Enable ITDS to use SSL/TLS

Linux information > Blueprints for Linux on IBM systems > Security blueprints > Using MIT-Kerberos with IBM Tivoli Directory Server backend > Setting up IBM Tivoli Directory Server

Enable ITDS to use SSL/TLS

By default, ITDS V6.2 does not comes configured to use SSL or TLS connections. To enable SSL and TLS, make sure that a Server Certificate (self-signed or issued by a Certificate Authority) is configured in a CMS database and make sure that the Directory Server is running (idsspald -I dsrdbm01 is running).

About this task

Follow these steps:

Procedure

1. Create an LDAP Data Interchange Format (LDIF) file named enable_SSLTLS.ldif, containing the following (modify as appropriate):

   dn: cn=SSL,cn=Configuration changetype: modify replace: ibm-slapdSslAuth ibm-slapdSslAuth: serverAuth - replace: ibm-slapdSecurity ibm-slapdSecurity: SSLTLS  dn: cn=SSL,cn=Configuration changetype: modify replace: ibm-slapdSSLKeyDatabase ibm-slapdSSLKeyDatabase: /home/dsrdbm01/idsslapd-dsrdbm01/etc/serverkey.kdb - replace:ibm-slapdSslCertificate ibm-slapdSslCertificate: IDS Instance - replace: ibm-slapdSSLKeyDatabasePW ibm-slapdSSLKeyDatabasePW: cmspass

   Note: Watch for trailing spaces in the LDIF file (which may cause syntax errors). The example above has no trailing spaces after each line.
2. Use the ITDS client LDAP command ldapmodify to merge the configuration:

   [root@itds ~]# /opt/ibm/ldap/V6.2/bin/ldapmodify -v -D cn=root -w ldaprootpass \                -i enable_SSLTLS.ldif ldap_init(localhost, 389) replace ibm-slapdSslAuth: 	BINARY (10 bytes) serverAuth replace ibm-slapdSecurity: 	BINARY (6 bytes) SSLTLS Operation 0 modifying entry cn=SSL,cn=Configuration  replace ibm-slapdSSLKeyDatabase: 	BINARY (48 bytes) /home/dsrdbm01/idsslapd-dsrdbm01/etc/serverkey.kdb replace ibm-slapdSslCertificate: 	BINARY (12 bytes) IDS Instance replace ibm-slapdSSLKeyDatabasePW: 	BINARY (6 bytes) cmspass Operation 1 modifying entry cn=SSL,cn=Configuration  [root@itds ~]#

   Note that the ldapmodify command, when a hostname is not specified, will try to modify the instance running in the local host at the default port.

3. Restart the Directory Server's instance and Administration daemon:

   [root@itds ~]# /opt/ibm/ldap/V6.2/sbin/idsslapd -k -I dsrdbm01 GLPSRV176I Terminated directory server instance 'dsrdbm01' normally. [root@itds ~]# /opt/ibm/ldap/V6.2/sbin/ibmdiradm -k -I dsrdbm01 GLPADM034I Stopped Admin Daemon instance: 'dsrdbm01'. [root@itds ~]# /opt/ibm/ldap/V6.2/sbin/ibmdiradm -I dsrdbm01 GLPADM056I Admin Daemon starting. ... GLPCOM003I Non-SSL port initialized to 3538. GLPCOM004I SSL port initialized to 3539. [root@itds ~]# /opt/ibm/ldap/V6.2/sbin/idsslapd -I dsrdbm01 GLPSRV041I Server starting. ... GLPCOM003I Non-SSL port initialized to 389. GLPCOM004I SSL port initialized to 636. [root@itds ~]#

   Watch for errors or warnings on the output of each command.

4. Check for SSL connectivity locally using ITDS ldapsearch command:

   [root@itds ~]# /opt/ibm/ldap/V6.2/bin/ldapsearch -D cn=root -w ldaprootpass \                 -s sub -Z -K /home/dsrdbm01/idsslapd-dsrdbm01/etc/serverkey.kdb \                 -P cmspass objectclass=* cn=localhost cn=localhost objectclass=container objectclass=top ... [root@itds ~]#

5. Check for errors or warnings on the output. The command above tests the SSL connectivity only. For testing the TLS connectivity, replace the -Zparameter with -Y.

Parent topic: Setting up IBM Tivoli Directory Server

---

发送反馈

---