ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahyess-pi.htm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Enable SSL and Transport Layer Security on the Directory Server</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script src="../rzahg/synch.js" type="text/javascript"></script>
<img src="delta.gif" alt="Start of change" />
<a name="rzahyess-pi"></a>
<h3 id="rzahyess-pi">Enable SSL and Transport Layer Security on the Directory Server</h3>
<p><span class="bold">SSL</span></p>
<p>If you have <a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate Manager</a> installed
on your system, you can use Secure Sockets Layer (SSL) security to protect
access to your Directory Server. Before enabling SSL on the directory server,
you might find it helpful to read <a href="rzahyssl-rf.htm#rzahyssl-rf">Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with
the Directory Server</a>.</p>
<p>To enable SSL on your LDAP server, do the following:</p>
<ol type="1">
<li><span class="bold">Associate a certificate with the Directory Server</span>
<ol type="a">
<li>If you want to manage your Directory Server through an SSL connection
from iSeries Navigator, see the iSeries Access for Windows User's Guide (it is optionally
installed on your PC when you install iSeries Navigator). If you are planning
to allow both SSL and non-SSL connections to the directory server, you can
choose to skip this step.</li>
<li>Start IBM Digital Certificate Manager. See <a href="../rzahu/rzahurzahu66adcmstart.htm">Start
Digital Certificate Manager</a> in the Digital Certificate Manager topic for
more information.</li>
<li>If you need to obtain or create certificates, or otherwise set up or change
your certificate system, do so now. See <a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate
Manager</a> for information about setting up a certificate system. There are
two server applications and one client application associated with Directory
Server. They are:
<dl>
<dt class="bold">Directory Server application</dt>
<dd>The Directory Server application is the server itself.
</dd>
<dt class="bold">Directory Server publishing application</dt>
<dd>The Directory Server publishing application identifies the certificate
used by publishing.
</dd>
<dt class="bold">Directory Server client application</dt>
<dd>The Directory Server client application identifies the default certificate
used by applications that use the LDAP client ILE APIs.
</dd>
</dl></li>
<li>Click the <span class="bold">Select a Certificate Store</span> button.</li>
<li>Select <span class="bold">*SYSTEM</span>. Click <span class="bold">Continue</span>.</li>
<li>Enter the appropriate password for *SYSTEM certificate store. Click <span class="bold">Continue</span>.</li>
<li>When the left navigational menu reloads, expand <span class="bold">Manage
Applications</span>.</li>
<li>Click <span class="bold">Update certificate assignment</span>.</li>
<li>On the next screen, select <span class="bold">Server</span> application. Click <span class="bold">Continue</span>.</li>
<li>Select the <span class="bold">Directory Server server</span>.</li>
<li>Click <span class="bold">Update Certificate Assignment</span> to assign a
certificate to the Directory Server to use to establish its identity to iSeries Access for Windows clients.
<a name="wq299"></a>
<div class="notetitle" id="wq299">Note:</div>
<div class="notebody">If you choose a certificate from a CA whose CA certificate is not
in your iSeries Access for Windows client's key database, you will need to add it in order to
use SSL. Finish
this procedure before beginning that one.</div></li>
<li>Select a certificate from the list to assign to the server.</li>
<li>Click <span class="bold">Assign New Certificate</span>.</li>
<li>DCM reloads to the <span class="bold">Update Certificate Assignment </span> page
with a confirmation message. When you are finished setting up the certificates
for the Directory Server, click <span class="bold">Done</span>.</li></ol></li>
<li><span class="bold">Associate a certificate for the Directory Server publishing</span> (optional step). If you also want to enable publishing from the system
to a Directory Server through an SSL connection, you might also want to associate
a certificate with the Directory Server publishing. This identifies the default
certificate and trusted CAs for applications using the LDAP ILE APIs that
do not specify their own application id or an alternate key database.
<ol type="a">
<li><a href="../rzahu/rzahurzahu66adcmstart.htm">Start</a> IBM Digital Certificate Manager.</li>
<li>Click the <span class="bold">Select a Certificate Store</span> button.</li>
<li>Select <span class="bold">*SYSTEM</span>. Click <span class="bold">Continue</span>.</li>
<li>Enter the appropriate password for *SYSTEM certificate store. Click <span class="bold">Continue</span>.</li>
<li>When the left navigational menu reloads, expand <span class="bold">Manage
Applications</span>.</li>
<li>Click <span class="bold">Update certificate assignment</span>.</li>
<li>On the next screen, select <span class="bold">Client</span> application. Click <span class="bold">Continue</span>.</li>
<li>Select the <span class="bold">Directory Server publishing</span>.</li>
<li>Click <span class="bold">Update Certificate Assignment </span> to assign a
certificate to the Directory Server publishing that will establish its identity.</li>
<li>Select a certificate from the list to assign to the server.</li>
<li>Click <span class="bold">Assign new certificate</span>.</li>
<li>DCM reloads to the <span class="bold">Update Certificate Assignment </span> page
with a confirmation message.
<a name="wq301"></a>
<div class="notetitle" id="wq301">Note:</div>
<div class="notebody">These steps assume that you are
already publishing information to the Directory Server with a non-SSL connection.
See <a href="rzahyusr-pi.htm#rzahyusr-pi">Publish information to the Directory Server</a> for complete information about setting up publishing.</div></li></ol></li>
<li><span class="bold">Associate a certificate for the Directory Server client</span> (optional step). If you have other applications that use SSL connections
to a Directory Server, you must also associate a certificate with the Directory
Server client.
<ol type="a">
<li><a href="../rzahu/rzahurzahu66adcmstart.htm">Start</a> IBM Digital Certificate Manager.</li>
<li>Click the <span class="bold">Select a Certificate Store</span> button.</li>
<li>Select <span class="bold">*SYSTEM</span>. Click <span class="bold">Continue</span>.</li>
<li>Enter the appropriate password for *SYSTEM certificate store. Click <span class="bold">Continue</span>.</li>
<li>When the left navigational menu reloads, expand <span class="bold">Manage
Applications</span>.</li>
<li>Click <span class="bold">Update certificate assignment</span>.</li>
<li>On the next screen, select <span class="bold">Client</span> application. Click <span class="bold">Continue</span>.</li>
<li>Select the <span class="bold">Directory Server client</span>.</li>
<li>Click <span class="bold">Update Certificate Assignment </span> to assign a
certificate to the Directory Server client that will establish its identity.</li>
<li>Select a certificate from the list to assign to the server.</li>
<li>Click <span class="bold">Assign New Certificate</span>.</li>
<li>DCM reloads to the <span class="bold">Update Certificate Assignment </span> page
with a confirmation message.</li></ol></li></ol>
<p>After SSL is enabled, you can <a href="rzahycptpi.htm#rzahycptpi">change the port</a> that
the Directory Server uses for secured connections.</p>
<p><span class="bold">TLS</span></p>
<p><img src="delta.gif" alt="Start of change" />In order to use SSL or TLS, you must enable it in iSeries
Navigator.</p>
<ol type="1">
<li>In iSeries Navigator, expand <span class="bold">Network</span>.</li>
<li>Expand <span class="bold">Servers</span>.</li>
<li>Right-click <span class="bold">Directory</span> and select <span class="bold">Properties</span>.</li>
<li>On the <span class="bold">Network</span> tab, select the <span class="bold">Secure</span> check box.</li></ol><img src="deltaend.gif" alt="End of change" />
<p><img src="delta.gif" alt="Start of change" />You can also specify the port number that you want to make secure.
Selecting the <span class="bold">Secure</span> check box indicates
that an application can start an SSL or TLS connection over the secure port.
It also indicates that an application can issue a StartTLS operation
to negotiate a TLS connection over the non-secure port. Alternatively, TLS can
be invoked by using the -Y option from a client command line utility. If you use
the command line, the ibm-slapdSecurity attribute must be set to TLS or
SSLTLS.<img src="deltaend.gif" alt="End of change" /></p>
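<p>The StartTLS operation described above (the operation a client utility issues when TLS is requested on the non-secure port) is an LDAP extended operation. The following example is added here and is not code from the IBM page or the Directory Server product: it encodes the StartTLS extended request a client sends and decodes the server's ExtendedResponse, so an administrator can confirm from a capture whether the server actually permits TLS to be negotiated on that port after the <span class="bold">Secure</span> setting is changed. Only the BER forms these two messages need are implemented, and the two server replies below are constructed fixtures, not captured traffic.</p>

```python
"""Encode the LDAP StartTLS extended request and decode the server's reply.

Added example; not part of the IBM Directory Server documentation. Implements
only the BER forms needed for LDAPMessage/ExtendedRequest/ExtendedResponse
(RFC 4511, RFC 4513). The server replies built below are constructed fixtures.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID

# LDAP result codes relevant to a StartTLS reply (RFC 4511, Appendix A).
SUCCESS = 0
PROTOCOL_ERROR = 2
UNAVAILABLE = 52


def ber_len(n: int) -> bytes:
    """BER definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(n: int) -> bytes:
    """Minimal two's-complement content octets for INTEGER / ENUMERATED."""
    return n.to_bytes((n.bit_length() // 8) + 1, "big", signed=True)


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value with a one-octet tag."""
    return bytes([tag]) + ber_len(len(value)) + value


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.

    0x77 = APPLICATION 23 constructed; 0x80 = context-specific [0] primitive.
    """
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID.encode("ascii")))
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + ext_req)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:  # APPLICATION 24 constructed
        raise ValueError(f"expected ExtendedResponse (0x78), got 0x{tag:02x}")
    # LDAPResult components: resultCode ENUMERATED, matchedDN, diagnosticMessage.
    _, rc, pos = read_tlv(op, 0)
    _, matched, pos = read_tlv(op, pos)
    _, diag, pos = read_tlv(op, pos)
    result = {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(rc, "big", signed=True),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
        "response_name": None,
    }
    while pos < len(op):  # optional trailing elements: referral [3], responseName [10]
        tag, val, pos = read_tlv(op, pos)
        if tag == 0x8A:  # context-specific [10] primitive
            result["response_name"] = val.decode("ascii")
    return result


def tls_may_start(response: dict) -> bool:
    """Only resultCode success (0) permits the TLS handshake on this connection."""
    return response["result_code"] == SUCCESS


def build_extended_response(message_id, result_code, diagnostic="", response_name=None):
    """Constructed server reply used as a fixture (not a real capture)."""
    body = tlv(0x0A, ber_int(result_code)) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode("utf-8"))
    if response_name:
        body += tlv(0x8A, response_name.encode("ascii"))
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + tlv(0x78, body))


# Constructed fixtures: a server that permits StartTLS on the non-secure port,
# and one that does not offer it.
SERVER_ACCEPTS = build_extended_response(1, SUCCESS, response_name=STARTTLS_OID)
SERVER_REFUSES = build_extended_response(1, PROTOCOL_ERROR, "StartTLS not supported")

if __name__ == "__main__":
    print("request :", starttls_request(1).hex())
    for label, reply in (("accepts", SERVER_ACCEPTS), ("refuses", SERVER_REFUSES)):
        parsed = parse_extended_response(reply)
        print(f"{label:8s} resultCode={parsed['result_code']} tls_may_start={tls_may_start(parsed)}")
```

<p>The encoded request is the fixed 31-byte message a StartTLS-capable client sends first on the non-secure port; a server whose configuration does not permit TLS answers with a non-zero resultCode, and the client must not begin a handshake in that case. Pass a reply captured from the Directory Server to <code>parse_extended_response</code> to see which of the two outcomes it produced.</p>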
<p>For more information on SSL and TLS, see <a href="rzahyssl-rf.htm#rzahyssl-rf">Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with
the Directory Server</a>.</p><img src="deltaend.gif" alt="End of change" />
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>