Configuring PBKDF2 password encryption with Security Directory Server

You can configure IBM Security Directory Server to protect stored user passwords with PBKDF2, a salted and iterated key-derivation function that makes offline guessing of leaked password hashes considerably more expensive than a plain one-way hash.

Before you begin

  1. Install or upgrade to IBM® Security Directory Server 6.4.0.16 or later fix levels.
  2. Install or upgrade to GSKit 8.0.50.88 or later.

    You can download the latest version from Fix Central.

Ensure that you install the latest recommended fix levels for IBM Security Directory Server and GSKit.

Note: Consider the following:
  • If the installed GSKit is older than 8.0.50.88, a message is written to the traceibmslapd.log file asking you to upgrade GSKit to 8.0.50.88 or later before using any PBKDF2 encryption mechanism.
  • If ibm-slapdPwEncryption is set to a PBKDF2 algorithm and the installed GSKit is older than 8.0.50.88, the server starts in configuration-only mode and writes an ERROR message to ibmslapd.log and to the console asking you to upgrade GSKit to 8.0.50.88 or later before setting a PBKDF2 algorithm for ibm-slapdPwEncryption.

About this task

The feature was introduced in 6.4.0.16.

Procedure

  1. Create and configure a directory server instance.
  2. Stop the directory server (ibmslapd) and administration server (ibmdiradm) processes.
  3. Enable the PBKDF2 encryption option for the IBM Security Directory Server instance by setting the following configuration attributes in the "cn=Configuration" entry:
    ibm-slapdPwEncryption: <Digest_Type>
    ibm-slapdUseNonFIPSCrypt: TRUE
    The <Digest_Type> can have one of the following values:
    • pbkdf2-sha1
    • pbkdf2-sha224
    • pbkdf2-sha256
    • pbkdf2-sha384
    • pbkdf2-sha512

    The configuration is stored in the ibmslapd.conf file of the respective server instance.

  4. The Directory Administrator can set these values by using a standard LDAP modify operation, for example:
    /opt/ibm/ldap/V6.4/bin/idsldapmodify -h <hostname> -p <port> -D <adminDN> -w <admin_password> -i confupdate.ldif

    where confupdate.ldif contains:

    dn: cn=Configuration
    changetype: modify
    replace: ibm-slapdPwEncryption
    ibm-slapdPwEncryption: PBKDF2-SHA256
    -
    replace: ibm-slapdUseNonFIPSCrypt
    ibm-slapdUseNonFIPSCrypt: TRUE
    Note: If ibm-slapdUseNonFIPSCrypt is missing (the default) or is not set to TRUE while ibm-slapdPwEncryption is set to any PBKDF2 algorithm, the server starts in configuration-only mode and writes the following ERROR message to the console and to the ibmslapd.log file:
    ERROR: Set ibm-slapdUseNonFIPSCrypt to TRUE in cn=Configuration entry to set any of PBKDF2 password encryption algorithm for ibm-slapdPwEncryption.
    Because PBKDF2 is available only when ibm-slapdUseNonFIPSCrypt is TRUE, check this requirement against any FIPS policy that applies to your deployment before you enable it.

    The number of iterations used by the PBKDF2 algorithms can be changed with the following environment variable. It is set through the ibm-slapdSetEnv attribute in the "cn=Front End, cn=Configuration" entry of ibmslapd.conf.

    ibm-slapdPBKDFNumIterations
    The default number of iterations is 10000.
    Note: When you set ibm-slapdPBKDFNumIterations from the command line instead of in ibmslapd.conf, enter the name in uppercase characters only. For example:
    env 'IBM-SLAPDPBKDFNUMITERATIONS=25000'

    To set ibm-slapdPBKDFNumIterations through the ibm-slapdSetEnv attribute of the "cn=Front End, cn=Configuration" entry in ibmslapd.conf, the Directory Administrator can use the following standard LDAP modify operation:

    /opt/ibm/ldap/V6.4/bin/idsldapmodify -h <hostname> -p <port> -D <adminDN> -w <admin_password> -i confupdate2.ldif

    where contents of the confupdate2.ldif are:

    dn: cn=Front End, cn=Configuration
    changetype: modify
    add: ibm-slapdSetEnv
    ibm-slapdSetEnv: ibm-slapdPBKDFNumIterations=20000

    The minimum allowed value for ibm-slapdPBKDFNumIterations is 1000 and the maximum allowed value is 10000000.

    If the provided value is invalid or outside the allowed range, the server uses the default value of 10000 and writes a warning message about the incorrect value to the console and to the ibmslapd.log file.

    A higher iteration count makes offline guessing more expensive, but it also adds CPU cost to every bind that verifies a password, so measure bind latency under realistic load before raising it.

    You must restart the server after this operation for the new values of ibm-slapdPwEncryption, ibm-slapdUseNonFIPSCrypt and ibm-slapdPBKDFNumIterations to take effect.

  5. Start the directory server and admin server.
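The whole procedure above, as an added example that is not part of IBM's documentation or product code: a POSIX shell script that builds the two LDIF files, checks the digest name against the list in step 3 and the iteration count against the 1000..10000000 range (falling back to the default 10000 with a warning, as the server itself would), and applies the files with idsldapmodify. The IDS_BIN, LDAP_HOST, LDAP_PORT, ADMIN_DN, ADMIN_PW and IDS_INSTANCE variables, their placeholder defaults, and the "ibmslapd -I ... -k" / "ibmdiradm -I ... -k" stop and start commands are assumptions made for illustration; adapt them to your instance.

```shell
#!/bin/sh
# Added example, not IBM's code: generate, validate and apply the PBKDF2
# configuration from this procedure.
# Assumptions (hypothetical): the variables below are set by the operator;
# the defaults are placeholders only.
IDS_BIN="${IDS_BIN:-/opt/ibm/ldap/V6.4/bin}"
LDAP_HOST="${LDAP_HOST:-localhost}"
LDAP_PORT="${LDAP_PORT:-389}"
ADMIN_DN="${ADMIN_DN:-cn=root}"
IDS_INSTANCE="${IDS_INSTANCE:-idsinst}"

# Only the digest types listed in step 3 are accepted (case-insensitive).
valid_digest() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        pbkdf2-sha1|pbkdf2-sha224|pbkdf2-sha256|pbkdf2-sha384|pbkdf2-sha512) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the server's rule before sending the value: an integer in
# 1000..10000000, otherwise fall back to the default 10000 with a warning.
effective_iterations() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*)
            echo "warning: '$n' is not an integer; using default 10000" >&2
            echo 10000
            return 0 ;;
    esac
    if [ "$n" -lt 1000 ] || [ "$n" -gt 10000000 ]; then
        echo "warning: $n is outside 1000..10000000; using default 10000" >&2
        echo 10000
    else
        echo "$n"
    fi
}

# confupdate.ldif: digest type plus the mandatory ibm-slapdUseNonFIPSCrypt flag.
# Without the flag the server starts in configuration-only mode.
pw_encryption_ldif() {
    valid_digest "$1" || { echo "error: unsupported digest '$1'" >&2; return 1; }
    digest="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    printf 'dn: cn=Configuration\n'
    printf 'changetype: modify\n'
    printf 'replace: ibm-slapdPwEncryption\n'
    printf 'ibm-slapdPwEncryption: %s\n' "$digest"
    printf '%s\n' '-'
    printf 'replace: ibm-slapdUseNonFIPSCrypt\n'
    printf 'ibm-slapdUseNonFIPSCrypt: TRUE\n'
}

# confupdate2.ldif: the iteration count as an ibm-slapdSetEnv value on cn=Front End.
iterations_ldif() {
    printf 'dn: cn=Front End, cn=Configuration\n'
    printf 'changetype: modify\n'
    printf 'add: ibm-slapdSetEnv\n'
    printf 'ibm-slapdSetEnv: ibm-slapdPBKDFNumIterations=%s\n' "$(effective_iterations "$1")"
}

# Apply one LDIF file. With ADMIN_PW unset, "-w ?" makes idsldapmodify prompt
# for the password instead of exposing it on the command line.
apply_ldif() {
    "$IDS_BIN/idsldapmodify" -h "$LDAP_HOST" -p "$LDAP_PORT" \
        -D "$ADMIN_DN" -w "${ADMIN_PW:-?}" -i "$1"
}

# Whole procedure (steps 2 to 5). Usage: configure_pbkdf2 pbkdf2-sha256 20000
# The stop/start commands are assumed forms of ibmslapd/ibmdiradm; adapt them.
configure_pbkdf2() {
    tmpdir="$(mktemp -d)" || return 1
    pw_encryption_ldif "$1" > "$tmpdir/confupdate.ldif" || return 1
    iterations_ldif "$2" > "$tmpdir/confupdate2.ldif"
    "$IDS_BIN/ibmslapd" -I "$IDS_INSTANCE" -k || return 1     # step 2: stop
    "$IDS_BIN/ibmdiradm" -I "$IDS_INSTANCE" -k || return 1
    apply_ldif "$tmpdir/confupdate.ldif" || return 1          # steps 3-4
    apply_ldif "$tmpdir/confupdate2.ldif" || return 1
    "$IDS_BIN/ibmslapd" -I "$IDS_INSTANCE" || return 1        # step 5: start
    "$IDS_BIN/ibmdiradm" -I "$IDS_INSTANCE" || return 1
    rm -rf "$tmpdir"
}
```

Run the two generator functions on their own first (for example `pw_encryption_ldif pbkdf2-sha256` and `iterations_ldif 500`) to see exactly what will be sent, including the fallback to 10000 for an out-of-range count, before calling configure_pbkdf2 against a live instance.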