Apple 10.6 Server User Manual
Chapter 4 Enhancing Security 59
Kerberos also provides a single sign-on environment where users must authenticate
only once a day, week, or other period of time, easing authentication loads for users.
Mac OS X Server and Mac OS X versions 10.3 through 10.6 support Kerberos version 5.
About Certicates, SSL, and Public Key Infrastructure
Mac OS X Server supports services that use Secure Sockets Layer (SSL) to ensure
encrypted data transfer. It uses a Public Key Infrastructure (PKI) system to generate and
maintain certicates for use with SSL-enabled services.
PKI systems allow the two parties in a data transaction to be authenticated to each
other and to use encryption keys and other information in identity certicates to
encrypt and decrypt messages traveling between them.
PKI enables multiple communicating parties to establish condentiality, message
integrity, and message source authentication without exchanging secret information
in advance.
SSL technology relies on a PKI system for secure data transmission and user
authentication. It creates an initial secure communication channel to negotiate a
faster, secret key transmission. Mac OS X Server uses SSL to provide encrypted data
transmission for mail, web, and directory services.
The following sections contain more background information about key aspects of PKI.
Public and Private Keys
Within a PKI, two digital keys are created: the public key and the private key.
The private key isn’t distributed to anyone and is often encrypted by a passphrase.
The public key is distributed to other communicating parties.
Basic key capabilities can be summed up as follows:

Key type   Capabilities
Public     - Can encrypt messages that can only be decrypted by the holder of the
             corresponding private key.
           - Can verify the signature on a message to ensure that it is coming from
             the corresponding private key.
Private    - Can digitally sign a message or certificate, claiming authenticity.
           - Can decrypt messages that were encrypted with the public key.
           - Can encrypt messages that can only be decrypted by the private key.
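As an added example (not part of Apple's manual), the following shell script exercises the public and private key capabilities from the table with the openssl command-line tool that underlies the server's SSL services. The key and file names, the sample message, and the tampered copy are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example: checks each public/private key capability with OpenSSL.
# Every file name and the message text are constructed for this demo.
set -eu

# Generates a key pair and checks encrypt/decrypt, sign/verify, and tamper
# detection. Returns 0 only if all expected outcomes hold.
pki_demo() {
  dir=$(mktemp -d)
  printf 'server.example.com: renew SSL cert\n' > "$dir/msg.txt"  # constructed

  # Key generation: key.pem stays private; only pub.pem is distributed.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/key.pem" 2>/dev/null
  openssl pkey -in "$dir/key.pem" -pubout -out "$dir/pub.pem"

  # Public key encrypts (OAEP padding); only the private key can decrypt.
  openssl pkeyutl -encrypt -pubin -inkey "$dir/pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$dir/msg.txt" -out "$dir/msg.enc"
  openssl pkeyutl -decrypt -inkey "$dir/key.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$dir/msg.enc" -out "$dir/msg.dec"
  cmp -s "$dir/msg.txt" "$dir/msg.dec" || return 1

  # Private key signs, claiming authenticity; the public key verifies.
  openssl dgst -sha256 -sign "$dir/key.pem" -out "$dir/msg.sig" "$dir/msg.txt"
  openssl dgst -sha256 -verify "$dir/pub.pem" -signature "$dir/msg.sig" \
    "$dir/msg.txt" >/dev/null || return 1

  # Message integrity: a single changed word must make verification fail.
  sed 's/renew/revoke/' "$dir/msg.txt" > "$dir/tampered.txt"
  if openssl dgst -sha256 -verify "$dir/pub.pem" -signature "$dir/msg.sig" \
       "$dir/tampered.txt" >/dev/null 2>&1; then
    return 1
  fi

  rm -rf "$dir"
  return 0
}

pki_demo && echo "encrypt/decrypt, sign/verify and tamper detection all behaved as expected"
```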