can execute programs to modify the server and application settings that are stored in the configuration directory or to change the port number that a server listens to. When you use Netscape Console to add or edit user entries, it sends Lightweight Directory Access Protocol (LDAP) messages directly to Directory Server.
  • Page 24 Figure 1-3 A More Complex System With Netscape Console The rest of this guide shows you how to install and use Netscape Console and Administration Server to manage servers, applications, and users. If you would like to learn more about how Netscape Console works before installing the product, see “A Tour of Netscape Console”...

  • Page 25: Chapter 2 Installing Netscape Servers And Console

    Chapter 2 Installing Netscape Servers and Console This chapter provides an overview of the Netscape Server Products Setup program and how it is used in various situations. This chapter contains the following sections: • The Setup Program • Upgrading to Version Version 6.0 •...

  • Page 26: The Setup Program

    The Setup Program The Setup Program The Netscape Server Products Setup program is for installing Netscape servers all at once or one at a time. Use the Setup program each time you need to do any of the following: • Install a new server or server component •...

  • Page 27: Installation Modes

    The Setup Program Installation Modes The Setup program offers three installation modes: Express, Typical, and Custom. Express Use this mode to get the system running quickly, using default settings as much as possible. This mode was designed for administrators who want to test a server’s basic operation on a particular system before deploying.

  • Page 28: To Install Netscape Console As A Stand-Alone Application On Windows Nt

    The Setup Program Proceed through the installation process. Here are the prompts you encounter with instructions about what to do: Would you like to continue with installation? Enter Do you agree to the license terms? Enter Select the component you want to install. Enter for Netscape Console Installation location.

  • Page 29: Upgrading To Version Version 6.0

    Upgrading to Version Version 6.0 Click Next. Proceed through the installation process. Here are the prompts you encounter with instructions about what to do: Do you accept all of the terms of the preceding license agreement? Click Choose the type of Setup you prefer. Select Netscape Console Installation directory.

  • Page 30: Upgrading Administration Server And Console

    Upgrading to Version Version 6.0 Upgrading Administration Server and Console To upgrade Netscape Administration Server and Console to Netscape Administration Server and Console Version 6.0, follow the directions for your operating system. To Upgrade on UNIX Download the compressed product binaries for Netscape Administration Server and Console.

  • Page 31: To Upgrade On Windows Nt

    Upgrading to Version Version 6.0 System Group Enter the UNIX group to which the System User belongs. Configuration Admin ID or DN Enter the user ID or distinguished name of the administrator who is currently authorized to access the configuration directory.
  • Page 32 Upgrading to Version Version 6.0 Click Next. Proceed through the installation process. Here are the prompts you encounter with instructions about what to do: Do you accept all of the terms of the preceding license agreement? Click Yes Choose the type of Setup you prefer Select Netscape Servers (Type of Installation) Choose the type of Setup you prefer Select Typical Installation directory Enter the location where Netscape Administration Server is currently installed.

  • Page 33: Upgrading A Stand-Alone Version Of Netscape Console

    Upgrading to Version Version 6.0 Upgrading a Stand-Alone Version of Netscape Console If you have installed a stand-alone version of Netscape Console, you can upgrade it to version Version 6.0. To Upgrade a Stand-Alone Version of Netscape Console on UNIX Download the compressed product binaries for Netscape Console.

  • Page 34: To Upgrade A Stand-Alone Version Of Netscape Console On Windows Nt

    Upgrading to Version Version 6.0 To Upgrade a Stand-Alone Version of Netscape Console on Windows NT Download the compressed product binaries for Netscape Console. Extract the binaries into a new folder and run the program. setup.exe The installation startup screen appears. Click Next.

  • Page 35: Silent Installation

    Silent Installation Click Install. The Setup program replaces your existing version of Netscape Console with the new version of the software. When the installer completes, click Finish. Once installation completes, you can run Netscape Console by clicking Start, and then choosing Programs > Netscape Server Products > Netscape Console Version 6.0.

  • Page 36: To Perform A Silent Installation

    Uninstallation If you plan to perform multiple silent installations using different sets of installation answers, rename to a more descriptive name and install.inf then repeat this procedure. For more details on installation, see “The Setup Program,” which begins on page To Perform a Silent Installation Make any necessary changes to the file(s) containing your installation answers.

  • Page 37: To Uninstall A Netscape Server On Unix

    Uninstallation To Uninstall a Netscape Server on UNIX In the server root, type uninstall The first uninstallation screen appears. Proceed through the uninstallation process. Here are the prompts you encounter with instructions about what to do. Depending on the selections you make, you may see additional prompts: Select the components you wish to uninstall Select the components to uninstall or press Enter (for All) to remove all listed software.

  • Page 38: Silent Uninstallation

    Uninstallation If you want to specify which subcomponents of your Netscape software to remove, highlight the installed product or component name and then click the Subcomponents button. The Select Sub-components dialog appears. Select the subcomponents that you want to remove, then click Continue. Select the components you wish to uninstall Select the components to uninstall or press Enter (for All) to remove all listed software.

  • Page 39: To Perform A Silent Uninstallation On Windows Nt

    Uninstallation To Perform a Silent Uninstallation on Windows NT • From the system prompt, run the uninstallation program in silent mode by typing uninst -s If the uninstallation program cannot contact the instance of Directory Server containing the configuration information for the product you are trying to uninstall, uninstallation will fail.
  • Page 40 Uninstallation Managing Servers with Netscape Console • December 2001...

  • Page 41: Part 2 Netscape Console Basics

    Part 2 Netscape Console Basics Chapter 3, “Using Netscape Console” Chapter 4, “Servers in Netscape Console” Chapter 5, “User and Group Administration”...
  • Page 42 Managing Servers with Netscape Console • December 2001...

  • Page 43: Chapter 3 Using Netscape Console

    Chapter 3 Using Netscape Console This chapter shows you how to log in to, customize, and use Netscape Console. It contains the following sections: • Starting Netscape Console and Logging In • A Tour of Netscape Console • Customizing Netscape Console •...

  • Page 44: To Start Netscape Console On Windows Nt

    Starting Netscape Console and Logging In To Start Netscape Console on Windows NT • Click Start, and then choose Programs > Netscape Server Program Group > Netscape Console Version 6.0. You can also start Netscape Console in two additional ways: Double-click the startconsole icon in your server root.

  • Page 45: Logging In To Netscape Console With A User Name And Password

    Starting Netscape Console and Logging In Table 3-1 Arguments for startconsole Argument What it Does Specifies the password for the user entered with the -u argument. -w password For example, to start Netscape Console and log in with the user ID bjensen and password super15243, you would enter the following: startconsole -u bjensen -w super15243...

  • Page 46: Logging In To Netscape Console Using Client Authentication

    Starting Netscape Console and Logging In In the Netscape Console Login dialog box, enter your user name, password, and the URL for the instance of Administration Server you want to access. When specifying an Administration Server URL, you can use a hostname (such ) or IP address (such as eastcoast.example.com:8943 199.99.9.1:4434...

  • Page 47: To Request And Install A New Client Certificate

    Starting Netscape Console and Logging In The client certificates that Netscape Console presents to an instance of Administration Server are stored in a copy of your Netscape Communicator certificate database. Depending on which types of certificates the instance of Administration Server is configured to accept, you may be able to use an existing certificate from Communicator or you may need to request a new one.

  • Page 48: To Make Your Client Certificate Available To Netscape Console On Windows Nt

    Starting Netscape Console and Logging In To Make Your Client Certificate Available to Netscape Console on Windows NT Open the folder containing Netscape Communicator. For example, C:\Program Files\Netscape Open the folder and then open your specific user folder. For example, Users BJensen C:\Program Files\Netscape\Users\BJensen...

  • Page 49: A Tour Of Netscape Console

    A Tour of Netscape Console Click OK. The user name and password you use to log in determine which servers and server operations you can access through Netscape Console. See “Overview of Access Control” on page 167 for more information. In the Password Entry dialog box, enter the password for Netscape Console’s certificate database (this is the same as the password for your Netscape Communicator certificate database), and then click OK.
  • Page 50 A Tour of Netscape Console Table 3-2 Netscape Console’s Menus and What You Can Do With Them (Continued) Menu What It Lets You Do Object Perform tasks related to resources such as administration domains, server groups, and servers. Help Obtain online assistance while using Netscape Console. Other Netscape products may have additional menus or use these menus differently.

  • Page 51: Netscape Console Tabs

    A Tour of Netscape Console Netscape Console Tabs The main Netscape Console window (shown in Figure 3-1) has two tabs: “Servers and Applications” and “Users and Groups.” The “Servers and Applications” tab contains a navigation tree and an information panel. The “Users and Groups” tab has an interface that you can use to manage entries in the user directory.

  • Page 52: The Administration Domain

    A Tour of Netscape Console The Administration Domain An administration domain is a group of Netscape servers that share a user directory for data management and authentication. A company might want to create separate administration domains for each of its business sites. Each of these domains could include the host computers used only by that business site.

  • Page 53: To Modify An Administration Domain

    A Tour of Netscape Console Click OK. If you’ve made a change to the User Directory option or the Secure Connection option, you must restart the server for the change to take effect. To Modify an Administration Domain In the Netscape Console navigation tree, select the domain you want to modify, then click the Edit button in the server information section of Netscape Console.

  • Page 54: To Remove An Administration Domain

    Customizing Netscape Console Click OK. To Remove an Administration Domain Open Netscape Console. Remove all server instances from the administration domain that you want to remove. For more information on removing server instances, see “Removing a Server Instance” on page 76. Select the administration domain that you want to remove.

  • Page 55: Storing Display Settings

    Customizing Netscape Console Storing Display Settings When you exit Netscape Console, any display changes you’ve made during the session are saved. This includes changes to window size or position; banner bar, status bar, or navigation tree visibility; and fonts. You can store these display settings on the network or on your local disk to suit your needs.

  • Page 56: Setting Display Fonts

    Customizing Netscape Console Setting Display Fonts You can specify which fonts Netscape Console should use for different screen elements. If you use more than one computer system to administer servers, you can save different sets of font preferences, or profiles, for use on each system. To Create a Font Profile In the main Netscape Console window, from the Edit menu, choose Preferences.

  • Page 57: To Edit An Existing Font Profile

    Customizing Netscape Console To Edit an Existing Font Profile In the main Netscape Console window, from the Edit menu, choose Preferences. Click the Fonts tab. Select the font profile to edit. From the Font Profile drop-down list, choose a profile. If the list is grayed out, no profiles are available.

