Managing LDAP location for user certificates

You can use Digital Certificate Manager (DCM) to store user certificates in a Lightweight Directory Access Protocol (LDAP) server directory location to extend Enterprise Identity Mapping to work with user certificates.

By default, DCM stores the user certificates that the local Certificate Authority (CA) issues with IBM® i user profiles. However, you can configure DCM together with Enterprise Identity Mapping (EIM) so that when the local CA issues a user certificate, the public copy of that certificate is stored in a specific Lightweight Directory Access Protocol (LDAP) server directory location. Combining EIM with DCM in this way makes the certificates more readily available to other applications, and it also lets you use EIM to manage user certificates as one type of user identity within your enterprise.

Note: If you want a user to store a certificate from a different CA in the LDAP location, the user must complete the Assign a user certificate task.

EIM is an eServer™ technology that allows you to manage user identities in your enterprise, including IBM i user profiles and user certificates. If you want to use EIM to manage user certificates, you need to perform these EIM configuration tasks before performing any DCM configuration tasks:

  1. Use the EIM Configuration wizard in System i® Navigator to configure EIM.
  2. Create the X.509 registry in the EIM domain to be used for certificate associations.
  3. Select the Properties menu option for the Configuration folder in the EIM domain and enter the X.509 registry name.
  4. Create an EIM identifier for each user that you want to have participate in EIM.
  5. Create a target association between each EIM identifier and that user's user profile in the local IBM i user registry. Use the EIM registry definition name for the local IBM i user registry that you specified in the EIM Configuration wizard.

After you complete the necessary EIM configuration tasks, you must perform the following tasks to finish the overall configuration for using EIM and DCM together:

  1. In DCM, use the Manage LDAP Location task to specify the LDAP directory that DCM will use to store a user certificate that the local CA creates. The LDAP location does not need to be on the local IBM i model, nor does it need to be the same LDAP server that EIM uses. When you configure the LDAP location in DCM, DCM uses the specified LDAP directory to store all user certificates that the local CA issues. DCM also uses the LDAP location to store user certificates processed by the Assign a user certificate task instead of storing the certificate with a user profile.
  2. Run the Convert User Certificates (CVTUSRCERT) command. This command copies existing user certificates into the appropriate LDAP directory location. However, the command only copies certificates for a user that has had a target association created between an EIM identifier and the user profile. The command then creates a source association between each certificate and the associated EIM identifier. The command uses the certificate's subject distinguished name (DN), issuer DN, and a hash of these DNs along with the certificate's public key to define the user identity name for the source association.

Note: To anonymously bind to an LDAP server for CRL processing, you must use the Directory Server Web Administration Tool and select the "Manage schema" task to change the security class (also referred to as "access class") of the certificateRevocationList and authorityRevocationList attributes from "critical" to "normal", and leave both the Login distinguished name field and the Password field blank.