Setting up for SSL/TLS
SSL support is provided with LDAP and does not need to be
separately installed, nor does the LDAP server use the SSL/TLS services
provided by the z/VM SSL server (you do not protect the LDAP server
ports in the same manner as is currently used for other servers
such as FTP). The LDAP server itself is able to protect LDAP
access with Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
There are two types of connections that support secure communication:
- An SSL/TLS-only secure connection. This connection requires that the first communication between the client and the server be the handshake that negotiates the secure communication. From that point on only secure communication can occur on the connection.
- A bimodal connection that supports secure and non-secure communication. The client is expected to begin communication in a non-secure mode. At some time during communication, the client may change to secure communication by sending a StartTLS extended operation, after which the handshake to negotiate secure communication occurs, followed by secure communication. The client may shut down secure communication, causing a StopTLS alert to be sent, and the server will continue communication in a non-secure mode. At a later time, the client may restart secure communication by sending another StartTLS extended operation followed by the handshake.
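The StartTLS step of the bimodal connection, as an added example that is not code from the z/VM documentation: the client sends the StartTLS ExtendedRequest (requestName OID 1.3.6.1.4.1.1466.20037, RFC 4511) in the clear, decodes the server's ExtendedResponse, and begins the TLS handshake on the same connection only when the resultCode is success (0). The server replies used here are constructed samples, not captures from a real server.

```python
# Added example, not z/VM code. Encodes the StartTLS ExtendedRequest and decodes the
# ExtendedResponse (RFC 4511); the sample server replies are constructed, not captured.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # requestName of the StartTLS extended operation

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128 octets, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.
    Sent in the clear; the TLS handshake follows only after a success response."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID.encode()))       # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext)  # message_id assumed < 128

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                            # long form: n & 0x7f length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_extended_response(msg: bytes) -> dict:
    """Decode ExtendedResponse [APPLICATION 24]. resultCode 0 (success) means the client
    must start the TLS handshake now, on this same connection; anything else means no TLS."""
    tag, body, _ = read_tlv(msg, 0)
    _, mid, pos = read_tlv(body, 0)                         # messageID INTEGER
    rtag, resp, _ = read_tlv(body, pos)
    assert (tag, rtag) == (0x30, 0x78), "not an LDAPMessage/ExtendedResponse"  # 0x78 = APPLICATION 24
    _, code, pos = read_tlv(resp, 0)                        # resultCode ENUMERATED
    _, _matched, pos = read_tlv(resp, pos)                  # matchedDN (empty for StartTLS)
    _, diag, pos = read_tlv(resp, pos)                      # diagnosticMessage
    name = read_tlv(resp, pos)[1].decode() if pos < len(resp) else None  # optional responseName [10]
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "diagnostic": diag.decode(), "response_name": name, "start_handshake": rc == 0}

def make_response(message_id: int, rc: int, diag: str = "", name: str = "") -> bytes:
    """Constructed server reply for the samples below (not a real capture)."""
    parts = tlv(0x0A, bytes([rc])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x78, parts + (tlv(0x8A, name.encode()) if name else b"")))

SAMPLE_OK = make_response(1, 0, name=STARTTLS_OID)          # success: client begins the handshake
SAMPLE_REFUSED = make_response(2, 52, "TLS unavailable")   # 52 = unavailable: connection stays in the clear
```

A client that receives anything other than success must not start the handshake; the connection remains non-secure, which is why a client that requires TLS should treat that response as a failure rather than silently continuing.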