Server SSL configuration of IBM® Security Verify Directory Integrator components
You need to define a keystore to enable SSL support for IBM® Security Verify Directory Integrator as a server. The steps provided here will help you perform this task.
About this task
When an IBM Security Directory Server component is used as a server (for example, a Server mode Connector), SSL requires that a keystore be defined for IBM® Security Verify Directory Integrator to use. For information on keystores and truststores, see the documentation at http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html. The following steps are required to enable SSL support for IBM® Security Verify Directory Integrator as a server:
Note: RMI is enabled by default in the IBM® Security Verify Directory Integrator server. Properties for server authentication carry the default keystore property values.
- If you don't already have a Java keystore (jks) file in IBM® Security Verify Directory Integrator, create one using keytool (found in TDI_install_dir/jvm/jre/bin or TDI_install_dir/jvm/bin, depending on your platform). If you don't have a personal key to be used in IBM® Security Verify Directory Integrator, get one from a Certificate Authority or create a self-signed key.
- If the certificate in the IBM® Security Verify Directory Integrator is a self-signed certificate, export the certificate.
- If the IBM® Security Verify Directory Integrator certificate is a self-signed certificate, use keytool to import the exported IBM® Security Verify Directory Integrator certificate into the keystore file on the client as a root authority certificate.
- Edit the TDI_install_dir/etc/global.properties file to set the keystore file location, keystore file password and keystore file type:

  ```properties
  ## client authentication
  javax.net.ssl.keyStore=serverapi\testadmin.jks
  {protect}-javax.net.ssl.keyStorePassword=administrator
  javax.net.ssl.keyStoreType=jks
  ```
- Enable SSL for the clients (for example, using https in the Web browser).
- Restart IBM® Security Verify Directory Integrator.
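As an added check (not part of the IBM documentation), the following Python script parses the three keystore properties from the steps above, strips the `{protect}-` marker, and verifies that the configured keystore file exists, that its leading bytes match the declared `keyStoreType`, and that the password carries the `{protect}-` marker rather than sitting in clear text. It assumes relative keystore paths resolve against the solution directory and builds its own constructed fixture files in a temporary directory.

```python
import os
import tempfile

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # every JKS file starts with these four bytes
PROTECT = "{protect}-"           # TDI marker: the value is encrypted when the file is saved

def parse_properties(text):
    """Parse key=value lines; return (props, keys that carried the {protect}- marker)."""
    props, protected = {}, set()
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.startswith(PROTECT):
            key = key[len(PROTECT):]
            protected.add(key)
        props[key] = value
    return props, protected

def check_keystore_config(props, protected, solution_dir):
    """Return the problems found; an empty list means the keystore settings look sane."""
    problems = []
    path = props.get("javax.net.ssl.keyStore", "")
    full = os.path.join(solution_dir, path.replace("\\", os.sep))  # sample uses a Windows path
    declared = props.get("javax.net.ssl.keyStoreType", "").lower()
    if not path or not os.path.isfile(full):
        problems.append(f"javax.net.ssl.keyStore does not point to a file: {full}")
    elif declared:  # compare the declared type with the file's leading bytes
        with open(full, "rb") as fh:
            head = fh.read(4)
        actual = "jks" if head == JKS_MAGIC else "pkcs12" if head[:1] == b"\x30" else "unknown"
        if actual not in ("unknown", declared):
            problems.append(f"keyStoreType={declared} but the file looks like {actual}")
    if "javax.net.ssl.keyStorePassword" not in protected:
        problems.append("keyStorePassword is missing or lacks the {protect}- marker (clear text)")
    return problems

def run_demo():
    solution_dir = tempfile.mkdtemp()  # constructed fixture, not a real TDI solution directory
    os.mkdir(os.path.join(solution_dir, "serverapi"))
    with open(os.path.join(solution_dir, "serverapi", "testadmin.jks"), "wb") as fh:
        fh.write(JKS_MAGIC + b"\x00\x00\x00\x02")  # JKS magic followed by version 2
    with open(os.path.join(solution_dir, "serverapi", "wrongtype.jks"), "wb") as fh:
        fh.write(b"\x30\x82\x01\x00")  # DER SEQUENCE header, as a PKCS#12 file would have
    good = ("javax.net.ssl.keyStore=serverapi\\testadmin.jks\n"
            "{protect}-javax.net.ssl.keyStorePassword=administrator\n"
            "javax.net.ssl.keyStoreType=jks\n")
    bad = good.replace("testadmin", "wrongtype").replace(PROTECT, "")
    return {name: check_keystore_config(*parse_properties(text), solution_dir)
            for name, text in (("good", good), ("bad", bad))}
```

Run `run_demo()` to see the sample configuration pass and the mistyped, clear-text variant fail with two findings.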
Note:
- The IBM® Security Verify Directory Integrator server does not manage the keystores/truststores. All that the IBM® Security Verify Directory Integrator server provides to the IBM® Security Verify Directory Integrator components in terms of keystore support is the global.properties or solution.properties files, in which the standard Java keystore/truststore properties can be specified.
- An IBM® Security Verify Directory Integrator component can choose to use the default configured keystore/truststore in global.properties or solution.properties, or it can choose to implement its own handling of SSL sockets (for example implementing a custom SSLServerSocket Java class) so that it can use keystores/truststores different from the default.
- If IBM® Security Verify Directory Integrator needs to use both a client and a server certificate and only the default certificate configured in global.properties or solution.properties is used, then both must be the same certificate. An alternative is to write a custom implementation of the SSLSocket or SSLServerSocket Java class and have it use a certificate different from the default.
- See the section "Certificates for the IBM® Security Verify Directory Integrator Web service Suite" for specifics on the certificates used by IBM® Security Verify Directory Integrator web service components.