  • Page 58: To Use A Font Profile

    Customizing Netscape Console To Use a Font Profile In the main Netscape Console window, from the Edit menu, choose Preferences. Click the Fonts tab. Select the font profile to use. From the Font Profile drop-down list, choose a profile. If the list is grayed out, no profiles are available.

  • Page 59: Customizing The Main Window

    Customizing Netscape Console Customizing the Main Window You can specify which elements of the main Netscape Console window you want to see. To Customize the Main Window • Select or deselect items in the View menu. Selecting a menu item displays it and deselecting an item hides it. You can show or hide the following screen elements: Banner Bar Status Bar...

  • Page 60: Customizing Tables

    Customizing Netscape Console Customizing Tables Some Netscape Console tasks, such as setting display fonts, use tables. You can change the position and adjust the width of columns in these tables. To Change Column Position in a Table • Drag each column head into the desired position. See Figure 3-3 for an example.

  • Page 61: To Change The Width Of Columns In A Table

    Customizing Netscape Console To Change the Width of Columns in a Table Position the pointer over a boundary of a column head. It turns into a double arrow, as shown in Figure 3-4. Drag the boundary to change the width of the column. Resizing a Column Figure 3-4 Creating Custom Views of the Navigation Tree...
  • Page 62 Customizing Netscape Console Choose whether the new view will be public or private, then click OK. By default, a public view is visible to all users of Netscape Console, but you can restrict access to it using access control instructions (ACIs). For more information, see “To Set Access Permissions for a Public View.”...

  • Page 63: Working With Custom Views

    Customizing Netscape Console Working with Custom Views You can use multiple views to suit your needs. The administrator who created the view shown in the preceding example might also have views called Directory Servers and Enterprise Servers. The administrator can switch to the Custom View needed for a specific task or choose Default View to see all the servers in the navigation tree.

  • Page 64: To Rename A Custom View

    Customizing Netscape Console To Rename a Custom View From the View menu, choose Custom View Configuration. Choose a Custom View from the list and click Edit. In the Edit View window, position the cursor in the text field, then type the new name for your Custom View.

  • Page 65: Administration Express

    Administration Express Administration Express The Administration Express page is an HTML-based version of Netscape Console that provides quick access to servers running Administration Server 4.2 or later. In the Administration Express page, you can perform four administration tasks: • Starting servers (except stopped instances of Administration Server, which must be started from the command line) •...
  • Page 66 Administration Express If prompted, enter your user name and password in the dialog box, then click If the instance of Administration Server that you are logging in to uses SSL, you may be prompted to confirm the acceptability of the instance’s certificate. Additionally, if the server instance is configured to require client authentication, you may be prompted to present a client certificate.

  • Page 67: Using Administration Express

    Administration Express Using Administration Express From the main Administration Express screen, you can start and stop server instances, view basic server information, and view access and error logs. To Start or Stop a Server Instance from Administration Express In the row containing the server instance that you want to start or stop, click On to start the server instance or Off to stop it.

  • Page 68: Setting The Refresh Rate For Administration Express

    Administration Express Setting the Refresh Rate for Administration Express You can configure Administration Express to automatically refresh its display of hosts and server instances. This is useful if you want to monitor the status of your Netscape servers and applications at regular intervals. To Set the Refresh Rate for Administration Express In a text editor, open the file.

  • Page 69: Chapter 4 Servers In Netscape Console

    Chapter 4 Servers in Netscape Console This chapter explains how to perform basic server management using Netscape Console. It contains the following sections: • Working With Earlier Netscape Servers • Working with Netscape Servers Working With Earlier Netscape Servers You can use Netscape Console to access pre-4.0 versions of Netscape servers. This section tells you how to add a pre-4.0 server to your navigation tree and how to migrate your pre-4.0 data to a newer Netscape server.
  • Page 70 Working With Earlier Netscape Servers If you want to fully integrate the information from a pre-4.0 server into Netscape Console, you must upgrade the server to version 4.0 or later and then migrate your original configuration data to the new version. See “Migrating from a Pre-4.0 Server to a Newer Server”...

  • Page 71: To Add A Pre-4.0 Server To The Navigation Tree

    Working With Earlier Netscape Servers To Add a Pre-4.0 Server to the Navigation Tree Open Netscape Console and choose Add Pre-4.0 Server from the Console menu. In the Add Pre-4.0 Server window, enter information for the server you want to add to the navigation tree. Administration Server URL.

  • Page 72: To Migrate From A Pre-4.0 Server To A Newer Version

    Working With Earlier Netscape Servers For example, if you’re already using Netscape Messaging Server version 3.0, you can install Messaging Server 4.0 in a different server root. You can then migrate the 3.0 server settings to the 4.0 server. Once you’re certain that the configuration settings work in the new server environment, you can safely uninstall your pre-4.0 server.

  • Page 73: Working With Netscape Servers

    Working with Netscape Servers Working with Netscape Servers You can perform a number of basic server tasks with Netscape Console. This section contains the following procedures: • Opening a server management window • Creating a new server instance • Cloning a Netscape server •...

  • Page 74: Creating A New Server Instance

    Working with Netscape Servers Figure 4-2 is an example of a server management window. Figure 4-2 A Netscape Server Management Window Creating a New Server Instance Once you have one instance of a server installed in a server root, you can create additional instances in the same server root.

  • Page 75: To Create A New Server Instance

    Working with Netscape Servers NOTE You cannot create two instances of Administration Server in one server root. To Create a New Server Instance In Netscape Console, select the server group that will contain the new server instance. From the Object menu, select Create Instance Of. In the Select Server window, select the server that you want to create a new instance of.

  • Page 76: Cloning A Server

    Working with Netscape Servers The server group containing the East Coast Sales team’s instances of Messaging Server and Certificate Management System The West Coast Messaging Server for users with last names beginning with P through Z. Location. (Host only) Enter a description of this host’s location. Example: Building 17, 3rd floor, Lab 1749 Click OK.

  • Page 77: Uninstalling A Netscape Server

    Working with Netscape Servers Uninstalling a Netscape Server If you no longer want to create or use any instances of a particular server, you can uninstall the server. This is different from removing a server instance since all program files will be deleted. For more information on uninstallation, see “Uninstallation”...
  • Page 78 Working with Netscape Servers Figure 4-3 Two Configuration Directories and the Servers They Have Settings For, Before Using the Merge Configuration Directory Utility Figure 4-4 shows what the same two configuration directories would contain after you merged them. Figure 4-4 Two Configuration Directories and the Servers They Have Settings For, After Using the Merge Configuration Directory Utility Managing Servers with Netscape Console •...

  • Page 79: To Merge Configuration Data From Two Directory Servers

    Working with Netscape Servers When you have finished using the Merge Configuration Directory utility, you can safely remove your source configuration directory. CAUTION Do not remove your source configuration directory until you have merged all data to the destination. Once you remove the source directory, all its data will be lost.
  • Page 80 Working with Netscape Servers Managing Servers with Netscape Console • December 2001...

  • Page 81: Chapter 5 User And Group Administration

    Chapter 5 User and Group Administration Netscape Console allows you to create, locate, and manage user and group information from any system in your enterprise. This chapter contains the following sections: • Interacting with Directory Server • Creating New Directory Entries •...

  • Page 82: Using Distinguished Names

    Interacting with Directory Server Using Distinguished Names A distinguished name (DN) is a text string that identifies a specific directory branch or entry. Each user and group in your enterprise is represented in the Directory Server by a DN. Whenever you make changes to user and group information in the Directory, you use distinguished names (DNs).
  • Page 83 Interacting with Directory Server The exact composition of a DN depends on the structure of the directory. Most directories are organized by more categories than just country designations and organization names. As a result, the DNs used to identify entries are longer and contain more specific RDNs.
  • Page 84 Interacting with Directory Server Table 5-1 Common RDN Keywords Used in DNs (Continued) RDN Keyword Meaning in a DN Description domain component Part of a DNS domain. This keyword is typically used at the top levels of a directory tree. For example, a user in the ldap.example.com domain might have the following DN:...

  • Page 85: Attributes

    Interacting with Directory Server Attributes Directory attributes hold descriptive information about an entry. For example, a user entry might have attributes for a user ID, email address, given name, and password. Table 5-2 contains a list of common user and group directory attributes. Table 5-2 Common User and Group Directory Attributes Attribute Keyword...

  • Page 86: Dn And Attribute Guidelines And Syntax

    Interacting with Directory Server DN and Attribute Guidelines and Syntax As you create, select, and use directory entries, follow these guidelines: Separate RDNs with a comma. If an RDN value contains a comma, enclose the part of the name that uses the comma in double-quotation marks. For example, to include the string Ace Industry, Corp in a DN, use the form o=”Ace Industry, Corp”, c=US When schema checking is turned on, attributes must match directory schema.

  • Page 87: Locating A User Or Group In The Directory

    Interacting with Directory Server Locating a User or Group in the Directory You can use the “Users and Groups” Search function to locate directory entries. Initially, the function is set to search within the default user directory. If you do not want to use the default user directory, you can manually change to another one.

  • Page 88: To Locate Users Or Groups In The Directory

    Interacting with Directory Server To Locate Users or Groups in the Directory In Netscape Console, click the “Users and Groups” tab. Specify your search criteria in one of these ways: To find specific entries, enter all or part of a user, group, or organizational unit name in the text entry box.

  • Page 89: Choosing A Different Directory To Search

    Creating New Directory Entries Choosing a Different Directory to Search When you use the Users and Groups Search function, the URL for the default user directory appears above the text entry box (see Figure 5-1). Initially, all searches are performed in this user directory. If you need to search a different user directory, you can choose one other than the default.

  • Page 90: Users

    Creating New Directory Entries Users A user entry contains information about an individual person or resource in the directory. For example, you can create user entries for , or John Smith Printer 3B Conference Room 25 To Create a New User Entry in the Directory In Netscape Console, click the “Users and Groups”...
  • Page 91 Creating New Directory Entries In the Select Organizational Unit dialog box, select the organizational unit ( to which the user will belong, and then click OK. In the Create User window, enter user information: First Name. Enter the user’s first name. Last Name.
  • Page 92 Creating New Directory Entries User ID. When you enter a first and last name, the user ID is automatically generated. You can replace this user ID with one of your choosing. The user ID must be unique from all other user IDs in the directory. Password.

  • Page 93: The User's Preferred Language

    Creating New Directory Entries The User’s Preferred Language Sometimes a user’s name can be more accurately represented using a character set other than that of the default language. For example, Noriko’s name is Japanese, and she has indicated on her hiring forms that she prefers when Japanese characters represent her name.

