IBM Domino Administrator 9.0.1 Social Edition Help

CONFIGURING

Configuring SSL in a Directory Assistance document for a remote LDAP directory
If an IBMŽ DominoŽ server uses a remote LDAP directory to look up credentials during Internet client authentication, or to look up the members of groups during database authorization, specify that the server use SSL to connect to the LDAP directory server. Specify SSL so there are secure communications between the Domino server and the LDAP server, and so that the Domino server can use an X.509 certificate to verify the remote LDAP directory server's identity.

About this task

To use SSL, select SSL in the Channel encryption field on the LDAP tab of the Directory Assistance document for the remote LDAP directory. When you select SSL, you must also make selections for three associated fields:

Accept expired SSL certificates
SSL protocol version
Verify server name with remote server's certificate

Procedure

1. In the Accept expired SSL certificates field choose one:

Yes - (the default) to accept a certificate from the LDAP directory server, even if the certificate has expired.
No - to reject an expired certificate, to provide tighter security.

2. In the SSL protocol version field, select the version number of the SSL protocol to use:

Table 1. SSL protocol version numbers and descriptions

SSL protocol version	Description
V2.0 only	Allows only SSL 2.0 connections.
V3.0 handshake	Attempts an SSL 3.0 connection. If the connection fails and the requestor detects SSL 2.0, attempts to use SSL 2.0 to connect.
V3.0 only	Allows only SSL 3.0 connections.
V3.0 with V2.0 handshake	Attempts an SSL 3.0 connection, but starts with an SSL 2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible. Choose V3.0 and V2.0 handshake to receive V2.0 error messages that may occur during a connection attempt. These error messages can provide information about compatibility problems found during the connection.
Negotiated	Allows SSL to determine the protocol version and handshake.

3. In the Verify server name with remote server's certificate field, choose either one:

Enabled (the default)
Disabled

Choose

Enabled

to require that the subject line of the remote server's certificate include the LDAP directory server host name. For this option to work properly, the subject line in the remote server's certificate must include its DNS host name. Keep the option enabled if you are sure that the X.509 certificate of the remote LDAP directory server contains the remote server's host name in the appropriate format.

The Domino CA and some other CAs provide a dialog box into which users enter the subject line when requesting a certificate. For example, the Domino CA prompts each user to enter the remote server's information -- such as, the common name, organizational unit name, organization name, state (or province), and country name. The Domino CA places this information in the subject line and adds the appropriate prefix (cn=, ou=, o=, and so on) to each field. If you used a Domino CA to create the remote server's certificate, enter the remote server's host name in the common name field when using the Verify server name with remote server's certificate option. For example, the Domino CA allows users to enter the following valid subject lines (mailserver.renovations.com is the server's DNS host name):

cn=mailserver.renovations.com, ou=sales, ou=marketing, o=renovations, st=mass, c=us

cn=mailserver, ou=sales - mailserver.renovations.com o=renovations, st=mass, c=us

To ensure that users enter the DNS host name properly, recommend that they enter it as the common name (cn=) when they request a certificate from the Domino CA. Other CAs may have different dialog boxes for entering the subject line; users must follow these dialog boxes to enter the remote server's DNS host name.

Related concepts
Setting up directory assistance

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Feedback on Help or Usability?

Help on Help

All Help Contents