Configure LDAP Client Keystore for LDAP Client Authentication
When IBM Db2 Data Management Console establishes a TLS session with the target LDAP server, some LDAP servers require the client to authenticate itself during the TLS handshake (LDAP client authentication, also called client verification). To do so, the LDAP client side needs a keystore.
The LDAP client keystore must contain a client private key and a client certificate as a pair. It is strongly recommended to include the complete certificate chain in the keystore along with the client certificate.
How the client certificate is verified is decided by the configuration of the LDAP server. Regardless of that configuration, it is best to make sure of the following before configuring the keystore:
- The signature algorithm and message digest algorithm used by the LDAP client certificate are supported by the LDAP server.
- The length of the LDAP client's private and public key meets the security policy of the LDAP server.
- The client certificate has not expired.
- The domain name or IP address in the client certificate matches the server on which IBM Db2 Data Management Console is installed.
- The CA that issued the last certificate in the chain provided by the LDAP client is trusted by the LDAP server.
If the target LDAP server does not require client authentication, leave both the 'keystore name' and 'keystore password' fields blank. If the LDAP server does require client verification, all the keystore parameters must be provided together. IBM Db2 Data Management Console does not support a client side keystore without a password.
However, do not set a key password to encrypt the client private key stored in the keystore. IBM Db2 Data Management Console only supports keystores without key passwords.
- Keystore type:
- Only two keystore types are supported: PKCS12 (.p12) and JKS (.jks). Make sure the selected keystore type is consistent with the configured keystore file.
- Keystore name:
- The file name of the LDAP client side keystore, including the file extension (either .p12 or .jks). This keystore file must be placed under the 'Config' folder of the IBM Db2 Data Management Console installation path. For example, the file name 'keystore.p12' indicates that a file exists at <ConsoleInstallPath>/Config/keystore.p12. An absolute file path is not supported here. Special characters and non-alphanumeric Unicode characters in the file name are not recommended, as different operating systems may handle them differently.
- Keystore password:
- The clear text password of the keystore file. This is the store password, not the key password; do not set a key password. When re-configuring, this password must be provided again. It is recommended that the password is longer than 4 characters.
Generate a Keystore File from Private Key and Certificates
Generate a keystore from the LDAP client private key 'key.pem' and the client certificate 'clcert.pem' only, without a CA chain, and write it to 'keystore.p12':
openssl pkcs12 -export -in clcert.pem -inkey key.pem -out keystore.p12 -name <NameOfKeyPair>
Generate a keystore with the LDAP client key and certificate along with the complete certificate chain. For example, with the LDAP client private key stored in 'key.pem', the client certificate in 'clcert.pem', the intermediate CA certificate in 'im_cacert.pem' and the root CA certificate in 'root_cacert.pem', output a keystore named 'keystore.p12' (one -caname per CA certificate, in the order the certificates appear in the chain file):
cat im_cacert.pem root_cacert.pem > ca_cert_chain.pem
openssl pkcs12 -export -in clcert.pem -inkey key.pem -certfile ca_cert_chain.pem -out keystore.p12 -name <NameOfKeyPair> -caname <NameOfFirstCACert> -caname <NameOfSecondCACert>
To convert the PKCS12 keystore to JKS format, use the keytool bundled with IBM Db2 Data Management Console:
<ConsoleInstallPath>/java/jre/bin/keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks
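The following script is an added example and not part of the IBM documentation or product. It ties together the two parts of this page: it builds the PKCS12 keystore the way the openssl commands above do (converting to JKS only if a keytool is on PATH), and then runs the pre-flight checks listed earlier (password opens the store, key and certificate are a pair, the CA chain is present and verifies for TLS client use, the certificate is not expired, the key is long enough, the signature algorithm is a modern one, and the certificate names the console host). Because it has to run offline, it first generates a throwaway root CA, intermediate CA and client certificate; every file name, subject name, password and host name in it is constructed for the demo, and it assumes openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not IBM's code: build a demo client certificate chain, package it
# into a PKCS12 keystore as the page's openssl commands do, then run the page's
# pre-flight checks. Assumes openssl 1.1.1+ on PATH; keytool is optional.
# All names, the password and the host name below are constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-Cons0leStore}"           # store password; the console requires one
CONSOLE_HOST="${CONSOLE_HOST:-dmc.example.test}" # host where the console is installed
cd "$WORK"

# Constructed test PKI: root CA -> intermediate CA -> client key/certificate pair.
build_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Root CA" -keyout root_key.pem -out root_cacert.pem 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout im_key.pem -out im.csr 2>/dev/null
  openssl x509 -req -in im.csr -CA root_cacert.pem -CAkey root_key.pem -CAcreateserial \
    -days 365 -sha256 -extfile ca_ext.cnf -out im_cacert.pem 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:%s\n' \
    "$CONSOLE_HOST" > client_ext.cnf
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$CONSOLE_HOST" \
    -keyout key.pem -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA im_cacert.pem -CAkey im_key.pem -CAcreateserial \
    -days 365 -sha256 -extfile client_ext.cnf -out clcert.pem 2>/dev/null
}

# The page's recipe: client cert + key plus the complete CA chain, one -caname per
# CA certificate, into a single password-protected PKCS12 file.
build_keystore() {
  cat im_cacert.pem root_cacert.pem > ca_cert_chain.pem
  openssl pkcs12 -export -in clcert.pem -inkey key.pem -certfile ca_cert_chain.pem \
    -name ldapclient -caname intermediateca -caname rootca \
    -passout "pass:$STOREPASS" -out keystore.p12
  # JKS variant when a keytool is available (the page uses the console's bundled one).
  # No -destkeypass is given: the page says not to set a separate key password.
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 \
      -srcstorepass "$STOREPASS" -destkeystore keystore.jks -deststoretype jks \
      -deststorepass "$STOREPASS" -noprompt >/dev/null 2>&1 \
      || echo "warning: JKS conversion failed" >&2
  fi
}

# Pre-flight checks from the page. Returns 0 only if every check passes.
check_keystore() {
  store="$1"; pass="$2"; host="$3"
  openssl pkcs12 -in "$store" -passin "pass:$pass" -nocerts -nodes -out x_key.pem 2>/dev/null \
    || { echo "FAIL: store password rejected or no private key in $store" >&2; return 1; }
  openssl pkcs12 -in "$store" -passin "pass:$pass" -nokeys -clcerts -out x_clcert.pem 2>/dev/null
  openssl pkcs12 -in "$store" -passin "pass:$pass" -nokeys -cacerts -out x_cacerts.pem 2>/dev/null
  # Key and certificate must be a pair: compare the public key from each side.
  [ "$(openssl x509 -in x_clcert.pem -noout -pubkey)" = "$(openssl pkey -in x_key.pem -pubout)" ] \
    || { echo "FAIL: private key does not match the client certificate" >&2; return 1; }
  [ "$(grep -c 'BEGIN CERTIFICATE' x_cacerts.pem)" -ge 1 ] \
    || { echo "FAIL: no CA chain stored with the client certificate" >&2; return 1; }
  openssl verify -purpose sslclient -CAfile x_cacerts.pem x_clcert.pem >/dev/null 2>&1 \
    || { echo "FAIL: chain in the keystore does not verify for TLS client use" >&2; return 1; }
  openssl x509 -in x_clcert.pem -noout -checkend 0 >/dev/null \
    || { echo "FAIL: client certificate has expired" >&2; return 1; }
  bits=$(openssl x509 -in x_clcert.pem -noout -text | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is only ${bits:-?} bits" >&2; return 1; }
  sigalg=$(openssl x509 -in x_clcert.pem -noout -text | sed -n '/Signature Algorithm/{s/.*: *//p;q;}')
  case "$sigalg" in
    sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption|ecdsa-with-SHA256|ecdsa-with-SHA384) ;;
    *) echo "FAIL: signature algorithm '$sigalg' is weak or unusual" >&2; return 1 ;;
  esac
  openssl x509 -in x_clcert.pem -noout -text | grep -q "DNS:$host" \
    || { echo "FAIL: certificate SAN does not name the console host $host" >&2; return 1; }
  echo "OK: $store passes all pre-flight checks for host $host"
}

build_test_pki
build_keystore
check_keystore keystore.p12 "$STOREPASS" "$CONSOLE_HOST"
```

To check a real keystore, run only the check_keystore function against the file in the console's Config folder, with the store password and the console's host name as arguments; each failing check prints which of the page's requirements is not met. The negative results are as useful as the positive one: a wrong store password or a certificate issued for a different host name both make the function return non-zero, which is the same mismatch the LDAP server would reject during the handshake.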