  • Page 94: To Create An Administrator

    Creating New Directory Entries To Create an Administrator In Netscape Console, click the “Users and Groups” tab. Click the Create button and then choose Administrator. You can also open the User menu and choose Create > Administrator. In the Create Administrator window, enter the appropriate user information. The requested information is exactly the same as in the Create User dialog box, except that Password is a required field.

  • Page 95: To Enable Windows Nt And Unix Panels For An Individual User

    Creating New Directory Entries To Enable Windows NT and UNIX Panels for an Individual User In the Create User window, click the NT User or Posix User tab. The appropriate panel appears. Enable the fields in the panel. To enable the NT User fields, select “Enable Windows NT user attributes.” To enable the Posix User fields, select “Enable Posix user attributes.”...

  • Page 96: To Set Windows Nt And Unix Options And Attributes For A New User

    Creating New Directory Entries To Set Windows NT and UNIX Options and Attributes for a New User Follow steps 1-5 of “To Create a New User Entry in the Directory” beginning on page 90. If you want to store Windows NT-specific user information in the directory, click the NT User tab, enable the fields by selecting “Enable Windows NT user attributes,”...

  • Page 97: Groups

    Creating New Directory Entries If you want to store UNIX-specific user information in the directory, click the Posix User tab, enable the fields by selecting “Enable Posix user attributes,” and then enter the following information: UID Number. Enter the user’s UNIX ID number. GID Number.

  • Page 98: To Create A Static Group In The Directory

    Creating New Directory Entries A dynamic group automatically includes users based on one or more attributes in their entry. For example, you can create a dynamic group called California Sales that automatically includes any entry containing the attributes st=California . These attributes are specified as part of an LDAP URL. department=sales Whenever you search for members of the California Sales group, the results contain all entries located by the URL.
  • Page 99 Creating New Directory Entries In the Create Group dialog box, enter group information: Group Name. Enter a name for the group. Description. (Optional) Enter a description to help you identify this group. Create the group, or specify members for the group before creating it. If you want to create only the group now, and add group members later, click OK and skip the rest of this procedure.

  • Page 100: To Add Users To The Configuration Administrators Group

    Creating New Directory Entries To Add Users to the Configuration Administrators Group In Netscape Console, click the “Users and Groups” tab, and then choose Change Directory from the User menu. In the Change Directory window, indicate the location of the user directory that contains the Configuration Administrators group: User Directory Host.

  • Page 101: To Create A Dynamic Group

    Creating New Directory Entries In the Edit Group window, click Members. Click Add. In the Search Users and Groups window, locate and select the user you want to add, and then click OK. Repeat this step until all the users you want to add to the group are displayed in the Members list, and then click OK.
  • Page 102 Creating New Directory Entries Click Members. Click Dynamic Group, and then click Add. Use the “Construct and Test LDAP URL” dialog box to specify the criteria for including users in the dynamic group. If you know the exact LDAP URL you want to use to include users in the group, enter it and skip to Step 10.

  • Page 103: To Create A Certificate Group

    Creating New Directory Entries In the Construct LDAP URL dialog box, provide search criteria: LDAP Server Host. Displays the fully qualified host name of the Directory Server in which you are searching. Port. Displays the port number for the listed LDAP Server Host. Base DN.
  • Page 104 Creating New Directory Entries In the Select Organizational Unit dialog box, select the organizational unit ( to which the group will belong, and then click OK. In the Create Group dialog box, enter group information: Group Name. Enter a name for the group. Description.

  • Page 105: Organizational Units

    Creating New Directory Entries Organizational Units An organizational unit can include a number of groups and usually represents a division, department, or other discrete business group. When you create a new organizational unit, you add a branch to the directory. This is reflected through the use of an RDN.

  • Page 106: Modifying Existing Directory Entries

    Modifying Existing Directory Entries Modifying Existing Directory Entries From the Netscape Console “Users and Groups” tab, you can change existing directory entries. Therefore, you can easily update user and group information whenever you need to. Updating User and Group Entries Before you can modify user or group data, you must first locate a user or group entry in the directory.

  • Page 107: To Change The Configuration Administrator's User Name Or Password

    Modifying Existing Directory Entries To Change the Configuration Administrator’s User Name or Password In the “Users and Groups” tab of Netscape Console, click Advanced. In the “Search users and groups” dialog box, enter search information. If you have never changed the Configuration Administrator’s user name, enter the following information: Search.

  • Page 108: To Change The Administration Server Administrator's User Name Or Password

    Modifying Existing Directory Entries If you bind to the directory as the Configuration Administrator when searching for users, you must update your user directory information. To do this, click the “Users and Groups” tab of Netscape Console, and choose Change Directory from the User menu. In the Change Directory Window, update the Bind DN and Bind Password with the new information for the Configuration Administrator, and then click To Change the Administration Server Administrator’s User Name or...

  • Page 109: Part 3 Using Netscape Administration Server

    Part 3 Using Netscape Administration Server Chapter 6, “Administration Server Basics” Chapter 7, “Administration Server Configuration” Chapter 8, “Administration Server Command-Line Tools”...
  • Page 110 Managing Servers with Netscape Console • December 2001...

  • Page 111: Chapter 6 Administration Server Basics

    Chapter 6 Administration Server Basics Netscape Administration Server processes requests for servers that are installed in a server group (a single root folder), and then invokes the programs required to fulfill them. For a brief overview of Netscape Console architecture, see Chapter 1, “Introducing Netscape Console and Administration Server.”...

  • Page 112: To Restart The Server From Netscape Console

    Restarting Administration Server To Restart the Server from Netscape Console From the Netscape Console navigation tree, select the instance of Administration Server that you want to restart. Click Open to open the management window for the instance of Administration Server. Click the Tasks tab, and then choose Restart Server.

  • Page 113: To Restart The Server From The Nt Control Panel

    Stopping Administration Server To Restart the Server from the NT Control Panel Click Start, and then choose Settings > Control Panel. Open the Services control panel. Select Netscape Administration Server Version 6.0 from the list of services and then click the Start button. Click Close to exit the Services control panel.

  • Page 114: To Stop The Server From The Nt Control Panel

    Logging Options To Stop the Server from the NT Control Panel Click Start, and then choose Settings > Control Panel. Open the Services control panel. Select Netscape Administration Server Version 6.0 from the list of services and then click Stop. Click Close to exit the Services control panel.

  • Page 115: To View The Access Log

    Logging Options To View the Access Log From the Netscape Console navigation tree, select the instance of Administration Server that you want to view the access log for. Click Open to open the management window for the instance of Administration Server. Click the Configuration tab.

  • Page 116: To Change Where Logs Are Stored

    The Netscape Administration Page Click the Configuration tab. In the configuration tree, click to expand the Logs directory, then click the Errors icon. If you want to resize the column widths to show more detail, move your mouse to position the pointer over a column head boundary so that it changes to a double-arrow.

  • Page 117: To Access The Administration Page

    The Netscape Administration Page To Access the Administration Page Open a browser. Enter the fully qualified host name and port number for the instance of Administration Server you want to access. Example: http://eastcoast.example.com:26751 Press Enter. Figure 6-1 The Netscape Administration Page Chapter 6 Administration Server Basics...
  • Page 118 The Netscape Administration Page Managing Servers with Netscape Console • December 2001...

  • Page 119: Chapter 7 Administration Server Configuration

    Chapter 7 Administration Server Configuration This chapter describes the configuration options you can use with Netscape Administration Server. It contains the following sections: • Network Settings • Access Settings • Encryption Settings • Directory Settings Network Settings Network settings affect the way an instance of Netscape Administration Server runs.

  • Page 120: To Configure Network Settings

    Network Settings to access the instance. Entering allows all hosts whose IP addresses 205.12.*. begin with to access the instance. When specifying IP address restrictions, 205.12 you must include all three separating dots. If you do not, you will receive an error message.

  • Page 121: Access Settings

    Access Settings Enter network settings: Port. Enter the port number you want this instance of Administration Server to use. The port number can be any number between 1 and 65535 but, to avoid conflicts with other resources, it is typically a number greater than 1024. Connection Restrictions.

  • Page 122: To Set Administration Server Access Settings

    Access Settings To Set Administration Server Access Settings From the Netscape Console navigation tree, select the instance of Administration Server that you want to set Access Settings for. Click Open to open the management window for the instance of Administration Server. Click the Configuration tab, and then click the Access tab.

  • Page 123: Encryption Settings

    Encryption Settings Encryption Settings All Netscape 4.0 and above servers support the Secure Sockets Layer (SSL) protocol and PKCS #11 APIs for encryption communication. Encryption protects communication between Administration Server and other servers from eavesdropping and tampering. You need to configure the Administration Server for SSL if it will communicate with SSL-enabled servers.

  • Page 124: To Activate Ssl On Administration Server

    Encryption Settings To Activate SSL on Administration Server In the Netscape Console navigation tree, select the instance of Administration Server that you want to activate SSL encryption on. Click Open to open the management window for the instance of Administration Server. Click the Configuration tab.

  • Page 125: Directory Settings

    Directory Settings Choose the certificate you want to use with SSL. Certificate information is stored in the certificate database. If you’re not sure which certificate to use, view the Certificate Management dialog for more information. To view the Certificate Management dialog, from the File menu, choose Certificate Management.

  • Page 126: Changing The Host Or Port Number

    Directory Settings Changing the Host or Port Number You can designate a different host or port number for the instance of Directory Server containing the configuration directory subtree. CAUTION Changing the Directory Server host name or port number impacts the rest of the servers in the server group. If you change a setting here, you must make the same change in every server in the server group.

  • Page 127: The User Directory

    Directory Settings Modify settings as appropriate: LDAP Host. Enter the host name of the configuration Directory Server this instance of Administration Server uses. LDAP Port. Enter the port number for the configuration Directory Server this instance of Administration Server uses. Secure Connection.

  • Page 128: User Directory Settings

    Directory Settings User Directory Settings When you’re installing a Netscape server, you are prompted to specify a user directory that is associated with the administration domain in which the server will be located. By default, this association is inherited at all levels beneath the administration domain.

  • Page 129: To Change The User Directory Settings For A Domain

    Directory Settings To Change the User Directory Settings for a Domain In the Netscape Console navigation tree, select the administration domain that you want to change user directory settings for. In the right-hand panel of the main Netscape Console window, click Edit. Modify domain information as appropriate.

