ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahu_5.4.0.1/rzahumanageldaploc.htm

106 lines
8.4 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Manage LDAP location for user certificates" />
<meta name="abstract" content="Review this information to learn how to configure DCM to store user certificates in a Lightweight Directory Access Protocol (LDAP) server directory location to extend Enterprise Identity Mapping to work with user certificates." />
<meta name="description" content="Review this information to learn how to configure DCM to store user certificates in a Lightweight Directory Access Protocol (LDAP) server directory location to extend Enterprise Identity Mapping to work with user certificates." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahumanagedcm.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahuandeim.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahu_manage_ldap_loc" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Manage LDAP location for user certificates</title>
</head>
<body id="rzahu_manage_ldap_loc"><a name="rzahu_manage_ldap_loc"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Manage LDAP location for user certificates</h1>
<div><p>Review this information to learn how to configure
DCM to store user certificates in a Lightweight Directory Access Protocol
(LDAP) server directory location to extend Enterprise Identity Mapping to
work with user certificates.</p>
<div class="section"> <p>By default, Digital Certificate Manager (DCM) stores the user
certificates that the Local Certificate Authority (CA) issues with <span class="keyword">i5/OS™</span> user profiles. However, you
can configure Digital Certificate Manager (DCM) in conjunction with Enterprise
Identity Mapping (EIM) so that when the Local Certificate Authority (CA) issues
user certificates, the public copy of the certificate is stored in a specific
Lightweight Directory Access Protocol (LDAP) server directory location. A
combined configuration of EIM with DCM allows you to store user certificates
in an LDAP directory location to make the certificates more readily available
to other applications. This combined configuration also allows you to use
EIM to manage user certificates as a type of user identity within your enterprise.</p>
<div class="p"><div class="note"><span class="notetitle">Note:</span> If
you want a user to store a certificate from a different CA in the LDAP location,
the user must complete the <span class="uicontrol">Assign a user certificate</span> task.</div>
</div>
<p>EIM
is an <span id="rzahu_manage_ldap_loc__eserver_logo"><a name="rzahu_manage_ldap_loc__eserver_logo"><!-- --></a><img src="eserver.gif" alt="eServer" /></span> technology
that allows you to manage user identities in your enterprise, including <span class="keyword">i5/OS</span> user profiles and user certificates.
If you want to use EIM to manage user certificates, you need to perform these
EIM configuration tasks before performing any DCM configuration tasks: </p>
</div>
<ol><li class="stepexpand"><span>Use the <span class="uicontrol">EIM Configuration</span> wizard in <span class="keyword">iSeries™ Navigator</span> to configure EIM. </span></li>
<li class="stepexpand"><img src="./delta.gif" alt="Start of change" /><span>Create the X.509 registry in the EIM domain to be used
for certificate associations</span><img src="./deltaend.gif" alt="End of change" /></li>
<li class="stepexpand"><img src="./delta.gif" alt="Start of change" /><span>Select the Properties menu option for the Configuration
folder in the EIM domain and enter the X.509 registry name. </span><img src="./deltaend.gif" alt="End of change" /></li>
<li class="stepexpand"><span>Create an EIM identifier for each user that you want to have participate
in EIM. </span></li>
<li class="stepexpand"><span>Create a target association between each EIM identifier and that
user's user profile in the local <span class="keyword">i5/OS</span> user
registry. Use the EIM registry definition name for the local <span class="keyword">i5/OS</span> user
registry that you specified in the <span class="uicontrol">EIM Configuration</span> wizard. </span> <div class="note"><span class="notetitle">Note:</span> For more information about configuring EIM, see the <a href="../rzalv/rzalvmst.htm">EIM</a> topic in the . </div>
</li>
</ol>
<div class="section"> <p>After you complete the necessary EIM configuration tasks, you
must perform the following tasks to finish the overall configuration for using
EIM and DCM together: </p>
<ol><li>In DCM, use the <span class="uicontrol">Manage LDAP Location</span> task to specify
the LDAP directory that DCM will use to store a user certificate that the
Local CA creates. The LDAP location does not need to be on the local <span class="keyword">iSeries</span> system, nor does it need to
be the same LDAP server that EIM uses. When you configure the LDAP location
in DCM, DCM uses the specified LDAP directory to store all user certificates
that the Local CA issues. DCM also uses the LDAP location to store user certificates
processed by the <span class="uicontrol">Assign a user certificate</span> task instead
of storing the certificate with a user profile. </li>
<li>Run the <span class="uicontrol">Convert User Certificates</span> (<a href="../cl/cvtusrcert.htm">CVTUSRCERT</a>) command. This
command copies existing user certificates into the appropriate LDAP directory
location. However, the command only copies certificates for a user that has
had a target association created between an EIM identifier and the user profile.
The command then creates a source association between each certificate and
the associated EIM identifier. The command uses the certificate's subject
distinguished name (DN), issuer DN, and a hash of these DNs along with the
certificate's public key to define the user identity name for the source association.</li>
</ol>
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />To anonymously bind to an LDAP server for CRL processing,
you must use the Directory Server Web Administration Tool and select the "Manage
schema" task to change the security class (also referred to as "access class")
of the certificateRevocationList and authorityRevocationList attributes from
"critical" to "normal", and leave both the <span class="uicontrol">Login distinguished
name</span> field and the <span class="uicontrol">Password</span> field blank. <img src="./deltaend.gif" alt="End of change" /></div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahumanagedcm.htm" title="Use this information to learn how to use DCM to manage your certificates and the applications that use them. Also, you can learn about how to digitally sign objects and how to create and operate your own Certificate Authority.">Manage DCM</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzahuandeim.htm" title="Using Enterprise Identity Mapping (EIM) and Digital Certificate Mangers (DCM) together allows you to apply a certificate as the source of an EIM mapping lookup operation to map from the certificate to a target user identity associated with the same EIM identifier.">Digital certificates and Enterprise Identity Mapping (EIM)</a></div>
</div>
</div>
</body>
</html>