Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with the Directory Server

Directory Server can use Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to make communications with your Directory Server more secure.

SSL is the standard for Internet security. You can use SSL to communicate with LDAP clients, as well as with replica LDAP servers. You can use client authentication in addition to server authentication to provide additional security to your SSL connections. Client authentication requires that the LDAP client present a digital certificate that confirms the client's identity to the server before a connection is established.

To use SSL, you must have Digital Certificate Manager (DCM), option 34 of i5/OS, installed on your system. DCM provides an interface for you to create and manage digital certificates and certificate stores. See the "Digital Certificate Manager" topic for information about digital certificates and using DCM. For information about SSL on iSeries, see the "Secure Sockets Layer (SSL)" topic.

TLS is designed as a successor to SSL and uses the same cryptographic methods but supports more cryptographic algorithms. For information about TLS on the iSeries server, see Supported SSL and Transport Layer Security (TLS) protocols. TLS enables the server to receive both secure and non-secure communications from the client over the default port, 389. For secure communications over that port, the client must use the StartTLS extended operation.

In order for a client to use TLS:

  1. The Directory Server must be configured to use TLS or SSLTLS. See Enable SSL and Transport Layer Security on the Directory Server.
  2. The -Y option needs to be specified on the client command line utilities.
Note:
TLS and SSL are not interoperable. Issuing a StartTLS request (the -Y option) over an SSL port causes an operations error.

A client can connect to the secure port (636) using either TLS or SSL. StartTLS is an LDAP feature that allows you to start secure communication over an existing non-secure connection (i.e. port 389). As such, you can only use StartTLS (the -Y option of the command line utilities) with the standard non-secure port (389); you cannot use StartTLS over a connection that is already secure.
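The following is an added example, not code from the IBM documentation or from the i5/OS client utilities, that shows at wire level what the -Y option does: it sends an LDAP ExtendedRequest whose requestName is the StartTLS OID 1.3.6.1.4.1.1466.20037 (RFC 4511, section 4.14) over the plaintext port 389, reads the ExtendedResponse, and only then upgrades the same TCP connection to TLS. The `open_secure_ldap` helper is my own name for the port rule described above (636 is SSL/TLS from the first byte, 389 is upgraded with StartTLS). The server replies used as sample data are constructed with `build_extended_response` and their diagnostic text is invented for the example; the resultCode value 1 (operationsError) is the standard LDAP code for the "operations error" the note above mentions. It assumes a server that follows RFC 4511.

```python
"""Wire-level view of the LDAP StartTLS extended operation (RFC 4511, section 4.14).

Added example, not part of the IBM documentation or the i5/OS client utilities.
Sample replies below are constructed here; their diagnostic strings are not i5/OS messages.
"""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # requestName that the -Y option sends
SUCCESS = 0                                # LDAP resultCode values (RFC 4511, section 4.1.9)
OPERATIONS_ERROR = 1                       # the "operations error" an SSL port returns for StartTLS


def ber_length(n):
    """BER length octets: short form below 128, long form (0x80|N followed by N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_int(value):
    """INTEGER, minimal two's-complement encoding (messageID values)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { requestName [0] OID } }."""
    request_name = tlv(0x80, STARTTLS_OID.encode("ascii"))   # [0] context-specific, primitive
    extended_req = tlv(0x77, request_name)                   # 0x60 | 23: APPLICATION 23, constructed
    return tlv(0x30, ber_int(message_id) + extended_req)     # outer SEQUENCE


def build_extended_response(message_id, result_code, diagnostic="", response_name=STARTTLS_OID):
    """Constructed server reply; used here only to produce sample data for the parser."""
    result = (tlv(0x0A, bytes([result_code]))          # resultCode ENUMERATED
              + tlv(0x04, b"")                          # matchedDN, empty
              + tlv(0x04, diagnostic.encode("utf-8")))  # diagnosticMessage
    if response_name:
        result += tlv(0x8A, response_name.encode("ascii"))   # [10] responseName
    return tlv(0x30, ber_int(message_id) + tlv(0x78, result))  # 0x60 | 24: APPLICATION 24


def read_tlv(buf, pos):
    """Return (tag, content, position after this element) for the element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg):
    """Decode an ExtendedResponse into message_id, result_code, diagnostic and response_name."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag_id, mid, pos = read_tlv(body, 0)
    tag_op, resp, _ = read_tlv(body, pos)
    if tag_id != 0x02 or tag_op != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(resp, 0)          # resultCode
    _, _matched, pos = read_tlv(resp, pos)    # matchedDN
    _, diag, pos = read_tlv(resp, pos)        # diagnosticMessage
    response_name = None
    while pos < len(resp):                    # optional trailing fields: referral, responseName, responseValue
        tag, val, pos = read_tlv(resp, pos)
        if tag == 0x8A:
            response_name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8"),
            "response_name": response_name}


def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data


def recv_ldap_message(sock):
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)


def open_secure_ldap(host, port=389, ctx=None):
    """Port 636: SSL/TLS from the first byte, never StartTLS. Port 389: clear, then StartTLS upgrade."""
    ctx = ctx or ssl.create_default_context()   # verifies the server certificate by default
    sock = socket.create_connection((host, port))
    if port == 636:
        return ctx.wrap_socket(sock, server_hostname=host)
    sock.sendall(build_starttls_request(1))
    info = parse_extended_response(recv_ldap_message(sock))
    if info["result_code"] != SUCCESS:         # e.g. operationsError when sent to an SSL port
        sock.close()
        raise RuntimeError(f"StartTLS refused: resultCode={info['result_code']} {info['diagnostic']!r}")
    return ctx.wrap_socket(sock, server_hostname=host)   # same TCP connection, now encrypted


# Constructed sample replies (not captured from a real server).
SAMPLE_SUCCESS_REPLY = build_extended_response(1, SUCCESS)
SAMPLE_SSL_PORT_REPLY = build_extended_response(1, OPERATIONS_ERROR, "StartTLS sent over an SSL port (constructed)")
```

The request is 31 bytes on the wire (`30 1d 02 01 01 77 18 80 16` followed by the ASCII OID), which is all that distinguishes a StartTLS upgrade from an ordinary plaintext bind on port 389; once the response carries resultCode 0 the client performs the TLS handshake on the existing socket, whereas on port 636 the handshake happens before any LDAP message is exchanged.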

For more information, see Enable SSL and Transport Layer Security on the Directory Server.