Configure IBM Security Directory Server for z/OS for SSL access

When ISAM and LDAP services are not on the same protected network, enable SSL communication between the LDAP server and the clients that support Security Verify Access. This protocol provides secure and encrypted communications between each server and client. Security Verify Access uses these communications channels as part of the process for making authentication and authorization decisions.

The following high-level steps are required to enable SSL/TLS support on z/OS. These steps assume that you have already installed and configured the LDAP directory server, installed z/OS Cryptographic Services System SSL, and set STEPLIB, LPALIB, or LINKLIST so that the System SSL libraries are available to the server.

Steps

  1. Configure the LDAP server to listen for LDAP requests on the SSL port for server authentication and optionally, client authentication. See Security options in the ibmslapd.conf file.
  2. Generate the LDAP server private key and server certificate. Mark the certificate as the default in the key database or key ring, or identify the certificate by using its label on the sslCertificate option in the configuration file.

    The z/OS LDAP Server can use certificates in a key ring that is managed with the RACF RACDCERT command.

    The gskkyman utility, which was used in previous releases, can still be used; an example of using it to create a key database file can be found in Create a key database file.

  3. Restart the LDAP server.
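The following configuration fragment is an added example, not text from the original page or from IBM documentation. It shows what steps 1 and 2 look like in the server configuration file when the certificate lives in a RACF key ring: the secure listener, the authentication mode, the key-ring reference and the sslCertificate label. The ring name LDAPRING, the owning user ID LDAPSRV and the certificate label LDAP Server Cert are assumed values; the option names follow the z/OS LDAP server conventions and should be checked against the configuration-file reference for the level of the server in use.

```conf
# --- Added example: SSL/TLS listener settings for the z/OS LDAP server ---
# Keep the non-SSL listener only if clients on the protected network still
# need it; clients on other networks should be pointed at the ldaps port.
listen ldap://:389
listen ldaps://:636

# Authentication mode for the SSL port.
#   serverAuth       - the server presents its certificate; clients verify it
#   serverClientAuth - additionally requires a client certificate (optional
#                      client authentication described in step 1)
sslAuth serverAuth

# Key ring managed with RACDCERT (step 2). With a RACF key ring no password
# or stash file is required; the server's user ID must be permitted to read
# the ring. Assumed ring name: LDAPRING, owned by assumed user ID LDAPSRV.
sslKeyRingFile LDAPSRV/LDAPRING

# Select the server certificate by label. This is optional when the
# certificate was connected to the ring with the DEFAULT keyword; otherwise
# the label must match exactly. Assumed label shown.
sslCertificate "LDAP Server Cert"

# Alternative for a gskkyman key database file instead of a RACF key ring
# (uncomment and remove sslKeyRingFile above):
# sslKeyRingFile        /etc/ldap/ldapsrv.kdb
# sslKeyRingPWStashFile /etc/ldap/ldapsrv.sth
```

After the file is updated, restart the server (step 3) and confirm that the ldaps port accepts connections before directing Security Verify Access at it; if the server fails to start, the System SSL return code logged at startup usually identifies whether the problem is the ring name, the label, or the server user ID's access to the ring.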
