Getting started with the Tarantella Security Pack

Read this topic to...
  • Learn the Tarantella Security Pack essentials.
  • Understand how to enable secure connections.

Installing the Tarantella Security Pack on a Tarantella server lets you give users secure connections between their client devices and that Tarantella server. The connections are secured using SSL, the Secure Sockets Layer.

Secure connections have these benefits:

  • No eavesdropping: SSL encrypts all information before transmission.
  • No tampering: SSL can check that a message hasn't changed between the client device and the Tarantella server.
  • No message forgery: SSL requires that the server prove its identity to client devices before communications can take place, and also guards against replay attacks.

Internet transactions are open to many forms of attack, for example packet-sniffing, DNS spoofing, and man-in-the-middle attacks. It is critical to recognize that even when SSL is used, a connection is only secure if SSL is configured correctly.

The Tarantella Security Pack can only help raise security levels as part of an ongoing security strategy. The Tarantella Security Pack can't transform your intranet into a high-security installation by itself.

Enabling secure connections

Once the Tarantella Security Pack is installed on a Tarantella server, you must do the following before secure connections are possible:

  1. Obtain and install a Tarantella Security license key (if your Tarantella installation is fully licensed). If you're evaluating Tarantella you can also evaluate the Tarantella Security Pack without installing a license key.
  2. Obtain and install an X.509 certificate for the Tarantella server to use. An X.509 certificate enables the Tarantella server to identify itself to a client device. (There are important security considerations regarding the types of X.509 certificate you can use.)
  3. Turn on the Tarantella Security Pack for that server, using tarantella security start. This enables secure connections for the users you've configured to have them.

Giving users different types of connection

You can decide which users receive secure (SSL-based) connections, and which users receive standard (unencrypted) connections. To do so, you configure the Connections attribute for a person object, organizational unit object, or organization object.

You can configure the type of connection based on these factors:

The initial connection to a Tarantella server -- before users type their username and password -- is always secure if the Tarantella Security Pack is installed and running. This means that usernames and passwords are always sent securely. Once the user is identified, the connection may be downgraded to a standard connection according to your configuration.

Here are some examples for customizing connection types:

The Tarantella Security Pack and secure (HTTPS) web servers

The Tarantella Security Pack secures Tarantella-related connections between the client device and Tarantella server. It does not secure any other type of connection: for example, the connections made to a web server on the same host.

We recommend that you use a secure (HTTPS) web server. To do so you need an X.509 certificate for the web server as well as for the Tarantella server. Some web servers allow you to share the X.509 certificate between the web server and the Tarantella Security Pack.

Firewalls

Secure connections between the client device and Tarantella server use port 5307/tcp.
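
Once the Security Pack is running, one way to confirm from a client network that port 5307/tcp is reachable through the firewall and presents an X.509 certificate a client can verify. This is an added example, not part of the Tarantella documentation; it assumes the port accepts a direct SSL/TLS handshake, and the function names are illustrative.

```python
"""Added example: post-setup check of the secure port (not Tarantella code)."""
import socket
import ssl
import time

SECURE_PORT = 5307  # port for secure connections, from the Firewalls section


def days_left(cert, now=None):
    """Days until the certificate's notAfter date (negative once expired).

    `cert` is the dict returned by SSLSocket.getpeercert().
    """
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def probe(host, port=SECURE_PORT, cafile=None, timeout=5.0):
    """Attempt a fully verified handshake, as a careful client would.

    Assumption: the port accepts a direct SSL/TLS handshake.
    Pass `cafile` when the server certificate is signed by a private CA.
    """
    # The default context checks both the certificate chain and the host name.
    ctx = ssl.create_default_context(cafile=cafile)
    result = {"host": host, "port": port, "trusted": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(trusted=True, protocol=tls.version(),
                              days_left=days_left(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, expired, untrusted issuer, or name mismatch.
        result["problem"] = "certificate rejected: " + exc.verify_message
    except ssl.SSLError as exc:
        # For example, no protocol version or cipher in common.
        result["problem"] = "handshake failed: " + str(exc)
    except OSError as exc:
        # Refused, filtered by a firewall, or timed out.
        result["problem"] = "port unreachable: " + str(exc)
    return result


if __name__ == "__main__":
    # Placeholder host name; replace with the Tarantella server's DNS name.
    print(probe("tarantella.example.com"))
```

A result with trusted set to False and a "certificate rejected" problem means the encryption may be working but the server has not proved its identity, which is the misconfiguration the introduction warns about.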

Related topics
  • Security and Tarantella
  • Obtaining and installing an X.509 certificate
  • What are X.509 certificates and why do I need one?
  • The tarantella security start command
  • Connections (--conntype)
  • Sharing web server and Tarantella server certificates
  • What ports does Tarantella use?
  • Using Tarantella with firewalls