  • Page 130: To Change User Directory Settings For A Server Group

    Directory Settings If you specified more than one location in the “User directory host and port” field, the settings for the remaining fields will apply to them all. Secure connection. Check this box if you want to connect securely with the user Directory Server.
  • Page 131 Directory Settings Modify settings as appropriate. Use Default User Directory. Select this option if you want to use the default user directory associated with the domain. Set User Directory. Select this option if you want to use a user directory other than the default associated with the domain.
  • Page 132 Directory Settings Secure Connection. Check this box if you want to connect securely with the user Directory Server. Before choosing this option, make sure the user Directory Server running on the specified user directory host and port already has SSL activated on it. User Directory Subtree.

  • Page 133: Chapter 8 Administration Server Command-Line Tools

    Chapter 8 Administration Server Command-Line Tools The following command-line tools (utilities) come with Netscape Administration Server. You can use these utilities to configure an instance of Administration Server without launching Netscape Console: • admconfig • admin_ip.pl • ldapsearch, ldapmodify, and ldapdelete •...

  • Page 134: Options

    admconfig Options An option is a general setting that affects how runs. You can specify an admconfig option using a complete command such as or an abbreviated command such -user . When specifying a command, make sure to use enough characters to differentiate it from other commands.

  • Page 135: Tasks And Their Arguments

    admconfig Table 8-1 Options You Can Use With admconfig Commands for Options What the Command Does Connects to the server using the specified username and -u[ser] [uid]:[pwd] password. If a user name is not specified, you will be prompted for the current user’s password. The password appears onscreen when it is typed, so if security is a concern, use the -inputFile option and list the username and password in a file with suitable...
  • Page 136 admconfig Table 8-2 Tasks You Can Perform With admconfig Commands for Tasks What the Command Does Counts the number of entries in the access log file. Run this task -countA[ccessLogEntries] before -viewAccesslogEntries to determine the number of entries in the access log. Lets you view the specified entries in the error log file.
  • Page 137 admconfig Table 8-2 Tasks You Can Perform With admconfig (Continued) Commands for Tasks What the Command Does Disables access to this instance of Administration Server from the -disableD[SGWAccess] Directory Server gateway. Retrieves the path for the access log file for this instance of -getAc[cessLog] Administration Server.
  • Page 138 admconfig Table 8-2 Tasks You Can Perform With admconfig (Continued) Commands for Tasks What the Command Does Retrieves the path of the adminusers file. -getAdminUs[ers] Specifies the path of the adminusers file. -setAdminUs[ers] Syntax admconfig [options] -setAdminUsers adminusers Required Argument adminusers New path for the adminusers file.
  • Page 139 admconfig Table 8-2 Tasks You Can Perform With admconfig (Continued) Commands for Tasks What the Command Does Specifies the LDAP server host, port, and base DN, and specifies -setDS[Config] whether the LDAP server is running SSL. Syntax admconfig [options] -setDSConfig \”host port baseDN ssl\”...
  • Page 140 admconfig Table 8-2 Tasks You Can Perform With admconfig (Continued) Commands for Tasks What the Command Does Specifies the host, port, base DN, authentication DN, and -setU[GDSConfig] authentication password for the instance of Directory Server containing the user and group directory. You can invoke -setUGDSConfig either with or without arguments.
  • Page 141 admconfig Table 8-2 Tasks You Can Perform With admconfig (Continued) Commands for Tasks What the Command Does -setU[GDSConfig] (continued) Note that the space character is used to parse these six arguments. Therefore, none of the arguments may have spaces in them. To indicate spaces within an argument, use the + character.
  • Page 142 admconfig Table 8-2 Tasks You Can Perform With admconfig (Continued) Commands for Tasks What the Command Does Specifies the port number that this instance of Administration -setPo[rt] Server should use. Syntax admconfig [options] -setPort port Required Argument port Port number that this instance of Administration Server should use.

  • Page 143: Examples

    admin_ip.pl Examples The following examples demonstrate different uses of admconfig • This example changes the port number for an instance of Administration Server to 33333, and then restarts the instance. The verbose level option, which controls how much status information is printed to the screen, is set to 5. admconfig -server eastcoast.example.com:22222 -user john:password -verbose 5 -setPort 33333 -restart •...

  • Page 144: Ldapsearch, Ldapmodify, And Ldapdelete

    ldapsearch, ldapmodify, and ldapdelete On Windows NT From the command line go to folder and enter serverRoot/shared/bin ../../install/perl admin_ip.pl Directory_Manager_DN Directory_Manager_password old_IP new_IP [port #] The old IP address is saved in a file called local.conf.old ldapsearch, ldapmodify, and ldapdelete These tools allow you to search and modify the user directory.

  • Page 145: Syntax

    modutil Syntax sec-migrate src alias dist sie passwd Enter information for the following variables: src. Pre-4.0 server root. alias. Alias of the old key database. dist. Target server root. sie. Server instance entry: Name of the server instance to migrate key and certificate information to.

  • Page 146: Syntax

    modutil Syntax To run the tool, enter the following command modutil modutil task [option] where is a combination of a task and an option from Table 8-3 task [option] and Table 8-4. Each invocation of can take one task and one option. Each modutil option may take zero or more arguments.
  • Page 147 modutil Table 8-3 Task Commands and Options for modutil (Continued) Creates new secmod.db, key3.db, and cert7.db files. -create You can use the following option with this command: -dbdir dbFolder If any of these security databases already exist in a specified directory, the modutil tool displays an error message.
  • Page 148 modutil Table 8-3 Task Commands and Options for modutil (Continued) Adds a new PKCS #11 module to the database. The module must be -jar JARfile contained in the named JAR file. The JAR file identifies all files to install, the module name, mechanism flags, and cipher flags.
  • Page 149 modutil Options The following table describes what the options for modutil Options for modutil Table 8-4 Option What the Option Does Enables specific ciphers in a module that you are adding to the -ciphers cipherList database. CipherList is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.
  • Page 150 modutil Table 8-4 Options for modutil (Continued) Option What the Option Does Specifies the security mechanisms for which a particular module will -mechanisms mechanismList be the default provider. The MECHANISM_LIST is a colon-separated list of mechanism names. Enclose this list in quotation marks if it contains spaces. The module becomes a default provider for the listed mechanisms when those mechanisms are enabled.

  • Page 151: Usage

    modutil Table 8-4 Options for modutil (Continued) Option What the Option Does Specifies a text file containing a token’s current password. This allows -pwfile passwordFile automatic entry of the password when using the -changepw command. Specifies a particular slot to enable or disable when using the -slot slotName -enable or -disable commands.

  • Page 152: Jar Information File

    modutil • Setting the default provider status of various security mechanisms in an existing PKCS #11 module: moduleName mechanismList -default -mechanisms • Clearing the default provider status of various security mechanisms in an existing PKCS #11 module: moduleName mechanismList -undefault -mechanisms •...
  • Page 153 modutil ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc } Platforms { WINNT::x86 { ModuleName { "Fortezza Module" } ModuleFile { win32/fort32.dll } DefaultMechanismFlags{0x00000001} CipherEnableFlags{0x00000001} Files { win32/setup.exe { Executable RelativePath { %temp%/setup.exe } win32/setup.hlp { RelativePath { %temp%/setup.hlp } win32/setup.cab { RelativePath { %temp%/setup.cab } WIN95::x86 { EquivalentPlatform {WINNT::x86} SUNOS:5.5.1:sparc {...

  • Page 154: Jar Information File Syntax

    modutil JAR Information File Syntax Creating a JAR information file involves writing a script that specifies which tasks to perform when installing a module. In order to specify different module installation procedures for different platforms, you use keys, predefined commands and options that interprets.
  • Page 155 modutil program obtains the , and modutil system name OS release architecture values from the system on which the tool is running using low-level code modutil written by Netscape. The following system names and platforms are currently recognized by the low-level Netscape code: •...
  • Page 156 modutil Per-Platform Keys These keys have meaning only within an entry in the list. Platforms is a required key that specifies the common name for the module. This ModuleName name acts as a reference to the module for Netscape Communicator, the modutil tool, servers, or any other program that uses the Netscape security module database.
  • Page 157 modutil is an optional key that specifies ciphers that are provided by CipherEnableFlags this module but not by Netscape products. Using this key allows you to enable these ciphers for Netscape products. The key is a bitstring specified in hexadecimal (0x) format.
  • Page 158 modutil key specifies that a file is to be executed during the course of the Executable installation. Typically this key is used to identify a setup program provided by a module vendor. The setup program itself is specified by the RelativePath key.

  • Page 159: Examples Of Using Modutil

    modutil Some platforms may not understand these permissions. The permissions are applied only if they make sense for the current platform. If this key is omitted, a default value of (Read, Write and Execute for all users) is assumed. Examples of Using modutil This section includes examples of using to perform the following tasks: modutil...
  • Page 160 modutil Displaying Module Information This example uses to retrieve detailed information about a specific modutil module: modutil -list "Netscape Internal PKCS #11 Module" -dbdir C:\databases tool displays information similar to this: modutil Using database directory C:\databases... -------------------------------------------------------- Name: Netscape Internal PKCS #11 ModuleLibrary file: **Internal ONLY module** Manufacturer: Netscape Communications Corp.
  • Page 161 modutil Enabling a Slot You could enter something like the following example to enable a particular slot in a module: modutil -enable "Cryptographic Module" -slot "Cryptographic Reader" -dbdir C:\databases Before running this program, the tool displays a warning: modutil WARNING: Performing this operation while a Netscape product is running could cause corruption of your security databases.
  • Page 162 modutil WARNING: Performing this operation while a Netscape product is running could cause corruption of your security databases. If a Netscape product is currently running, you should exit the product before continuing this operation. Type ’q <enter>’ to abort, or <enter>...
  • Page 163 modutil Before running this program, the tool displays a warning: modutil WARNING: Performing this operation while a Netscape product is running could cause corruption of your security databases. If a Netscape product is currently running, you should exit the product before continuing this operation.
  • Page 164 modutil Changing the Password on a Token You could enter something like the following example to change the password for a security device in use by a module. C:\modutil> modutil -dbdir "C:\databases" -changepw "Administration Server Certificate DB" Before running this program, the tool displays a warning: modutil WARNING: Performing this operation while a Netscape product is...

  • Page 165: Part 4 Advanced Server Management

    Part 4 Advanced Server Management Chapter 9, “Access Control” Chapter 10, “Using SSL and TLS with Netscape Servers” Chapter 11, “Using SNMP to Monitor Servers”...
  • Page 166 Managing Servers with Netscape Console • December 2001...

