Configure IBM Tivoli Directory Server for SSL access

Enable SSL to secure communication between the Tivoli Directory Server and the ISAM components.

See also the information for securing directory communications in the Tivoli Directory Server Knowledge Center for the details of each step. These steps assume that you already configured the Tivoli Directory Server.

Steps

  1. Create the key database, its password, and the associated password stash file on the Tivoli Directory Server system. For example, use the gsk8capicmd_64 command to create a CMS key database with a stashed password (the same password, serverpwd here, is used in the later commands):

      gsk8capicmd_64 -keydb -create -db /key/myldap.kdb -pw serverpwd -type cms -stash -empty

     The stash file (/key/myldap.sth) only obfuscates the password, so restrict both files to the user that runs the directory server instance.

  2. If you do not already have a personal certificate or a self-signed certificate, do one of the following procedures:

      For a personal certificate:

      1. Request a personal certificate from a certificate authority (CA).
      2. Receive that personal certificate into the key database file.
      3. Add a signer certificate for the certificate authority to the key database file.

      For a self-signed certificate:

      1. Create a self-signed certificate. For example,

          gsk8capicmd_64 -cert -create -db /key/myldap.kdb -pw serverpwd -sigalg algorithm_id -label serverlabel -dn "cn=LDAP_Server,o=sample" -size keysize

        where:

          db
          Specifies the .kdb file that is the key database.

          pw
          Password to access the key database.

          sigalg
          Signing algorithm used to sign the certificate. The values that correspond to each compliance mode are listed in the following table; the keysize column gives the matching -size value. This setting requires Tivoli Directory Server 6.3.0.17 or later. Skip this setting if you are using an earlier version of Tivoli Directory Server or if the environment does not require a compliance configuration.

          Compliance mode        algorithm_id value   keysize value
          none                   SHA1WithRSA          2048
          fips                   SHA1WithRSA          2048
          sp800-131-transition   SHA256WithRSA        2048
          sp800-131-strict       SHA256WithRSA        2048
          suite-b-128            SHA256WithECDSA      256
          suite-b-192            SHA384WithECDSA      384

          SHA-1 certificate signatures are deprecated and rejected by many current TLS clients, so even in the none and fips modes prefer SHA256WithRSA unless a legacy client requires SHA-1.

          label
          Label attached to the certificate. The directory server selects the certificate by this label (the ibm-slapdSslCertificate attribute that is set in step 3), so either use the label that is already configured there or set ibm-slapdSslCertificate to the label that you choose here.

          dn
          Indicates an X.500 distinguished name. An example format: CN=common_name, O=organization, C=country.

          size
          The size, in bits, of the new key pair. The valid range depends on the key type. For some algorithms, you can specify 0 to use the default key size, which is typically the minimum size that is considered secure. The valid values are:

            For RSA algorithms:
            512 - 4096. Choose a size in this range that satisfies NIST SP800-131 (2048 or larger); 8192 is supported for validation only. The available sizes might vary with the security configuration. For example, 512-bit RSA keys cannot be generated in FIPS mode. The default is 1024, which no longer meets SP800-131, so pass -size 2048 explicitly rather than relying on the default.

            For EC algorithms:
            224 - 512. GSKit EC key generation supports the P256, P384, and P521 curves only, and the signing hash follows the curve (P521 keys use a 512-bit SHA2 hash):

            • 256 (SHA256)
            • 384 (SHA384)
            • 512 (SHA512)

      2. Extract the certificate in ASCII format. For example, type:

          gsk8capicmd_64 -cert -extract -db /key/myldap.kdb -pw serverpwd -label serverlabel -format ascii -target myldap.cert

        The -label value must be the label that you gave the certificate when you created it. In a subsequent configuration task, you import this certificate into the signer section of the key database on every client system that communicates securely with the server. Client systems include:

        • Any Security Verify Access server system.
        • Any other system that uses the Tivoli Directory Server client to communicate securely with the Tivoli Directory Server.
        • Any system that uses the ISAM Runtime component.

  3. Configure the Tivoli Directory Server instance to use the certificate. Create an ldif file with the appropriate configuration values to perform this step. For information about ldif files, see the Tivoli Directory Server Knowledge Center. If you do not create an ldif file for this step, you must enter the configuration on standard input.

    1. Create an ldif file containing the following values. Replace serverlabel, serverpwd, and the key database path with your own values.

        dn: cn=SSL, cn=Configuration
        changetype: modify
        replace: ibm-slapdSslAuth
        ibm-slapdSslAuth: serverAuth

      Use serverAuth or the value that is appropriate for the environment. The other valid value is serverClientAuth, which also requires each client to present a certificate that is trusted in the server key database (mutual TLS); choose it only after the client key databases are set up for it.

        dn: cn=SSL, cn=Configuration
        changetype: modify
        replace: ibm-slapdSecurity
        ibm-slapdSecurity: SSL

      Use SSL or the value that is appropriate for the environment. The valid values are none, SSL, SSLOnly, TLS, and SSLTLS: none disables secure connections, SSL listens on the secure port and keeps the non-secure port open, SSLOnly listens on the secure port only, TLS allows StartTLS on the non-secure port, and SSLTLS enables both the secure port and StartTLS. With SSL, clients that still connect to port 389 continue in clear text; switch to SSLOnly once every client has moved to the secure port.

        dn: cn=SSL, cn=Configuration
        changetype: modify
        replace: ibm-slapdSslKeyDatabase
        ibm-slapdSslKeyDatabase: /key/myldap.kdb

        dn: cn=SSL, cn=Configuration
        changetype: modify
        replace: ibm-slapdSslCertificate
        ibm-slapdSslCertificate: serverlabel

        dn: cn=SSL, cn=Configuration
        changetype: modify
        replace: ibm-slapdSslKeyDatabasepw
        ibm-slapdSslKeyDatabasepw: serverpwd

      If the key database has a password stash file (created with -stash in step 1), this last modification can be omitted: the server reads the password from the .sth file, which keeps it out of the configuration file.

    2. Save the file and name it. For example, name it serverauth.ldif.

    3. Run the idsldapmodify command. Replace the host name, bind DN, password, and file path with your own values.

        idsldapmodify -h server.in.ibm.com -p 389 -D cn=root -w root -i /home/dsrdbm01/serverauth.ldif

      where:

        -h hostname
        Host on which the LDAP server is running.

        -p port_number
        Specifies an alternative TCP port where the LDAP server is listening. The default LDAP port is 389. If -p is not specified and -Z is specified, the default LDAP SSL port 636 is used.

        -D binddn
        Use binddn to bind to the LDAP directory. binddn is a string-represented DN. When used with -m DIGEST-MD5, it specifies the authorization ID, which can be either a DN or an authzId string that starts with u: or dn:. -D binddn -w passwd does not call bind functions on superuser DNs.

        -w passwd
        Password for binddn. A password given on the command line is visible in the process list and shell history; use -w ? to be prompted for it instead.

        -i filename
        Read the modification records from an LDIF file instead of from standard input. If an LDIF file is not specified, you must supply the update records in LDIF format on standard input.
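      The modify records above can also be generated from parameters, checked against the values this step lists as valid, and written as a single record. The following shell functions are an added example, not part of the IBM documentation or the product: they assume the stash file from step 1 exists (so the password record is omitted), and the paths and labels are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: build the step-3 LDIF from
# parameters, validate each value against the set the page lists as valid,
# and emit it as ONE modify record. The page's five single-change records work
# too, but one record is applied as a single atomic modify operation (RFC 4511),
# so the server is never left with, say, ibm-slapdSecurity: SSL and a stale
# key database path if a later record is rejected.
#
# Assumption: the key database was created with -stash (step 1), so the server
# reads the password from the .sth file and ibm-slapdSslKeyDatabasePW is left
# out rather than stored in clear text in the configuration.
#
# Usage: gen_ssl_ldif /key/myldap.kdb serverlabel serverAuth SSL > serverauth.ldif

gen_ssl_ldif() {
    keydb=$1 label=$2 auth=${3:-serverAuth} security=${4:-SSL}

    # Key database: absolute path to a CMS .kdb file (the page uses /key/myldap.kdb).
    case $keydb in
        /*.kdb) ;;
        *) echo "keydb must be an absolute path ending in .kdb, got '$keydb'" >&2; return 1 ;;
    esac
    # Label: must match the -label given to gsk8capicmd_64 -cert -create.
    [ -n "$label" ] || { echo "certificate label is required" >&2; return 1; }
    # ibm-slapdSslAuth: serverAuth (server presents a certificate) or
    # serverClientAuth (clients must present one as well).
    case $auth in
        serverAuth|serverClientAuth) ;;
        *) echo "ibm-slapdSslAuth must be serverAuth or serverClientAuth, got '$auth'" >&2; return 1 ;;
    esac
    # ibm-slapdSecurity: the five values the page lists as valid.
    case $security in
        none|SSL|SSLOnly|TLS|SSLTLS) ;;
        *) echo "ibm-slapdSecurity must be none, SSL, SSLOnly, TLS or SSLTLS, got '$security'" >&2; return 1 ;;
    esac

    # A line containing only "-" separates the changes of one modify record (RFC 2849).
    cat <<EOF
dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslAuth
ibm-slapdSslAuth: $auth
-
replace: ibm-slapdSecurity
ibm-slapdSecurity: $security
-
replace: ibm-slapdSslKeyDatabase
ibm-slapdSslKeyDatabase: $keydb
-
replace: ibm-slapdSslCertificate
ibm-slapdSslCertificate: $label
EOF
}
```

      Feed the output to idsldapmodify with -i as in the command above. The validation catches the easy-to-miss spelling of the enumerated values (for example SSlOnly) before the server rejects the file.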

  4. Update the compliance type (such as FIPS), if required for your environment. This step requires Tivoli Directory Server 6.3.0.17 or later. Skip this step if you are using an earlier version of Tivoli Directory Server or if your environment does not require a compliance configuration. Create an ldif file with the appropriate configuration values to perform this step. For information about ldif files, see the Tivoli Directory Server Knowledge Center. If you do not create an ldif file for this step, you must enter the configuration on standard input.

    1. Choose the compliance mode to use in the environment.

      • none
      • fips
      • sp800-131-transition
      • sp800-131-strict
      • suite-b-128
      • suite-b-192

      For descriptions of these compliance modes, see the documentation that came with the Tivoli Directory Server fix pack.

    2. Create an ldif file containing the appropriate values for the compliance mode to use.

      For each compliance mode, the first block lists the ibm-slapdSetenv values to set on the entry cn=Front End, cn=Configuration, and the second block lists the attributes to set on the entry cn=SSL, cn=Configuration. Both ibm-slapdSetenv and ibm-slapdSslCipherSpec are multi-valued: a replace of ibm-slapdSslCipherSpec must list every cipher suite you want to keep, and a replace of ibm-slapdSetenv discards any other environment settings stored there, so add the new value instead when others exist. Each value must be on a single line in the ldif file, including the long IBMSLAPD_SSL_EXTN_SIGALG value.

      none

        cn=Front End, cn=Configuration:

          ibm-slapdSetenv: IBMSLAPD_SECURITY_PROTOCOL=SSLV3,TLS10,TLS11,TLS12

        cn=SSL, cn=Configuration:

          ibm-slapdSecurity: SSLTLS
          ibm-slapdSslFIPSModeEnabled: false
          ibm-slapdSslFIPSProcessingMode: false
          ibm-slapdSslCipherSpec: AES
          ibm-slapdSslCipherSpec: AES-128
          ibm-slapdSslCipherSpec: RC4-128-MD5
          ibm-slapdSslCipherSpec: RC4-128-SHA
          ibm-slapdSslCipherSpec: TripleDES-168
          ibm-slapdSslCipherSpec: DES-56
          ibm-slapdSslCipherSpec: RC2-40-MD5
          ibm-slapdSslCipherSpec: RC4-40-MD5
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_GCM_SHA384
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_RC4_128_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_RC4_128_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

        This mode keeps SSLv3 and the RC4, single DES, 40-bit RC2 and RC4, and MD5-based suites enabled, all of which are broken. Use it only while a legacy client cannot be upgraded, and even then remove those ibm-slapdSslCipherSpec values and SSLV3 from the protocol list unless that client needs them.

      fips

        cn=Front End, cn=Configuration:

          ibm-slapdSetenv: IBMSLAPD_SECURITY_PROTOCOL=TLS10,TLS11,TLS12

        cn=SSL, cn=Configuration:

          ibm-slapdSecurity: SSLTLS
          ibm-slapdSslFIPSProcessingMode: true
          ibm-slapdSslCipherSpec: AES
          ibm-slapdSslCipherSpec: AES-128
          ibm-slapdSslCipherSpec: TripleDES-168
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_GCM_SHA384
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

      sp800-131-transition

        cn=Front End, cn=Configuration:

          ibm-slapdSetenv: IBMSLAPD_SECURITY_PROTOCOL=TLS10,TLS11,TLS12

        cn=SSL, cn=Configuration:

          ibm-slapdSecurity: SSLTLS
          ibm-slapdSslFIPSProcessingMode: true
          ibm-slapdSslCipherSpec: AES
          ibm-slapdSslCipherSpec: AES-128
          ibm-slapdSslCipherSpec: TripleDES-168
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_GCM_SHA384
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

      sp800-131-strict

        cn=Front End, cn=Configuration:

          ibm-slapdSetenv: IBMSLAPD_SECURITY_PROTOCOL=TLS12
          ibm-slapdSetenv: IBMSLAPD_SSL_EXTN_SIGALG=GSK_TLS_SIGALG_RSA_WITH_SHA224,GSK_TLS_SIGALG_RSA_WITH_SHA256,GSK_TLS_SIGALG_RSA_WITH_SHA384,GSK_TLS_SIGALG_RSA_WITH_SHA512,GSK_TLS_SIGALG_ECDSA_WITH_SHA224,GSK_TLS_SIGALG_ECDSA_WITH_SHA256,GSK_TLS_SIGALG_ECDSA_WITH_SHA384,GSK_TLS_SIGALG_ECDSA_WITH_SHA512

        cn=SSL, cn=Configuration:

          ibm-slapdSecurity: SSLTLS
          ibm-slapdSslFIPSProcessingMode: true
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_GCM_SHA384
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

      suite-b-128

        cn=Front End, cn=Configuration:

          ibm-slapdSetenv: IBMSLAPD_SUITEB_MODE=128

        cn=SSL, cn=Configuration:

          ibm-slapdSecurity: SSLTLS

      suite-b-192

        cn=Front End, cn=Configuration:

          ibm-slapdSetenv: IBMSLAPD_SUITEB_MODE=192

        cn=SSL, cn=Configuration:

          ibm-slapdSecurity: SSLTLS

    3. Save the file and name it. For example, name it compmode.ldif.

    4. Run the idsldapmodify command. Replace the host name, bind DN, password, and file path with your own values.

        idsldapmodify -h server.in.ibm.com -p 389 -D cn=root -w root -i /home/dsrdbm01/compmode.ldif

      where the options have the same meaning as in step 3.

  5. Make a note of the SSL secure port number on this server. The default secure port number is 636 (the ibm-slapdSecurePort attribute of cn=Configuration).
  6. Copy the signer certificate (for a self-signed server certificate, the file extracted in step 2, for example myldap.cert; for a CA-issued certificate, the CA certificate) and have it available to copy onto each computer on which Security Verify Access components are installed and with which you want to enable SSL communication. In a subsequent task, you add this certificate to the key database on that computer.
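  Once the directory server instance has been restarted so the new settings take effect, the following shell check confirms what the secure port actually negotiates. It is an added example, not from the IBM documentation or the product: it runs openssl s_client with the certificate extracted in step 2 as the CA file and enforces the protocol you expect for your compliance mode. Host name, port, file path and expected protocol are assumptions, and the two sample outputs are constructed for offline use, not captured from a server.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: verify the secure port after
# the change takes effect. probe_ldaps opens a TLS session with openssl s_client;
# check_session parses the SSL-Session summary, requires the expected protocol,
# rejects cipher suites that should never appear on a live port, and requires
# that the server chain verified against the certificate extracted in step 2.
# Host name, port and CA file below are assumptions; adjust them to your site.
#
# Usage: probe_ldaps server.in.ibm.com 636 /tmp/myldap.cert TLSv1.2

# check_session WANTED_PROTOCOL   (reads openssl s_client output on stdin)
# Prints "protocol=... cipher=... verify=..." and returns non-zero on any violation.
check_session() {
    want=$1
    out=$(cat)
    proto=$(printf '%s\n' "$out"  | awk -F': *' '/^ *Protocol *:/ {print $2; exit}')
    cipher=$(printf '%s\n' "$out" | awk -F': *' '/^ *Cipher *:/   {print $2; exit}')
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf 'protocol=%s cipher=%s verify=%s\n' "$proto" "$cipher" "$verify"

    rc=0
    # No SSL-Session block: the handshake failed or the port is not speaking TLS.
    [ -n "$proto" ] && [ -n "$cipher" ] || { echo "no TLS session established" >&2; rc=1; }
    [ "$proto" = "$want" ] || { echo "protocol '$proto', wanted '$want'" >&2; rc=1; }
    # Suites from the "none" list that have no place on a live port. Add DES-CBC3
    # here as well once your compliance mode lets you drop 3DES.
    case $cipher in
        *RC4*|*RC2*|DES-CBC-*|*NULL*|*MD5*|EXP-*|'')
            echo "unacceptable cipher '$cipher'" >&2; rc=1 ;;
    esac
    # 0 means the chain verified against -CAfile; 18 or 21 mean the CA file did
    # not contain the server's (self-signed) certificate.
    [ "$verify" = "0" ] || { echo "certificate verification failed (code ${verify:-none})" >&2; rc=1; }
    return $rc
}

# probe_ldaps HOST [PORT] CAFILE [PROTOCOL]: live check against a running server.
probe_ldaps() {
    host=$1 port=${2:-636} cafile=$3 want=${4:-TLSv1.2}
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$cafile" \
        </dev/null 2>/dev/null | check_session "$want"
}

# Constructed, trimmed s_client output for offline use (not captured from a server).
SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = LDAP_Server, O = sample
   i:CN = LDAP_Server, O = sample
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---'

# Same shape, but what a server still in the "none" mode with a missing -CAfile looks like.
SAMPLE_WEAK='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 18 (self signed certificate)
---'
```

  Run the probe once per compliance mode you expect (TLSv1.2 for sp800-131-strict, for example) and again without -CAfile if you want to confirm that clients with no signer certificate are refused rather than silently trusting the server.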

Parent topic: Security Directory Server installation