Enabling secure communication to the LDAP server

Secure LDAP protocol (LDAPS) encrypts the communication between the Access Manager component of Content Manager and the directory server. LDAPS prevents the LDAP bind credentials and the sensitive information read from the directory server from being sent as clear text, and it lets Content Manager verify the identity of the directory server against the certificates that you install in the certificate database.

To enable LDAPS, first install a server certificate that is signed by a certificate authority (CA) on the directory server. Next, create a client certificate database that contains the certificates Content Manager must trust. Finally, configure the directory server and the IBM® Cognos® LDAP namespace to use LDAPS.

The certificate database must contain a copy of either

  • The trusted root certificate and all other certificates that make up the chain of trust for the directory server certificate

    The trusted root certificate is the certificate of the root certificate authority that signed the directory server certificate.

  • The directory server certificate only

The certificates must be Base64-encoded ASCII (PEM) files; a binary DER file is not accepted. Only the trusted root certificate may be self-signed; every other certificate in the chain must be signed by the certificate above it.

Before you begin

IBM Cognos works with both the cert8.db and cert7.db versions of the client certificate database. You must use the certutil tool from Network Security Services (NSS) to create the certificate database. IBM Cognos does not accept certificate databases created by other tools. In particular, the certutil.exe that ships with Microsoft Windows for Active Directory Certificate Services is an unrelated tool and cannot create a cert8.db file.

IBM Cognos includes the NSS certutil tool on platforms where NSS is not listed as a system requirement. The tool (certutil.exe on Windows, certutil on UNIX and Linux) is located in the installation_location/bin64 directory. On UNIX and Linux, add installation_location/bin64 to your LD_LIBRARY_PATH so that certutil can find the NSS shared libraries.

For platforms where NSS is listed as a system requirement, use the certutil tool from that NSS installation.

Procedure

  1. Create a directory for the certificate database.
  2. Create the certificate database by typing the following command:

    certutil -N -d certificate_directory

    Where certificate_directory is the directory that you created in step 1.

    This command prompts for a database password and creates a cert8.db file and a key3.db file in the new directory. If your certutil creates cert9.db and key4.db instead (the SQLite database format that NSS 3.35 and later use by default), prefix the directory with dbm: in every certutil command, for example dbm:certificate_directory, to force the legacy cert8.db format that IBM Cognos expects.

  3. Add the certificate authority (CA) certificate or the directory server certificate to the certificate database by typing the appropriate command for the type of certificate:
    • For a CA certificate:

      certutil -A -n certificate_name -d certificate_directory -i CA.cert -t C,C,C

    • For a directory server certificate:

      certutil -A -n certificate_name -d certificate_directory -i server_certificate.cert -t P

    Where certificate_name is an alias that you assign, such as the CA name or the directory server host name, and server_certificate is the prefix of the directory server certificate file. The trust flags -t C,C,C mark the certificate as a CA that is trusted to issue certificates for SSL, email, and object signing; -t P marks the directory server certificate itself as a trusted peer. If the chain of trust contains intermediate certificates, add each one with a separate command and its own alias.

  4. Copy the certificate database directory to the install_location/configuration directory on every location where Content Manager is installed.
  5. Configure the directory server to use LDAPS and restart the directory server.

    For more information, see the documentation for the directory server.

  6. In each Content Manager location where you configured the LDAP namespace to use the directory server, start IBM Cognos Configuration.
  7. In the Explorer window, under Security > Authentication, click the LDAP namespace.
  8. In the Properties window, for the Host and port property, change the port to the secure LDAPS port.

    For the SSL certificate database property, specify the path to the cert8.db file (or cert7.db file) in the certificate database directory that you copied in step 4.

    Important: You can apply this namespace change on-the-fly, without restarting the Cognos Analytics service. If you do so, configure the same value on every computer that runs the Content Manager service and make sure that the certificate database is copied to each of those computers; otherwise, the Content Manager service on the other computers will not start.
  9. In the Explorer window, right-click the LDAP namespace and click Test.

    If the test fails, revise the properties and ensure that the correct certificate is used. Common causes are an incomplete chain of trust in the certificate database, a certificate that is DER encoded rather than PEM, and a value in the Host and port property that does not match the host name in the directory server certificate.

  10. From the File menu, click Save.
  11. From the Actions menu, click Restart.
  12. Repeat steps 6 - 11 on every other location where Content Manager is installed.
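The following script is an added example, not part of the IBM Cognos documentation or of any IBM tool. It automates steps 1 to 4 of the procedure with the NSS certutil switches shown above (-N, -A, -t C,C,C, -t P): it checks that each input file is PEM, splits a CA chain bundle so that every certificate in the chain is added with its own alias, forces the legacy cert8.db format with the dbm: prefix, and lists the resulting database. It also adds an optional check of the LDAPS port with openssl s_client, which corresponds to what the Test action in step 9 exercises. The host name ldap.example.com, the port 636, the directory names, the alias prefixes ldap-ca and ldap-server, and the use of an empty database password are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not IBM Cognos code): build the NSS client certificate
# database that the LDAPS procedure describes. Paths, aliases and the
# host name below are assumptions for illustration.
set -u

# Return 0 if the file is a Base64/PEM certificate (the only format the
# procedure accepts), 1 for DER or anything else.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Print the number of certificates in a PEM bundle (root + intermediates).
# "|| true" keeps a zero count from aborting a caller that uses set -e.
count_pem_certs() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Split a PEM bundle into one file per certificate: chain.0.pem, chain.1.pem,
# ... so that each certificate can be given to certutil -A on its own.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v out="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/chain.%d.pem", out, n); n++ }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
}

# Steps 1 to 3: create the database and import the CA chain and/or the
# directory server certificate. The dbm: prefix forces the legacy
# cert8.db/key3.db format; NSS 3.35+ otherwise defaults to cert9.db/key4.db,
# which this page says IBM Cognos does not accept. --empty-password is an
# assumption: Cognos Configuration has no field for a database password.
build_cert_db() {
    certdir=$1; chain=$2; servercert=$3      # chain or servercert may be ""
    command -v certutil >/dev/null 2>&1 || { echo "certutil not on PATH" >&2; return 2; }
    mkdir -p "$certdir"
    certutil -N -d "dbm:$certdir" --empty-password || return 1
    if [ -n "$chain" ]; then
        is_pem_cert "$chain" || { echo "$chain is not PEM (convert DER with: openssl x509 -inform DER -in ca.der -out ca.pem)" >&2; return 1; }
        split_pem_bundle "$chain" "$certdir/split"
        i=0
        for f in "$certdir"/split/chain.*.pem; do
            certutil -A -n "ldap-ca-$i" -d "dbm:$certdir" -i "$f" -t C,C,C || return 1
            i=$((i + 1))
        done
    fi
    if [ -n "$servercert" ]; then
        is_pem_cert "$servercert" || { echo "$servercert is not PEM" >&2; return 1; }
        certutil -A -n "ldap-server" -d "dbm:$certdir" -i "$servercert" -t P || return 1
    fi
    # Show what is now trusted, and confirm the legacy file names exist
    # (these are the files the SSL certificate database property points at).
    certutil -L -d "dbm:$certdir"
    [ -f "$certdir/cert8.db" ] && [ -f "$certdir/key3.db" ]
}

# Optional check of the LDAPS listener itself, using the same PEM chain:
# succeeds only if the server presents a chain that verifies against it.
check_ldaps() {
    host=$1; port=$2; chain=$3
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$chain" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage (step 4 is then: copy $CERTDIR to install_location/configuration on
# every Content Manager computer). Guarded by an environment variable so the
# functions can be sourced without running anything.
if [ "${COGNOS_BUILD_CERTDB:-}" = "1" ]; then
    CERTDIR=${CERTDIR:-./ldapcerts}
    build_cert_db "$CERTDIR" "${CA_CHAIN:-ca-chain.pem}" "${SERVER_CERT:-}" || exit 1
    check_ldaps "${LDAP_HOST:-ldap.example.com}" "${LDAP_PORT:-636}" "${CA_CHAIN:-ca-chain.pem}" \
        && echo "LDAPS chain verified" || echo "LDAPS verification failed" >&2
fi
```

Run it as COGNOS_BUILD_CERTDB=1 CA_CHAIN=ca-chain.pem LDAP_HOST=ldap.example.com sh build-certdb.sh, then copy the resulting directory as described in step 4. Giving every certificate in the chain its own -A call is deliberate: it does not depend on how a particular certutil build treats a file that contains several certificates, and the aliases it produces make certutil -L output easy to audit later.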