Configure SSL for the directory server

Use an LDIF file to configure SSL on the directory server and to specify a secure port.

  1. If the directory server is not running, start the server. For example, on UNIX, type this command:
    /opt/IBM/ldap/V6.1/sbin/ibmslapd -I itimldap

    Where -I specifies the instance.

  2. Create an LDIF file, such as ssl.ldif, with the following data:
    dn: cn=SSL,cn=Configuration
    changetype: modify
    replace: ibm-slapdSslAuth
    ibm-slapdSslAuth: serverauth
    -
    replace: ibm-slapdSecurity
    ibm-slapdSecurity: sslonly
    -
    replace: ibm-slapdSslKeyDatabase
    ibm-slapdSslKeyDatabase: /certs/LDAPSERVER_TEST1234.kdb
    The lines that contain only the - (hyphen) character are required by the LDIF format; each one separates one modification from the next.

    To change the secured port from the default port number 636, add these additional lines at the end of the file. The - (hyphen) separator line must precede the new modification.

    -
    replace: ibm-slapdSecurePort
    ibm-slapdSecurePort: 637

  3. Place the LDIF file in the following directory:
    /opt/IBM/ldap/V6.1/bin
  4. Run the idsldapmodify command, which applies the changes in the LDIF file to the directory server configuration.
    idsldapmodify -D cn=root -w passwd -i ssl.ldif

    -D
    Binds to the LDAP directory, which is cn=root in this example.

    -w
    Uses the passwd value, which is the directory server administrator password, as the password for authentication.

    -i
    Reads the entry modification information from an LDIF file instead of from standard input. In this example, the file is named ssl.ldif.

    A successful result produces a message similar to the following one.

    Operation 0 modifying entry cn=SSL,cn=Configuration
  5. Test the directory server to confirm that it is listening on the default secure port 636. Follow these steps:
    1. Stop the directory server. Type /opt/IBM/ldap/V6.1/sbin/ibmslapd -k.
    2. Start the directory server. Type /opt/IBM/ldap/V6.1/sbin/ibmslapd -I itimldap.

      Where -I specifies the instance.

    3. Determine whether the directory server is listening on port 636. For example, list the listening TCP sockets on the directory server host by typing netstat -an | grep 636. A return message that indicates the port is listening might look like this example:
      tcp    0   0 9.42.62.72:636  0.0.0.0:*   LISTEN
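The two points in this procedure that most often go wrong are the LDIF formatting in step 2 (a missing hyphen separator makes idsldapmodify reject the record) and the verification in step 5. The following Python script is an added example, not part of the IBM documentation or the directory server product: it parses a single LDIF modify record and checks that every replace block is separated by a line holding only -, reads the secure port the record configures, and then reads a netstat -an snapshot to confirm that the secure port is listening and that, because ibm-slapdSecurity is set to sslonly, the non-SSL port 389 is not. The LDIF text and netstat lines embedded below are constructed sample input; the IP address is a placeholder, not a real host.

```python
"""Validate the SSL configuration LDIF and the resulting listener state.

Added example (not from the IBM documentation). The sample LDIF reproduces
the record from the procedure with the secure port changed to 637; the
netstat lines are constructed for the example.
"""
import re

# Constructed copy of ssl.ldif from the procedure, including the optional
# secure-port change. Note the '-' line before each additional modification.
SSL_LDIF = """dn: cn=SSL,cn=Configuration
changetype: modify
replace: ibm-slapdSslAuth
ibm-slapdSslAuth: serverauth
-
replace: ibm-slapdSecurity
ibm-slapdSecurity: sslonly
-
replace: ibm-slapdSslKeyDatabase
ibm-slapdSslKeyDatabase: /certs/LDAPSERVER_TEST1234.kdb
-
replace: ibm-slapdSecurePort
ibm-slapdSecurePort: 637
"""

# Constructed 'netstat -an' excerpt after the restart (placeholder address).
NETSTAT_OK = """tcp    0   0 0.0.0.0:22      0.0.0.0:*   LISTEN
tcp    0   0 9.42.62.72:637  0.0.0.0:*   LISTEN
tcp    0   0 9.42.62.72:3538 0.0.0.0:*   LISTEN
"""


def parse_modify_ldif(text):
    """Return {attribute: value} for one LDIF 'changetype: modify' record.

    Raises ValueError when the record is malformed: no dn/changetype header,
    a 'replace:' not followed by a value line for the same attribute, or two
    modifications not separated by a line containing only '-'.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("dn: "):
        raise ValueError("record must start with a dn: line")
    if len(lines) < 2 or lines[1] != "changetype: modify":
        raise ValueError("second line must be 'changetype: modify'")
    changes = {}
    i = 2
    while i < len(lines):
        match = re.fullmatch(r"replace: (\S+)", lines[i])
        if not match:
            raise ValueError(f"expected 'replace: <attr>' at line {i + 1}, got {lines[i]!r}")
        attr = match.group(1)
        if i + 1 >= len(lines) or not lines[i + 1].startswith(attr + ": "):
            raise ValueError(f"'replace: {attr}' is not followed by a '{attr}:' value line")
        changes[attr] = lines[i + 1].split(": ", 1)[1]
        i += 2
        # A trailing '-' after the last modification is permitted by LDIF;
        # between modifications it is mandatory.
        if i < len(lines):
            if lines[i] != "-":
                raise ValueError(f"missing '-' separator before line {i + 1}: {lines[i]!r}")
            i += 1
    return changes


def validate_ldif(text):
    """Return None when the record parses, otherwise the error message."""
    try:
        parse_modify_ldif(text)
        return None
    except ValueError as exc:
        return str(exc)


def expected_secure_port(changes):
    """Secure port the server should bind after the change (636 if unchanged)."""
    return int(changes.get("ibm-slapdSecurePort", "636"))


def listening_ports(netstat_output):
    """Extract local TCP ports in LISTEN state from 'netstat -an' output."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def check_listener(changes, netstat_output, plain_port=389):
    """Return (ok, problems): the secure port must listen; with sslonly, 389 must not."""
    ports = listening_ports(netstat_output)
    problems = []
    secure = expected_secure_port(changes)
    if secure not in ports:
        problems.append(f"secure port {secure} is not listening")
    if changes.get("ibm-slapdSecurity") == "sslonly" and plain_port in ports:
        problems.append(f"ibm-slapdSecurity is sslonly but port {plain_port} still listens")
    return (not problems, problems)


if __name__ == "__main__":
    cfg = parse_modify_ldif(SSL_LDIF)
    print("LDIF changes:", cfg)
    ok, issues = check_listener(cfg, NETSTAT_OK)
    print("listener check:", "OK" if ok else issues)
```

To use it against a real server, replace SSL_LDIF with the contents of your ssl.ldif before running idsldapmodify, and replace NETSTAT_OK with the output of netstat -an captured after the restart in step 5; a non-empty problems list means either the secure port did not come up or the plaintext listener is still open.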

Parent topic: Secure communication with supported middleware