Set up the directory server for SSL connection

As part of setting up an ISIM virtual appliance, we can set up the directory server for an SSL connection.

The iKeyman utility is included with IBM Security Directory Server.

  1. Create a certificate. Use the iKeyman utility to create a self-signed certificate and extract the certificate to make it available for secure communication.
    1. Start the iKeyman utility. For example, enter the gsk7ikm command in the /usr/local/ibm/gsk7/bin directory.

    2. If the iKeyman utility cannot locate Java™, run this command: export JAVA_HOME=/opt/IBM/ldapv6.3/java/jre

    3. On the IBM Key Management page, select Key Database File > Open > New.

    4. Select a default database type of CMS.

    5. In the File Name field, type a name for the CMS key database file. For example, type: LDAPSERVER_TEST1234.kdb.

      The name follows the pattern application_serverhostname, where application is the directory server and serverhostname is the server that hosts the directory server.

    6. In the Location field, specify a location to store the key database file. For example, type /certs.

    7. Click OK.

    8. On the Password menu:

      1. Enter and then confirm a password, such as Pa$$word1.
      2. Specify the highest password strength possible.
      3. Select the Stash the password to a file? option.

      4. Click OK.

    9. Select Create > New Self Signed Certificate and specify a label that matches the CMS key database file name, such as LDAPSERVER_TEST1234. This example uses the same name (LDAPSERVER_TEST1234) for both the certificate name and the key database file containing the certificate.

    10. Enter IBM in the Organization field, accept the remaining field default values, and click OK. A self-signed certificate, including public and private keys, now exists.
    11. For subsequent use with clients, extract the contents of the certificate into an ASCII Base-64 Encoded file. Complete these steps:

      1. Select Extract Certificate.
      2. Specify a data type of DER Data.

        A file with an extension of .der contains binary data. This format can be used only for a single certificate. Specify this format to extract a self-signed certificate.

      3. Specify a name for the certificate file, such as LDAPSERVER_TEST1234.der, matching the key database file name we created.
      4. Specify a location, such as /certs, in which you previously stored the key database file.

      5. Click OK.
    12. Verify that the /certs directory contains the following files:

      File                        Description
      LDAPSERVER_TEST1234.crl     Not used in this example.
      LDAPSERVER_TEST1234.der     The certificate.
      LDAPSERVER_TEST1234.kdb     Key database file that has the certificate.
      LDAPSERVER_TEST1234.rdb     Not used in this example.
      LDAPSERVER_TEST1234.sth     Stash file that has the password.

      If we use an existing or newly acquired certificate from a CA, copy it to the /certs directory on the root file system of the directory server.
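The verification in step 12 can be scripted. The following is an added example, not part of the IBM documentation: it checks that the five files for a label exist, that the extracted .der file really is a single DER-encoded certificate (a Base-64 PEM file would be reported instead), and, as an assumed local policy, that the stash file is not readable by other users, since it lets anyone who can read it open the key database.

```python
"""Check the files that the iKeyman procedure leaves in the /certs directory.
Added example; the directory, label and stash permission rule are assumptions."""
import os
import stat

EXPECTED_SUFFIXES = (".crl", ".der", ".kdb", ".rdb", ".sth")
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def der_length(data):
    """Total length of the outermost DER element, or None if data does not
    start with a well-formed SEQUENCE header (0x30 + length octets)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def certificate_format(data):
    """Return ('PEM', count) or ('DER', 1); raise ValueError otherwise.
    A DER file holds exactly one certificate, so the outer SEQUENCE length
    must equal the file size; trailing bytes mean the file is not a single cert."""
    if PEM_MARKER in data:
        return ("PEM", data.count(PEM_MARKER))
    total = der_length(data)
    if total is None:
        raise ValueError("not a DER SEQUENCE and no PEM markers found")
    if total != len(data):
        raise ValueError("DER length %d does not match file size %d" % (total, len(data)))
    return ("DER", 1)


def check_certs_dir(certs_dir, label):
    """Return a list of problems (empty list means the directory matches the table)."""
    problems = []
    for suffix in EXPECTED_SUFFIXES:
        path = os.path.join(certs_dir, label + suffix)
        if not os.path.isfile(path):
            problems.append("missing " + path)
    sth = os.path.join(certs_dir, label + ".sth")   # stash file: assumed mode 600
    if os.path.isfile(sth) and os.stat(sth).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("stash file %s is group/world accessible" % sth)
    der = os.path.join(certs_dir, label + ".der")
    if os.path.isfile(der):
        try:
            with open(der, "rb") as f:
                fmt, count = certificate_format(f.read())
            if fmt != "DER":
                problems.append("%s is %s with %d certificate(s), not DER" % (der, fmt, count))
        except ValueError as e:
            problems.append("%s: %s" % (der, e))
    return problems
```

Call check_certs_dir("/certs", "LDAPSERVER_TEST1234") on the directory server; an empty list means the extraction step produced what the table lists.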
Parent topic: Install a directory server
