IBM Tivoli Directory Server, Version 6.3

Input parameters

keydatabase

Specifies the name of the key database file, which has the .kdb extension. The key database file typically contains one or more certificates from the certificate authorities (CAs) that are trusted by the clients. If the LDAP server is configured to provide only server authentication, a private key and client certificate are not required. If the user wants to use the crypto device in key storage mode only, the keydatabase parameter can be NULL. If the client needs the crypto device to work only in accelerator mode, the kdb file must be specified. If both the key database file and the password are NULL, the default ldapkey.kdb file is used as the key database and its password is read from the default ldapkey.sth file.

The user can keep some keys on the device (personal certificates with their private keys) and others in the key database file (signer certificates with public keys). A specific certificate is therefore selected either from the local kdb file or from the crypto device, based on the certificate label that is used.

keydatabase_pwd
Specifies the password that is used to protect the contents of the key database file. This password is important, particularly when it protects one or more private keys stored in the key database file. If NULL is passed for this parameter and the key database file is also NULL, the password for the default ldapkey.kdb file is taken from the ldapkey.sth file.
ssl_timeout
Specifies the SSL timeout value in seconds. The timeout value controls the frequency with which the SSL protocol stack regenerates session keys. If ssl_timeout is set to 0, the default value SSLV3_CLIENT_TIMEOUT is used. Otherwise, the value specified in the parameter is used; this value must be less than or equal to 86,400 (the number of seconds in a day). If ssl_timeout is greater than 86,400, LDAP_PARAM_ERROR is returned.
pSSLReasonCode
Specifies a pointer to the SSL reason code, which contains additional information in the event that an error occurs during the initialization of the SSL stack. See ldapssl.h for the reason codes that can be returned.
pkcs11arg
Specifies a struct data type that contains information about the different crypto device settings to enable key storage and accelerator mode.

An instance of the structure contains the following fields:

Libpath
Specifies a null-terminated string that defines the path of the driver file that is used to access the PKCS11 device.
Token_label
Specifies a null-terminated string that defines the label assigned to the PKCS11 device for access.
Token_pwd
Specifies a null-terminated string that defines the password phrase used to access the PKCS11 device.
Keystorage
The value of this parameter can be 0 or 1. If set to 1, the crypto device is used as key storage. If set to 0, the crypto device does not function as key storage.
Accelerator
Specifies an integer value that determines the type of accelerated operation the client needs from the PKCS11 device.

Under acceleration mode, the PKCS11 device can be configured to do three different operations: Symmetric operation, Digest operation, and Random Data Generation operation.

The accelerator value should be one of the options listed below:

#define LDAP_SSL_ACCELERATION_MODE_NONE          0
#define LDAP_SSL_ACCELERATION_MODE_SYM           1
#define LDAP_SSL_ACCELERATION_MODE_DIG           2
#define LDAP_SSL_ACCELERATION_MODE_SYM_DIG       3
#define LDAP_SSL_ACCELERATION_MODE_RND           4
#define LDAP_SSL_ACCELERATION_MODE_RND_SYM       5
#define LDAP_SSL_ACCELERATION_MODE_RND_DIG       6
#define LDAP_SSL_ACCELERATION_MODE_SYM_DIG_RND   7
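The following is an added example, not IBM's code: a caller-side pre-check that mirrors the parameter rules described above (timeout bound, key storage flag, accelerator range, default key database) and shows that the accelerator constants combine as a bitmask (SYM=1, DIG=2, RND=4). The struct and function names, the driver path and the token settings are assumed for illustration; the page does not give the real IBM type or function names.

```c
/* Added example, not IBM's code: a caller-side pre-check mirroring the
 * documented constraints on the PKCS11 SSL client-init parameters.
 * Struct and function names are assumed; the page gives no real ones. */
#include <string.h>
#define LDAP_PARAM_ERROR 0x59                  /* standard LDAP result code */
#define LDAP_SSL_ACCELERATION_MODE_NONE        0
#define LDAP_SSL_ACCELERATION_MODE_SYM_DIG_RND 7
#define MAX_SSL_TIMEOUT 86400                  /* seconds in a day */
typedef struct {                 /* hypothetical mirror of pkcs11arg */
    const char *libpath;
    const char *token_label;
    const char *token_pwd;
    int keystorage;              /* 0 or 1 */
    int accelerator;             /* LDAP_SSL_ACCELERATION_MODE_* */
} example_pkcs11_arg;
/* Key database actually used: ldapkey.kdb when both name and password are
 * NULL (the password then comes from ldapkey.sth). */
const char *example_resolve_kdb(const char *kdb, const char *pwd)
{
    return (kdb == NULL && pwd == NULL) ? "ldapkey.kdb" : kdb;
}
/* 0 if the inputs satisfy the documented rules, else LDAP_PARAM_ERROR. */
int example_check_ssl_init(const char *kdb, int ssl_timeout,
                           const example_pkcs11_arg *arg)
{
    if (ssl_timeout < 0 || ssl_timeout > MAX_SSL_TIMEOUT)
        return LDAP_PARAM_ERROR;               /* > 86,400 is rejected */
    if (arg->keystorage != 0 && arg->keystorage != 1)
        return LDAP_PARAM_ERROR;
    if (arg->accelerator < LDAP_SSL_ACCELERATION_MODE_NONE ||
        arg->accelerator > LDAP_SSL_ACCELERATION_MODE_SYM_DIG_RND)
        return LDAP_PARAM_ERROR;
    /* Accelerator-only use needs an explicit kdb; key-storage-only may
     * pass NULL (the example's reading of the text above). */
    if (arg->keystorage == 0 && kdb == NULL &&
        arg->accelerator != LDAP_SSL_ACCELERATION_MODE_NONE)
        return LDAP_PARAM_ERROR;
    return 0;
}
/* Wrapper that builds the struct with constructed (assumed) token settings. */
int example_check_simple(const char *kdb, int ssl_timeout,
                         int keystorage, int accelerator)
{
    example_pkcs11_arg a = { "/opt/example/pkcs11.so", "tok", "pw",
                             keystorage, accelerator };
    return example_check_ssl_init(kdb, ssl_timeout, &a);
}
/* The listed constants form a bitmask: SYM=1, DIG=2, RND=4. */
int example_accel_has(int accel, int op_bit) { return (accel & op_bit) != 0; }
```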
