Securing your server with SSL

The high-level steps provided here are required to enable SSL support for IBM® Security Verify Directory for server authentication.

About this task

These steps assume that you have already installed and configured IBM Security Verify Directory.

Procedure

  1. Install the GSKit package if it is not installed.
    See the Installing and configuring section of the IBM Security Verify Directory documentation for information on installing the GSKit package.
    Note:
    • If the GSKIT_LOCAL_INSTALL_MODE environment variable is set to true, a user can use the GSKit version of their choice by setting its library path in LD_LIBRARY_PATH. When the environment variable is set, the library found through the path in LD_LIBRARY_PATH, LIB, or LIBPATH is loaded. When it is not set, the GSKit library installed on the system (for example, /usr/lib or /usr/lib64 on a UNIX™ based system) is loaded. This environment variable is supported only on the client side. All server-side wrapper scripts explicitly unset this variable.
    • The GSKIT_CLIENT_VERSION environment variable is set to the major version of the GSKit library. With this environment variable, a user can select the major version of the GSKit library to use with Security Verify Directory. The names of the GSKit libraries change with the major version number; for example, the SSL library shipped with GSKit 7 is named gsk7ssl and the one shipped with GSKit 8 is named gsk8ssl. This environment variable is supported only on the client side. All server-side wrapper scripts explicitly unset this variable.
  2. Generate the IBM Security Verify Directory private key and server certificate using the gsk8capicmd utility.
    The server's certificate can be signed by a commercial Certificate Authority (CA), such as VeriSign, or it can be self-signed with the gsk8capicmd tool. The CA's public certificate (or the self-signed server certificate) must also be distributed to the client application's key database file.
  3. Store the server's key database file and the associated password stash file on the server. The preferred location for the key database and stash file is the instance_directory\etc folder.
  4. Access the Web-based LDAP administrative interface to configure the LDAP server. See Using Web Administration for the procedures.
  5. If you also want to have secure communications between a master IBM Security Verify Directory and one or more replica servers, you must complete the following additional steps:
    1. Configure the replica directory server.
      Follow the steps shown above for the master, but perform them for each replica. When you configure a replica for SSL, the replica has the same role as the master with respect to SSL. The master acts as an LDAP client (over SSL) when it communicates with a replica.
    2. Configure the master directory server.
      1. Add the replica's signed server certificate to the master directory server's key database file as a trusted root. In this situation, the master directory server is actually an LDAP client. If you use self-signed certificates, you must extract the self-signed certificate from each replica IBM Security Verify Directory, add them all to the master's key database, and ensure that they are marked as trusted roots. Essentially, you are configuring the master as an SSL client of the replica server.
      2. Configure the master IBM Security Verify Directory to be aware of the replica server. Be sure to set the replicaPort attribute to the port that the replica IBM Security Verify Directory uses for SSL communication.
    3. Restart both the master server and each replica server.
    Note:
    1. Only one key database is permitted per LDAP server.
    2. You must grant the instance owner the required permissions on the key database files that the instance uses.
    3. For SSL setup in a replication environment, the kdb file used between supplier and consumer can be different from the one that the supplier's front end uses (configured under cn=SSL, cn=Configuration) to communicate with LDAP clients in SSL mode.
    4. If a proxy server is configured for SSL communication with its back-end servers, it uses the same kdb files that are specified in the server configuration file (under cn=SSL, cn=Configuration).
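The following script is an added example, not IBM's own tooling, that walks through the command-line parts of the procedure above: the client-side GSKit environment note in step 1, key database and certificate creation with gsk8capicmd in step 2, placing the files under instance_directory/etc with instance-owner permissions (step 3 and note 2), and trusting a replica's certificate in the master's key database (step 5.2.1). The host names, certificate labels, the instance directory and the instance owner name ldapinst are assumptions for illustration; the gsk8capicmd flags used are the standard ones for these operations. It prints the commands by default (DRY_RUN=1) and executes them only when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not IBM's own script: a dry-run-capable helper for the SSL
# setup above. Host names, labels, the instance directory and the owner
# "ldapinst" are assumptions for illustration.

DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands only; 0 = execute them
GSK="${GSK:-gsk8capicmd_64}"       # GSKit 8 CLI; use gsk8capicmd for 32-bit installs
# placeholder value; gsk8capicmd takes the password on the command line, so
# supply a real one through the environment rather than typing it interactively
KDB_PW="${KDB_PW:-placeholder-password}"

# Preflight for the client side: report which GSKit library would be loaded,
# following the GSKIT_LOCAL_INSTALL_MODE / GSKIT_CLIENT_VERSION rules.
# Prints "<library basename> <search path>".
gskit_client_library() {
    ver="${GSKIT_CLIENT_VERSION:-8}"       # major version selects gsk<N>ssl
    if [ "${GSKIT_LOCAL_INSTALL_MODE:-}" = "true" ]; then
        # local mode: first non-empty of LD_LIBRARY_PATH, LIB, LIBPATH is searched
        path="${LD_LIBRARY_PATH:-${LIB:-${LIBPATH:-}}}"
    else
        path="/usr/lib64:/usr/lib"         # system install locations on UNIX
    fi
    echo "gsk${ver}ssl ${path}"
}

# Print (dry run) or execute a command.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 2: CMS key database with a stash file and a self-signed server
# certificate. For a CA-signed certificate, use "-certreq -create" and
# "-cert -receive" instead of "-cert -create".
create_server_kdb() {
    kdb="$1"; pw="$2"; label="$3"; dn="$4"
    run "$GSK" -keydb -create -db "$kdb" -pw "$pw" -type cms -stash
    run "$GSK" -cert -create -db "$kdb" -pw "$pw" -label "$label" \
        -dn "$dn" -size 2048 -default_cert yes -expire 365
}

# Export a certificate (Base64) for distribution to clients or to the
# master's key database.
extract_cert() {
    kdb="$1"; pw="$2"; label="$3"; out="$4"
    run "$GSK" -cert -extract -db "$kdb" -pw "$pw" -label "$label" \
        -target "$out" -format ascii
}

# Add a certificate to a key database as a trusted root (a client's kdb, or
# the master's kdb in step 5.2.1).
add_trusted_root() {
    kdb="$1"; pw="$2"; label="$3"; file="$4"
    run "$GSK" -cert -add -db "$kdb" -pw "$pw" -label "$label" \
        -file "$file" -format ascii -trust enable
}

# Step 3 and note 2: move the kdb, stash and companion files into
# instance_directory/etc, owned and readable only by the instance owner.
install_key_files() {
    kdb="$1"; owner="$2"; etc_dir="$3"
    base="${kdb%.kdb}"
    run mkdir -p "$etc_dir"
    for f in "$base.kdb" "$base.sth" "$base.rdb" "$base.crl"; do
        # skip companion files that this GSKit version did not create
        [ "$DRY_RUN" = 1 ] || [ -e "$f" ] || continue
        run chown "$owner" "$f"
        run chmod 600 "$f"
        run mv "$f" "$etc_dir/"
    done
}

# Worked run (dry run by default): master ldap1 with replica ldap2.
main() {
    etc_dir="${INSTANCE_DIR:-/home/ldapinst/idsslapd-ldapinst}/etc"   # assumed instance directory
    echo "# client GSKit library: $(gskit_client_library)"
    create_server_kdb ldap1.kdb "$KDB_PW" ldap1cert "CN=ldap1.example.com,O=Example,C=US"
    create_server_kdb ldap2.kdb "$KDB_PW" ldap2cert "CN=ldap2.example.com,O=Example,C=US"
    extract_cert ldap2.kdb "$KDB_PW" ldap2cert ldap2.arm
    # step 5.2.1: the master is an SSL client of the replica, so it must trust ldap2's certificate
    add_trusted_root ldap1.kdb "$KDB_PW" ldap2cert ldap2.arm
    install_key_files ldap1.kdb ldapinst "$etc_dir"
}
main "$@"
```

Run it once with the default dry run to review the exact commands, then with `DRY_RUN=0 KDB_PW=... INSTANCE_DIR=...` on the server. The replica's own key database would be installed the same way on the replica host, and the stash file deserves the same 600 permissions as the kdb because it lets anyone who can read it open the key database without the password.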