2.3 Configuring Secured Communication Using TLS Parameters

LDAP Proxy allows you to configure various Transport Layer Security parameters required for TLS communication.

You modify the <tls-opts> node in the nlpconf.xml file to define the certificate information, ciphers, and protocols that you plan to use for TLS communication. For example, the <tls-opts> node should look like this:

<service protocol="ldaps">
       <addr-ipv4>x.x.x.x</addr-ipv4>
       <port>636</port>
       <tls-opts>
             <certificate-file-name>CertificateFileName.pem</certificate-file-name>
             <ciphers>CipherString</ciphers>
             <protocol>ProtocolString</protocol>
        </tls-opts>
</service>

Example:

<service protocol="ldaps">
       <addr-ipv4>1.1.1.1</addr-ipv4>
       <port>636</port>
       <tls-opts>
             <certificate-file-name>servercertificate.pem</certificate-file-name>
             <ciphers>HIGH</ciphers>
             <protocol>+TLSv1.2</protocol>
        </tls-opts>
</service>

In the above example, certificate information is defined as servercertificate.pem, cipher is defined as HIGH, and the protocol is defined as +TLSv1.2. The interface is defined by IP address 1.1.1.1 and port 636.

NOTE:

  • • The <tls-opts> is an optional node. If the protocol is specified as LDAPS under the listener configuration, you must specify the certificate as indicated in this example.

  • • The certificate information can be defined inside the <tls-opts> node if you are using TLS. Otherwise, define it under the listener configuration. For more information, see Configuring Certificate Information.

  • We recommend to use the TLSv1.2 protocol as the most secured way of communication. Other versions of the TLS are considered as less secured and supported to provide backward compatibility only.

If you want to skip the Certificate Revocation List (CRL) check, you must set the <tls-opts skip-crl-check parameter to true in the nlpconf.xml file. By default, this parameter will be set to false.

IMPORTANT:Skipping CRL Check is not recommended.

Example:

<backend-server id-backend-server="Backend1"> 
    <service protocol="ldaps">
        <addr-ipv4>172.17.0.2</addr-ipv4>
        <port>636</port>
        <tls-opts skip-crl-check="true">
        </tls-opts>
    </service>
</backend-server>

In the above example, the CRL check has been skipped by specifying <tls-opts skip-crl-check="true"> in the nlpconf.xml file. This configuration will be functional when specified inside the <backend server> node.

You can configure the following parameters for LDAP Proxy:

2.3.1 Configuring Certificate Information

If you specify the protocol as LDAPS under the <service> tag of the nlpconf.xml file while configuring listeners, you must provide the certificate file information. The LDAP Proxy listener needs be configured with a X.509 certificate. This certificate should be in a PKCS#12 file along with the private key and all the CA certificates in the chain. Also, ensure that the LDAP Proxy server's IP address or DNS name resides in the Common Name (CN) field of the certificate's subject name or in the Subject Alternative Name list. You can obtain a PKCS#12 certificate file for the LDAP Proxy listener from any of the following Certificate Authority (CA).

  • eDirectory

    Create a LDAP Proxy server certificate in eDirectory and export it using Certificate Management in Identity Console. For more information, see Understanding the Certificate Server in the eDirectory Administration Guide.

  • Active Directory Microsoft Management Console (MMC) Certificate snap-in

    Refer to the Active Directory documentation for more information.

  • Third-party CA

    Refer to the third-party documentation for more information.

To decrypt the private key information and store the information in the local secret store, run the nlpcert utility.

  1. Export the library path by using the following command:

    . /opt/novell/ldapproxy/bin/nlppath

  2. Run the nlpcert utility by using the following command:

    nlpcert -i <infile.pfx> -o <outfile.pem>

    Option

    Description

    -i <inputFile>

    --infile=<inputFile>

    The name of the input file. The input file should be a PKCS#12 file with encrypted private key and server certificate or a .pem file generated using the nlpexportcert utility.

    -p <password>

    --password=<password>

    (Optional) The password of the private key.

    -c, --convert

    The option to convert the .pem files that were generated using the nlpexportcert utility.

    -v, --version

    The version of the output file generated by the nlpcert utility.

    -o <outputFile>

    --outfile=<outputFile>

    The name of the output file where server certificate will be stored in .pem format.

    NOTE:While upgrading to 1.5.2 version, the nlpcert utility automatically converts the existing certificate files that were created by the nlpexportcert utility.

