106 lines
8.4 KiB
HTML
106 lines
8.4 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="task" />
|
||
|
<meta name="DC.Title" content="Manage LDAP location for user certificates" />
|
||
|
<meta name="abstract" content="Review this information to learn how to configure DCM to store user certificates in a Lightweight Directory Access Protocol (LDAP) server directory location to extend Enterprise Identity Mapping to work with user certificates." />
|
||
|
<meta name="description" content="Review this information to learn how to configure DCM to store user certificates in a Lightweight Directory Access Protocol (LDAP) server directory location to extend Enterprise Identity Mapping to work with user certificates." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzahurzahumanagedcm.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzahuandeim.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzahu_manage_ldap_loc" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Manage LDAP location for user certificates</title>
|
||
|
</head>
|
||
|
<body id="rzahu_manage_ldap_loc"><a name="rzahu_manage_ldap_loc"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Manage LDAP location for user certificates</h1>
|
||
|
<div><p>Review this information to learn how to configure
|
||
|
DCM to store user certificates in a Lightweight Directory Access Protocol
|
||
|
(LDAP) server directory location to extend Enterprise Identity Mapping to
|
||
|
work with user certificates.</p>
|
||
|
<div class="section"> <p>By default, Digital Certificate Manager (DCM) stores the user
|
||
|
certificates that the Local Certificate Authority (CA) issues with <span class="keyword">i5/OS™</span> user profiles. However, you
|
||
|
can configure Digital Certificate Manager (DCM) in conjunction with Enterprise
|
||
|
Identity Mapping (EIM) so that when the Local Certificate Authority (CA) issues
|
||
|
user certificates, the public copy of the certificate is stored in a specific
|
||
|
Lightweight Directory Access Protocol (LDAP) server directory location. A
|
||
|
combined configuration of EIM with DCM allows you to store user certificates
|
||
|
in an LDAP directory location to make the certificates more readily available
|
||
|
to other applications. This combined configuration also allows you to use
|
||
|
EIM to manage user certificates as a type of user identity within your enterprise.</p>
|
||
|
<div class="p"><div class="note"><span class="notetitle">Note:</span> If
|
||
|
you want a user to store a certificate from a different CA in the LDAP location,
|
||
|
the user must complete the <span class="uicontrol">Assign a user certificate</span> task.</div>
|
||
|
</div>
|
||
|
<p>EIM
|
||
|
is an <span id="rzahu_manage_ldap_loc__eserver_logo"><a name="rzahu_manage_ldap_loc__eserver_logo"><!-- --></a><img src="eserver.gif" alt="eServer" /></span> technology
|
||
|
that allows you to manage user identities in your enterprise, including <span class="keyword">i5/OS</span> user profiles and user certificates.
|
||
|
If you want to use EIM to manage user certificates, you need to perform these
|
||
|
EIM configuration tasks before performing any DCM configuration tasks: </p>
|
||
|
</div>
|
||
|
<ol><li class="stepexpand"><span>Use the <span class="uicontrol">EIM Configuration</span> wizard in <span class="keyword">iSeries™ Navigator</span> to configure EIM. </span></li>
|
||
|
<li class="stepexpand"><img src="./delta.gif" alt="Start of change" /><span>Create the X.509 registry in the EIM domain to be used
|
||
|
for certificate associations</span><img src="./deltaend.gif" alt="End of change" /></li>
|
||
|
<li class="stepexpand"><img src="./delta.gif" alt="Start of change" /><span>Select the Properties menu option for the Configuration
|
||
|
folder in the EIM domain and enter the X.509 registry name. </span><img src="./deltaend.gif" alt="End of change" /></li>
|
||
|
<li class="stepexpand"><span>Create an EIM identifier for each user that you want to have participate
|
||
|
in EIM. </span></li>
|
||
|
<li class="stepexpand"><span>Create a target association between each EIM identifier and that
|
||
|
user's user profile in the local <span class="keyword">i5/OS</span> user
|
||
|
registry. Use the EIM registry definition name for the local <span class="keyword">i5/OS</span> user
|
||
|
registry that you specified in the <span class="uicontrol">EIM Configuration</span> wizard. </span> <div class="note"><span class="notetitle">Note:</span> For more information about configuring EIM, see the <a href="../rzalv/rzalvmst.htm">EIM</a> topic in the . </div>
|
||
|
</li>
|
||
|
</ol>
|
||
|
<div class="section"> <p>After you complete the necessary EIM configuration tasks, you
|
||
|
must perform the following tasks to finish the overall configuration for using
|
||
|
EIM and DCM together: </p>
|
||
|
<ol><li>In DCM, use the <span class="uicontrol">Manage LDAP Location</span> task to specify
|
||
|
the LDAP directory that DCM will use to store a user certificate that the
|
||
|
Local CA creates. The LDAP location does not need to be on the local <span class="keyword">iSeries</span> system, nor does it need to
|
||
|
be the same LDAP server that EIM uses. When you configure the LDAP location
|
||
|
in DCM, DCM uses the specified LDAP directory to store all user certificates
|
||
|
that the Local CA issues. DCM also uses the LDAP location to store user certificates
|
||
|
processed by the <span class="uicontrol">Assign a user certificate</span> task instead
|
||
|
of storing the certificate with a user profile. </li>
|
||
|
<li>Run the <span class="uicontrol">Convert User Certificates</span> (<a href="../cl/cvtusrcert.htm">CVTUSRCERT</a>) command. This
|
||
|
command copies existing user certificates into the appropriate LDAP directory
|
||
|
location. However, the command only copies certificates for a user that has
|
||
|
had a target association created between an EIM identifier and the user profile.
|
||
|
The command then creates a source association between each certificate and
|
||
|
the associated EIM identifier. The command uses the certificate's subject
|
||
|
distinguished name (DN), issuer DN, and a hash of these DNs along with the
|
||
|
certificate's public key to define the user identity name for the source association.</li>
|
||
|
</ol>
|
||
|
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />To anonymously bind to an LDAP server for CRL processing,
|
||
|
you must use the Directory Server Web Administration Tool and select the "Manage
|
||
|
schema" task to change the security class (also referred to as "access class")
|
||
|
of the certificateRevocationList and authorityRevocationList attributes from
|
||
|
"critical" to "normal", and leave both the <span class="uicontrol">Login distinguished
|
||
|
name</span> field and the <span class="uicontrol">Password</span> field blank. <img src="./deltaend.gif" alt="End of change" /></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahumanagedcm.htm" title="Use this information to learn how to use DCM to manage your certificates and the applications that use them. Also, you can learn about how to digitally sign objects and how to create and operate your own Certificate Authority.">Manage DCM</a></div>
|
||
|
</div>
|
||
|
<div class="reltasks"><strong>Related tasks</strong><br />
|
||
|
<div><a href="rzahuandeim.htm" title="Using Enterprise Identity Mapping (EIM) and Digital Certificate Mangers (DCM) together allows you to apply a certificate as the source of an EIM mapping lookup operation to map from the certificate to a target user identity associated with the same EIM identifier.">Digital certificates and Enterprise Identity Mapping (EIM)</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|