Enable ITDS to use SSL/TLS
By default, ITDS V6.2 does not come configured to use SSL or TLS connections. To enable SSL and TLS, make sure that a server certificate (self-signed or issued by a Certificate Authority) is stored in a CMS key database (.kdb) and that the Directory Server instance is running (idsslapd -I dsrdbm01).
About this task
Follow these steps:
Procedure
- Create an LDAP Data Interchange Format (LDIF) file named enable_SSLTLS.ldif, containing the following (modify the key database path, certificate label and password as appropriate):
dn: cn=SSL,cn=Configuration
changetype: modify
replace: ibm-slapdSslAuth
ibm-slapdSslAuth: serverAuth
-
replace: ibm-slapdSecurity
ibm-slapdSecurity: SSLTLS

dn: cn=SSL,cn=Configuration
changetype: modify
replace: ibm-slapdSSLKeyDatabase
ibm-slapdSSLKeyDatabase: /home/dsrdbm01/idsslapd-dsrdbm01/etc/serverkey.kdb
-
replace: ibm-slapdSslCertificate
ibm-slapdSslCertificate: IDS Instance
-
replace: ibm-slapdSSLKeyDatabasePW
ibm-slapdSSLKeyDatabasePW: cmspass
Note: Watch for trailing spaces in the LDIF file (they cause syntax errors). The example above has no trailing spaces after any line. The file also carries the key database password in clear text, so restrict its permissions and delete it once the change has been applied.
- Use the ITDS client LDAP command ldapmodify to merge the configuration:
[root@itds ~]# /opt/ibm/ldap/V6.2/bin/ldapmodify -v -D cn=root -w ldaprootpass \
    -i enable_SSLTLS.ldif
ldap_init(localhost, 389)
replace ibm-slapdSslAuth:
        BINARY (10 bytes) serverAuth
replace ibm-slapdSecurity:
        BINARY (6 bytes) SSLTLS
Operation 0 modifying entry cn=SSL,cn=Configuration
replace ibm-slapdSSLKeyDatabase:
        BINARY (48 bytes) /home/dsrdbm01/idsslapd-dsrdbm01/etc/serverkey.kdb
replace ibm-slapdSslCertificate:
        BINARY (12 bytes) IDS Instance
replace ibm-slapdSSLKeyDatabasePW:
        BINARY (6 bytes) cmspass
Operation 1 modifying entry cn=SSL,cn=Configuration
[root@itds ~]#
Note that when no host name is given (-h), ldapmodify connects to the instance on the local host at the default non-SSL port, 389, as the ldap_init line in the output shows.
- Restart the Directory Server's instance and Administration daemon:
[root@itds ~]# /opt/ibm/ldap/V6.2/sbin/idsslapd -k -I dsrdbm01
GLPSRV176I Terminated directory server instance 'dsrdbm01' normally.
[root@itds ~]# /opt/ibm/ldap/V6.2/sbin/ibmdiradm -k -I dsrdbm01
GLPADM034I Stopped Admin Daemon instance: 'dsrdbm01'.
[root@itds ~]# /opt/ibm/ldap/V6.2/sbin/ibmdiradm -I dsrdbm01
GLPADM056I Admin Daemon starting.
...
GLPCOM003I Non-SSL port initialized to 3538.
GLPCOM004I SSL port initialized to 3539.
[root@itds ~]# /opt/ibm/ldap/V6.2/sbin/idsslapd -I dsrdbm01
GLPSRV041I Server starting.
...
GLPCOM003I Non-SSL port initialized to 389.
GLPCOM004I SSL port initialized to 636.
[root@itds ~]#
Watch for errors or warnings on the output of each command. The GLPCOM004I lines confirm that the SSL ports came up (3539 for the Administration daemon, 636 for the instance); if one is missing, the key database path, certificate label or password in the LDIF is wrong.
- Check for SSL connectivity locally using ITDS ldapsearch command:
[root@itds ~]# /opt/ibm/ldap/V6.2/bin/ldapsearch -D cn=root -w ldaprootpass \
    -s sub -Z -K /home/dsrdbm01/idsslapd-dsrdbm01/etc/serverkey.kdb \
    -P cmspass objectclass=* cn=localhost
cn=localhost
objectclass=container
objectclass=top
...
[root@itds ~]#
- Check for errors or warnings on the output. The command above tests the SSL connectivity only (-Z makes ldapsearch connect to the SSL port, 636 by default); to test the TLS connectivity, replace the -Z parameter with -Y. Note that this check uses the server's own key database (-K) as the client's trust store, so it proves only that the listener is up and presents its certificate; any other client needs its own key database that trusts the certificate's issuer (or the self-signed certificate itself).
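The whole procedure as one script, added here as an example and not part of the IBM page: it writes the LDIF from the instance's key database path, certificate label and password, lints the file for the trailing-space and missing-space problems the note above warns about, and only then calls the ITDS commands. The paths, instance name and certificate label are the page's placeholders; the `-w ?` password prompt is assumed from the ITDS client command syntax, and the apply and verify functions return early when the ITDS binaries are not installed, so the generator and linter can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the IBM page. Builds, lints and applies the
# enable_SSLTLS.ldif of the procedure above. Paths are the page's placeholders.
LDAP_BIN=${LDAP_BIN:-/opt/ibm/ldap/V6.2/bin}
LDAP_SBIN=${LDAP_SBIN:-/opt/ibm/ldap/V6.2/sbin}

# make_ssl_ldif KDB_PATH CERT_LABEL KDB_PASSWORD
# Writes the two modify records for cn=SSL,cn=Configuration to stdout.
# printf emits each line exactly, so no trailing whitespace can creep in.
make_ssl_ldif() {
    printf '%s\n' \
        'dn: cn=SSL,cn=Configuration' \
        'changetype: modify' \
        'replace: ibm-slapdSslAuth' \
        'ibm-slapdSslAuth: serverAuth' \
        '-' \
        'replace: ibm-slapdSecurity' \
        'ibm-slapdSecurity: SSLTLS' \
        '' \
        'dn: cn=SSL,cn=Configuration' \
        'changetype: modify' \
        'replace: ibm-slapdSSLKeyDatabase' \
        "ibm-slapdSSLKeyDatabase: $1" \
        '-' \
        'replace: ibm-slapdSslCertificate' \
        "ibm-slapdSslCertificate: $2" \
        '-' \
        'replace: ibm-slapdSSLKeyDatabasePW' \
        "ibm-slapdSSLKeyDatabasePW: $3"
}

# lint_ldif FILE: returns 0 when no line ends in whitespace and every
# attribute line has a space after the colon; reports offenders and returns 1.
lint_ldif() {
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *[[:space:]]) echo "$1:$n: trailing whitespace" >&2; rc=1 ;;
        esac
        case $line in
            ''|'-'|'#'*|*': '*) ;;   # blank, separator, comment, or well-formed
            *:*) echo "$1:$n: no space after colon" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# apply_ssl_ldif LDIF_FILE INSTANCE: lint, ldapmodify against localhost:389,
# then restart the instance and the Administration daemon as the page does.
# -w ? (assumed ITDS client syntax) makes ldapmodify prompt for the bind
# password instead of taking it from the command line, where ps and the shell
# history would expose it.
apply_ssl_ldif() {
    lint_ldif "$1" || return 1
    [ -x "$LDAP_BIN/ldapmodify" ] || { echo "ITDS client not found in $LDAP_BIN" >&2; return 2; }
    "$LDAP_BIN/ldapmodify" -v -D cn=root -w '?' -i "$1" || return 1
    "$LDAP_SBIN/idsslapd" -k -I "$2" &&
    "$LDAP_SBIN/ibmdiradm" -k -I "$2" &&
    "$LDAP_SBIN/ibmdiradm" -I "$2" &&
    "$LDAP_SBIN/idsslapd" -I "$2"
}

# verify_ssl KDB_PATH KDB_PASSWORD [ssl|tls]: the page's local check.
# -Z talks SSL to the SSL port (636 by default); -Y negotiates TLS instead.
verify_ssl() {
    [ -x "$LDAP_BIN/ldapsearch" ] || { echo "ITDS client not found in $LDAP_BIN" >&2; return 2; }
    if [ "${3:-ssl}" = tls ]; then flag=-Y; else flag=-Z; fi
    "$LDAP_BIN/ldapsearch" -D cn=root -w '?' -s sub "$flag" -K "$1" -P "$2" \
        'objectclass=*' cn=localhost
}

# Usage, with the page's placeholder values:
#   make_ssl_ldif /home/dsrdbm01/idsslapd-dsrdbm01/etc/serverkey.kdb 'IDS Instance' cmspass \
#       > enable_SSLTLS.ldif && chmod 600 enable_SSLTLS.ldif
#   apply_ssl_ldif enable_SSLTLS.ldif dsrdbm01
#   verify_ssl /home/dsrdbm01/idsslapd-dsrdbm01/etc/serverkey.kdb cmspass
```

The linter is the part worth keeping even if the rest is typed by hand: the `-` separator between modifications must be alone on its line, and a single trailing space after `ibm-slapdSecurity: SSLTLS` is invisible in an editor but rejected by ldapmodify.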