Converting LDAP-UX to use SSL (HP-UX)

The utility used to create and manipulate the keys is certutil, found as /opt/ldapux/contrib/bin/certutil. The certutil utiltiy is actually a tool created by the Mozilla project, and it has a detailed explaination available. HP only supports the use of Netscape Directory Server or Microsoft Windows Active Directory. Mainly, this means that the docs are there and that they will help you if need be; it doesn’t mean it doesn’t work. The relevant documentation (at least for my versions of HP-UX 11i) is:

• LDAP-UX Client Services B.04.00 Administrator’s Guide (J4269-90053) (PDF)
• LDAP-UX Client Services B.04.00 with Windows Active Directory Administrator’s Guide (J4269-90049) (PDF)

It appears, however, that there is a more recent version of LDAP-UX:

• LDAP-UX Client Services B.04.15 Administrator’s Guide (J4269-90075) (PDF)
• LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator’s Guide (J4269-90076) (PDF)

A good description of the schema LDAP-UX wants was given by Simon Elder in this message. There is a copy of the HP LDAP-UX Schema available; it appears to be some sort of standard POSIX schema.

Here, we assume that LDAP-UX is already configured using non-SSL connections, that the /etc/pam.conf has been configured, and that the name service switch file /etc/nsswitch.conf has been configured.

The best time to set up SSL and TLS is before you run LDAP; however, it is possible to do it afterwards. First, you need the certificate authority (CA) certificate from the server (just one). Make sure your certificate database is cleared first:

rm -f /etc/opt/ldapux/key3.db
rm -f /etc/opt/ldapux/cert[78].db

Make sure that you are deleting the right files. Once these are deleted, change directories to /opt/ldapux and run this command against your server’s key (cert.ca in this example) in order to properly populate the database:

/opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux
/opt/ldapux/contrib/bin/certutil -A -n my-ca-cert -t "C,," -d /etc/opt/ldapux -a -i cert.ca

This will populate the database that the LDAP-UX client uses. Then run the set up to reconfigure:

cd /opt/ldapux/config
./setup

When the setup program asks if you want to re-enter the data (server, etc.) answer Yes. The program will then fully configure the client to use SSL, and will restart the client when necessary.