Adding credentials

Use the instructions provided here to add replication credentials with the Web Administration Tool.

About this task

Expand the Replication management category in the navigation area of the Web Administration Tool and click Manage credentials.
  1. Select the location that you want to use to store the credentials from the list of subtrees. The Web Administration Tool allows you to define credentials in three locations.
    • cn=replication,cn=localhost, which keeps the credentials only on the current server.
      Note: In most replication cases, locating credentials in cn=replication,cn=localhost is preferred because it provides greater security than replicated credentials located on the subtree. However, there are certain situations in which credentials located on cn=replication,cn=localhost are not available. If you are trying to add a replica under a server, for example serverA, and you are connected to a different server, serverB, with the Web Administration Tool, the Select credentials field does not display the option cn=replication,cn=localhost. This is because you cannot read or update any information under cn=localhost of serverA while you are connected to serverB. The cn=replication,cn=localhost location is available only when the server under which you are trying to add a replica is the same server that you are connected to with the Web Administration Tool.
    • cn=replication,cn=IBMpolicies, which is available even when the server under which you are trying to add a replica is not the same server that you are connected to with the Web Administration Tool. Credentials placed under this location are replicated to the servers.
      Note: The location cn=replication,cn=IBMpolicies is available only if the IBMpolicies support OID, 1.3.18.0.2.32.18, is present under the ibm-supportedcapabilities attribute of the root DSE.
    • Within the replicated subtree, in which case the credentials are replicated with the rest of the subtree. Credentials placed in the replicated subtree are created beneath the ibm-replicagroup=default entry for that subtree.
      Note: If no subtrees are displayed, go to Adding a subtree for instructions about creating the subtree that you want to replicate.
  2. Click Add.
  3. Enter the name for the credentials that you are creating, for example, mycreds. The cn= prefix is prefilled in the field for you.
  4. Select the type of authentication method you want to use and click Next.
    • If you selected simple bind authentication:
      1. Enter the DN that the server uses to bind to the replica, for example, cn=any.
      2. Enter the password that the server uses when it binds to the replica, for example, secret.
      3. Enter the password again to confirm that there are no typographical errors.
      4. If you want, enter a brief description of the credentials.
      5. Click Finish.
      Note: You might want to record the credential's bind DN and password for future reference. You will need this password when you create the replica agreement.
    • If you selected Kerberos authentication:
      1. Enter your Kerberos bind DN.
      2. Enter a keyfile (the fully qualified file specification of the key database file). Leave this field blank to use the server's LDAP service name.
      Note: The server's LDAP service principal name is service/hostname@realm. This follows standard Kerberos conventions; the service is always ldap. For example, for host myserver.mytown.mycompany.com in Kerberos realm "MYTOWN.MYCOMPANY.COM", the server's principal name is ldap/myserver.mytown.mycompany.com@MYTOWN.MYCOMPANY.COM. The server gets the host name from the system TCP/IP configuration; the realm name comes from the realm name configured on the Kerberos tab of the Security properties panel.
      3. If you want, enter a brief description of the credentials. No other information is necessary. See Kerberos setup for additional information.
      4. Click Finish.
      The Kerberos panel takes an optional bind DN of the form ibm-kn=xxx@realm and an optional key tab file name (referred to as keyfile in the Web Administration Tool). If a bind DN is specified, the server uses the specified principal name to authenticate to the consumer server. Otherwise, the server's Kerberos service name (ldap/host-name@realm) is used. If a key tab file is specified, the server uses it to obtain the credentials for the specified principal name. If no key tab file is specified, the server uses the key tab file specified in the server's Kerberos configuration. By default, the supplier uses its own service principal to bind with the consumer. For example, if the supplier is named master.our.org.com and the realm is SOME.REALM, the DN is ibm-Kn=ldap/master.our.org.com@SOME.REALM. The realm value is case insensitive.
      Note: If more than one supplier uses Kerberos authentication to replicate to the same consumer, you must configure all suppliers to use the same Kerberos principal rather than letting them default to using their Kerberos service name.
    • If you selected SSL with certificate authentication and you are using the server's certificate, you do not need to provide any additional information. If you choose to use a certificate other than the server's:
      1. Enter the key file name.
      2. Enter the key file password.
      3. Reenter the key file password to confirm it.
      4. Enter the key label.
      5. If you want, enter a brief description.
      6. Select the Enable PKCS#11 interface support check box to enable PKCS#11 support of crypto hardware.
      7. Click Finish.
      See Secure Sockets Layer for additional information.
Note: If an external credential object is selected while you are adding credentials on consumers during an Add master operation using the Web Administration Tool, the following settings must be configured on the machine where the Web server is running:
  • In the JAVA_HOME\jre\lib\security\java.security file, check whether the following two entries, which register the JCE provider and the CMS provider, are present. If the entries do not exist, add them to the java.security file:
    security.provider.X=com.ibm.crypto.provider.IBMJCE
    security.provider.X+1=com.ibm.security.cmskeystore.CMSProvider
    where X is the next number in the provider order.
  • GSKit must be installed, and install_location\gsk8\lib or install_location\gsk8\lib64 (depending on the platform) must be in the system path.
  • For the Web Administration Tool to read the keyfile containing the credentials information that the master server uses to connect to the replica, and to create the credentials on the replica, the keyfile must be present in C:\temp on Windows™ platforms and in /tmp on UNIX™.
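As an added example that is not part of the IBM documentation, the following Python helper performs the java.security check described above: it finds the existing security.provider.N entries, reports whether the IBMJCE and CMSProvider entries are already registered, and otherwise computes the X and X+1 lines to add after the last existing provider. The sample file contents are constructed for the example.

```python
import re

IBMJCE = "com.ibm.crypto.provider.IBMJCE"
CMS_PROVIDER = "com.ibm.security.cmskeystore.CMSProvider"

# Matches "security.provider.<N>=<class>" and tolerates trailing whitespace/tabs.
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed excerpt of a java.security file (not a real file from any system).
SAMPLE_JAVA_SECURITY = """\
# constructed sample: provider list of a java.security file
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
securerandom.source=file:/dev/urandom
"""


def registered_providers(text):
    """Return {index: provider class} for every security.provider.N line."""
    providers = {}
    for line in text.splitlines():
        match = PROVIDER_RE.match(line)
        if match:
            providers[int(match.group(1))] = match.group(2)
    return providers


def missing_provider_entries(text):
    """Return the security.provider lines still needed, numbered X and X+1.

    X is the next free number after the highest existing provider index,
    so the new entries extend the provider order instead of colliding with it.
    """
    providers = registered_providers(text)
    present = set(providers.values())
    next_index = max(providers, default=0) + 1
    additions = []
    for provider_class in (IBMJCE, CMS_PROVIDER):
        if provider_class not in present:
            additions.append(f"security.provider.{next_index}={provider_class}")
            next_index += 1
    return additions


def patched_java_security(text):
    """Return the file text with any missing entries inserted after the last provider line."""
    additions = missing_provider_entries(text)
    if not additions:
        return text  # both providers already registered; nothing to change
    lines = text.splitlines()
    last = max((i for i, line in enumerate(lines) if PROVIDER_RE.match(line)), default=-1)
    lines[last + 1:last + 1] = additions
    return "\n".join(lines) + "\n"
```

Run missing_provider_entries on the real JAVA_HOME\jre\lib\security\java.security contents to see exactly which lines are missing before editing the file.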