Setting up SSL on the LDAP server

To set up Secure Sockets Layer (SSL) on the LDAP server, install the LDAP crypto filesets and the GSKit filesets, which provide server-side encryption support. These filesets are on the AIX® expansion pack.

Follow these steps to enable SSL support for the IBM® Directory server authentication.
  1. Install GSKitv8 for IBM Security Directory Server Version 6.4. For installation details, refer to the Setting up an IBM Security Directory Server topic.
  2. Generate the IBM Directory server private key and server certificate using the correct GSKit key management utility. You must use the gsk8capicmd or gsk8capicmd_64 command for the IBM Security Directory Server version 6.4, or later.
    Note: The server's certificate can be signed by a commercial Certification Authority (CA), such as VeriSign, or self-signed with the GSKit key management tool. Either the CA's public certificate or the server's self-signed certificate must be distributed to the key database file of each client application, because the client uses it to verify the server.
  3. Store the server's key database file and its associated password stash file on the server. The default location, /usr/ldap/etc, is typical.
  4. Run the following command to set up the server, where mykey.kdb is the key database and keypwd is the password to the key database:
    # mksecldap -s -a cn=admin -p pwd -S rfc2307aix -k /usr/ldap/etc/mykey.kdb -w keypwd
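The procedure above, carried through as a script. This is an added example, not part of the IBM documentation: it assumes GSKitv8 is installed with gsk8capicmd_64 on the PATH, and the certificate label, distinguished name, expiry and the self-signed choice are placeholders for a lab setup (a production server would use a CA-signed certificate as the note in step 2 describes).

```shell
#!/bin/sh
# Added example: key database, self-signed server certificate, client copy
# of the certificate, file permissions, then mksecldap (values are placeholders).
# Set DRYRUN=1 to print the commands instead of executing them.
KEYDIR=${KEYDIR:-/usr/ldap/etc}        # default key database location
KDB=${KDB:-mykey.kdb}
KEYPWD=${KEYPWD:-keypwd}
ADMINPWD=${ADMINPWD:-pwd}
LABEL=${LABEL:-ldapserver}
SERVER_DN=${SERVER_DN:-"CN=ldap.example.com,O=Example,C=US"}   # placeholder DN

run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 2: CMS key database with a stash file (the server opens it without a
# prompt), then a self-signed certificate marked as the default.
create_keydb() {
    run gsk8capicmd_64 -keydb -create -db "$KEYDIR/$KDB" -pw "$KEYPWD" -type cms -stash
    run gsk8capicmd_64 -cert -create -db "$KEYDIR/$KDB" -pw "$KEYPWD" \
        -label "$LABEL" -dn "$SERVER_DN" -size 2048 -expire 365 -default_cert yes
}

# Export only the public certificate; this .arm file, never the .kdb or the
# stash file, is what gets added to each client's key database.
extract_client_cert() {
    run gsk8capicmd_64 -cert -extract -db "$KEYDIR/$KDB" -pw "$KEYPWD" \
        -label "$LABEL" -target "$KEYDIR/$LABEL.arm" -format ascii
}

# Step 3: the stash file (.sth) holds the key database password, so neither
# it nor the .kdb may be readable by other users on the server.
restrict_perms() {
    run chmod 600 "$KEYDIR/$KDB" "$KEYDIR/${KDB%.kdb}.sth"
}

# Step 4: point the LDAP server at the key database (the mksecldap line above).
configure_server() {
    run mksecldap -s -a cn=admin -p "$ADMINPWD" -S rfc2307aix -k "$KEYDIR/$KDB" -w "$KEYPWD"
}

setup_ldap_ssl() {
    create_keydb && extract_client_cert && restrict_perms && configure_server
}

if [ "${1:-}" = "--run" ]; then setup_ldap_ssl; fi
```

Run it as `./setup_ldap_ssl.sh --run`, or with `DRYRUN=1` first to review the exact commands it will issue.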