Using Web Administration

You can configure the security settings using the instructions at Web Administration Tool.

About this task

Do the following steps:

Procedure

  1. Go to the Web Administration console.
  2. Click Server administration.
  3. Click Manage security properties.
  4. Click Settings.
  5. To enable the type of secure connection, select one of the following radio buttons:
    • None: Enables the server to receive only unsecure communications from the client. The default port is 389.
    • SSL: Enables the server to receive either secure (default port 636) or unsecure (default port 389) communications from the client. The default port is 636.
    • SSL only: Enables the server to receive only secure communications from the client. This is the most secure way to configure your server. The default port is 636.
    • TLS: Enables the server to receive secure and unsecure communications from the client over the default port, 389. For secure communications the client must start the TLS extended operation. See Transaction Layer Security for more information.
    • SSL and TLS: Enables the server to receive secure and unsecure communications from the client over the default port, 389. For secure communications on the default port, the client must start the TLS extended operation. The server also receives secure communications over the SSL port, 636. See Transaction Layer Security for more information.
    Note:
    • The TLS and the SSL and TLS options are only available if your server supports TLS.
    • TLS and SSL do not interoperate. Sending a start TLS request over the secure port results in an operations error.
  6. Select the authentication method. Note: You must distribute the server certificate to each client. For server and client authentication you also must add the certificate for each client to the server's key database.
    • Server authentication: For server authentication, the Directory Server supplies the client with the Directory Server's X.509 certificate during the initial SSL handshake. If the client validates the server's certificate, then a secure, encrypted communication channel is established between the Directory Server and the client application.
      For server authentication to work, the Directory Server must have a private key and associated server certificate in the server's key database file.
    • Server and client authentication: This type of authentication provides for two-way authentication between the LDAP client and the LDAP server. With client authentication, the LDAP client must have a digital certificate (based on the X.509 standard). This digital certificate is used to authenticate the LDAP client to the Directory Server. See Client authentication.
  7. When you are finished, click Apply to save your changes without exiting, click OK to apply your changes and exit, or click Cancel to exit this panel without making any changes.
  8. You must stop and restart both the Directory Server and the Administration Server for the changes to take effect.
    1. Stop the server. See Start or stop the server, if you need information about performing this task.
    2. Stop the Administration Server using one of the following methods.
      • Remotely, issue the command: ibmdirctl -D <adminDN> -w <adminPW> admstop
      • Locally, issue the command: idsdiradm <instancename> -k
      See Stopping an instance of the directory Administration Server, if you need information about performing this task.
    3. Start the Administration Server. This must be done locally.
      • Issue the command: idsdiradm <instancename>
      See Starting an instance of the directory Administration Server, if you need information about performing this task.
    4. Start the server. See Start or stop the server, if you need information about performing this task.
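After the servers are restarted, it is worth confirming from a client that the listener behaves the way the selected radio button implies: port 636 completes a TLS handshake against the distributed server certificate, port 389 answers a Start TLS extended operation with success (TLS modes) or is not reachable at all (SSL only), and a Start TLS request sent over the secure port comes back as operationsError (LDAP result code 1), as the note above describes. The following script is an added example written for this page; it is not part of the IBM documentation or the product. It uses only the Python standard library and hand-encodes the LDAP messages, so it does not need an LDAP client library. The host name, the certificate file path, the message ID and the ports passed on the command line are assumptions.

```python
"""Probe an LDAP server's SSL / Start TLS behaviour after the settings above are applied.

Added example; standard library only. Host, ports, cafile path and message ID
are assumptions, not values from the product documentation.
"""
import socket
import ssl

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # Start TLS extended operation (RFC 4511)
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError", 53: "unwillingToPerform"}


def ber(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }.

    message_id is assumed to be below 128 so it fits one INTEGER content byte.
    """
    ext_req = ber(0x77, ber(0x80, START_TLS_OID))      # 0x60 | 23, then context tag [0]
    return ber(0x30, ber(0x02, bytes([message_id])) + ext_req)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data: bytes):
    """Return (message_id, result_code, diagnostic_message) from an ExtendedResponse."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)                     # messageID INTEGER
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:                                    # 0x60 | 24 = extendedResp
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = read_tlv(op, 0)                     # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)            # matchedDN
    _, diag, _ = read_tlv(op, pos)                     # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def probe_starttls(host: str, port: int = 389, timeout: float = 5.0) -> int:
    """Send Start TLS on a plain TCP socket and return the LDAP resultCode."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        data = sock.recv(4096)
    return parse_extended_response(data)[1]


def probe_ldaps(host: str, cafile: str, port: int = 636, timeout: float = 5.0) -> str:
    """Complete a TLS handshake on the SSL port, trusting only the distributed server
    certificate (step 6 above), and return the negotiated protocol version."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"     # assumption
    cafile = sys.argv[2] if len(sys.argv) > 2 else "server-cert.pem"      # assumption
    try:
        print("port 636 handshake:", probe_ldaps(host, cafile))
    except (OSError, ssl.SSLError) as exc:
        print("port 636:", exc)
    try:
        code = probe_starttls(host, 389)
        print("Start TLS on 389:", RESULT_NAMES.get(code, code))
    except OSError as exc:
        print("port 389:", exc, "(consistent with the 'SSL only' setting)")
```

Run it as `python probe_ldap.py <host> <server-cert.pem>`. With the TLS or SSL and TLS setting the second line should read `success`; with SSL only, port 389 is refused. Pointing `probe_starttls` at port 636 sends the extended operation in the clear to the secure port, which the server rejects rather than answers, matching the note about the two modes not interoperating.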