Secure LDAP protocol (LDAPS) encrypts the communication
between the Access Manager component of Content Manager and the directory
server. LDAPS prevents sensitive information in the directory server
and the LDAP credentials from being sent as clear text.
To enable LDAPS, install a server certificate that is signed by a certificate authority in the directory server. Next, create a certificate database to contain the certificates. Finally, configure the directory server and the IBM® Cognos® LDAP namespace to use LDAPS.
The server certificate must be a copy of either:
- The trusted root certificate and all other certificates that make up the chain of trust for the directory server certificate. The trusted root certificate is the certificate of the root certificate authority that signed the directory server certificate.
- The directory server certificate only
The certificates must be Base64 encoded in ASCII (PEM) format.
All certificates except the trusted root certificate must not be self-signed.
Before you begin
IBM Cognos works with both the cert8.db and cert7.db versions of the client certificate database. You must use the certutil tool from Netscape Security Services (NSS) to create the certificate databases. IBM Cognos does not accept other versions of cert8.db files, including those files from the certutil tool that is provided with Microsoft Active Directory.
IBM Cognos includes the certutil tool on platforms where Netscape Security Services (NSS) is not listed as a system requirement. The certutil.exe file is located in the installation_location/bin64 directory. You must add /bin64 to your LD_LIBRARY_PATH. For platforms where NSS is listed as a system requirement, use that version of the certutil tool.
Procedure
- Create a directory for the certificate database.
- Create the certificate database by typing the following command:
  certutil -N -d certificate_directory
  Where certificate_directory is the directory that you created in step 1. This command creates a cert8.db file and a key3.db file in the new directory.
- Add the certificate authority (CA) certificate or the directory server certificate to the certificate database by typing the appropriate command for the type of certificate:
  For a CA certificate:
  certutil -A -n certificate_name -d certificate_directory -i CA.cert -t C,C,C
  For a directory server certificate:
  certutil -A -n certificate_name -d certificate_directory -i server_certificate.cert -t P
  Where certificate_name is an alias that you assign, such as the CA name or host name, and server_certificate is the prefix of the directory server certificate file.
- Copy the certificate database directory to the install_location/configuration directory on every location where Content Manager is installed.
- Configure the directory server to use LDAPS and restart the directory server. For more information, see the documentation for the directory server.
- In each Content Manager location where you configured the LDAP namespace to use the directory server, start IBM Cognos Configuration.
- In the Explorer window, under , click the LDAP namespace.
- In the Properties window, for the Host and port property, change the port to the secure LDAPS port. For the SSL certificate database property, specify the path to the cert7.db file.
  Important: You can configure your namespace on-the-fly. That is, you do not have to restart the Cognos Analytics service after you configure the change. In this case, ensure that you configure the same value for every computer that is running the Content Manager service. Otherwise, the Content Manager service on the other computers will not start. Also, ensure that the database is copied to each Content Manager computer.
- In the Explorer window, right-click the LDAP namespace and click Test. If the test fails, revise the properties, ensuring that the correct certificate is used.
- From the File menu, click Save.
- From the Actions menu, click Restart.
- Repeat steps 6 - 11 on every other location where Content Manager is installed.
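The following POSIX shell script is an added example, not part of the IBM documentation: it automates steps 1 to 3 of the procedure (create the NSS database, load a CA or directory server certificate with the trust flags given above) and enforces the PEM requirement before certutil is called. It assumes certutil is on PATH (or in installation_location/bin64 with LD_LIBRARY_PATH set); the nicknames and paths in the usage section are placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Automates steps 1 to 3:
# create the certificate database and add a CA or server certificate.
# Assumes certutil (NSS) is on PATH; certificate type is "ca" or "server".

# The procedure requires Base64 (PEM) encoded certificates; reject anything
# else before calling certutil, whose own error is less specific.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# Trust flags from the procedure: C,C,C marks a CA certificate as a valid
# issuer, P marks the directory server certificate as a trusted peer.
trust_flags_for() {
    case "$1" in
        ca)     printf 'C,C,C' ;;
        server) printf 'P' ;;
        *)      echo "unknown certificate type: $1" >&2; return 1 ;;
    esac
}

# load_cert <ca|server> <nickname> <certificate_directory> <pem_file>
# Creates cert8.db/key3.db on first use (certutil -N prompts for a database
# password) and adds the certificate under the given nickname.
load_cert() {
    flags=$(trust_flags_for "$1") || return 1
    is_pem_cert "$4" || { echo "not a PEM certificate: $4" >&2; return 1; }
    mkdir -p "$3"
    [ -f "$3/cert8.db" ] || certutil -N -d "$3" || return 1
    certutil -A -n "$2" -d "$3" -i "$4" -t "$flags" || return 1
    # List the database so nickname and trust flags can be checked before the
    # path is entered in IBM Cognos Configuration.
    certutil -L -d "$3"
}

# Stand-alone usage with placeholder names: load the CA certificate, then the
# directory server certificate, into the same database directory.
if [ "${1:-}" = "run" ]; then
    load_cert ca     "ExampleCA"             ./ldap_certdb ./CA.cert &&
    load_cert server "ldap.example.invalid"  ./ldap_certdb ./server_certificate.cert
fi
```

Copy the resulting directory to install_location/configuration on each Content Manager computer, as step 4 requires, before pointing the SSL certificate database property at it.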