
Server SSL configuration of IBM® Security Verify Directory Integrator components

You need to define a keystore to enable SSL support for IBM® Security Verify Directory Integrator as a server. The steps provided here will help you perform this task.

About this task

When an IBM® Security Verify Directory Integrator component is used as a server (for example, a Connector in Server mode), SSL requires that a keystore for IBM® Security Verify Directory Integrator be defined. For information on keystores and truststores, see the JSSE Reference Guide at http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html. The following steps enable SSL support for IBM® Security Verify Directory Integrator as a server:

Note: RMI is enabled by default in the IBM® Security Verify Directory Integrator server, and the properties for server authentication in global.properties already carry the default keystore property values.

  1. If you do not already have a Java keystore (JKS) file for IBM® Security Verify Directory Integrator, create one with keytool (found in TDI_install_dir/jvm/jre/bin or TDI_install_dir/jvm/bin, depending on your platform). If you do not have a private key and certificate to use in IBM® Security Verify Directory Integrator, obtain a certificate from a Certificate Authority or create a self-signed certificate.
  2. If the IBM® Security Verify Directory Integrator certificate is self-signed, export the certificate (the public certificate only; the private key stays in the server keystore).
  3. If the IBM® Security Verify Directory Integrator certificate is self-signed, use keytool to import the exported certificate into the keystore file that the client uses as its truststore, as a trusted root certificate. A CA-issued certificate needs no such import as long as the client already trusts the issuing CA.
  4. Edit the TDI_install_dir/etc/global.properties file to set the keystore file location, keystore password and keystore type:

     ## client authentication
     javax.net.ssl.keyStore=serverapi/testadmin.jks
     {protect}-javax.net.ssl.keyStorePassword=administrator
     javax.net.ssl.keyStoreType=jks

     The values shown are the shipped sample defaults: replace the sample keystore and its password "administrator" with your own before exposing the server. The {protect}- prefix causes the server to encrypt the password value in place the next time it starts. Write the path with forward slashes on every platform; in a Java properties file a backslash is an escape character, so serverapi\testadmin.jks would be read with \t as a tab.
  5. Enable SSL for the clients (for example, by using https in the Web browser).
  6. Restart IBM® Security Verify Directory Integrator.
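
The procedure above, carried out end to end with keytool, as an added example that is not part of the IBM documentation or the product. Everything it assumes is hypothetical and overridable through the environment: the install directory /opt/IBM/TDI, the keystore path serverapi/testadmin.jks, the alias tdi-server, the host name tdi.example.com, the client truststore path client/truststore.jks and both passwords. It also assumes a keytool that understands -ext (Java 7 or later). Only the run argument performs the keytool steps; the helper functions can be called on their own.

```shell
#!/bin/sh
# Added example, not IBM documentation or product code: drives steps 1-4 above
# with keytool and emits the global.properties lines for step 4.
# Hypothetical values (assumptions; override via the environment): install
# directory, keystore path, alias, host name, client truststore and passwords.
set -eu

TDI_HOME="${TDI_HOME:-/opt/IBM/TDI}"                  # TDI_install_dir
KEYSTORE="${KEYSTORE:-serverapi/testadmin.jks}"        # forward slashes: '\' escapes in .properties
STOREPASS="${STOREPASS:-change-me-now}"                # not the shipped sample password
ALIAS="${ALIAS:-tdi-server}"
HOST="${HOST:-tdi.example.com}"                        # CN/SAN that clients connect to
CLIENT_TRUSTSTORE="${CLIENT_TRUSTSTORE:-client/truststore.jks}"
CLIENT_STOREPASS="${CLIENT_STOREPASS:-change-me-too}"

# keytool lives under jvm/jre/bin or jvm/bin depending on platform; fall back to PATH.
find_keytool() {
  for k in "$TDI_HOME/jvm/jre/bin/keytool" "$TDI_HOME/jvm/bin/keytool"; do
    if [ -x "$k" ]; then echo "$k"; return 0; fi
  done
  command -v keytool
}

# Step 1: create the JKS keystore with a self-signed key pair (skipped if it exists).
# A CA-issued certificate would instead be imported with -importcert under the same alias.
create_self_signed() {
  kt=$(find_keytool)
  if [ -f "$KEYSTORE" ]; then echo "keystore exists: $KEYSTORE"; return 0; fi
  mkdir -p "$(dirname "$KEYSTORE")"
  "$kt" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST, O=Example" -ext "SAN=dns:$HOST" \
    -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: export the certificate (public part only) in PEM form.
export_cert() {
  kt=$(find_keytool)
  "$kt" -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -file "$1"
}

# Step 3: import the exported certificate into the client's truststore as a trusted root.
import_into_client_truststore() {
  kt=$(find_keytool)
  mkdir -p "$(dirname "$CLIENT_TRUSTSTORE")"
  "$kt" -importcert -noprompt -alias "$ALIAS" -file "$1" \
    -keystore "$CLIENT_TRUSTSTORE" -storetype JKS -storepass "$CLIENT_STOREPASS"
}

# Step 4: the keystore lines for global.properties / solution.properties.
# The {protect}- prefix tells the server to encrypt the value in place on start-up.
keystore_properties() {
  printf '## client authentication\n'
  printf 'javax.net.ssl.keyStore=%s\n' "$1"
  printf '{protect}-javax.net.ssl.keyStorePassword=%s\n' "$2"
  printf 'javax.net.ssl.keyStoreType=%s\n' "$3"
}

# Checks worth running before the restart: no sample password, no backslash in the path
# (java.util.Properties treats '\' as an escape, so serverapi\testadmin.jks is misread).
password_is_not_sample() { [ "$1" != "administrator" ]; }
path_is_properties_safe() { case "$1" in *\\*) return 1 ;; *) return 0 ;; esac; }

if [ "${1:-}" = "run" ]; then
  password_is_not_sample "$STOREPASS" || { echo "refusing the sample password" >&2; exit 1; }
  path_is_properties_safe "$KEYSTORE" || { echo "use forward slashes in $KEYSTORE" >&2; exit 1; }
  create_self_signed
  export_cert "$ALIAS.pem"
  import_into_client_truststore "$ALIAS.pem"
  keystore_properties "$KEYSTORE" "$STOREPASS" jks >> "$TDI_HOME/etc/global.properties"
  echo "now restart the server (step 6) so the password is encrypted and SSL takes effect"
fi
```

Run it as `sh tdi-server-ssl.sh run` from the solution directory. The client-side import (step 3) only matters for self-signed certificates; with a CA-issued certificate, drop the call to import_into_client_truststore and make sure the client's truststore already contains the issuing CA.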

Note:

  1. The IBM® Security Verify Directory Integrator server does not manage keystores or truststores. The only keystore support that the server provides to IBM® Security Verify Directory Integrator components is the global.properties or solution.properties file, in which the standard Java keystore and truststore properties (javax.net.ssl.keyStore, javax.net.ssl.trustStore and their password and type properties) can be specified.
  2. An IBM® Security Verify Directory Integrator component can use the default keystore and truststore configured in global.properties or solution.properties, or it can implement its own handling of SSL sockets (for example, a custom SSLServerSocket Java class) so that it can use a keystore or truststore other than the default.
  3. If IBM® Security Verify Directory Integrator must present both a client certificate and a server certificate, only the default keystore configured in global.properties or solution.properties is used, so the same certificate serves both roles. The alternative is a custom implementation of the SSLSocket or SSLServerSocket Java class that uses a certificate different from the default.
  4. See the section Certificates for the IBM® Security Verify Directory Integrator Web service Suite for specifics on the certificates used by IBM® Security Verify Directory Integrator web service components.