  • Page 167: Chapter 9 Access Control

    Chapter 9 Access Control This chapter describes how you can use access control instructions to define who can manage and use Netscape servers. It contains the following sections: • Overview of Access Control • Working With Access Control Instructions Overview of Access Control If a number of administrators in your enterprise use Netscape Console, you may want to restrict what each of them can see and do.

  • Page 168: Examples Of Access Control

    Overview of Access Control Examples of Access Control The following examples illustrate how an organization might use ACIs to grant and restrict access to different administrators. Jane is an administrator who troubleshoots network problems. She needs to be able to access any server in the enterprise and frequently modifies user account information.
  • Page 169 Overview of Access Control John is also an administrator, but his job is focused on managing instances of Directory Server in the enterprise. As a result, the Configuration Administrator has used ACIs to restrict the onscreen elements and tasks that he can access. When John logs into Netscape Console, he sees only the servers and tasks required to do his job.

  • Page 170: Setting Access Permissions For Servers

    Setting Access Permissions For Servers Setting Access Permissions For Servers You can specify which users have administrative access to servers in the Netscape Console navigation tree by using the Set Permissions dialog box. To Set Access Permissions for a Server in the Navigation Tree Select a server in the Netscape Console navigation tree.

  • Page 171: Working With Access Control Instructions

    Working With Access Control Instructions Working With Access Control Instructions When you create Access Control Instructions (ACIs) you specify which users can manage a resource as well as when and how access is granted. Netscape Console uses two tools to simplify the process of creating and assigning ACIs: ACI Manager and ACI Editor.

  • Page 172: Bind Rules

    Working With Access Control Instructions Bind Rules Bind rules specify the circumstances under which access is allowed or denied. Bind rules may include any of the following: • The user or group granted or denied access permission • Host computers from which users are allowed or denied access •...

  • Page 173: To Specify What You Want An Aci To Apply To

    Working With Access Control Instructions While each Netscape server has a unique set of items that you can apply ACIs to, the ACI Manager and Editor are shared by all Netscape Console-based products. For information on a specific server’s implementation of ACIs, see that server’s documentation.

  • Page 174: To Create A New Aci With The Visual Aci Editor

    Working With Access Control Instructions To Create a New ACI with the Visual ACI Editor In the ACI Manager click New. The ACI Editor appears. Enter a name for this ACI in the ACI Name field. On the Users/Groups tab, click Add. Identify the users, groups, or administrators to which you want to grant access.
  • Page 175 Working With Access Control Instructions Then, grant access: Click a user, group, or administrator in the results list to select it. You can select multiple entries by pressing Control and clicking the desired users and groups. Add. Click this button to add a selected user from the results list to the access list.

  • Page 176: To Create A New Aci With The Manual Aci Editor

    Working With Access Control Instructions For all entries, these attributes are affected. In this list, select the attributes to which you want this ACI to apply. Users listed in this ACI can only access selected attributes. Check All. Click this button to select all listed attributes. Check None.

  • Page 177: To Edit An Existing Aci With The Aci Editor

    Working With Access Control Instructions Enter your ACI. For more information on creating ACIs, see the Directory Server Administrator’s Guide. (Optional) Click Check Syntax to verify that your ACI is in the correct format. NOTE If you decide you’d prefer to edit your ACI using the visual ACI Editor, you can do so by clicking Edit Visually.

  • Page 178: To Remove An Aci

    Working With Access Control Instructions To Remove an ACI In the ACI Manager, select the ACI that you want to remove. Click Remove. Click OK to remove the ACI. If the ACI was for a task or directory entry, the ACI is automatically removed from the task or entry.

  • Page 179: Chapter 10 Using Ssl And Tls With Netscape Servers

    Chapter 10 Using SSL and TLS with Netscape Servers This chapter describes how to set up support for the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols in Netscape servers. Before reading this chapter, you should be familiar with the concepts described in Appendix B, “Introduction to Public-Key Cryptography.”...

  • Page 180: Ssl And Tls Ciphers

    The SSL and TLS Protocols At a minimum, SSL and TLS require a server certificate. As part of the initial “handshake” process, the server authenticates its identity by presenting this server certificate to the client. Using public-key encryption and digital signatures, the client confirms that the server is, in fact, the server it claims to be.

  • Page 181: Preparing To Use Ssl And Tls Encryption

    Preparing to Use SSL and TLS Encryption Since 40-bit ciphers can be broken relatively quickly, administrators whose user communities can use stronger ciphers should disable all 40-bit ciphers if they are concerned about access to data by eavesdroppers. For detailed information on determining which cipher suites to use when setting up SSL, see Appendix C, “Introduction to SSL,”...

  • Page 182: To Install An External Security Device

    Preparing to Use SSL and TLS Encryption An internal security device is made up of a key-pair and a certificate database stored in a software file on a host computer. By default, Netscape Administration Server provides a means to create an internal security device with its PKCS #11 module. If you do not have an external device connected to your server or client, you can use only the Netscape internal security device for SSL authentication.

  • Page 183: Obtaining And Installing A Server Certificate

    Obtaining and Installing a Server Certificate Obtaining and Installing a Server Certificate When requesting and installing certificates, you use two wizards. You use the Certificate Request Wizard to request a new server certificate or to renew a certificate that you’re already using. You use the Certificate Installation Wizard to install a certificate that you’ve received from a Certificate Authority (CA).

  • Page 184: Preparing To Set Up Ssl And Tls

    Obtaining and Installing a Server Certificate Preparing to Set Up SSL and TLS You will need to set up SSL and TLS differently depending on whether you are using an internal security device, an external hardware device, or both. This section will tell you how to do this.
  • Page 185 Obtaining and Installing a Server Certificate From the Console menu, choose Security > Manage Certificates. You can also click the Manage Certificates task. Click Request to open the Certificate Request Wizard. Choose “Request Certificate Manually,” and then click Next. Enter the requested information: Server Name.

  • Page 186: Sending A Server Certificate Request

    Obtaining and Installing a Server Certificate Select one of the following: Copy to Clipboard. Click to copy your certificate request to the clipboard. Save to File. Click to save your request as a text file. You will be prompted to choose a name and location for the file.

  • Page 187: Installing The Certificate

    Obtaining and Installing a Server Certificate Installing the Certificate Depending on the CA, you may receive your certificate in an email message or you may have to retrieve it from the CA’s web site. Once you have the certificate, you can back it up and install it.

  • Page 188: To Install A Ca Certificate Or Server Certificate Chain

    Obtaining and Installing a Server Certificate Verify that the certificate information is correct, and then click Next. Enter a name for the certificate, and then click Next. Enter the password for the security device that will hold this certificate. If you are installing the certificate on the internal (software) security device, enter the password for the key and certificate database.

  • Page 189: Backing Up And Restoring Your Certificate Database

    Obtaining and Installing a Server Certificate Select the trust options for this certificate: Accepting Connections from Clients. Check this box if you want to trust client certificates issued by this CA. Making Connections to Other Servers. Check this box if you want to trust server certificates issued by this CA.

  • Page 190: Activating Ssl

    Activating SSL Activating SSL Once you’ve obtained and installed a server certificate, use Netscape Console to activate SSL on your Netscape server. The following procedure uses Netscape Administration Server as its example. Activating SSL on other Netscape servers is done the same way, although in some cases the interface is slightly different. For more information on how to activate SSL on another server product, see that server’s documentation.
  • Page 191 Activating SSL Enter information as appropriate: Enable SSL for this server. Select this option if you want to secure this server with Secure Sockets Layer (SSL) encryption. All other SSL encryption options listed here become available to you only when you enable SSL by checking this box.

  • Page 192: Managing Server Certificates

    Managing Server Certificates Managing Server Certificates Periodically, you may need to update information for your installed SSL certificates. From Netscape Console, you can renew a server certificate as well as view and edit settings for all certificates installed on a server. Renewing a Certificate Like credit cards or any other form of identification, all certificates have validity periods.
  • Page 193 Managing Server Certificates From the list of available certificates, select the one you want to renew, and then click the Renew button. Select “Request Certificate Manually,” and then click Next. Enter the requested information: Server Name. (Optional) Enter the fully qualified hostname of the machine for which you’re requesting a certificate.

  • Page 194: Changing The Ca Trust Options

    Managing Server Certificates Click Done to close the Certificate Request Wizard. You can now send your certificate renewal request to your CA. For more information, see “To Send a Server Certificate Request as email” on page 186. Changing the CA Trust Options At times, you may need to reject a generally trusted CA.

  • Page 195: To Change A Security Device Password

    Managing Server Certificates To Change a Security Device Password In the Netscape Console navigation tree, select the server instance that is using the security device for which you want to change the password. Click Open to open the management window for the server instance. On the Tasks tab, click the Manage Certificates task button.

  • Page 196: To View, Add, Or Delete A Crl Or Ckl

    Managing Server Certificates Once you’ve saved the CRL or CKL file to a local directory, you can add its contents to the certificate database. Once you do this, your server will no longer trust the certificates or keys that are specified in the CRL or CKL file. To View, Add, or Delete a CRL or CKL In the Netscape Console navigation tree, select the server instance that you want to work with.

  • Page 197: Using Client Authentication

    Using Client Authentication Using Client Authentication You can configure some Netscape servers to require that clients present certificates when logging in. This allows a server to verify a client’s authenticity and to determine if a user has access to the server. The process of presenting and verifying a client certificate is called client authentication.

  • Page 198: Preparing To Use Client Authentication

    Using Client Authentication If more than one directory entry contains the information in the user’s certificate, the server can examine all matching entries in order to determine which user is trying to authenticate. When examining a directory entry, the server compares the presented certificate with the one stored in the entry.

  • Page 199: Dncomps

    Using Client Authentication file is stored in the folder. The certmap.conf <server_root>/shared/config file contains a default mapping as well as mappings for specific CAs. The default mapping specifies what the server should do if a client certificate was issued by a CA that isn’t listed in .

  • Page 200: Filtercomps

    Using Client Authentication For example, if you set to use the RDN keywords, the server starts DNComps the search from the entry in the directory, where o=org, c=country are replaced with values from the DN in the certificate. country • If there isn’t a entry in the mapping, the server uses either the DNComps...

  • Page 201: Cmapldapattr

    Using Client Authentication CmapLdapAttr is the name of the attribute in the directory that contains subject CmapLdapAttr DNs from all certificates belonging to the user. Because this attribute isn’t a standard LDAP attribute, you have to extend the LDAP schema to include it (see the Directory Server Administrator’s Guide for details).

