Configuring SSL in a Directory Assistance document for a remote LDAP directory

If an HCL Domino® server uses a remote LDAP directory to look up credentials during Internet client authentication, or to look up the members of groups during database authorization, configure the server to use SSL when it connects to the LDAP directory server. SSL provides secure communications between the Domino® server and the LDAP server, and lets the Domino® server use an X.509 certificate to verify the remote LDAP directory server's identity.

About this task

To use SSL, select SSL in the Channel encryption field on the LDAP tab of the Directory Assistance document for the remote LDAP directory. When you select SSL, you must also make selections for three associated fields:

  • Accept expired SSL certificates
  • SSL protocol version
  • Verify server name with remote server's certificate

Procedure

  1. In the Accept expired SSL certificates field choose one:
    • Yes - (the default) to accept a certificate from the LDAP directory server, even if the certificate has expired.
    • No - to reject an expired certificate, to provide tighter security.
  2. In the SSL protocol version field, select the version number of the SSL protocol to use:
    Table 1. SSL protocol version numbers and descriptions
    • V2.0 only - Allows only SSL 2.0 connections.
    • V3.0 handshake - Attempts an SSL 3.0 connection. If the connection fails and the requestor detects SSL 2.0, attempts to use SSL 2.0 to connect.
    • V3.0 only - Allows only SSL 3.0 connections.
    • V3.0 with V2.0 handshake - Attempts an SSL 3.0 connection, but starts with an SSL 2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible. Choose V3.0 with V2.0 handshake to receive V2.0 error messages that may occur during a connection attempt. These error messages can provide information about compatibility problems found during the connection.
    • Negotiated - Allows SSL to determine the protocol version and handshake.

  3. In the Verify server name with remote server's certificate field, choose one:
    • Enabled (the default)
    • Disabled

    Choose Enabled to require that the subject line of the remote server's certificate include the LDAP directory server host name. For this option to work properly, the subject line in the remote server's certificate must include its DNS host name. Keep the option enabled if you are sure that the X.509 certificate of the remote LDAP directory server contains the remote server's host name in the appropriate format.

    The Domino® CA and some other CAs provide a dialog box into which users enter the subject line when requesting a certificate. For example, the Domino® CA prompts each user to enter the remote server's information: the common name, organizational unit name, organization name, state (or province), and country name. The Domino® CA places this information in the subject line and adds the appropriate prefix (cn=, ou=, o=, and so on) to each field. If you used a Domino® CA to create the remote server's certificate, enter the remote server's host name in the common name field when using the Verify server name with remote server's certificate option. For example, the Domino® CA allows users to enter the following valid subject lines (mailserver.renovations.com is the server's DNS host name):

    cn=mailserver.renovations.com, ou=sales, ou=marketing, o=renovations, st=mass, c=us

    cn=mailserver, ou=sales - mailserver.renovations.com o=renovations, st=mass, c=us

    To ensure that users enter the DNS host name properly, recommend that they enter it as the common name (cn=) when they request a certificate from the Domino® CA. Other CAs may have different dialog boxes for entering the subject line; users must follow these dialog boxes to enter the remote server's DNS host name.
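The following added example (not HCL's code and not part of the Domino® product) shows what the checks behind steps 1 and 3 amount to: it parses an X.509 subject line into its attribute/value pairs, looks for the LDAP server's DNS host name in it, and then combines that with the certificate's expiry date and the two Directory Assistance settings (Accept expired SSL certificates, Verify server name with remote server's certificate) to decide whether the certificate would be accepted. The function names, the simplified `evaluate_certificate` decision logic and the sample expiry dates are assumptions made for the example; the two subject lines are the ones shown above, reproduced as they appear on this page, and the third is constructed to show a subject line that does not contain the host name.

```python
"""Added example: subject-line and expiry checks modelled on the Directory
Assistance SSL fields. Not HCL's code; function names are hypothetical."""
from datetime import datetime, timezone


def split_unescaped(text, sep):
    """Split text on sep, treating a backslash as an escape for the next
    character (so 'o=Renovations\\, Inc' keeps its comma)."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_subject(subject):
    """Turn 'cn=host, ou=sales, o=renovations' into a list of (attribute, value)
    pairs. Attribute types are lowercased; values keep their case."""
    pairs = []
    for rdn in split_unescaped(subject, ","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError("not an attribute=value pair: %r" % rdn)
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def host_in_subject(subject, host):
    """Return the attribute type in which the DNS host name was found ('cn' when
    it is the complete common name, otherwise the first attribute whose value
    contains it), or None when the subject line does not include the host name."""
    host = host.lower()
    pairs = parse_subject(subject)
    for attr, value in pairs:
        if attr == "cn" and value.lower() == host:
            return "cn"
    for attr, value in pairs:
        if host in value.lower():
            return attr
    return None


def evaluate_certificate(subject, not_after, expected_host, *,
                         accept_expired=True, verify_server_name=True, now=None):
    """Apply the two settings to a certificate and return (accepted, reason).
    Defaults mirror the documented defaults: Yes (accept expired) and Enabled."""
    now = now or datetime.now(timezone.utc)
    if not_after < now and not accept_expired:
        return False, "certificate expired on %s" % not_after.date()
    if verify_server_name and host_in_subject(subject, expected_host) is None:
        return False, "subject does not contain host name %s" % expected_host
    return True, "accepted"


# Constructed sample data: the two subject lines from the page plus one that
# omits the DNS host name; expiry dates are invented for the demonstration.
HOST = "mailserver.renovations.com"
SUBJECT_CN = "cn=mailserver.renovations.com, ou=sales, ou=marketing, o=renovations, st=mass, c=us"
SUBJECT_OU = "cn=mailserver, ou=sales - mailserver.renovations.com o=renovations, st=mass, c=us"
SUBJECT_NO_HOST = "cn=mailserver, ou=sales, o=renovations, st=mass, c=us"
EXPIRED = datetime(2020, 1, 1, tzinfo=timezone.utc)
VALID = datetime(2099, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for subject in (SUBJECT_CN, SUBJECT_OU, SUBJECT_NO_HOST):
        print(host_in_subject(subject, HOST), "<-", subject)
    print(evaluate_certificate(SUBJECT_CN, EXPIRED, HOST, accept_expired=False))
    print(evaluate_certificate(SUBJECT_CN, EXPIRED, HOST))
```

The second subject line is accepted only because the host name happens to appear inside an ou= value; it is the reason the text above recommends that users put the DNS host name in the common name (cn=), where the match is exact rather than a substring.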