ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahyssl-rf.htm

65 lines
4.4 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with
the Directory Server</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahyssl-rf"></a>
<h3 id="rzahyssl-rf">Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with
the Directory Server</h3>
<p>To make communications with your Directory Server more secure, Directory Server can
use Secure Sockets Layer (SSL) security and Transport Layer Security (TLS).</p>
<p>SSL is the standard for Internet security. You can use SSL to communicate
with LDAP clients, as well as with replica LDAP servers. You can use client
authentication in addition to server authentication to provide additional
security to your SSL connections. Client authentication requires that the
LDAP client present a digital certificate that confirms the client's identity
to the server before a connection is established.</p>
<p>To use SSL, you must have Digital Certificate Manager (DCM), option 34
of i5/OS, installed on your system. DCM provides an interface for you to create
and manage digital certificates and certificate stores. See the &quot;<a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate Manager</a>&quot; topic for information about digital certificates
and using DCM. For information about SSL on iSeries, see the &quot;<a href="../rzain/rzainoverview.htm">Secure Sockets Layer (SSL)</a>&quot; topic.</p>
<p><img src="delta.gif" alt="Start of change" />TLS is designed as a successor to SSL and uses the same cryptographic
methods but supports more cryptographic algorithms. For information about
TLS on the iSeries server, see <a href="../rzain/rzainrzaintls.htm">Supported SSL and Transport
Layer Security (TLS) protocols</a>. TLS enables the server to receive secure
and unsecure communications from the client over the default port, 389. For
secure communications the client must use the StartTLS extended operation.<img src="deltaend.gif" alt="End of change" /></p>
<p>In order for a client to use TLS:</p>
<ol type="1">
<li>The Directory Server must be configured to use TLS or SSLTLS. See <a href="rzahyess-pi.htm#rzahyess-pi">Enable SSL and Transport Layer Security on the Directory Server</a>.</li>
<li>The -Y option needs to be specified on the client command line utilities.</li></ol>
<a name="wq49"></a>
<div class="notetitle" id="wq49">Note:</div>
<div class="notebody">TLS and SSL are not interoperable. Issuing a start TLS
request (the -Y option) over an SSL port causes an operations error.</div>
<p>A client can connect to the secure port (636) using either TLS or SSL.
StartTLS is an LDAP feature that allows you to start secure communication
over an existing non-secure connection (i.e. port 389). As such, you can
only use StartTLS (or command line utility -Y option) with the standard non-secure
port (389); you cannot use StartTLS with a secure connection.</p>
<p>For more information, see <a href="rzahyess-pi.htm#rzahyess-pi">Enable SSL and Transport Layer Security on the Directory Server</a>.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>