Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with the Directory Server

To make communications with your Directory Server more secure, you can configure Directory Server to use Secure Sockets Layer (SSL) security and Transport Layer Security (TLS).

SSL is the standard for Internet security. You can use SSL to communicate with LDAP clients, as well as with replica LDAP servers. You can use client authentication in addition to server authentication to provide additional security to your SSL connections. Client authentication requires that the LDAP client present a digital certificate that confirms the client's identity to the server before a connection is established.

To use SSL, you must have Digital Certificate Manager (DCM), option 34 of IBM® i, installed on your system. DCM provides an interface for you to create and manage digital certificates and certificate stores.

TLS is designed as a successor to SSL and uses the same cryptographic methods but supports more cryptographic algorithms. TLS enables the server to receive secure and non-secure communications from the client over the default port, 389. For secure communications over that port, the client must use the StartTLS extended operation.

In order for a client to use TLS:

  1. The Directory Server must be configured to use TLS or SSLTLS.
  2. The -Y option must be specified on the client command line utilities.

Note: TLS and SSL are not interoperable. Issuing a StartTLS request (the -Y option) over an SSL port causes an operations error.

A client can connect to the secure port (636) using either TLS or SSL. StartTLS is an LDAP feature that allows you to start secure communication over an existing non-secure connection (that is, port 389). As such, you can only use StartTLS (the -Y option of the command line utilities) with the standard non-secure port (389); you cannot use StartTLS on a connection that is already secure.
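The following Python script is an added illustration of the two connection styles described above; it is not part of this page or of the Directory Server product. It builds the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.12) that the -Y option sends over port 389, parses the server's ExtendedResponse, and only then starts the TLS handshake on the same socket; the LDAPS path simply wraps the port 636 connection in TLS from the first byte. Host names, CA file paths and the helper names are assumptions, and the sample server replies are constructed for the example rather than captured from a real server.

```python
"""StartTLS on port 389 versus LDAPS on port 636 (added example, not IBM code).
Assumed/hypothetical: all function names, hosts and CA paths. BER layout per RFC 4511."""
import socket
import ssl
from typing import Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511 / RFC 4513)
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError"}  # RFC 4511 resultCode values


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _ber_int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER/ENUMERATED."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int = 1) -> bytes:
    """Client side: LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    request_name = _tlv(0x80, STARTTLS_OID.encode())   # [0] LDAPOID, context-specific primitive
    extended_req = _tlv(0x77, request_name)             # [APPLICATION 23], constructed
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + extended_req)


def build_extended_response(message_id: int, result_code: int, diagnostic: str = "",
                            response_name: Optional[str] = STARTTLS_OID) -> bytes:
    """Server side: LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }.
    Used here only to construct sample replies for offline demonstration."""
    body = _tlv(0x0A, _ber_int(result_code))           # resultCode ENUMERATED
    body += _tlv(0x04, b"")                             # matchedDN
    body += _tlv(0x04, diagnostic.encode())             # diagnosticMessage
    if response_name is not None:
        body += _tlv(0x8A, response_name.encode())      # responseName [10]
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + _tlv(0x78, body))


def parse_extended_response(msg: bytes) -> dict:
    """Decode the fields a client needs to decide whether the TLS handshake may start."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, pos = _read_tlv(op, pos)
    response_name = None
    while pos < len(op):                                # optional responseName / responseValue
        tag, val, pos = _read_tlv(op, pos)
        if tag == 0x8A:
            response_name = val.decode()
    code = int.from_bytes(rc, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": code,
            "result_name": RESULT_NAMES.get(code, "other"),
            "diagnostic": diag.decode(), "response_name": response_name}


def _recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return buf
    head = exact(2)
    length = head[1]
    if length & 0x80:
        more = exact(length & 0x7F)
        head += more
        length = int.from_bytes(more, "big")
    return head + exact(length)


def starttls_connect(host: str, port: int = 389, cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Plain TCP to 389, StartTLS request, then TLS on the same socket (what -Y does)."""
    ctx = ssl.create_default_context(cafile=cafile)    # verifies the server certificate chain
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(build_starttls_request(1))
    reply = parse_extended_response(_recv_message(sock))
    if reply["result_code"] != 0:                       # e.g. operationsError on a non-StartTLS port
        sock.close()
        raise RuntimeError("StartTLS refused: %(result_name)s %(diagnostic)s" % reply)
    return ctx.wrap_socket(sock, server_hostname=host)


def ldaps_connect(host: str, port: int = 636, cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Secure port: TLS from the first byte; no StartTLS request is ever sent."""
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(socket.create_connection((host, port), timeout=10), server_hostname=host)


# Constructed sample replies (not captured from a real server)
SAMPLE_SUCCESS = build_extended_response(1, 0)
SAMPLE_REFUSED = build_extended_response(1, 1, "StartTLS not available on this connection")
```

The two connect helpers make the page's distinction concrete: `starttls_connect` only proceeds to `wrap_socket` after a `success` ExtendedResponse, so a refusal surfaces as an LDAP result code before any TLS bytes are exchanged, whereas `ldaps_connect` never speaks plaintext LDAP at all. Pass `cafile` pointing at the CA that issued the Directory Server certificate so that `create_default_context` can validate it.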