Securing your server with SSL

The high-level steps provided here are required to enable SSL support for Directory Server for server authentication.

About this task

These steps assume that you have already installed and configured IBM® Security Directory Suite.

Procedure

  1. Install the GSKit package if it is not installed.
    See the Installation and Configuration section of the IBM Security Directory Suite documentation for information on installing the GSKit package.
    Note:
    • If the GSKIT_LOCAL_INSTALL_MODE environment variable is set to true, the user can use the GSKit version of their choice by setting its path in LD_LIBRARY_PATH. If the environment variable is set, the library found through the path set in LD_LIBRARY_PATH, LIB, or LIBPATH is loaded. If this environment variable is not set, the GSKit library installed on the system (for example, /usr/lib or /usr/lib64 on UNIX-based systems) is loaded. This environment variable is supported only on the client side. All server-side wrapper scripts explicitly unassign this variable.
    • The GSKIT_CLIENT_VERSION environment variable is set to the major version of the GSKit library. With this environment variable, the user can choose the major version of the GSKit library to use with Directory Server. The names of the GSKit libraries change with the major version number: for example, the SSL library shipped with GSKit 7 is named gsk7ssl, and with GSKit 8 it is named gsk8ssl. This environment variable is supported only on the client side. All server-side wrapper scripts explicitly unassign this variable.
  2. Generate the Directory Server private key and server certificate using the ikeyman utility.
    The server's certificate can be signed by a commercial CA, such as VeriSign, or it can be self-signed with the ikeyman tool. The CA's public certificate (or the self-signed certificate) must also be distributed to the client application's key database file.
    Note: With IBM Security Directory Suite, Version 8.0.1.x, GSKit, Version 8.0.50.xx is provided. The gskikm utility is not available with GSKit version 8.
  3. Store the server's key database file and associated password stash file on the server. The default path for the key database, the instance_directory\etc directory, is a typical location.
  4. Access the Web-based LDAP administrative interface to configure the LDAP server. See Using Web Administration for the procedures.
  5. If you also want to have secure communications between a master Directory Server and one or more replica servers, you must complete the following additional steps:
    1. Configure the replica Directory Server.
      Follow the steps shown above for the master, but perform them for each replica. When configuring a replica for SSL, the replica has the same role as the master with respect to SSL. The master is an LDAP client (using SSL) when communicating with a replica.
    2. Configure the master Directory Server.
      1. Add the replica's signed server certificate to the master Directory Server's key database file as a trusted root. In this situation, the master directory is actually an LDAP client. If you are using self-signed certificates, you must extract the self-signed certificate from each replica Directory Server, add them to the master's key database, and ensure that they are marked as trusted roots. Essentially, you are configuring the master as an SSL client of the replica server.
      2. Configure the master Directory Server to be aware of the replica server. Be sure to set the replicaPort attribute to use the port that the replica Directory Server uses for SSL communication.
    3. Restart both the master server and each replica server.
    Note:
    1. Only one key database is permitted per LDAP server.
    2. The user must grant the required permissions on the key database files to the instance owner for which the files will be used.
    3. For SSL setup in a replication environment, you can use a separate kdb file between the supplier and the consumer from the one that the front end of the supplier uses (under cn=SSL, cn=Configuration) to communicate with LDAP clients in SSL mode.
    4. In the case of a Proxy Server that is configured for SSL communication with a backend server, the Proxy Server uses the same kdb files that are specified in the server configuration file (under cn=SSL, cn=Configuration).
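The following script is an added example, not part of the IBM documentation and not a GSKit or Directory Server script: it models the client-side library selection rule described in the notes under step 1, so that an administrator can see which GSKit SSL library a client process would pick up under a given environment, and why the server-side wrapper scripts clear those variables. The library base names gsk7ssl and gsk8ssl come from the page; the lib<name>.so file naming, the SYSLIBDIR variable (used so the example runs against a temporary directory), and the fallback to major version 8 when GSKIT_CLIENT_VERSION is unset are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM code): models how a GSKit client chooses its SSL
# library from GSKIT_LOCAL_INSTALL_MODE and GSKIT_CLIENT_VERSION.
# Assumptions: libraries are files named lib<name>.so, and SYSLIBDIR can
# override the system library directories so the example runs anywhere.

# gskit_lib_name [major]: base name of the GSKit SSL library for a major
# version (gsk7ssl, gsk8ssl). Defaults to 8 (assumed default for this example).
gskit_lib_name() {
    printf 'gsk%sssl' "${1:-8}"
}

# gskit_resolve: print the path of the GSKit SSL library a client would load.
#   GSKIT_LOCAL_INSTALL_MODE=true -> search LD_LIBRARY_PATH, LIB, LIBPATH in turn
#   otherwise                     -> the system library directories only
# GSKIT_CLIENT_VERSION selects the major version, and so the library name.
# Returns 1 when no matching library exists on the search path.
gskit_resolve() {
    lib="lib$(gskit_lib_name "${GSKIT_CLIENT_VERSION:-8}").so"
    if [ "${GSKIT_LOCAL_INSTALL_MODE:-}" = "true" ]; then
        search="${LD_LIBRARY_PATH:-}:${LIB:-}:${LIBPATH:-}"
    else
        # assumed system directories; SYSLIBDIR overrides them for testing
        search="${SYSLIBDIR:-/usr/lib64:/usr/lib}"
    fi
    # split the colon-separated list into positional parameters
    IFS=:
    set -- $search
    unset IFS
    for d in "$@"; do
        if [ -n "$d" ] && [ -f "$d/$lib" ]; then
            printf '%s\n' "$d/$lib"
            return 0
        fi
    done
    return 1
}

# server_wrapper_resolve: what a server-side wrapper script does before
# starting the server. Both client-only variables are unassigned first, so a
# library placed on LD_LIBRARY_PATH is never picked up by the server process;
# only the system-installed GSKit library is considered.
server_wrapper_resolve() {
    unset GSKIT_LOCAL_INSTALL_MODE GSKIT_CLIENT_VERSION
    gskit_resolve
}

# Example invocation: report the library a client in this environment would load.
gskit_resolve || echo "no GSKit SSL library found on the search path" >&2
```

Run it as `GSKIT_LOCAL_INSTALL_MODE=true LD_LIBRARY_PATH=/opt/gskit/lib sh gskit_resolve.sh` to see the client-side path selected, and compare with `server_wrapper_resolve`, which ignores the variables exactly as the server wrappers described in the notes do. The point for a deployment review is that these two variables influence only client tools; a server that honored them would load whichever library happened to be on LD_LIBRARY_PATH, which is why the wrappers unassign them.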