SSL and the Lightweight Directory Access Protocol module

IBM HTTP Server provides the ability to use a secure connection between the LDAP module running in the Web server and the LDAP server. If this feature is enabled, all communication between the Web server and the LDAP server (including the bind credentials and every query) is encrypted with SSL instead of being sent in cleartext.

To enable this feature, edit the ldap.prop LDAP configuration file and change the value of ldap.transport to SSL. Create or obtain a certificate database file (X.kdb) and a password stash file (Y.sth), where X and Y stand for the file names you choose. You can use ikeyman to create or obtain the key database file. You must use the ldapstash program to create the stash file; the stash file holds the key database password so that the Web server can open the key database without prompting, so protect it with the same file permissions as the key database itself. You also need to change the values of ldap.URL and ldap.group.URL to use port 636 (the default LDAP-over-SSL port) instead of port 389; if your LDAP server listens for SSL on another port, use that port instead.

The key database file contains the certificates which establish identity: the Web server's own certificate, and the signer certificate that lets the Web server validate the certificate presented by the LDAP server. The LDAP server can require that the Web server provide a certificate before allowing queries. When using a certificate with an SSL connection between the LDAP module and the LDAP server, the user ID that IHS is configured to run as must have write permission to the key database file containing the certificate; read permission alone is not sufficient.

Because certificates establish identity, the key database must be protected so that other users cannot steal or overwrite your certificates (and therefore your identity). Anyone with read permission to the key database file can retrieve the certificates and private keys in it and masquerade as the Web server; anyone with write permission can replace them. Grant read and write permission only to the owner of the key database file (the user ID that IHS runs as), and give no permission at all to the group or to other users; apply the same restriction to the stash file.
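The following script is an added example and is not part of the IBM HTTP Server product or its documentation. It checks an ldap.prop file for the settings this page calls for (ldap.transport set to SSL, both URLs on the SSL port) and checks the key database file's permissions against the rule above (owner read and write, nothing for group or other). The property names ldap.transport, ldap.URL and ldap.group.URL come from this page; the key-file and stash-file property names ldap.key.fileName and ldap.key.file.password.stashfile are assumptions, as are the host name, paths and the sample file contents, which are constructed for the example.

```python
"""Audit IHS ldap.prop SSL settings and key database permissions.

Added example, not IBM code. The key-file property names below are
assumed; confirm them against your own ldap.prop before relying on them.
"""
import os
import stat
from urllib.parse import urlsplit

# Assumed property names for the key database and the stash file.
KDB_KEY = "ldap.key.fileName"
STASH_KEY = "ldap.key.file.password.stashfile"

LDAP_PORT = 389    # cleartext LDAP
LDAPS_PORT = 636   # default LDAP-over-SSL port; adjust if your server differs

# Constructed sample: the weak configuration before the change described above.
SAMPLE_BEFORE = """\
# constructed sample, not a real IHS configuration
ldap.transport=TCP
ldap.URL=ldap://ldap.example.com:389/o=example
ldap.group.URL=ldap://ldap.example.com:389/o=example
"""

# Constructed sample: the same file after switching the module to SSL.
SAMPLE_AFTER = """\
ldap.transport=SSL
ldap.URL=ldap://ldap.example.com:636/o=example
ldap.group.URL=ldap://ldap.example.com:636/o=example
ldap.key.fileName=/opt/IBM/HTTPServer/conf/ldapkey.kdb
ldap.key.file.password.stashfile=/opt/IBM/HTTPServer/conf/ldapkey.sth
"""


def parse_props(text):
    """Parse the key=value lines of ldap.prop; '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def url_port(url):
    """Return the explicit port in an LDAP URL, or None if absent or invalid."""
    try:
        return urlsplit(url).port
    except ValueError:
        return None


def audit_props(props):
    """Return a list of findings; an empty list means the settings match the page."""
    findings = []
    if props.get("ldap.transport", "").upper() != "SSL":
        findings.append("ldap.transport is not SSL; LDAP traffic is sent in cleartext")
    for key in ("ldap.URL", "ldap.group.URL"):
        url = props.get(key)
        if url is None:
            findings.append(f"{key} is not set")
            continue
        port = url_port(url)
        # No explicit port means the cleartext default; 389 is cleartext too.
        if port is None or port == LDAP_PORT:
            findings.append(f"{key} does not use the SSL port {LDAPS_PORT}: {url}")
    for key in (KDB_KEY, STASH_KEY):
        if not props.get(key):
            findings.append(f"{key} is not set (assumed property name)")
    return findings


def audit_kdb_mode(mode, ihs_uid=None, owner_uid=None):
    """Check key database permission bits: owner rw only, no group/other access."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key database is accessible to group or other users; "
                        "its certificates can be copied or replaced")
    owner_rw = stat.S_IRUSR | stat.S_IWUSR
    if (mode & owner_rw) != owner_rw:
        findings.append("owner lacks read+write on the key database; IHS needs both")
    if ihs_uid is not None and owner_uid is not None and ihs_uid != owner_uid:
        findings.append("key database is not owned by the IHS user ID")
    return findings


def audit_kdb_file(path, ihs_uid=None):
    """Stat a real key database (or stash) file and audit its mode and owner."""
    st = os.stat(path)
    return audit_kdb_mode(stat.S_IMODE(st.st_mode), ihs_uid, st.st_uid)


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_props(parse_props(text)) or "OK")
    print("mode 0644:", audit_kdb_mode(0o644))
    print("mode 0600:", audit_kdb_mode(0o600) or "OK")
```

Run audit_kdb_file on both the .kdb and the .sth file with the numeric UID that IHS runs as; a finding on either file means the owner-only rule above is not being enforced.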