Secure Sockets Layer and the LDAP module

IBM HTTP Server provides the ability to use a secure connection between the LDAP module running in the Web server and the LDAP directory server. If this feature is enabled, any communication between the Web server and the directory server is encrypted.

To enable this feature, edit the LDAP configuration file ldap.prop and set ldap.transport to SSL. Create or obtain a key database file (X.kdb) and its password stash file (Y.sth): the key database can be created with iKeyman, and the stash file with the ldapstash program. Also change the values of ldap.URL and ldap.group.URL to use port 636 (LDAP over SSL) instead of port 389, otherwise the module still connects to the plaintext LDAP port.

The key database file contains the certificates that establish identity. The LDAP server can require that the Web server present a certificate before it accepts queries (client authentication). When a certificate is used on the SSL connection between the LDAP module and the LDAP server, the user ID that IBM HTTP Server runs as must have write permission to the key database file that holds the certificate.

Because certificates establish identity, the key database must be protected from other users stealing or overwriting the certificates, and with them the Web server's identity. Anyone with read permission on the key database file can retrieve the certificates it contains and masquerade as that user. Grant read or write permission only to the owner of the key database file, and protect the stash file the same way, since it holds the password to the key database.
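The configuration change above (ldap.transport=SSL and port 636 in both URLs) and the file-permission rule for the key database and stash file can be verified with a small audit script. The following is an added example and is not part of IBM's documentation or of IBM HTTP Server; it assumes ldap.prop uses one key=value line per property as described on this page, and that the caller supplies the file paths and the user name that IBM HTTP Server runs as (the sample values in the usage line are placeholders).

```shell
#!/bin/sh
# Added example (not IBM's code): audit an ldap.prop file and the key
# database / stash file it depends on for the SSL settings described above.
# Assumptions: ldap.prop holds plain key=value lines; the paths and the
# IBM HTTP Server user name are passed in by the caller.

# uses_ssl_port URL: 0 when the URL's host part ends in :636.
uses_ssl_port() {
    case "$1" in
        *:636/*|*:636) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ldap_prop FILE: 0 when ldap.transport is SSL and both ldap.URL and
# ldap.group.URL use port 636; otherwise print each finding and return 1.
check_ldap_prop() {
    prop=$1
    prc=0
    transport=$(sed -n 's/^ldap\.transport=[[:space:]]*//p' "$prop")
    if [ "$transport" != "SSL" ]; then
        echo "$prop: ldap.transport is '${transport:-unset}', expected SSL"
        prc=1
    fi
    # Anchored patterns: ^ldap\.URL= does not also match ldap.group.URL=.
    url=$(sed -n 's/^ldap\.URL=[[:space:]]*//p' "$prop")
    gurl=$(sed -n 's/^ldap\.group\.URL=[[:space:]]*//p' "$prop")
    uses_ssl_port "$url" || { echo "$prop: ldap.URL does not use port 636: '${url:-unset}'"; prc=1; }
    uses_ssl_port "$gurl" || { echo "$prop: ldap.group.URL does not use port 636: '${gurl:-unset}'"; prc=1; }
    return $prc
}

# check_key_file FILE USER: 0 when FILE exists, is owned by USER and is
# readable and writable by the owner only (mode -rw-------), which is the
# permission set the text calls for; otherwise print the problem, return 1.
check_key_file() {
    file=$1
    user=$2
    if [ ! -f "$file" ]; then
        echo "$file: missing"
        return 1
    fi
    krc=0
    line=$(ls -ld "$file")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    if [ "$owner" != "$user" ]; then
        echo "$file: owned by $owner, expected $user"
        krc=1
    fi
    case "$mode" in
        -rw-------) ;;
        *) echo "$file: mode is $mode, expected -rw------- (owner only)"; krc=1 ;;
    esac
    return $krc
}

# audit_ldap_ssl PROP KDB STH USER: run every check; 0 only if all pass.
audit_ldap_ssl() {
    arc=0
    check_ldap_prop "$1" || arc=1
    check_key_file "$2" "$4" || arc=1
    check_key_file "$3" "$4" || arc=1
    return $arc
}

# Stand-alone usage (placeholder paths and user name):
#   sh audit.sh /opt/IBMIHS/conf/ldap.prop /opt/IBMIHS/keys/X.kdb /opt/IBMIHS/keys/Y.sth ihsuser
if [ $# -eq 4 ]; then
    audit_ldap_ssl "$@"
fi
```

The permission check reads the mode string from ls rather than a platform-specific stat flag so it runs the same way on the Unix systems IBM HTTP Server ships for; it deliberately rejects any group or other bit, not just write, because read access alone is enough to copy the certificates out of the key database.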