  • Page 202: To Edit The Certmap.conf File

    Using Client Authentication To Edit the certmap.conf File In a text editor, open Server_Root/shared/config/certmap.conf If necessary, make changes to the default mapping. For example, you may want to change the value for DNComps FilterComps If you want to comment out a line, insert a before it.

  • Page 203: Example Certmap.conf Mappings

    Using Client Authentication Example certmap.conf Mappings The following examples illustrate three different ways you can use the file. certmap.conf Example of a Default Mapping Here are the contents of a simple file that contains only the default certmap.conf mapping: certmap default default default:DNComps ou, o, c...

  • Page 204: Example Of A Mapping With An Attribute Search

    Using Client Authentication organizational unit specified in the subject DN and searches for email addresses ( that match the one specified in the certificate. If the certificate is from MyCA, the server verifies the certificate. If the certificate is from another CA, the server does not verify it.

  • Page 205: To Set Up Client Authentication Between Servers

    Using Client Authentication To Set Up Client Authentication Between Servers Install certificates on an instance of Administration Server and the Netscape server instance that will perform the authentication. For more information, see “To Install a Server Certificate” on page 187. If necessary, install CA certificates and specify that they should be trusted.

  • Page 206: Client Authentication For Users

    Using Client Authentication Client Authentication for Users You can use client authentication to verify the identity and access permission of a user, typically an administrator, to an Administration Server instance. Before enabling client authentication for users, the server must have a CA certificate chain and server certificate installed and have SSL enabled.
  • Page 207 Using Client Authentication Copy the Netscape Communicator certificate database files, cert7.db , that contain your certificates to your directory. key3.db .mcc In WindowsNT, the files are located in cert7.db key3.db <username> C:\ProgramFiles\netscape\Users\ In Unix, the files are located in your home directory, cert7.db key3.db is your root directory if you are running...
  • Page 208 Using Client Authentication Managing Servers with Netscape Console • December 2001...

  • Page 209: Chapter 11 Using Snmp To Monitor Servers

    Chapter 11 Using SNMP to Monitor Servers You can use the Simple Network Management Protocol (SNMP) to manage your Netscape servers. This chapter explains how SNMP works and tells you how to set it up on your network. The chapter contains the following sections: •...
  • Page 210 SNMP Basics The machine used to monitor and configure managed devices is called a network management station. A network management station is usually a powerful workstation running network management applications which graphically show information about managed devices. For example, a network management application might show which servers in your enterprise are running and which are shut down, or the application might report the number and type of error messages received.

  • Page 211: How Snmp Works

    SNMP Basics The Windows NT operating system includes an SNMP master agent. Netscape Administration Server employs this service when utilizing SNMP. You can access and operate this master agent through the Network control panel. In the UNIX environment, the master agent is installed with Administration Server. Some UNIX operating systems support an extended version of SNMP called the SNMP multiplexing protocol (usually known as SMUX).

  • Page 212: The Administration Server Mib

    SNMP Basics The Administration Server MIB Netscape Administration Server stores its MIB in a file called netscape-main.mib The Administration Server MIB lists the object identifiers for all installed Netscape servers. It also defines the object identifier shared by all Netscape servers. This object identifier is netscape OJBECT IDENTIFIER: :={enterprises 1450} file may look like this:...

  • Page 213: Types Of Snmp Messages

    SNMP Basics Types of SNMP Messages SNMP defines three types of messages: GET, SET, and trap. The network management station uses GET messages to request data and SET messages to change variable values in the MIB. The messages sent by a server to the network management station are known as trap messages.

  • Page 214: Setting Up Snmp On Unix

    Setting Up SNMP on UNIX Setting Up SNMP on UNIX In general, to use SNMP on UNIX you must have a master agent and at least one subagent installed and running on your system. You need to install a master agent before you can enable a subagent.

  • Page 215: Using A Proxy Snmp Agent On Unix

    Using a Proxy SNMP Agent on UNIX Table 11-1 Overview of Procedures for Enabling SNMP Master Agents and Subagents If your server meets these conditions..follow these procedures • The native agent is running, SMUX is not 1. Install and start a proxy SNMP supported, and the system needs to agent.

  • Page 216: Installing And Starting The Proxy Snmp Agent

    Using a Proxy SNMP Agent on UNIX In order to use both master agents simultaneously, you need to install and start the proxy SNMP agent. You also have to restart the native SNMP master agent using a port number other than the one used by the Netscape Console master agent. Installing and Starting the Proxy SNMP Agent Before you install the proxy SNMP agent, make sure to stop the native master agent.

  • Page 217: To Restart The Native Agent

    Reconfiguring a Native Agent on UNIX To Restart the Native Agent • At the command prompt, enter portNumber (specified in the file) snmpd -P CONFIG For example, on the Solaris platform, using the port in the sample file CONFIG above, you would enter snmpd -P 1161 Reconfiguring a Native Agent on UNIX If your native agent supports SMUX, you don’t need to install a master agent.

  • Page 218: Configuring The Master Agent On Unix

    Configuring the Master Agent on UNIX Configuring the Master Agent on UNIX In order to use SNMP, you must configure the master agent by specifying community strings and trap destinations. Community Strings A community string is a password that an SNMP agent uses for authorization. A community string is a text string that an SNMP master agent uses for authorization.

  • Page 219: To Add, Edit, Or Remove A Community String Using Netscape Console

    Configuring the Master Agent on UNIX To Add, Edit, or Remove a Community String using Netscape Console In the Netscape Console navigation tree, select the instance of Administration Server that you want to work with. Click Open to open the management window for the server instance. Click the Tasks tab.

  • Page 220: To Add, Edit, Or Remove A Trap Destination

    Configuring the Master Agent on UNIX GET only. Choose this option if you want to use this community string only for requesting data and replying to messages. SET only. Choose this option if you want to allow this community string only for setting variable values.

  • Page 221: Manually Configuring The Master Agent

    Configuring the Master Agent on UNIX Click the appropriate button for the task you are performing. If you are adding a trap destination, click Add. If you are editing a trap destination, select it, and then click Edit. If you are removing a trap destination, select it, and then click Remove. If you are adding or editing a trap destination, enter Manager information as necessary: Manager Station.

  • Page 222: Editing The Master Agent Config File

    Configuring the Master Agent on UNIX Edit the file located in the CONFIG <server-root>/plugins/snmp/magt directory. (Optional) Define variables in the file. sysContact sysLocation CONFIG Instructions for editing the file and defining the CONFIG sysContact variables are detailed below. sysLocation Editing the Master Agent Config File file defines the community and manager with which the master agent CONFIG will work.

  • Page 223: Starting The Master Agent On Unix

    Starting the Master Agent on UNIX COMMUNITY public ALLOW ALL OPERATIONS MANAGER nms2 SEND ALL TRAPS TO PORT 162 WITH COMMUNITY public INITIAL sysLocation “Server room 501 East Middlefield Road Mountain View, CA 94043 USA” INITIAL sysContact “John Doe email: <jdoe@netscape.com>” Starting the Master Agent on UNIX Once you have configured the SNMP master agent, you can start it using Netscape Console or from the command line.

  • Page 224: Starting The Agent From The Command Line

    Starting the Master Agent on UNIX Click the Start button. Starting the Agent from the Command Line If you do not want to start the SNMP master agent from Netscape Console, you can launch it from the command prompt. If you want to run the agent on a port other than 161, you must modify your or system services file and then start the CONFIG...

  • Page 225: To Start The Agent On A Non-Standard Port Using System Services

    Enabling the Subagent on UNIX To Start the Agent on a Non-Standard Port using System Services • Edit the file to allow the master agent to accept connections on /etc/services the standard port as well as on a nonstandard port. For information on editing this file, see your system documentation.
  • Page 226 Using the Windows NT SNMP Service Managing Servers with Netscape Console • December 2001...

  • Page 227: Part 5

    Part 5 Appendixes Appendix A, “Fortezza” Appendix B, “Introduction to Public-Key Cryptography” Appendix C, “Introduction to SSL”...
  • Page 228 Managing Servers with Netscape Console • December 2001...

  • Page 229: Appendix A Fortezza

    Appendix A Fortezza Fortezza is a cryptographic system that combines the use of hardware-based tokens and software-based algorithms to secure electronic information exchange. The US government developed Fortezza to manage sensitive but unclassified information. The information in this chapter applies only to US government agencies and businesses that work with the US government.

  • Page 230: How Fortezza Crypto Cards Are Certified

    How Fortezza Crypto Cards are Certified Each enterprise user must request and obtain a Fortezza crypto card from a CA. Typically, a user who wants to access a Fortezza-secured server plugs the Fortezza crypto card into the PCMCIA reader. By inserting the card and typing in a personal identification number (PIN), the user tells the client to do the following: •...

  • Page 231: Crls And Ckls

    Enabling Fortezza CRLs and CKLs CAs can provide Certificate revocation lists (CRLs) and compromised key lists (CKLs) to help manage keys and certificates that are stored on Fortezza crypto cards. For information on CRLs and CKLs, see “Managing Certificate Lists,” beginning on page 195.

  • Page 232: To Enable Fortezza On Administration Server

    Enabling Fortezza To Enable Fortezza on Administration Server Install your Fortezza card reader. See “To Install an External Security Device” on page 182 for more information. Activate SSL When prompted to choose ciphers, select the Fortezza ciphers. See “To Activate SSL on a Netscape Server or a Netscape 4.x Server” on page 190 for more information.

  • Page 233: Appendix B Introduction To Public-Key Cryptography

    Appendix B Introduction to Public-Key Cryptography Public-key cryptography and related standards and techniques underlie security features of many Netscape products, including signed and encrypted email, form signing, object signing, single sign-on, and the Secure Sockets Layer (SSL) protocol. This document introduces the basic concepts of public-key cryptography. •...
  • Page 234 Internet Security Issues The great flexibility of TCP/IP has led to its worldwide acceptance as the basic Internet and intranet communications protocol. At the same time, the fact that TCP/IP allows information to pass through intermediate computers makes it possible for a third party to interfere with communications in the following ways: •...

  • Page 235: Encryption And Decryption

    Encryption and Decryption • Authentication allows the recipient of information to determine its origin—that is, to confirm the sender’s identity. • Nonrepudiation prevents the sender of information from claiming at a later date that the information was never sent. The sections that follow introduce the concepts of public-key cryptography that underlie these capabilities.

