Setting up the directory server for SSL connection

As part of setting up an IBM Verify Identity Governance - Virtual Appliance, you can configure the directory server for an SSL connection.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

Note: This step is optional for a sandbox environment that is used for internal testing, but it is mandatory for a production environment.

The iKeyman utility is included with IBM® Security Directory Server.

Procedure

  1. Create a certificate.
    Use the iKeyman utility to create a self-signed certificate and extract the certificate to make it available for secure communication.
    1. Start the iKeyman utility.
      For example, type the gsk7ikm command in the /usr/local/ibm/gsk7/bin directory.
      For Windows, start the utility from C:\Program Files\IBM\ldap\V6.4\java\jre\bin.
    2. If the iKeyman utility cannot locate Java™, run this command:
      export JAVA_HOME=/opt/IBM/ldapv6.4/java/jre
    3. On the IBM Key Management page, select Key Database File > Open > New.
    4. Select a default database type of CMS.
    5. In the File Name field, type a name for the CMS key database file.
      For example, type LDAPSERVER_TEST1234.kdb.

      The value follows the pattern application_serverhostname, where application is the directory server and serverhostname is the server that hosts the directory server.

    6. In the Location field, specify a location to store the key database file.
      For example, type /certs.
    7. Click OK.
    8. On the Password menu:
      1. Type and then confirm a password, such as Pa$$word1.
      2. Specify the highest password strength possible.
      3. Select the Stash the password to a file? option.
      4. Click OK.
    9. Select Create > New Self Signed Certificate and specify a label that matches the CMS key database file name, such as LDAPSERVER_TEST1234.

      This example uses the same name (LDAPSERVER_TEST1234) for both the certificate name and the key database file that contains the certificate.

    10. Type IBM in the Organization field, accept the remaining field default values, and click OK.
      A self-signed certificate, including public and private keys, now exists.
    11. For subsequent use with clients, extract the contents of the certificate into an ASCII Base-64 Encoded file. Complete these steps:
      1. Select Extract Certificate.
      2. Specify a data type of DER Data.

        A file with an extension of .der contains binary data. This format can be used only for a single certificate. Specify this format to extract a self-signed certificate.

      3. Specify a file name for the certificate, such as LDAPSERVER_TEST1234.der.
      4. Specify a location, such as /certs, in which you previously stored the key database file.
      5. Click OK.
    12. Verify that the /certs directory contains the following files:
      Table 1. Files in the /certs directory
      File                      Description
      LDAPSERVER_TEST1234.crl   Not used in this example.
      LDAPSERVER_TEST1234.der   The certificate.
      LDAPSERVER_TEST1234.kdb   Key database file that contains the certificate.
      LDAPSERVER_TEST1234.rdb   Not used in this example.
      LDAPSERVER_TEST1234.sth   Stash file that contains the key database password.
      Note: If you use an existing or newly acquired certificate from a CA, copy it to the /certs directory on the root file system of the directory server.
    For more information, see:
  2. Enable the directory server for an SSL connection.
    Use an LDIF file to configure SSL on the directory server and to specify a secure port.
    1. If the directory server is not running, start the server.
      For example, on UNIX, type /opt/IBM/ldap/V6.4/sbin/ibmslapd -I itimldap, where -I specifies the instance.
      On Windows, type ibmslapd.cmd -I itimldap from the C:\Program Files\IBM\ldap\V6.4\sbin directory, where -I specifies the instance.
    2. Create an LDIF file, such as ssl.ldif, with the following data:
      dn: cn=SSL,cn=Configuration
      changetype: modify
      replace: ibm-slapdSecurity
      ibm-slapdSecurity: sslonly
      -
      replace: ibm-slapdSslKeyDatabase
      ibm-slapdSslKeyDatabase: /certs/LDAPSERVER_TEST1234.kdb
      -
      add: ibm-slapdSslKeyDatabasePW
      ibm-slapdSslKeyDatabasePW: server

      Note: The lines that contain only the - (hyphen) character separate the individual changes and are required by the LDIF format. The value of ibm-slapdSslKeyDatabasePW is the password that you set for the key database file when you created it.
      To change the secured port from the default port number 636, append these lines, preceded by a separator line that contains only the - character:
      -
      replace: ibm-slapdSecurePort
      ibm-slapdSecurePort: 637
      If the key database contains more than one certificate, append these lines, again preceded by a separator line, to specify the label of the certificate that the directory server uses for the SSL connection:
      -
      add: ibm-slapdSslCertificate
      ibm-slapdSslCertificate: certificatename
    3. Place the LDIF file in the following directory:
      /opt/IBM/ldap/V6.4/bin
    4. Run the idsldapmodify command to apply the changes in the LDIF file to the server configuration:
      idsldapmodify -D cn=root -w passwd -i ssl.ldif
      -D
      Binds to the LDAP directory as the specified DN, which is cn=root in this example.
      -w
      Uses the passwd value, which is the directory server administrator password, as the password for authentication.
      -i
      Reads the entry modification information from an LDIF file instead of from standard input. In this example, the file is named ssl.ldif.

      A successful result produces a message similar to the following one:

      Operation 0 modifying entry cn=SSL,cn=Configuration
    5. Test the directory server to confirm that it is listening on the default secure port 636 (or on the port that you configured with ibm-slapdSecurePort). Follow these steps:
      1. Stop the directory server. On UNIX, type /opt/IBM/ldap/V6.4/sbin/ibmslapd -k -I itimldap. On Windows, type ibmslapd.cmd -k -I itimldap from the C:\Program Files\IBM\ldap\V6.4\sbin directory. In both commands, -I specifies the instance.
      2. Start the directory server. On UNIX, type /opt/IBM/ldap/V6.4/sbin/ibmslapd -I itimldap. On Windows, type ibmslapd.cmd -I itimldap from the C:\Program Files\IBM\ldap\V6.4\sbin directory. In both commands, -I specifies the instance.
      3. Determine whether the directory server is listening on port 636.

        For example, display the network sockets of the host that runs the directory server. On UNIX, type netstat -an | grep 636. On Windows, type netstat -ano | find "636".

        A return message that indicates the port is listening looks like this example:
        tcp    0   0 9.42.62.72:636  0.0.0.0:*   LISTEN
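As an added pre-flight check for the ssl.ldif record built in step 2 (example code written for this page, not part of the IBM documentation), the following script parses the LDIF modify record, reports a missing - separator between changes, and confirms that the key database exists and that either a password or a stash file is available. It assumes a UNIX-style absolute path for the key database and that the server uses the .sth stash file when ibm-slapdSslKeyDatabasePW is not set.

```python
# Added example (not from the IBM documentation): pre-flight check of the
# ssl.ldif modify record before it is applied with idsldapmodify.

def parse_modify(ldif):
    """Return (dn, changes, errors); changes = [(op, attribute, [values])]."""
    dn, changes, cur, errors = None, [], None, []
    for n, raw in enumerate(ldif.splitlines(), 1):
        line = raw.strip()
        key, colon, value = (p.strip() for p in line.partition(":"))
        if line == "-":                        # '-' closes the current change op
            if cur:
                changes.append(cur)
            cur = None
        elif not line or key == "changetype":
            continue
        elif key == "dn":
            dn = value
        elif key in ("add", "replace", "delete"):
            if cur:                            # a new op with no '-' before it
                errors.append(f"line {n}: missing '-' before {line!r}")
                changes.append(cur)
            cur = (key, value, [])
        elif colon and cur and key == cur[1]:
            cur[2].append(value)
        else:
            errors.append(f"line {n}: unexpected {raw!r}")
    if cur:
        changes.append(cur)
    return dn, changes, errors

def check_ssl_config(ldif, present):
    """List problems; present = set of paths on the server (injected so this runs offline)."""
    dn, changes, errors = parse_modify(ldif)
    if dn != "cn=SSL,cn=Configuration":
        errors.append(f"dn {dn!r} is not cn=SSL,cn=Configuration")
    attrs = {attr: vals for _, attr, vals in changes}
    if attrs.get("ibm-slapdSecurity", [""])[0].lower() not in ("ssl", "sslonly"):
        errors.append("ibm-slapdSecurity must be ssl or sslonly to enable SSL")
    kdb = attrs.get("ibm-slapdSslKeyDatabase", [""])[0]   # UNIX path assumed
    if not (kdb.startswith("/") and kdb.endswith(".kdb") and kdb in present):
        errors.append(f"ibm-slapdSslKeyDatabase {kdb!r}: need an existing absolute .kdb")
    elif "ibm-slapdSslKeyDatabasePW" not in attrs and kdb[:-4] + ".sth" not in present:
        errors.append("no ibm-slapdSslKeyDatabasePW and no stash (.sth) file beside the .kdb")
    return errors

# Constructed sample: the procedure's record, relying on the stash file instead of a cleartext PW.
SAMPLE = ("dn: cn=SSL,cn=Configuration\nchangetype: modify\nreplace: ibm-slapdSecurity\n"
          "ibm-slapdSecurity: sslonly\n-\nreplace: ibm-slapdSslKeyDatabase\n"
          "ibm-slapdSslKeyDatabase: /certs/LDAPSERVER_TEST1234.kdb\n")
FILES = {"/certs/LDAPSERVER_TEST1234.kdb", "/certs/LDAPSERVER_TEST1234.sth"}
```

Run check_ssl_config on the real file contents and on a set built from os.listdir of /certs; an empty list means the record is consistent with the procedure.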