Setting up SSL on the LDAP client
To use SSL on an LDAP client, install the idsldap.clt_max_crypto32bit64 and idsldap.clt_max_crypto64bit64 filesets from the second volume of the AIX® DVD along with the Global Security Kit (GSKit) filesets from the AIX® expansion pack DVD.
Follow these steps after setting up SSL on the LDAP server.
- Run the gsk8capicmd or gsk8capicmd_64 command to generate the key database on each client. For more information about generating the key database on each client, refer to the On the C-based LDAP client system section in the The gskcapicmd tool topic.
- Copy the server certificate to each of the clients. If the server SSL uses a self-signed certificate, you must extract the certificate first.
- On each client system, run the gsk8capicmd or gsk8capicmd_64 command to add the server certificate to the key database.
- To enable SSL for each client, run the following
command:
# mksecldap -c -h servername -a adminDN -p pwd -k /usr/ldap/etc/mykey.kdb -p keypwd
The full path to the key database is /usr/ldap/etc/mykey.kdb and the password to the key is keypwd. If the key password is not entered from the command line, the system uses a stashed password file from the same directory. The stashed password file must have the same name as the key database with an extension of .sth such as mykey.sth).