  • Page 236: Symmetric-Key Encryption

    Encryption and Decryption Symmetric-Key Encryption With symmetric-key encryption, the encryption key can be calculated from the decryption key and vice versa. With most symmetric algorithms, the same key is used for both encryption and decryption, as shown in Figure B-1. Figure B-1 Symmetric-Key Encryption Implementations of symmetric-key encryption can be highly efficient, so that users...

  • Page 237: Public-Key Encryption

    Encryption and Decryption Public-Key Encryption The most commonly used implementations of public-key encryption are based on algorithms patented by RSA Data Security. Therefore, this section describes the RSA approach to public-key encryption. Public-key encryption (also called asymmetric encryption) involves a pair of keys—a public key and a private key—associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data.

  • Page 238: Key Length And Encryption Strength

    Encryption and Decryption cryptography. Client software such as Communicator can then use your public key to confirm that the message was signed with your private key and that it hasn’t been tampered with since being signed. “Digital Signatures” (beginning on page 239) and subsequent sections describe how this confirmation process works.

  • Page 239: Digital Signatures

    Digital Signatures Digital Signatures Encryption and decryption address the problem of eavesdropping, one of the three Internet security issues mentioned at the beginning of this document. But encryption and decryption, by themselves, do not address the other two problems mentioned in “Internet Security Issues” (beginning on page 233): tampering and impersonation.

  • Page 240: Certificates And Authentication

    Certificates and Authentication Figure B-3 shows two items transferred to the recipient of some signed data: the original data and the digital signature, which is basically a one-way hash (of the original data) that has been encrypted with the signer’s private key. To validate the integrity of the data, the receiving software first uses the signer’s public key to decrypt the hash.

  • Page 241: A Certificate Identifies Someone Or Something

    Certificates and Authentication A Certificate Identifies Someone or Something A certificate is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key. Like a driver’s license, a passport, or other commonly used personal IDs, a certificate provides generally recognized proof of a person’s identity.

  • Page 242: Authentication Confirms An Identity

    Certificates and Authentication Authentication Confirms an Identity Authentication is the process of confirming an identity. In the context of network interactions, authentication involves the confident identification of one party by another party. Authentication over networks can take many forms. Certificates are one way of supporting authentication.

  • Page 243: Password-Based Authentication

    Certificates and Authentication Password-Based Authentication Figure B-4 shows the basic steps involved in authenticating a client by means of a name and password. Figure B-4 assumes the following: • The user has already decided to trust the server, either without authentication or on the basis of server authentication via SSL.

  • Page 244: Certificate-Based Authentication

    Certificates and Authentication As shown in the next section, one of the advantages of certificate-based authentication is that it can be used to replace the first three steps in Figure B-4 with a mechanism that allows the user to supply just one password (which is not sent across the network) and allows the administrator to control user authentication centrally.
  • Page 245 Certificates and Authentication two assumptions are true only if unauthorized personnel have not gained access to the user’s machine or password, the password for the client software’s private key database has been set, and the software is set up to request the password at reasonable frequent intervals.

  • Page 246: How Certificates Are Used

    Certificates and Authentication evaluation process can employ a variety of standard authorization mechanisms, potentially using additional information in an LDAP directory, company databases, and so on. If the result of the evaluation is positive, the server allows the client to access the requested resource. As you can see by comparing Figure B-5 to Figure B-4, certificates replace the authentication portion of the interaction between the client and the server.
  • Page 247 Certificates and Authentication • Server SSL certificates. Used to identify servers to clients via SSL (server authentication). Server authentication may be used with or without client authentication. Server authentication is a requirement for an encrypted SSL session. For more information, see “SSL Protocol” on page 248. Example: Internet sites that engage in electronic commerce (commonly known as e-commerce) usually support certificate-based server authentication, at a minimum, to establish an encrypted SSL session and to assure customers that...

  • Page 248: Ssl Protocol

    Certificates and Authentication SSL Protocol The Secure Sockets Layer (SSL) protocol is a set of rules governing server authentication, client authentication, and encrypted communication between servers and clients. SSL is widely used on the Internet, especially for interactions that involve exchanging confidential information such as credit card numbers. SSL requires a server SSL certificate, at a minimum.

  • Page 249: Form Signing

    Certificates and Authentication known as nonrepudiation. In other words, signed email makes it very difficult for the sender to deny having sent the message. This is important for many forms of business communication. (For information about the way digital signatures work, see “Digital Signatures,”...

  • Page 250: Object Signing

    Certificates and Authentication keeping track of different passwords, tend to choose poor ones, and tend to write them down in obvious places. Administrators must keep track of a separate password database on each server and deal with potential security problems related to the fact that passwords are sent over the network routinely and frequently.

  • Page 251: Contents Of A Certificate

    Certificates and Authentication The “objects” signed with object signing technology can be applets or other Java code, JavaScript scripts, plug-ins, or any kind of file. The “signature” is a digital signature. Signed objects and their signatures are typically stored in a special file called a JAR file.

  • Page 252: A Typical Certificate

    Certificates and Authentication DNs may include a variety of other name-value pairs. They are used to identify both certificate subjects and entries in directories that support the Lightweight Directory Access Protocol (LDAP). The rules governing the construction of DNs can be quite complex and are beyond the scope of this document.
  • Page 253 Certificates and Authentication Here are the data and signature sections of a certificate in human-readable format: Certificate: Data: Version: v3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US Validity: Not Before: Fri Oct 17 18:36:25 1997 After: Sun Oct 17 18:36:25 1999...

  • Page 254: How Ca Certificates Are Used To Establish Trust

    Certificates and Authentication Here is the same certificate displayed in the 64-byte-encoded form interpreted by software: -----BEGIN CERTIFICATE----- MIICKzCCAZSgAwIBAgIBAzANBgkqhkiG9w0BAQQFADA3MQswCQYDVQQGEwJVUzER MA8GA1UEChMITmV0c2NhcGUxFTATBgNVBAsTDFN1cHJpeWEncyBDQTAeFw05NzEw MTgwMTM2MjVaFw05OTEwMTgwMTM2MjVaMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQK EwhOZXRzY2FwZTENMAsGA1UECxMEUHViczEXMBUGA1UEAxMOU3Vwcml5YSBTaGV0 dHkwgZ8wDQYJKoZIhvcNAQEFBQADgY0AMIGJAoGBAMr6eZiPGfjX3uRJgEjmKiqG 7SdATYazBcABu1AVyd7chRkiQ31FbXFOGD3wNktbf6hRo6EAmM5/R1AskzZ8AW7L iQZBcrXpc0k4du+2Q6xJu2MPm/8WKuMOnTuvzpo+SGXelmHVChEqooCwfdiZywyZ NMmrJgaoMa2MS6pUkfQVAgMBAAGjNjA0MBEGCWCGSAGG+EIBAQQEAwIAgDAfBgNV HSMEGDAWgBTy8gZZkBhHUfWJM1oxeuZc+zYmyTANBgkqhkiG9w0BAQQFAAOBgQBt I6/z07Z635DfzX4XbAFpjlRl/AYwQzTSYx8GfcNAqCqCwaSDKvsuj/vwbf91o3j3 UkdGYpcd2cYRCgKi4MwqdWyLtpuHAH18hHZ5uvi00mJYw8W2wUOsY0RC/a/IDy84 hW3WWehBUqVK5SY4/zJ4oTjx7dwNMdGwbWfpRqjd1A== -----END CERTIFICATE----- How CA Certificates Are Used to Establish Trust Certificate authorities (CAs) are entities that validate identities and issue certificates.

  • Page 255: Ca Hierarchies

    Certificates and Authentication CA Hierarchies In large organizations, it may be appropriate to delegate the responsibility for issuing certificates to several different certificate authorities. For example, the number of certificates required may be too large for a single CA to maintain; different organizational units may have different policy requirements;...

  • Page 256: Certificate Chains

    Certificates and Authentication Certificate Chains CA hierarchies are reflected in certificate chains. A certificate chain is series of certificates issued by successive CAs. Figure B-7 shows a certificate chain leading from a certificate that identifies some entity through two subordinate CA certificates to the CA certificate for the root CA (based on the CA hierarchy shown in Figure B-6).

  • Page 257: Verifying A Certificate Chain

    Certificates and Authentication In Figure B-7, the Engineering CA certificate contains the DN of the CA (that is, USA CA), that issued that certificate. USA CA’s DN is also the subject name of the next certificate in the chain. • Each certificate is signed with the private key of its issuer.
  • Page 258 Certificates and Authentication Figure B-8 Verifying a Certificate Chain All the Way to the Root CA Figure B-8 shows what happens when only Root CA is included in the verifier’s local database. If a certificate for one of the intermediate CAs shown in Figure B-8, such as Engineering CA, is found in the verifier’s local database, verification stops with that certificate, as shown in Figure B-9.
  • Page 259 Certificates and Authentication Expired validity dates, an invalid signature, or the absence of a certificate for the issuing CA at any point in the certificate chain causes authentication to fail. For example, Figure B-10 shows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier’s local database.

  • Page 260: Managing Certificates

    Managing Certificates Managing Certificates The set of standards and services that facilitate the use of public-key cryptography and X.509 v3 certificates in a network environment is called the public key infrastructure (PKI). PKI management is complex topic beyond the scope of this document.

  • Page 261: Certificates And The Ldap Directory

    Managing Certificates Netscape Certificate Management System allows an organization to set up its own certificate authority and issue certificates. Issuing certificates is one of several managements tasks that can be handled by separate Registration Authorities. Certificates and the LDAP Directory The Lightweight Directory Access Protocol (LDAP) for accessing directory services supports great flexibility in the management of certificates within an organization.

  • Page 262: Renewing And Revoking Certificates

    Managing Certificates Keys can be generated by client software or generated centrally by the CA and distributed to users via an LDAP directory. There are trade-offs involved in choosing between local and centralized key generation. For example, local key generation provides maximum nonrepudiation, but may involve more participation by the user in the issuing process.

  • Page 263: Registration Authorities

    Managing Certificates intervals and checking the list as part of the authentication process. For some organizations, it may be preferable to check directly with the issuing CA each time a certificate is presented for authentication. This procedure is sometimes called real-time status checking.
  • Page 264 Managing Certificates Managing Servers with Netscape Console • December 2001...

  • Page 265: Appendix C Introduction To Ssl

    Appendix C Introduction to SSL This document introduces the Secure Sockets Layer (SSL) protocol. Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. • The SSL Protocol •...
  • Page 266 The SSL Protocol Figure C-1 Where SSL Runs The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection.

