March 01, 1999 12:00 AM

Integrating Directory and Certificate Services

Windows IT Pro
InstantDoc ID #4836
USING NETSCAPE'S DIRECTORY SERVER AND CERTIFICATE SERVER CAN BE A TAG-TEAM EFFORT

If you spend much time surfing the Internet or combing over your company's intranet, you've probably encountered digital certificates and directory services. Businesses often use digital certificates to secure transactions on their Web sites, and companies rely on directories to provide information about their employees and services to customers and other employees. A systems administrator can configure directory and certificate services to operate independently under Windows NT, but these services can also work together in a tag-team effort to let users and systems interact with one another securely.

This article describes how to install Netscape's Directory Server and Certificate Server to work together. I'll also explain how you can configure these servers for a large corporate environment to support a large user base and improve overall performance.

A Certificate and Directory Services Primer
A digital certificate is a signed document that binds a public key to the identity of a user or system, so that a relying party can verify the holder is who it claims to be. Certificates don't create a secure channel by themselves, but the protocols that do rely on them. For example, a Web browser and a secure Web server present certificates to authenticate each other when they set up a Secure Sockets Layer (SSL) connection. Likewise, Secure Electronic Transaction (SET) uses digital certificates, and store-and-forward communication via Internet mail can use them under the Secure MIME (S/MIME) and Pretty Good Privacy MIME (PGP/MIME) protocols. (For more information about digital certificates, see the sidebar "Digital Certificates 101.") You issue and manage digital certificates using a certificate server.

If you run a Web server, you probably also run a directory server to identify and manage your site's users. Directory servers support the Lightweight Directory Access Protocol (LDAP), which lets applications locate information about people and items on an intranet or portions of the Internet. A digital certificate is just one item that a directory server can store. You can operate a Web server without using a directory server, but I don't recommend this practice.

You can run independent directory and certificate servers, but by pairing the servers, your users can store their public key certificates on the directory server so that other users who use the directory server can access those certificates. For example, paired directory and certificate servers let a user who wants to send an encrypted message simply use LDAP to find the recipient's entry on the directory server and use the public key in the matching certificate to encrypt the message. The mail client should still check the certificate's CA signature and validity period before using that key; otherwise anyone who can write to the directory entry could substitute a key of his own. You can store servers' digital certificates in the same way you store users' certificates. Combining a directory server with a certificate server makes a perfect adjunct to other intranet servers such as mail servers and Web servers.
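The lookup described above, as an added example (not code from the article or from Netscape): a mail client fetches the recipient's entry from the directory and pulls the DER certificate out of it. Directory exports and search results are commonly handled as LDIF, so the block parses LDIF properly (folded continuation lines, `::` base64 values, the `;binary` attribute option) and then checks that the decoded blob is at least a well-formed DER SEQUENCE before handing it to the encryption step. The entries, names and the certificate bytes are constructed for the example; the certificate is a placeholder DER SEQUENCE, not a real X.509 certificate.

```python
import base64
from typing import Dict, List

# Constructed sample data (assumption): an LDIF export of two entries as a
# directory server might return them. The userCertificate value is NOT a real
# X.509 certificate but a hand-built 8-byte DER SEQUENCE so the example runs
# offline; a real export carries a full DER certificate folded over many lines.
FAKE_DER = bytes.fromhex("3006020101020102")  # SEQUENCE { INTEGER 1, INTEGER 2 }

SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,o=example.com\n"
    "objectClass: person\n"
    "cn: Alice Example\n"
    "mail: alice@example.com\n"
    "userCertificate;binary:: MAYCAQEC\n"  # '::' marks a base64 value; it is
    " AQI=\n"                               # folded onto a continuation line
    "\n"
    "dn: uid=bob,ou=People,o=example.com\n"
    "objectClass: person\n"
    "cn: Bob Example\n"
    "mail: bob@example.com\n"
    "description: has no certificate published yet,\n"
    "  so encrypted mail cannot be addressed to him\n"
)


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Parse LDIF records into a list of {attribute: [values]} dicts.

    Handles what trips up ad-hoc parsers: folded continuation lines (a line
    beginning with one space continues the previous one), base64 values
    ('attr:: ...'), and attribute options such as ';binary', which are kept
    in the key so the caller can tell a DER blob from a text value.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    records: List[Dict[str, List[bytes]]] = []
    current: Dict[str, List[bytes]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):         # 'attr:: base64'
            data = base64.b64decode(value[1:].strip(), validate=True)
        elif value.startswith("<"):       # 'attr:< file:///...' (not followed here)
            raise ValueError("URL-valued attributes are not supported")
        else:
            data = value.strip().encode()
        current.setdefault(name.lower(), []).append(data)
    return records


def der_envelope_length(der: bytes) -> int:
    """Return the total encoded length of the outer DER SEQUENCE, raising if the
    bytes cannot be a certificate (every X.509 certificate is a DER SEQUENCE)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: 0x8N followed by N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    total = header + length
    if total != len(der):
        raise ValueError(f"DER length {total} does not match {len(der)} bytes")
    return total


def certificate_for(records: List[Dict[str, List[bytes]]], mail: str) -> bytes:
    """Emulate the directory lookup: find the entry whose mail attribute matches
    and return its DER certificate. Raises KeyError when no certificate is
    published, the case a mail client must handle before attempting S/MIME."""
    wanted = mail.lower().encode()
    for entry in records:
        if wanted in [v.lower() for v in entry.get("mail", [])]:
            certs = entry.get("usercertificate;binary") or entry.get("usercertificate")
            if not certs:
                raise KeyError(f"{mail}: entry found but no certificate published")
            der_envelope_length(certs[0])
            return certs[0]
    raise KeyError(f"{mail}: no directory entry")


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(certificate_for(entries, "alice@example.com").hex())
```

A real client would go on to parse the certificate, verify its CA signature and validity, and use the public key inside it for the S/MIME envelope; the point here is that the directory hands back an opaque DER value and the client must validate it rather than trust the directory's contents blindly.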

Netscape SuiteSpot Overview
Netscape provides a directory server and a certificate server that can operate as standalone services, but the servers work best when you use them together with other Netscape servers. The company's SuiteSpot software offers a collection of Internet and intranet servers. Netscape SuiteSpot Standard Edition includes Enterprise (Web) Server Pro, Messaging Server, Directory Server, and other intranet servers. You can purchase Netscape's Certificate Server as a separate product or as part of SuiteSpot Professional Edition, which adds Certificate Server, Proxy Server, and Compass Server to SuiteSpot Standard Edition.

Enterprise Server Pro typically exists on the same system as the other SuiteSpot servers and provides Web-based management for these other products. Although most users see Enterprise Server Pro when they use a Web browser to visit a Web site running SuiteSpot, Directory Server is the server that is central to all others, as Figure 1 shows. Directory Server provides directory assistance information (e.g., names, email addresses, telephone numbers) to users and provides system information (e.g., security data) to other SuiteSpot servers. Directory Server uses the Directory Synchronization Service (DSS) to synchronize mailbox creation with Messaging Server. For information about Directory Server, see Tao Zhou, "Exploring Netscape's Directory Server 3.0," April 1998.

Directory Server lets you securely access the other Netscape servers on your network using usernames and passwords, but this approach isn't sufficient for securely exchanging information between users across the Internet. To ensure secure Web communication, you need public-key cryptography, with each key's owner vouched for by a CA-signed digital certificate.

Certificate Server lets you create, sign, and manage digital certificates, and it communicates with its clients over SSL. Certificate Server can act as a Certificate Authority (CA) and as a certificate directory that keeps a list of the certificates it issues. You can install Certificate Server on the same system as Enterprise Server Pro, but many IS professionals install Certificate Server on a separate system for security reasons: anyone who can reach Certificate Server's signing function can obtain new certificates signed by your CA. Isolating Certificate Server limits that exposure, because ordinary users then need access only to Directory Server, which holds copies of the issued certificates rather than the CA's signing key.

The process of pairing Directory Server with Certificate Server is relatively straightforward when the certificate server functions as the CA. However, this configuration becomes more complex as you add more servers.

Scaling Directory and Certificate Services
You can integrate multiple directory servers and certificate servers. Multiple directory servers can distribute the load in an environment where many users need directory access and increase efficiency by providing a directory of remote information locally. Users can access a local directory when creating email to remote users. Many email packages provide this functionality, but a directory server doesn't require users to maintain a personal address book.

You use referrals and replicas to link multiple directory servers. A referral forwards a real-time request from one directory server to another: the first server asks the second for the directory information, the second responds, and the first server returns the information to the requestor as if it maintained the requested data itself. (Under LDAPv3 a server can also hand the referral back to the client as an LDAP URL and let the client chase it; either way the request crosses to the server that holds the data.) Referrals are useful for occasional external references. They are standard LDAP requests, in which one directory server acts as an LDAP client communicating with an LDAP-compatible directory server, so machines running Netscape's Directory Server can request referral information from any LDAP-compatible directory server.
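The referral mechanics described above, modelled as an added example (not Netscape's code and not from the article): two toy servers each own one naming context, one holds a referral to the other, a client chases the referral URL with a hop limit, and a chaining wrapper shows the arrangement in which the first server does the chasing itself so the requestor never sees a referral. Hostnames, DNs and the referral loop in the second topology are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlparse

Attrs = Dict[str, str]


def in_subtree(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies beneath it. Matching on an RDN boundary
    keeps 'o=notexample.com' from being treated as a child of 'o=example.com'."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)


class ToyDirectoryServer:
    """Minimal stand-in for one LDAP server (assumption: not Netscape's code).
    It holds one naming context and knows, for some other subtrees, the LDAP
    URL of the server that holds them."""

    def __init__(self, host: str, suffix: str, entries: Dict[str, Attrs],
                 referrals: Dict[str, str]) -> None:
        self.host = host
        self.suffix = suffix
        self.entries = {dn.lower(): attrs for dn, attrs in entries.items()}
        self.referrals = referrals        # {subtree suffix: "ldap://host[:port]"}

    def search(self, base_dn: str) -> Tuple[str, Optional[object]]:
        """Answer a base-object search the way an LDAPv3 server does: the entry
        if it is local, a referral URL if another server holds that subtree,
        otherwise noSuchObject."""
        if in_subtree(base_dn, self.suffix):
            attrs = self.entries.get(base_dn.lower())
            return ("entry", attrs) if attrs is not None else ("noSuchObject", None)
        for suffix, url in self.referrals.items():
            if in_subtree(base_dn, suffix):
                return "referral", f"{url.rstrip('/')}/{base_dn}"
        return "noSuchObject", None


def chase_referrals(servers: Dict[str, ToyDirectoryServer], host: str, base_dn: str,
                    max_hops: int = 5) -> Tuple[str, Optional[object], List[str]]:
    """Client-side referral chasing: repeat the search against the server named
    in each referral URL. The hop limit turns a referral loop (two servers
    pointing at each other for a subtree neither holds) into an error instead
    of an endless chase. Returns (status, payload, hosts visited)."""
    visited: List[str] = []
    dn = base_dn
    for _ in range(max_hops + 1):
        visited.append(host)
        status, payload = servers[host].search(dn)
        if status != "referral":
            return status, payload, visited
        url = urlparse(payload)
        host = url.hostname or host       # assumption: servers are keyed by hostname
        dn = unquote(url.path.lstrip("/"))
    raise RuntimeError("referral hop limit exceeded: " + " -> ".join(visited))


def search_with_chaining(servers: Dict[str, ToyDirectoryServer], host: str,
                         base_dn: str) -> Tuple[str, Optional[object]]:
    """The server-to-server arrangement the article describes: the first server
    chases the referral itself, acting as an LDAP client, and answers as if it
    held the entry, so the original requestor never sees a referral."""
    status, payload, _ = chase_referrals(servers, host, base_dn)
    return status, payload


# Constructed topology (assumption): dir1 owns o=example.com and refers
# o=partner.com to dir2, which owns it.
SERVERS = {
    "dir1.example.com": ToyDirectoryServer(
        "dir1.example.com", "o=example.com",
        {"uid=alice,ou=People,o=example.com": {"mail": "alice@example.com"}},
        {"o=partner.com": "ldap://dir2.example.com:389"}),
    "dir2.example.com": ToyDirectoryServer(
        "dir2.example.com", "o=partner.com",
        {"uid=carol,ou=People,o=partner.com": {"mail": "carol@partner.com"}},
        {}),
}

# Constructed misconfiguration: each server refers o=nowhere.com to the other.
LOOPED = {
    "dir1.example.com": ToyDirectoryServer(
        "dir1.example.com", "o=example.com", {}, {"o=nowhere.com": "ldap://dir2.example.com"}),
    "dir2.example.com": ToyDirectoryServer(
        "dir2.example.com", "o=partner.com", {}, {"o=nowhere.com": "ldap://dir1.example.com"}),
}

if __name__ == "__main__":
    print(chase_referrals(SERVERS, "dir1.example.com", "uid=carol,ou=People,o=partner.com"))
```

The hop limit is the part worth carrying into production: whether the client or the referring server chases referrals, a bounded hop count (and, in the chaining case, a separate credential for the server-to-server bind rather than the end user's) keeps a mis-pointed referral from turning into a denial of service.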

Replicas duplicate parts of a remote directory locally. The directory server typically creates and updates the duplicate directory entries on a regular schedule, so a replica is only as current as its last update; a certificate revoked or replaced at the source remains in the replica until the next synchronization. Replicas work best when one communication can update several entries, when application access to a local directory server is more efficient than access to a remote one, and when users access the replicated data often. You can locate the remote directory server behind a firewall that application requests can't pass through but directory server requests can. You can also restrict the directory servers to use a secure communication route that isn't available to user applications.