    Examples:

    • To create a .pem file for LDAP Proxy from a PKCS#12 file, run the following command:

      nlpcert -i server_cert.pfx -o private-cert.pem

    • To convert a .pem file created by nlpexportcert utility, run the following:

      The nlp-install script automatically converts the existing certificates to the new format using the nlpcert utility during the upgrade process only if the server certificates are present in the /etc/opt/novell/ldapproxy/conf/ssl/private directory. Otherwise, these certificates are not automatically converted. To convert the certificates, run the following command:

      nlpcert -i exportcert.pem -c -o server_cert.pem

      NOTE:Regardless of whether you are creating a new certificate or converting an existing certificate, move server_cert.pem to /etc/opt/novell/ldapproxy/conf/ssl/private directory, and use server_cert.pem in the <certificate-file-name> tag of nlpconf.xml.

    IMPORTANT:The certificate file created by nlpcert utility on one server cannot be used to configure LDAP Proxy on another server because the private key is stored in local secret store with the file name as the key. Also, you are not recommended to rename the .pem file generated by nlpcert utility.

2.3.2 Configuring Ciphers

You can configure your own list of ciphers using the OpenSSL Cipher List Format during the TLS Communication. The following are a few examples of using Cipher List Format:

  • For RSA certificates: !CAMELLIA:!DH:!SRP:!MD5:HIGH+aRSA

  • For ECDSA certificates: HIGH+aECDSA

  • For Suite B 128-bit compliant cipher suite with ECDSA certificates: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256

  • For Suite B 192-bit compliant cipher suite with ECDSA certificates: ECDHE-ECDSA-AES128-GCM-SHA256

For more information on Cipher List Format, refer to the OpenSSL Ciphers documentation.

Example 1: Configuring Ciphers for a Listener

<listener id-listener="listener1">
    <service protocol="ldaps">
       <addr-ipv4>1.1.1.1</addr-ipv4>
       <port>636</port>
       <tls-opts>
             <certificate-file-name>servercertificate.pem</certificate-file-name>
             <ciphers>HIGH</ciphers>
             <protocol>+TLSv1.2</protocol>
        </tls-opts>
    </service>
</listener>

In this example, listener is defined as listener1 which uses servercertificate.pem certificate file and allows HIGH strength ciphers only. The listener accepts connections on IP address 1.1.1.1 and port 636.

Example 2: Configuring Ciphers for a Back-End Server

<backend-server id-backend-server="Backend1">
    <service protocol="ldaps">
       <addr-ipv4>1.1.1.1</addr-ipv4>
       <port>636</port>
       <tls-opts>
             <ciphers>HIGH</ciphers>
             <protocol>+TLSv1.2</protocol>
        </tls-opts>
    </service>
</backend-server>

In this example, back-end server is defined as Backend1 and LDAP Proxy connects to this back-end server at IP address 1.1.1.1 and port 636 using HIGH strength ciphers.

2.3.3 Configuring Protocols

LDAP Proxy gives you the flexibility to configure the list of protocols required during the TLS communication with Proxy server and LDAP server. To control the list of protocols, define the <protocol> tag under the <tls-opts> node in the nlpconf.xml file. You can configure the following protocol strings with LDAP Proxy:

  • SSLv3

  • TLSv1.0

  • TLSv1.1

  • TLSv1.2

  • ALL

Each protocol string should be preceded by a “+†or a “-†symbol. The “+†symbol indicates that the protocol string(s) are allowed and the “-†symbol indicates that the protocol string(s) are not allowed to get configured with LDAP Proxy. If you have not configured any protocols yet, all supported protocols except SSLv3 are allowed by default. The following table lists a few TLS protocol configurations:

Protocol Configuration

Description

+TLSv1.2

Allows only TLSv1.2

+ALL-TLSv1.0

Allows all except TLSv1.0

+ALL-TLSv1.2-TLSv1.1

Allows SSLv3 and TLSv1.0

+ALL

Allows SSLv3, TLSv1.0, TLSv1.1, TLSv1.2

Example 1: Configuring Protocols for a Listener

<listener id-listener="listener1">
    <service protocol="ldaps">
       <addr-ipv4>1.1.1.1</addr-ipv4>
       <port>636</port>
       <tls-opts>
            <certificate-file-name>CertificateFileName.pem</certificate-file-name>
            <ciphers>HIGH</ciphers>
            <protocol>+TLSv1.2</protocol>
       </tls-opts>
    </service>
</listener>

In this example, listener1 accepts client connections only if they use TLS protocol TLSv1.2.

Example 2: Configuring Protocols for a Back-End Server

<backend-server id-backend-server="Backend1">
    <service protocol="ldaps">
       <addr-ipv4>1.1.1.1</addr-ipv4>
       <port>636</port>
       <tls-opts>
            <ciphers>ECDSA</ciphers>
            <protocol>+ALL-SSLv3</protocol>
       </tls-opts>
    </service>
</backend-server>

In this example, the protocol is defined as +ALL-SSLv3 which means LDAP Proxy can connect to the back-end server using the TLSv1.0, 1.1 or 1.2. During the SSL handshake LDAP Proxy and the back-end server negotiate the highest protocol version that both support.