IBM Security Directory Integrator Server Instance Security

Setting up a server instance involves the encryption algorithms the server uses and the configuration files it requires. This section describes both.

This section does not deal with the specifics of client access (from IBM Security Directory Integrator-based clients or others) to an IBM Security Directory Integrator Server; that topic is covered in Remote Server API. Instead, it focuses on the encryption algorithms used and the miscellaneous configuration files needed to set up a server instance.

The IBM Security Directory Integrator Server requires a keystore containing its private key and the associated certificate (public key). This key pair is used for PKI encryption of Config Files, properties in Properties files, Server User registry files and other objects, and it is also used for SSL communication.

The system properties api.keystore and api.key.alias specify the keystore and the alias of the Server's certificate/key within that keystore. The password of the keystore and the password of the key itself (if different from the keystore password) are specified in the Server's stash file. Access to a keystore is guarded by a password, defined when the keystore is created by the person who creates it, and changeable only by providing the current password. In addition, each private key in a keystore can be guarded by its own password. For more information on the stash file of the server, see section Stash File.

The RSA algorithm is used for encryption of files and property values. It is used as a block cipher where the block size is determined by the modulus component of the RSA key. Encryption is done in ECB (Electronic Codebook) mode. PKCS#1 Padding is applied separately on each block. Note that the same RSA key-pair, which is used for encryption of files, is also used for SSL communication with the Server. IBM Security Directory Integrator uses the RSA implementation from the IBMJCE security provider. All key sizes supported by that provider are also supported by IBM Security Directory Integrator. From IBM Security Directory Integrator v7.0, secret key ciphers can also be employed for encryption. RSA is used as the default for compatibility with earlier versions, but secret key ciphers are much faster and much more secure than public key ciphers.

DES and AES algorithms are used for encryption of password-protected configuration files. An encryption key (DES or AES) is derived from the UTF-8 binary representation of the password. The derived encryption key is 64 bit for DES and 128 bit for AES. ECB mode is used with no padding.

When password-protected configuration files are used, the DES/AES keys are derived from the passwords. Apart from this, IBM Security Directory Integrator does not generate keys; existing keys are loaded from an external keystore. Key establishment and keystore access are performed through the IBMJCE and IBMJSSE2 security providers. All key sizes and algorithms supported by those providers can be used with IBM Security Directory Integrator.
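The following is an added illustration, not code from the product or this documentation, of the password-derived AES key and the ECB/NoPadding mode described above, written against the standard JCE API. The page does not state how the UTF-8 password bytes become a 128-bit key, so `deriveAesKey` uses an assumed placeholder derivation (truncate or zero-pad to 16 bytes); the password and plaintext are constructed sample values.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class EcbDemo {
    private static final int AES_BLOCK = 16;

    // ASSUMED derivation (not the product's): UTF-8 bytes of the password,
    // truncated or zero-padded to 128 bits. The page only says the key is
    // "derived from the UTF-8 binary representation of the password".
    static byte[] deriveAesKey(String password) {
        byte[] raw = password.getBytes(StandardCharsets.UTF_8);
        return Arrays.copyOf(raw, AES_BLOCK);   // copyOf zero-pads or truncates
    }

    // With NoPadding the caller owns the length check: JCE throws
    // IllegalBlockSizeException for input that is not a multiple of 16 bytes,
    // so reject it up front with a clearer message.
    static byte[] encryptEcb(byte[] key, byte[] plaintext) throws Exception {
        if (plaintext.length % AES_BLOCK != 0) {
            throw new IllegalArgumentException("plaintext must be a multiple of 16 bytes");
        }
        Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return c.doFinal(plaintext);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = deriveAesKey("config-password");   // constructed sample password
        // Two identical 16-byte blocks: a pattern a reviewer can spot in ECB output.
        byte[] block = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        byte[] pt = new byte[2 * AES_BLOCK];
        System.arraycopy(block, 0, pt, 0, AES_BLOCK);
        System.arraycopy(block, 0, pt, AES_BLOCK, AES_BLOCK);

        byte[] ct = encryptEcb(key, pt);
        byte[] c0 = Arrays.copyOfRange(ct, 0, AES_BLOCK);
        byte[] c1 = Arrays.copyOfRange(ct, AES_BLOCK, 2 * AES_BLOCK);
        // ECB has no chaining or IV, so equal plaintext blocks give equal
        // ciphertext blocks; this is why repeated content in an ECB-encrypted
        // file is visible in the ciphertext without the key.
        System.out.println("identical ciphertext blocks: " + Arrays.equals(c0, c1));
    }
}
```

Run it against any JCE provider (the IBMJCE provider named above, or the default one); the printed result is true, which is the property to keep in mind when reviewing where password-protected configuration files are stored.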