  • Page 267: Ciphers Used With Ssl

    Ciphers Used with SSL The SSL protocol includes two sub-protocols: the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format used to transmit data. The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection.

  • Page 268: Cipher Suites With Rsa Key Exchange

    Ciphers Used with SSL Decisions about which cipher suites a particular organization decides to enable depend on trade-offs among the sensitivity of the data involved, the speed of the cipher, and the applicability of export rules. Some organizations may want to disable the weaker ciphers to prevent SSL connections with weaker encryption.
  • Page 269 Ciphers Used with SSL Table C-1 Cipher Suites Supported by the SSL Protocol That Use the RSA Key-Exchange Algorithm Strength Category and Cipher Suites Recommended Use Strongest Cipher Suite Triple DES With 168-Bit Encryption and SHA-1 Message Authentication Permitted for deployments within the United States only.

  • Page 270: Fortezza Cipher Suites

    Ciphers Used with SSL Table C-1 Cipher Suites Supported by the SSL Protocol That Use the RSA Key-Exchange Algorithm Strength Category and Cipher Suites Recommended Use Exportable Cipher Suites RC4 With 40-Bit Encryption and MD5 Message Authentication These cipher suites are not as RC4 40-bit encryption permits approximately 1.1 * 10 (a trillion) strong as those listed above, but...
  • Page 271 Ciphers Used with SSL Table C-2 Cipher Suites Supported by Netscape When Using Fortezza for SSL 3.0 Strength Category and Cipher Suites Recommended Use Strong Fortezza Cipher Suites RC4 With 128-bit Encryption and SHA-1 Message Authentication Permitted for deployments Like RC4 with 128-bit encryption and MD5 message authentication, within the United States only.

  • Page 272: The Ssl Handshake

    The SSL Handshake The SSL Handshake The SSL protocol uses a combination of public-key and symmetric key encryption. Symmetric key encryption is much faster than public-key encryption, but public-key encryption provides better authentication techniques. An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection...
  • Page 273 The SSL Handshake If the server has requested client authentication, the server attempts to authenticate the client (for details, see “Client Authentication,” which begins on page 277). If the client cannot be authenticated, the session is terminated. If the client can be successfully authenticated, the server uses its private key to decrypt the premaster secret, then performs a series of steps (which the client also performs, starting from the same premaster secret) to generate the master secret.

  • Page 274: Server Authentication

    The SSL Handshake • In the case of client authentication, the client encrypts some random data with the client’s private key—that is, it creates a digital signature. The public key in the client’s certificate can correctly validate the digital signature only if the corresponding private key was used.
  • Page 275 The SSL Handshake Figure C-2 Authentication of a Client Certificate An SSL-enabled client goes through these steps to authenticate a server’s identity: Is today’s date within the validity period? The client checks the server certificate’s validity period. If the current date and time are outside of that range, the authentication process won’t go any further.

  • Page 276: Man-In-The-Middle Attack

    The SSL Handshake doesn’t correspond to the private key used by the CA to sign the server certificate, the client won’t authenticate the server’s identity. If the CA’s digital signature can be validated, the server treats the user’s certificate as a valid “letter of introduction”...

  • Page 277: Client Authentication

    The SSL Handshake The encrypted information exchanged at the beginning of the SSL handshake is actually encrypted with the rogue program’s public key or private key, rather than the client’s or server’s real keys. The rogue program ends up establishing one set of session keys for use with the real server, and a different sent of session keys for use with the client.
  • Page 278 The SSL Handshake Figure C-3 Authentication and Verification of a Client Certificate An SSL-enabled server goes through these steps to authenticate a user’s identity: Does the user’s public key validate the user’s digital signature? The server checks that the user’s digital signature can be validated with the public key in the certificate.
  • Page 279 The SSL Handshake Is the issuing CA a trusted CA? Each SSL-enabled server maintains a list of trusted CA certificates, represented by the shaded area on the right side of Figure C-3. This list determines which certificates the server will accept. If the DN of the issuing CA matches the DN of a CA on the server’s list of trusted CAs, the answer to this question is yes, and the server goes on to Step 4.
  • Page 280 The SSL Handshake Managing Servers with Netscape Console • December 2001...

  • Page 281: Glossary

    Glossary access control The process of controlling who is allowed to do what to a server, onscreen element, task, or directory entry. See also access control instruction (ACI), access control list (ACL). access control instruction (ACI) A rule that permits or restricts access to a server, onscreen element, task, or directory entry.
  • Page 282 authentication Assurance that a party to a computerized transaction is not an impostor. Authentication typically involves the use of a password, certificate, PIN, or other information that can be used to validate identity over a computer network. See also certificate authentication, client authentication, password authentication, server authentication.
  • Page 283 certificate chain A hierarchical series of certificates signed by successive certificate authorities. A certificate chain contains a CA certificate that identifies a certificate authority (CA) and that is used to sign certificates issued by that authority. This CA certificate can in turn be signed by the CA certificate of a parent CA, and so on up to a root CA.
  • Page 284 Configuration Administrator The person who can manage all resources in the Netscape Console navigation tree. For more information, see “Administrators” on page 93. Configuration Administrators group A static group whose members have unrestricted access to the configuration directory. The group is stored in the configuration directory under the following DN: ou=Groups, ou=TopologyManagement, o=NetscapeRoot configuration directory Typically, a subtree of a directory containing application...
  • Page 285 eavesdropping Surreptitious interception of information sent over a network by an entity for which the information is not intended. encryption The process of scrambling information in a way that disguises its meaning. See also decryption. external security device A key-pair and certificate database stored in an external device such as a smart card.
  • Page 286 information panel The right-hand side of the “Servers and Applications” tab in the main Netscape Console window. Displays detailed information about a selected resource. instance See server instance. internal security device A key-pair and a certificate database stored in a software file on a host computer.
  • Page 287 managed devices A piece of hardware or software that is controlled over SNMP. managed object configuration and management settings that can be read and changed by an SNMP master agent. management information base See MIB. master agent See SNMP master agent. member A directory entry that is part of a group.
  • Page 288 NMS See network management station. nonrepudiation The inability of a sender of information to claim that the information was never sent. A digital signature provides one form of nonrepudiation. object class A definition of a type of directory entry. An object class includes definitions of the attributes that are contained in a directory entry.
  • Page 289 public-key infrastructure (PKI) The standards and services that facilitate the use of public-key encryption and certificates in a networked environment. RDN See relative distinguished name. registration authority (RA) An entity that receives and authenticates certificate requests, and then forwards them to a CA. relative distinguished name The name of a directory entry, before the entry’s ancestors have been appended to the string to form the full distinguished name.
  • Page 290 server Instances of server software that provide specific services such as directory database, messaging, and publishing. server authentication The process of identifying a server to a client. See also client authentication. server certificate A single certificate, associated only with your server, that identifies your server to clients.
  • Page 291 smart card A small device (typically about the size of a credit card), that contains a microprocessor and is capable of storing keys and certificates, as well as performing cryptographic operations. Smart cards implement some or all of the PKCS #11 interface. SNMP See Simple Network Management Protocol (SNMP).
  • Page 292 TCP/IP Transmission Control Protocol/Internet Protocol. The main network protocol for the Internet and for enterprise (company) networks. token See security device. topology A hierarchical representation of all the resources that are registered in a configuration directory. trap message Messages sent messages by a managed device to the network management station.

  • Page 293: Index

    Index options 134 overview and syntax 133 access control tasks 135 examples of 168 usage examples 143 overview 167–171 Admin Server, See Administration Server to navigation tree 170 admin_ip.pl, overview and usage 143 Access Control Instruction, See ACI administration domain Access Control List, defined 167 changing user directory settings for 128 access log...
  • Page 294 setting paths for log files 116 certificate database using SSL on 123 backing up 189 starting and restarting 111–113 restoring from a backup 189 stopping 113 certificate group storage of URLs by Netscape Console 46 creating 103 Administration Server Administrator defined 98 changing user name or password for 108 certificate request, sending as email 186...
  • Page 295 client SSL certificates defined 246 enabling on Administration Server 191 dbdir, option for modutil 149 logging in to Netscape Console using 46–49 dc, RDN keyword 84 overview of 197–198 preparing to use 198 default, command for modutil 147 setting up between servers 205 delete, command for modutil 147 using certmap.conf 198–201 digital signatures...
  • Page 296 email, signed and encrypted 248 GET, type of SNMP message 213 enable, command for modutil 147 getAc[cessLog], admconfig task 137 enableD[SGWAccess], admconfig task 136 getAdd[resses], admconfig task 137 enc[ryption], option for admconfig 134 getAdminUI[D], admconfig task 137 encryption getAdminUs[ers], admconfig task 138 defined 235 getCa[cheLifetime], admconfig task 138 overview of SSL 179...
  • Page 297 i[nputFile], option for admconfig 134 l, RDN keyword 84 information panel, defined 51 LDAP URL, contructing 102 InitFn, certmap.conf property 201 ldapdelete, defined 144 installation ldapmodify, defined 144 Administration Server 26 ldapsearch, defined 144 Directory Server 26 libfile, option for modutil 149 Express Mode 27 library, certmap.conf property 201 modes 27...
  • Page 298 using JAR information file with 152–153 See also JAR information file password changing for a user or administrator 106–108 using for authentication 242 password-based authentication, defined 243–244 per-file keys, See JAR information file permission, See ACI native agent defined 214 per-platform keys, See JAR information file reconfiguring 217 PKCS #11 module...
  • Page 299 relative distinguished name, See RDN server management window, See management window renewal request, generating for certificate 192–194 server, pre-4.0 resources, defined 51 migrating from 71 restart, Administration Server 111–113 SET, type of SNMP message 213 rules, See ACI Set Permissions dialog box, described 171 setAc[cessLog], admconfig task 137 setAdd[resses], admconfig task 137 setAdminP[wd], admconfig task 137...
  • Page 300 proxy agent 215 sysContact, defining in master agent CONFIG file proxy agent defined 215 setting up 214–215 sysLocation, defining in master agent CONFIG file setting up on Windows NT 225 starting a proxy agent 216 enabling subagent 218 subagent defined 210 trap destinations 218 See also master agent See also subagent...
  • Page 301 of a stand-alone version of Netscape Console 33–35 See also installation user authentication, See authentication user directory failover support 128 overview 127 settings 127 See also Directory Server user entries administrators 93 changing passwords for 106 creating 90 editing 106 locating 88 preferred language of 93 removing 108...
  • Page 302 Managing Servers with Netscape Console • December 2001...

This manual is also suitable for:

Netscape management system 6.0

Table of Contents