Enable SSL and Transport Layer Security on the Directory Server

SSL

If you have Digital Certificate Manager installed on your system, you can use Secure Sockets Layer (SSL) security to protect access to your Directory Server. Before enabling SSL on the directory server, you might find it helpful to read Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with the Directory Server.

To enable SSL on your LDAP server, do the following:

1. Associate a certificate with the Directory Server
   1. If you want to manage your Directory Server through an SSL connection from iSeries Navigator, see the iSeries Access for Windows User's Guide (it is optionally installed on your PC when you installed iSeries Navigator). If you are planning to allow both SSL and non-SSL connections to the directory server, you can choose to skip this step.
   2. Start IBM Digital Certificate Manager. See Start Digital Certificate Manager in the Digital Certificate Manager topic for more information.
   3. If you need to obtain or create certificates, or otherwise setup or change your certificate system, do so now. See Digital Certificate Manager for information about setting up a certificate system. There are two server applications and one client application associated with Directory Server. They are:

      Directory Server application

      The Directory Server application is the server itself.

      Directory Server publishing application

      The Directory Server publishing application identifies the certificate used by publishing.

      Directory Server client application

      The Directory Server client application identifies the default certificate used by applications using the LDAP client ILE APIs.

   4. Click the Select a Certificate Store button.
   5. Select *SYSTEM. Click Continue.
   6. Enter the appropriate password for *SYSTEM certificate store. Click Continue.
   7. When the left navigational menu reloads, expand Manage Applications.
   8. Click Update certificate assignment.
   9. On the next screen, select Server application. Click Continue.
   10. Select the Directory Server server.
   11. Click Update Certificate Assignment to assign a certificate to the Directory Server to use to establish its identity to iSeries Access for Windows clients.
       Note:
       If you choose a certificate from a CA whose CA certificate is not in your iSeries Access for Windows client's key database, you will need to add it in order to use SSL. Finish this procedure before beginning that one.
   12. Select a certificate from the list to assign to the server.
   13. Click Assign New Certificate.
   14. DCM reloads to the Update Certificate Assignment page with a confirmation message. When you are finished setting up the certificates for the Directory Server, click Done.
2. Associate a certificate for the Directory Server publishing. (optional step) If you also want to enable publishing from the system to a Directory Server through an SSL connection, you might want to also associate a certificate with the Directory Server publishing. This identifies the default certificate and trusted CAs for applications using the LDAP ILE APIs that do not specify their own application id or an alternate key database.
   1. Start IBM Digital Certificate Manager.
   2. Click the Select a Certificate Store button.
   3. Select *SYSTEM. Click Continue.
   4. Enter the appropriate password for *SYSTEM certificate store. Click Continue.
   5. When the left navigational menu reloads, expand Manage Applications.
   6. Click Update certificate assignment.
   7. On the next screen, select Client application. Click Continue.
   8. Select the Directory Server publishing.
   9. Click Update Certificate Assignment to assign a certificate to the Directory Server publishing that will establish its identity.
   10. Select a certificate from the list to assign to the server.
   11. Click Assign new certificate.
   12. DCM reloads to the Update Certificate Assignment page with a confirmation message.
       Note:
       These steps assume that you are already publishing information to the Directory Server with a non-SSL connection. See Publish information to the Directory Server for complete information about setting up publishing.
3. Associate a certificate for the Directory Server client. (optional step) If you have other applications that use SSL connections to a Directory Server, you must also associate a certificate with a the Directory Server client.
   1. Start IBM Digital Certificate Manager.
   2. Click the Select a Certificate Store button.
   3. Select *SYSTEM. Click Continue.
   4. Enter the appropriate password for *SYSTEM certificate store. Click Continue.
   5. When the left navigational menu reloads, expand Manage Applications.
   6. Click Update certificate assignment.
   7. On the next screen, select Client application. Click Continue.
   8. Select the Directory Server client.
   9. Click Update Certificate Assignment to assign a certificate to the Directory Server client that will establish its identity.
   10. Select a certificate from the list to assign to the server.
   11. Click Assign New Certificate.
   12. DCM reloads to the Update Certificate Assignment page with a confirmation message.

After SSL is enabled, you can change the port that the Directory Server uses for secured connections.

TLS

In order to use SSL or TLS, you must enable it in the iSeries Navigator.

1. In iSeries Navigator, expand Network.
2. Expand Servers.
3. Right-click Directory and select Properties.
4. On the Network tab check the check box next to Secure.

You can also specify the port number that you want to make secure. Clicking the Secure check box is an indication that an application can start an SSL or TLS connection over the secure port. It is also an indication that an application can issue a StartTLS operation to allow a TLS connection over the non secure port. Alternatively, TLS can be invoked by using the -Y option from a client command line utility. If using the command line, the ibm-slapdSecurity attribute must be equal to TLS or SSLTLS.

For more information on SSL and TLS, see Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with the Directory Server.