Directory Server supports several mechanisms that provide secure and trusted communications over the network. LDAPS is the standard LDAP protocol run on top of the Secure Sockets Layer (SSL). LDAPS encrypts data and optionally uses certificates for authentication. When the term SSL is used in this chapter, it means the supported protocols SSL2, SSL3 and TLS 1.0. Note that SSL 2.0 and SSL 3.0 have since been prohibited and deprecated by the IETF (RFC 6176 and RFC 7568); production instances should be restricted to TLS.
Directory Server also supports the Start Transport Layer Security (Start TLS) extended operation to enable TLS on an LDAP connection that was originally not encrypted.
In addition, Directory Server supports the Generic Security Service API (GSSAPI) over the Simple Authentication and Security Layer (SASL). The GSSAPI allows you to use the Kerberos Version 5 security protocol on the Solaris and Linux operating systems. An identity mapping mechanism then associates the Kerberos principal with an identity in the directory.
For additional security information, see the NSS web site at http://www.mozilla.org/projects/security/pki/nss/ .
This chapter provides procedures for configuring security through SSL. For information about ACIs, see Chapter 6, 'Directory Server Access Control'. For information about user access and passwords, see Chapter 8, 'Directory Server Password Policy'.
This chapter covers the following topics:
- Using SSL With Directory Server
- Managing Certificates
- Configuring SSL Communication
- Configuring Credential Levels and Authentication Methods
- Configuring LDAP Clients to Use Security
- Pass-Through Authentication
5.1 Using SSL With Directory Server
The Secure Sockets Layer (SSL) provides encrypted communication and optional authentication between a Directory Server and its clients. SSL can be used over LDAP or with DSML-over-HTTP. SSL is enabled by default for LDAP; for DSML-over-HTTP you must enable it explicitly, which is straightforward. In addition, replication can be configured to use SSL for secure communications between servers.
Using SSL with simple authentication (bind DN and password) encrypts all data sent to and from the server. Encryption guarantees confidentiality and data integrity. Optionally, clients can use a certificate to authenticate to Directory Server or to a third-party security mechanism through the Simple Authentication and Security Layer (SASL). Certificate-based authentication uses public-key cryptography to prevent forgery and impersonation of either the client or the server.
Directory Server is capable of simultaneous SSL and non-SSL communications on separate ports. For security reasons, you can also restrict all communications to the LDAP secure port. Client authentication is also configurable. You can set client authentication to required or to allowed. This setting determines the level of security you enforce.
SSL enables support for the Start TLS extended operation that provides security on a regular LDAP connection. Clients can bind to the standard LDAP port and then use the Transport Layer Security protocol to secure the connection. The Start TLS operation allows more flexibility for clients, and can help simplify port allocation.
The encryption mechanisms provided by SSL are also used for attribute encryption. Enabling SSL allows you to configure attribute encryption on your suffixes, which protects data while it is stored in the directory. For more information, see Encrypting Attribute Values.
For additional security, you can set access control to directory contents through access control instructions (ACIs). ACIs can require a specific authentication method and can ensure that data is only transmitted over a secure channel. Set the ACIs to complement your use of SSL and certificates. For more information, see Chapter 6, 'Directory Server Access Control'.
SSL is enabled by default over LDAP, and you can easily enable SSL for DSML-over-HTTP. In addition, there are some aspects of the SSL configuration that you might want to modify, as described in the following sections.
5.2 Managing Certificates
This section describes how to manage SSL certificates in Directory Server.
To run SSL on Directory Server, you must either use a self-signed certificate or a Public Key Infrastructure (PKI) solution.
The PKI solution involves an external Certificate Authority (CA). For a PKI solution, you need a CA-signed server certificate, which contains the server's public key and is used together with the corresponding private key held in the server's certificate database. This certificate is specific to one Directory Server. You also need a trusted CA certificate, which contains the CA's public key. The trusted CA certificate ensures that all server certificates from your CA are trusted. This certificate is sometimes called a CA root key or root certificate.
Note:
If you are using certificates for test purposes, you probably want to use self-signed certificates. However, in production, using self-signed certificates is not very secure. In production, use trusted Certificate Authority (CA) certificates.
The procedures in this section use the dsadm and dsconf commands. For information about these commands, see the dsadm and dsconf man pages.
This section provides the following information about configuring certificates on Directory Server:
5.2.1 To View the Default Self-Signed Certificate
When a Directory Server instance is first created, it contains a default self-signed certificate. A self-signed certificate is a public and private key pair whose certificate is signed with its own private key, so no third party vouches for it. A self-signed certificate is valid for 24 months.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
To view the default self-signed certificate, use this command:
5.2.2 To Manage Self-Signed Certificates
When you create a Directory Server instance, a default self-signed certificate is automatically provided.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
5.2.3 To Request a CA-Signed Server Certificate
This procedure explains how to request and install a CA-signed server certificate for use with Directory Server.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
5.2.4 To Add the CA-Signed Server Certificate and the Trusted CA Certificate
This procedure explains how to install the CA-signed server certificate and trusted CA certificates for use with Directory Server.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
5.2.5 To Renew an Expired CA-Signed Server Certificate
When your CA-signed server certificate (public key and private key) expires, renew it by using this procedure.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
5.2.6 To Export and Import a CA-Signed Server Certificate
In some cases you might want to export the public and private keys of a certificate so that you can later import the certificate. For example, you might want the certificate to be used by another server.
The commands in this procedure can be used with certificates that contain wild cards, for example 'cn=*,o=example'.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
5.2.7 Configuring the Certificate Database Password
By default, Directory Server manages the SSL certificate database password internally through a stored password. When managing certificates, the user does not need to type a certificate password or specify the password file. This option is not very secure because the stored password is only obfuscated, not encrypted, so anyone who can read the instance files can recover it.
However, if you want to have more control over the use of certificates, you can configure the server so that the user is prompted for a password on the command line. In this case, the user must type the certificate database password for all dsadm subcommands except autostart, backup, disable-service, enable-service, info, reindex, restore, and stop. The certificate database is located in the directory instance-path/alias.
5.2.7.1 To Configure the Server So the User is Prompted for a Certificate Password
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
5.2.8 Backing Up and Restoring the Certificate Database for Directory Server
When you back up an instance of Directory Server, you back up the Directory Server configuration and the certificates. The backed up certificates are stored in the archive-path/alias directory.
For information about how to back up and restore Directory Server, see To Make a Backup for Disaster Recovery.
5.3 Configuring SSL Communication
This section contains procedures for disabling the clear LDAP port and for choosing encryption ciphers.
5.3.1 Disabling Non Secure Communication
When a server instance is created, both an LDAP clear port and a secure LDAP port (LDAPS) are created by default. However, there might be situations where you want to disable non-SSL communications so that the server communicates only through SSL.
The SSL connection is enabled with a default self-signed certificate. If you want to, you can install your own certificates. For instructions on managing certificates and disabling SSL after the server has been started, see Chapter 5, 'Directory Server Security'. For an overview of certificates, certificate databases, and obtaining a CA-signed server certificate, see the Reference for Oracle Directory Server Enterprise Edition.
5.3.1.1 To Disable the LDAP Clear Port
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
5.3.2 Choosing Encryption Ciphers
A cipher is the algorithm used to encrypt and decrypt data. Generally speaking, the more bits that a cipher uses during encryption, the stronger the encryption is, although key length alone does not make a weak algorithm strong. Ciphers for SSL are also identified by the type of message authentication used. Message authentication is a second algorithm that computes a message authentication code (MAC) to protect data integrity.
When a client initiates an SSL connection with a server, the client and server must agree on a cipher to use to encrypt information. In any two-way encryption process, both parties must use the same cipher. The cipher used depends upon the current order of the cipher list kept by the server. The server chooses the first cipher presented by the client that matches a cipher in its list. The default cipher value for Directory Server is all, which means all known secure ciphers supported by the underlying SSL library. However, you can modify this value to accept only certain ciphers.
For more information about the ciphers that are available with Directory Server, see the Reference for Oracle Directory Server Enterprise Edition.
5.3.2.1 To Choose an Encryption Cipher
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
5.4 Configuring Credential Levels and Authentication Methods
The security model that is applied to clients is defined through a combination of the credential level and the authentication method.
Directory Server supports the following credential levels:
Client authentication is a mechanism for the server to verify the identity of the client.
Client authentication can be performed in one of the following ways:
This section provides the following information about configuring the two SASL mechanisms on Directory Server.
For more information about configuring security, see Configuring LDAP Clients to Use Security.
5.4.1 Setting SASL Encryption Levels in Directory Server
Before configuring the SASL mechanism, you must specify whether you require encryption or not. Requirements for SASL encryption are set by the minimum and maximum security strength factor (SSF).
The attributes dsSaslMinSSF and dsSaslMaxSSF represent the encryption key length, and they are stored in cn=SASL, cn=security, cn=config.
The server allows any level of encryption, including no encryption. This means that Directory Server accepts dsSaslMinSSF and dsSaslMaxSSF values greater than 256. However, no SASL mechanisms currently support an SSF greater than 128. Directory Server negotiates these values down to the highest SSF possible (128). Therefore, the highest actual SSF might be less than the configured maximum, depending on the underlying mechanisms available.
SASL security factor negotiation depends on two main items: the minimum and maximum factors requested by the server and client applications, and the available encryption mechanisms, which are provided by the underlying security components. In summary, the server and client attempt to use the highest available security factor that is less than or equal to the maximum factors set on both, but greater than or equal to the minimum factors on both.
The default minimum SASL security factor for Directory Server, dsSaslMinSSF, is 0, meaning no protection. The actual minimum depends on the client setting, unless you change the minimum for Directory Server. In practice, set the minimum to the lowest level that you actually want the server and client to use. If the server and client fail to negotiate a mechanism that meets the minimum requirements, the connection is not established.
5.4.1.1 To Require SASL Encryption
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
To require SASL encryption, set the dsSaslMinSSF value to the minimum encryption required.
5.4.1.2 To Disallow SASL Encryption
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
To disallow SASL encryption, set both the dsSaslMinSSF and dsSaslMaxSSF values to zero.
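The negotiation rule described above (highest factor at or above both minimums and at or below both maximums, with the server capping anything above 128) can be modelled directly. The following is an added example, not Directory Server code: the dsSaslMinSSF and dsSaslMaxSSF names are the server's, while the table of security layers, the unbounded default for dsSaslMaxSSF and the helper names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# The text states that no SASL mechanism currently provides an SSF above 128;
# configured maxima above that are negotiated down to it.
MAX_MECHANISM_SSF = 128

# Assumed default for dsSaslMaxSSF when the attribute is absent: unbounded,
# since the text says the server allows any level of encryption by default.
UNBOUNDED_SSF = 2**31 - 1

# Constructed table of security layers a SASL library might offer, as
# (name, SSF): 0 is no protection, 1 is integrity only, larger values are
# confidentiality with that key strength in bits.
SECURITY_LAYERS: Tuple[Tuple[str, int], ...] = (
    ("none", 0),
    ("integrity", 1),
    ("confidentiality-56", 56),
    ("confidentiality-128", 128),
)


@dataclass(frozen=True)
class SsfPolicy:
    min_ssf: int
    max_ssf: int

    def effective_max(self) -> int:
        # Whatever is configured, nothing stronger than 128 can be negotiated.
        return min(self.max_ssf, MAX_MECHANISM_SSF)


def policy_from_config(entry: dict) -> SsfPolicy:
    """Build the server policy from the cn=SASL,cn=security,cn=config
    attributes, applying the documented default dsSaslMinSSF=0."""
    return SsfPolicy(
        min_ssf=int(entry.get("dsSaslMinSSF", 0)),
        max_ssf=int(entry.get("dsSaslMaxSSF", UNBOUNDED_SSF)),
    )


def negotiate_ssf(server: SsfPolicy, client: SsfPolicy,
                  layers=SECURITY_LAYERS) -> Optional[int]:
    """SSF both sides will use: the strongest available layer that satisfies
    both minimums and both maximums. None means no layer qualifies and the
    connection is not established."""
    lower = max(server.min_ssf, client.min_ssf)
    upper = min(server.effective_max(), client.effective_max())
    if lower > upper:
        return None
    candidates = [ssf for _, ssf in layers if lower <= ssf <= upper]
    return max(candidates, default=None)


if __name__ == "__main__":
    client = SsfPolicy(min_ssf=0, max_ssf=256)
    for label, cfg in [("default", {}),
                       ("require encryption", {"dsSaslMinSSF": "128"}),
                       ("disallow encryption", {"dsSaslMinSSF": "0", "dsSaslMaxSSF": "0"})]:
        print(f"{label}: SSF {negotiate_ssf(policy_from_config(cfg), client)}")
```

The default policy is the one to look at: with dsSaslMinSSF left at 0, a client that offers no protection is accepted, so the minimum is the setting that actually enforces anything. A minimum above 128 can never be met and refuses every bind.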
5.4.2 SASL Authentication Through DIGEST-MD5
The DIGEST-MD5 mechanism authenticates clients by comparing a hashed value sent by the client with a hash that the server computes from the user's password. Because the server must compute that hash from the password itself, all users who authenticate through DIGEST-MD5 must have {CLEAR} passwords in the directory. When storing {CLEAR} passwords in the directory, you must ensure that access to password values is properly restricted through ACIs, as described in Chapter 6, 'Directory Server Access Control'. In addition, configure attribute encryption in the suffix, as described in Encrypting Attribute Values, so that the cleartext values are not exposed in the database files on disk.
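The reason for the {CLEAR} requirement becomes obvious once the DIGEST-MD5 computation (RFC 2831) is written out: the only password-derived value in the exchange is MD5(username:realm:password), which the server cannot obtain from a salted hash such as {SSHA}. The following added example (not Directory Server code) performs the client and server sides of that computation; the user, password, nonces and digest-uri are constructed. It also applies the default realm rule given later in this chapter under Specifying a Realm (the lowercase nsslapd-localhost value).

```python
import hashlib
import hmac
from typing import Optional


def default_realm(nsslapd_localhost: str) -> str:
    """Directory Server offers the lowercase nsslapd-localhost value as the
    default DIGEST-MD5 realm; client and server must use the same string."""
    return nsslapd_localhost.lower()


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _digest(username: str, realm: str, password: str, nonce: str, cnonce: str,
            nc: str, qop: str, digest_uri: str, authzid: Optional[str] = None,
            rspauth: bool = False) -> str:
    """RFC 2831 response value (rspauth=False) or rspauth value (rspauth=True)."""
    # A1 begins with the 16 raw bytes of MD5(username:realm:password). This is
    # the only point where the password enters the exchange, so a server needs
    # the cleartext password (or exactly this MD5) to verify anything at all.
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # A2 binds the response to the protected resource; the server's rspauth
    # uses the same string without the "AUTHENTICATE" method name.
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd_input = ":".join([_md5_hex(a1), nonce, nc, cnonce, qop,
                         _md5_hex(a2.encode("utf-8"))])
    return _md5_hex(kd_input.encode("utf-8"))


def client_response(username, realm, password, nonce, cnonce, nc, qop,
                    digest_uri, authzid=None) -> str:
    """The response field the client sends in its digest-response message."""
    return _digest(username, realm, password, nonce, cnonce, nc, qop,
                   digest_uri, authzid)


def server_verify(stored_clear_password, response, username, realm, nonce,
                  cnonce, nc, qop, digest_uri, authzid=None) -> Optional[str]:
    """Recompute the expected response from the {CLEAR} password stored in the
    user's entry and compare in constant time. Returns the rspauth value to
    send back on success, or None when the bind must fail."""
    expected = _digest(username, realm, stored_clear_password, nonce, cnonce,
                       nc, qop, digest_uri, authzid)
    if not hmac.compare_digest(expected, response):
        return None
    return _digest(username, realm, stored_clear_password, nonce, cnonce, nc,
                   qop, digest_uri, authzid, rspauth=True)


if __name__ == "__main__":
    # Constructed challenge values; a real server generates a fresh nonce per bind.
    realm = default_realm("Directory.Example.COM")
    nonce, cnonce = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk"
    resp = client_response("bjensen", realm, "hifalutin", nonce, cnonce,
                           "00000001", "auth", "ldap/directory.example.com")
    print("rspauth:", server_verify("hifalutin", resp, "bjensen", realm, nonce,
                                    cnonce, "00000001", "auth",
                                    "ldap/directory.example.com"))
```

Because the inner hash is keyed on the realm as well as the user name, a password stored in cleartext is the only representation that works for every realm the server may offer; this is why the text above pairs {CLEAR} with strict ACIs and attribute encryption.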
5.4.2.1 To Configure the DIGEST-MD5 Mechanism
The following procedure explains how to configure Directory Server to use DIGEST-MD5.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
5.4.2.2 DIGEST-MD5 Identity Mappings
Identity mappings for SASL mechanisms try to match the credentials of the SASL identity with a user entry in the directory. Authentication fails if the mapping cannot find a DN that corresponds to the SASL identity. See the Reference for Oracle Directory Server Enterprise Edition for a complete description of this mechanism.
The SASL identity is a string called the Principal that represents a user in a format specific to each mechanism. In DIGEST-MD5, clients should create a Principal that contains either a dn: prefix and an LDAP DN or a u: prefix followed by any text determined by the client. During the mapping, the Principal that is sent by the client is available in the ${Principal} placeholder.
The following entry in your server configuration is the default identity mapping for DIGEST-MD5:
This identity mapping assumes that the dn field of the Principal contains the exact DN of an existing user in the directory.
5.4.2.2.1 To Define Your Own Identity Mappings for DIGEST-MD5
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
5.4.3 SASL Authentication Through GSSAPI
The Generic Security Service API (GSSAPI) over SASL allows you to use a third-party security system such as Kerberos V5 to authenticate clients. The GSSAPI library is available for the Solaris and Linux operating systems. Oracle recommends that you install the Kerberos V5 implementation on a Sun Enterprise Authentication Mechanism (SEAM) server.
The server uses the GSSAPI to validate the identity of the user. Then, the SASL mechanism applies the GSSAPI mapping rules to obtain a DN that is the bind DN for all operations during this connection.
5.4.3.1 To Configure the Kerberos System
Configure the Kerberos software according to the vendor's instructions. If you are using the Sun Enterprise Authentication Mechanism 1.0.1 server, use this procedure.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Before You Begin
On Solaris, Kerberos 5 packages are installed by default.
On Linux, be sure the following Kerberos 5 packages are installed:
For more information, see the operating system documentation.
5.4.3.2 To Configure the GSSAPI Mechanism
The following procedure explains how to configure Directory Server to use GSSAPI:
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
5.4.3.3 GSSAPI Identity Mappings
Identity mappings for SASL mechanisms try to match credentials of the SASL identity with a user entry in the directory. Authentication fails if the mapping cannot find a DN that corresponds to the SASL identity.
The SASL identity is a string called the Principal that represents a user in a format specific to each mechanism. In Kerberos using GSSAPI, the Principal is an identity with the format uid[/instance][@realm]. The uid can contain an optional instance identifier followed by an optional realm that is often a domain name. For example, the following strings are all valid user Principals:
Initially, no GSSAPI mapping is defined in the directory. Define a default mapping and any custom mappings that you need according to how your clients define the Principal that your clients use.
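The following added example (not Directory Server code, and not its dsIdentityMapping entry syntax) parses the uid[/instance][@realm] form described above and applies one defensible mapping policy to it: only principals from a single accepted realm map to a user DN, principals that carry an instance are treated as service principals and rejected, and the uid is escaped before it is placed in an RDN. The accepted realm, the ou=People container and the suffix are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# uid[/instance][@realm]: none of the three parts may itself contain '/' or '@'.
PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?$")


@dataclass(frozen=True)
class Principal:
    uid: str
    instance: Optional[str]
    realm: Optional[str]


def parse_principal(text: str) -> Principal:
    m = PRINCIPAL_RE.match(text)
    if not m:
        raise ValueError(f"malformed Kerberos principal: {text!r}")
    uid, instance, realm = m.groups()
    return Principal(uid, instance, realm)


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514), so that a
    principal such as 'x,ou=Admins' cannot inject an extra RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (i == 0 and ch == "#") or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def map_principal_to_dn(text: str, *, accepted_realm: str, suffix: str) -> Optional[str]:
    """Return the DN the bind is performed as, or None when no rule matches
    (the SASL bind then fails, as the text above describes)."""
    try:
        p = parse_principal(text)
    except ValueError:
        return None
    # Kerberos realm names are case-sensitive. A principal with no realm, or a
    # realm other than ours, is not one of our users.
    if p.realm != accepted_realm:
        return None
    # Principals with an instance (host/..., ldap/..., admin roles) name
    # services or roles, not people, and must not become user DNs.
    if p.instance is not None:
        return None
    return f"uid={escape_rdn_value(p.uid)},ou=People,{suffix}"


if __name__ == "__main__":
    for candidate in ("kerberos-test@EXAMPLE.COM", "bjensen/admin@EXAMPLE.COM",
                      "kerberos-test", "host/directory.example.com@EXAMPLE.COM"):
        print(candidate, "->", map_principal_to_dn(
            candidate, accepted_realm="EXAMPLE.COM", suffix="dc=example,dc=com"))
```

The two refusals matter in practice: a mapping that blindly substitutes ${Principal} into a DN lets a foreign realm or a service principal bind as a user if the KDC trusts that realm, and an unescaped uid lets a crafted principal select a different entry.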
5.4.3.3.1 To Define Identity Mappings for GSSAPI
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
5.5 Configuring LDAP Clients to Use Security
The following sections explain how to configure and use SSL in LDAP clients that want to establish secure connections with Directory Server. In an SSL connection, the server sends its certificate to the client. The client must first authenticate the server by verifying and trusting its certificate. Then, the client can optionally initiate one of the client authentication mechanisms by sending its own certificate or information for one of the two SASL mechanisms. The SASL mechanisms are DIGEST-MD5 and GSSAPI using Kerberos V5.
The following sections use the ldapsearch tool as an example of an SSL-enabled LDAP client.
To configure SSL connections on other LDAP clients, refer to the documentation provided with your application.
Note:
Some client applications implement SSL but do not verify that the server has a trusted certificate. These client applications use the SSL protocol to provide data encryption but cannot guarantee confidentiality nor protect against impersonation.
The following sections explain how to configure LDAP clients to use security:
5.5.1 Using SASL DIGEST-MD5 in Clients
When using the DIGEST-MD5 mechanism in clients, you do not need to install a user certificate. However, if you want to use encrypted SSL connections, you must still trust the server certificate as described in Managing Certificates.
5.5.1.1 Specifying a Realm
A realm defines the namespace from which the authentication identity is selected. In DIGEST-MD5 authentication, you must authenticate to a specific realm.
Directory Server uses the fully qualified host name of the machine as the default realm for DIGEST-MD5. The server uses the lowercase value of the host name that is found in the nsslapd-localhost configuration attribute.
If you do not specify a realm, the default realm offered by the server is used.
5.5.1.2 Specifying Environment Variables
In the UNIX environment, you must set the SASL_PATH environment variable so that the LDAP tools can find the DIGEST-MD5 libraries. The DIGEST-MD5 library is a shared library that is dynamically loaded by the SASL plug-in. Set the SASL_PATH environment variable as follows:
This path assumes that Directory Server is installed on the same host where the LDAP tools are invoked.
5.5.1.3 Examples of the
The following table lists the example values used in the Kerberos (GSSAPI) configuration steps that follow.

| Variable Type | Example Value |
|---|---|
| Fully qualified computer name | directory.example.com |
| Installation directory | /opt/SUNWdsee |
| Instance path | /local/dsInst |
| Server user | unixuser |
| Server group | unixgroup |
| Server port | 389 |
| Suffix | dc=example,dc=com |
5.5.2.3.12 Directory Server Machine: Configure the Directory Server to Enable GSSAPI
First, create the file /data/ds/shared/bin/gssapi.ldif to define the mapping that should be used by the Directory Server, and to identify which Kerberos user is authenticating, based on the Principal. Create the file contents to be the same as what is shown in the following example.
where SASL-library is the following: install-path/lib/private/
Next, use the ldapmodify command to update the Directory Server to enable GSSAPI with the appropriate mappings, as shown in the following example:
5.5.2.3.13 Directory Server Machine: Create a Directory Server Keytab
As mentioned previously, to authenticate Kerberos users through GSSAPI, the Directory Server must have its own Principal in the KDC. For authentication to work properly, the Principal information must reside in a Kerberos keytab on the Directory Server machine. This information must be in a file that is readable by the user account under which the Directory Server operates.
Create a keytab file with the correct properties by using the following command sequence:
Change the permissions and ownership on this custom keytab. Make the keytab owned by the user account used to run Directory Server and readable only by that user:
By default, the Directory Server tries to use the standard Kerberos keytab in the file /etc/krb5/krb5.keytab. However, making this file readable by the Directory Server user could constitute a security risk, which is why a custom keytab was created for the Directory Server.
Configure the Directory Server to use the new custom keytab. Do this by setting the KRB5_KTNAME environment variable.
Finally, restart the Directory Server to allow these changes to take effect:
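The keytab requirements stated in the steps above (a file owned by the account that runs Directory Server, readable by that account only, and selected through KRB5_KTNAME) are easy to get wrong during an upgrade or a restore, so they are worth checking before the restart. The following added pre-flight check is not Directory Server code; the temporary keytab it creates in demonstrate() is constructed for the example and contains only a format header.

```python
import os
import stat
import tempfile
from typing import Dict, List


def keytab_problems(path: str, expected_uid: int) -> List[str]:
    """Findings about a keytab; an empty list means it is acceptable."""
    problems: List[str] = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if stat.S_ISLNK(st.st_mode):
        # Whoever controls a symlink's target controls the server's key material.
        problems.append(f"{path} is a symbolic link; point KRB5_KTNAME at the real file")
        try:
            st = os.stat(path)
        except FileNotFoundError:
            return problems + [f"{path} is a dangling symbolic link"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path} is not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"{path} is owned by uid {st.st_uid}, expected the server account uid {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is accessible to group/other (mode {stat.S_IMODE(st.st_mode):04o}); use 0600")
    if st.st_size == 0:
        problems.append(f"{path} is empty; no keys have been written to it")
    return problems


def krb5_ktname_selects(path: str, environ=os.environ) -> bool:
    """True when KRB5_KTNAME (with or without the FILE: prefix) names this keytab."""
    value = environ.get("KRB5_KTNAME", "")
    if value.startswith("FILE:"):
        value = value[len("FILE:"):]
    return bool(value) and os.path.realpath(value) == os.path.realpath(path)


def demonstrate() -> Dict[str, object]:
    """Exercise the checks on a throwaway file in a temporary directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ds.keytab")
    with open(path, "wb") as f:
        f.write(b"\x05\x02")  # constructed: only the keytab format version header
    me = os.getuid()
    os.chmod(path, 0o600)
    private = keytab_problems(path, me)
    os.chmod(path, 0o644)
    shared = keytab_problems(path, me)
    os.chmod(path, 0o600)
    wrong_owner = keytab_problems(path, me + 1)
    return {
        "private": private,
        "shared": shared,
        "wrong_owner": wrong_owner,
        "env_ok": krb5_ktname_selects(path, {"KRB5_KTNAME": "FILE:" + path}),
        "env_unset": krb5_ktname_selects(path, {}),
    }


if __name__ == "__main__":
    for name, finding in demonstrate().items():
        print(f"{name}: {finding}")
```

Run keytab_problems() as the server account against the custom keytab path before restarting; a non-empty list means the GSSAPI bind will fail, or worse, that the service key is exposed to other local users.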
5.5.2.3.14 Directory Server Machine: Add a Test User to the Directory Server
To authenticate a Kerberos user to the Directory Server, there must be a directory entry for the user that corresponds to the Kerberos Principal for that user.
In a previous step, a test user was added to the Kerberos database with a Principal of kerberos-test@EXAMPLE.COM. Because of the identity mapping configuration added to the directory, the corresponding directory entry for that user must have a DN of uid=kerberos-test,ou=People,dc=example,dc=com.
Before you can add the user to the directory, you must create the file testuser.ldif with the following contents.
Next, use ldapmodify to add this entry to the server:
5.5.2.3.15 Directory Server Machine: Get a Kerberos Ticket as the Test User
The test user exists in the Kerberos database and Directory Server and the KDC. Therefore, it is now possible to authenticate as the test user to the Directory Server over Kerberos through GSSAPI.
First, use the kinit command to get a Kerberos ticket for the user, as shown in the following example:
Then, use the klist command to view information about this ticket:
5.5.2.3.16 Client Machine: Authenticate to the Directory Server Through GSSAPI
The final step is to authenticate to the Directory Server by using GSSAPI. The ldapsearch utility provided with the Directory Server supports SASL authentication, including the GSSAPI, DIGEST-MD5, and EXTERNAL mechanisms. However, to bind by using GSSAPI you must provide the client with the path to the SASL library. Provide the path by setting the SASL_PATH environment variable to the lib/sasl directory:
To actually perform a Kerberos-based authentication to the Directory Server using ldapsearch, you must include the -o mech=GSSAPI and -o authzid=principal arguments.
You must also specify the fully qualified host name, shown here as -h directory.example.com, which must match the value of the nsslapd-localhost attribute on cn=config for the server. This use of the -h option is needed because the GSSAPI authentication process requires the host name provided by the client to match the host name provided by the server.
The following example retrieves the dc=example,dc=com entry while authenticated as the Kerberos test user account created previously:
Check the Directory Server access log to confirm that the authentication was processed as expected:
This example shows that the bind is a three-step process. The first two steps return LDAP result 14 (SASL bind in progress), and the third step shows that the bind was successful. The method=sasl and mech=GSSAPI tags show that the bind used the GSSAPI SASL mechanism. The dn='uid=kerberos-test,ou=people,dc=example,dc=com' at the end of the successful bind response shows that the bind was performed as the appropriate user.
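Reading that three-step sequence by eye works for one test bind; for routine verification or detection it is better to correlate BIND and RESULT lines per connection and operation. The following added example does that over constructed log lines written in the layout the text describes (conn, op, BIND with method and mech, RESULT with err and the mapped dn); it is not Directory Server code and the timestamps, connection numbers and entries are invented.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed lines in the layout of a Directory Server access log: the
# three-step GSSAPI bind on conn=12 followed by its search, then a failed
# simple bind (method=128) on conn=13.
SAMPLE_LOG = """\
[28/Apr/2010:15:01:02 +0200] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[28/Apr/2010:15:01:02 +0200] conn=12 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[28/Apr/2010:15:01:02 +0200] conn=12 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[28/Apr/2010:15:01:02 +0200] conn=12 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[28/Apr/2010:15:01:02 +0200] conn=12 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[28/Apr/2010:15:01:02 +0200] conn=12 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=kerberos-test,ou=people,dc=example,dc=com"
[28/Apr/2010:15:01:03 +0200] conn=12 op=3 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[28/Apr/2010:15:01:03 +0200] conn=12 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[28/Apr/2010:15:02:10 +0200] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[28/Apr/2010:15:02:10 +0200] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

SASL_BIND_IN_PROGRESS = 14

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                     r'(?P<kind>[A-Z]+)(?P<rest>.*)$')
# key=value pairs; values are either double-quoted (may contain spaces and
# commas) or a bare token, which stops at whitespace or the comma after etime.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')


@dataclass
class BindTrace:
    method: Optional[str] = None
    mech: Optional[str] = None
    results: List[int] = field(default_factory=list)
    bound_dn: Optional[str] = None

    def completed_as(self) -> Optional[str]:
        """DN the connection is bound as, or None if the most recent bind
        failed or is still in progress."""
        if self.results and self.results[-1] == 0 and self.bound_dn:
            return self.bound_dn
        return None


def _fields(rest: str) -> Dict[str, str]:
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(rest)}


def trace_binds(lines) -> Dict[str, BindTrace]:
    """Correlate BIND and RESULT lines by (conn, op) into one trace per connection."""
    traces: Dict[str, BindTrace] = defaultdict(BindTrace)
    pending = set()  # (conn, op) pairs whose BIND has not yet seen its RESULT
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn, op, kind = m["conn"], m["op"], m["kind"]
        fields = _fields(m["rest"])
        if kind == "BIND":
            t = traces[conn]
            t.method = fields.get("method")
            t.mech = fields.get("mech", t.mech)
            # Simple binds carry the DN on the BIND line; SASL binds carry "".
            t.bound_dn = fields.get("dn") or None
            pending.add((conn, op))
        elif kind == "RESULT" and (conn, op) in pending:
            pending.discard((conn, op))
            t = traces[conn]
            t.results.append(int(fields["err"]))
            # For SASL, the mapped identity arrives only with the final RESULT.
            if fields.get("dn"):
                t.bound_dn = fields["dn"]
    return dict(traces)


if __name__ == "__main__":
    for conn, t in trace_binds(SAMPLE_LOG.splitlines()).items():
        steps = t.results.count(SASL_BIND_IN_PROGRESS)
        print(f"conn={conn} method={t.method} mech={t.mech} "
              f"in-progress-steps={steps} bound_as={t.completed_as()}")
```

A trace whose final result is 0 but whose bound_dn is empty would mean the SASL exchange completed without mapping to a user, which is exactly the failure the identity mapping sections above are meant to rule out; flag it rather than treating err=0 alone as success.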
5.6 Pass-Through Authentication
Pass-through authentication (PTA) is a mechanism by which bind requests are filtered by bind DN. One Directory Server (the delegator) receives the bind request and, based on the filter, can consult another Directory Server (the delegate) to authenticate bind requests. As part of this functionality, the PTA plug-in enables the delegator Directory Server to accept simple password-based bind operations for entries that are not necessarily stored in its local database.
5.6.1 PTA Plug-In and DSCC
The PTA plug-in is also used by DSCC for private communication with the server. When a server instance is registered in DSCC, the PTA plug-in is enabled and the DSCC URL is added as an argument.
Note:
If your server is registered in DSCC and you need to use PTA, you must preserve the following settings while modifying the PTA plug-in.
- Keep the enabled property on.
- Keep the DSCC URL in the argument property, although you can add other values to it.
If the PTA plug-in is disabled or the DSCC URL is removed from the argument, the server instance will appear as inaccessible in DSCC. If this happens, DSCC will automatically give you the option of resetting the PTA plug-in.
You can also fix this problem by unregistering and registering the Directory Server instance into DSCC. To perform these operations, you can use either DSCC or the dsccreg remove-server and dsccreg add-server commands. For more information about the dsccreg command, see dsccreg.
5.6.2 Configuring the PTA Plug-in
PTA plug-in configuration information is specified in the cn=Pass Through Authentication,cn=plugins,cn=config entry on the PTA server.
The PTA plug-in is a system plug-in, which is disabled by default. It can be enabled and set up using the dsconf command or using DSCC.
5.6.2.1 Setting up the PTA Plug-In
- Run the following dsconf commands:
  The plug-in argument specifies the LDAP URL identifying the host name of the authenticating directory server, an optional port, and the PTA subtree. If no port is specified, the default port is 389 with LDAP and 636 with LDAPS. You may also set the optional connection parameters described in the following sections. If the PTA subtree exists on the PTA host, the plug-in will not pass the bind request to the authenticating host, and the bind will be processed locally without any pass-through.
- Restart the server as described in Starting, Stopping, and Restarting a Directory Server Instance.
5.6.2.2 Configuring PTA to Use a Secure Connection
Because the PTA plug-in must send bind credentials including the password to the authenticating directory, we recommend using a secure connection. To configure the PTA directory to communicate with the authenticating directory over SSL:
- Configure and enable SSL in both the PTA and authenticating directories, as described in Chapter 5, 'Directory Server Security'.
- Create or modify the PTA plug-in configuration to use LDAPS and the secure port in the LDAP URL, for example:
5.6.2.3 Setting the Optional Connection Parameters
The PTA plug-in arguments accept a set of optional connection parameters after the LDAP URL:
The parameters must be given in the order shown. Although these parameters are optional, if you specify one of them, you must specify them all. If you do not want to customize all parameters, specify their default values given below. Make sure there is a space between the subtree parameter and the optional parameters.
You can configure the following optional parameters for each LDAP URL:
- maxconns - The maximum number of connections the PTA server can open simultaneously to the authenticating server. This parameter limits the number of simultaneous binds that can be passed through to the authenticating server. The default value is 3.
- maxops - The maximum number of bind requests the PTA directory server can send simultaneously to the authenticating directory server within a single connection. This parameter further limits the number of simultaneous pass-through authentications. The default value is 5.
- timeout - The maximum delay in seconds that you want the PTA server to wait for a response from the authenticating server. The default value is 300 seconds (five minutes).
- ldapver - The version of the LDAP protocol you want the PTA server to use when connecting to the authenticating server. The allowed values are 2 for LDAPv2 and 3 for LDAPv3. The default value is 3.
- connlife - The time limit in seconds within which the PTA server will reuse a connection to the authenticating server. If a bind in the PTA subtree is requested by a client after this time has expired, the server closes the PTA connection and opens a new one. The server will not close the connection unless a bind request is initiated and the server determines the timeout has been exceeded. If you do not specify this option, or if only one authenticating server is listed in the LDAP URL, no time limit will be enforced. If two or more hosts are listed, the default is 300 seconds (five minutes).
Note:
While setting the argument property using the dsconf command, put the value in double quotes to protect spaces. For example:
5.6.2.4 Specifying Multiple Servers and Subtrees
You may configure the PTA plug-in with multiple arguments to specify multiple authenticating servers, multiple PTA subtrees, or both. Each argument contains one LDAP URL and may have its own set of connection options.
When there are multiple authenticating servers for the same PTA subtree, they act as failover servers. The plug-in will establish connections to them in the order listed whenever a PTA connection reaches the timeout limit. If all connections time out, the authentication fails.
When there are multiple PTA subtrees defined, the plug-in will pass-through the authentication request to the corresponding server according to the bind DN. The following example shows four PTA plug-in arguments that define two PTA subtrees, each with a failover server for authentication and server-specific connection parameters:
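The argument syntax and routing rules of sections 5.6.2.1 through 5.6.2.4 fit together as follows: an LDAP URL naming one or more authenticating hosts and a PTA subtree, optionally followed by the five connection parameters in fixed order, and a bind DN is passed to the servers of the most specific matching subtree unless that subtree is held locally. The following added example (not the plug-in's code) parses such arguments with the documented defaults and makes the routing decision; the host names, subtrees and argument strings are constructed, and the reading that several hosts are listed space-separated inside the URL authority is an assumption based on the text's reference to "two or more hosts listed in the LDAP URL".

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
URL_RE = re.compile(r"^(ldaps?)://([^/]+)/(.+)$")
# maxconns,maxops,timeout,ldapver,connlife in this order, all five or none.
OPTIONS_RE = re.compile(r"^(\d+),(\d+),(\d+),([23]),(\d+)$")
PARTIAL_OPTIONS_RE = re.compile(r"^[\d,]+$")


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around commas so subtrees compare reliably
    (enough for the plain DNs used here; not a full RFC 4514 normalizer)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass(frozen=True)
class PtaArgument:
    scheme: str
    hosts: Tuple[Tuple[str, int], ...]  # in the failover order listed
    subtree: str                        # normalized
    maxconns: int = 3
    maxops: int = 5
    timeout: int = 300
    ldapver: int = 3
    connlife: Optional[int] = None      # None: connection reused without time limit

    @property
    def secure(self) -> bool:
        return self.scheme == "ldaps"


def parse_pta_argument(arg: str) -> PtaArgument:
    """Parse '<ldap-url>[ maxconns,maxops,timeout,ldapver,connlife]'."""
    arg = arg.strip()
    url, options = arg, None
    head, sep, tail = arg.rpartition(" ")
    if sep and OPTIONS_RE.match(tail):
        url, options = head, OPTIONS_RE.match(tail).groups()
    elif sep and PARTIAL_OPTIONS_RE.match(tail):
        raise ValueError("connection parameters are all-or-nothing: "
                         "give all five as maxconns,maxops,timeout,ldapver,connlife")
    m = URL_RE.match(url)
    if not m:
        raise ValueError(f"expected ldap[s]://host[:port][ host[:port]...]/subtree, got {url!r}")
    scheme, authority, subtree = m.groups()
    hosts = []
    for hostport in authority.split():
        host, _, port = hostport.partition(":")
        hosts.append((host.lower(), int(port) if port else DEFAULT_PORT[scheme]))
    if not hosts:
        raise ValueError("no authenticating host in LDAP URL")
    # connlife defaults to 300 s only when two or more hosts are listed.
    connlife: Optional[int] = 300 if len(hosts) > 1 else None
    extra = {}
    if options:
        maxconns, maxops, timeout, ldapver, connlife = (int(x) for x in options)
        extra = dict(maxconns=maxconns, maxops=maxops, timeout=timeout, ldapver=ldapver)
    return PtaArgument(scheme, tuple(hosts), normalize_dn(subtree), connlife=connlife, **extra)


def is_valid_pta_argument(arg: str) -> bool:
    try:
        parse_pta_argument(arg)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class RouteDecision:
    passthrough: bool
    servers: Tuple[Tuple[str, int, bool], ...]  # (host, port, over_ldaps) in the order to try


def is_under(dn: str, subtree: str) -> bool:
    dn, subtree = normalize_dn(dn), normalize_dn(subtree)
    return dn == subtree or dn.endswith("," + subtree)


def route_bind(bind_dn: str, arguments: Sequence[PtaArgument],
               local_suffixes: Iterable[str] = ()) -> RouteDecision:
    matching = [a for a in arguments if is_under(bind_dn, a.subtree)]
    if not matching:
        return RouteDecision(False, ())
    best = max((a.subtree for a in matching), key=len)  # most specific subtree wins
    # A subtree the PTA host itself holds is authenticated locally, never passed through.
    if any(is_under(best, s) for s in local_suffixes):
        return RouteDecision(False, ())
    servers = tuple((h, p, a.secure) for a in matching if a.subtree == best for h, p in a.hosts)
    return RouteDecision(True, servers)


def cleartext_arguments(arguments: Sequence[PtaArgument]) -> List[PtaArgument]:
    """Arguments that would send bind passwords over plain ldap://."""
    return [a for a in arguments if not a.secure]
```

Run cleartext_arguments() over the configured values before enabling the plug-in: every entry it returns forwards user passwords unencrypted to the authenticating server, which is the situation 5.6.2.2 tells you to avoid.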