Communication Between The Web Admin Server And The Web Admin Browser; Enterprise Client/Server Communications; Web Access Server Communications; Disabling The Ssl 2.0 Protocol - Novell IFOLDER 3.7 - SECURITY ADMINISTRATION Manual

2.1.2 LDAP Server Certificate via YaST Install
If you enabled Require a Secure Connection between the LDAP server and the iFolder Server
during the YaST install, the LDAP server certificate is accepted without any user confirmation or
verification.
The LDAP server certificate is stored in the server's Trust certificate store. The LDAP certificate
is managed using the certmgr management utility provided by Mono®. You can use this utility to
update the expired certificates as well as to add new certificates to the server's Trust store. For
more information about deleting or updating the certificate, see the certmgr man page
(http://manpages.unixforum.co.uk/man-pages/linux/suse-linux-10.1/1/certmgr-man-page.html).

2.2 Communication between the Web Admin Server and the Web Admin Browser

By default, the Novell iFolder Web Admin uses SSL for communications to the iFolder enterprise
server being managed. For most deployments, this setting should not be changed. If the Web Admin
service and the iFolder enterprise service are on the same server, SSL is not required. For HTTP
connections, the password is passed in the clear.

2.3 Enterprise Client/Server Communications

By default, the iFolder enterprise server is configured for shared iFolder access. Client/Server
communication is not through SSL. All data is sent to the server in the clear. For most deployments,
this setting is used for high performance. This setting can be changed during the simias-server-setup
configuration for iFolder.
If you disable SSL for client/server communications, you should use a VPN (virtual private
network) for communications over wireless networks and outside the firewall. For information, see
Section 4.3, "Securing Communications with a VPN If SSL Is Disabled," on page 19.

2.4 Web Access Server Communications

By default, the iFolder Web Access server is configured to require SSL. All Web-browser-based
communication to the Web Access server is encrypted by using the SSL protocol. In most
deployments, this setting should not be changed because iFolder uses Forms-based authentication
for browser communications, which means passwords are sent to the server in the clear. For
information, see "Configuring the Web Access Server for SSL Communications with Web
Browsers" in the OES 2 SP1: Novell iFolder 3.7 Administration Guide.

2.5 Disabling the SSL 2.0 Protocol

The built-in protections of SSL 3.0 against version rollback attacks (where the session is rolled
back to SSL 2.0 even when both client and server support SSL 3.0) are not effective against a
version rollback attacker who can brute force the key and substitute a new ENCRYPTED-KEY-DATA
message containing the same key (but with normal padding) before the application-specified wait
threshold has expired. You can disable SSL 2.0 on the server so that it is not possible to establish
a session using SSL 2.0, and version rollback attacks are therefore not possible.
For information about disabling the SSL 2.0 protocol for the Apache server, see
"Configuring the SSL Cipher Suites for the Apache Server".
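
As an added example (not part of the Novell guide or of Apache's own tooling), the following Python script evaluates each SSLProtocol directive in an Apache configuration and reports whether SSL 2.0 remains enabled. It assumes Apache 2.2-era mod_ssl semantics (`all` includes SSLv2, an absent directive behaves like `all`, and an unprefixed token replaces the set); the function names and the sample configuration are constructed for illustration.

```python
import re

# Assumption: Apache 2.2-era mod_ssl, where "all" expands to SSLv2+SSLv3+TLSv1
# and a missing SSLProtocol directive behaves like "SSLProtocol all".
ALL_22 = frozenset({"SSLv2", "SSLv3", "TLSv1"})
KNOWN = {p.lower(): p for p in ALL_22}

def effective_protocols(args):
    """Evaluate the arguments of one SSLProtocol directive left to right."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = (token[1:] if action else token).lower()
        if name == "all":
            chosen = set(ALL_22)
        elif name in KNOWN:
            chosen = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # an unprefixed token replaces the whole set
    return enabled

def audit(config_text):
    """Return (line_no, directive, sslv2_enabled) for each SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        # Commented-out directives start with '#', so they never match here.
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            weak = "SSLv2" in effective_protocols(m.group(1))
            findings.append((no, line.strip(), weak))
    if not findings:
        findings.append((0, "(no SSLProtocol directive; default is all)", True))
    return findings

# Constructed sample configuration, not taken from an iFolder server.
SAMPLE = """\
# SSLProtocol -all +TLSv1
SSLProtocol all
SSLProtocol all -SSLv2
"""

if __name__ == "__main__":
    for no, directive, weak in audit(SAMPLE):
        print(f"line {no}: {directive!r} -> SSLv2 {'ENABLED' if weak else 'disabled'}")
```

Any line reported with SSLv2 enabled still permits an SSL 2.0 session and should be changed to a form such as `SSLProtocol all -SSLv2`.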
OES 2 SP1 Linux: Novell iFolder 3.7 Security Administration Guide
