ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahymdu-rf.htm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights                   -->
<!-- Use, duplication or disclosure restricted by            -->
<!-- GSA ADP Schedule Contract with IBM Corp.                -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Using SSL with the LDAP command line utilities</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link --> 
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>


<a name="rzahymdu-rf"></a>
<h3 id="rzahymdu-rf">Using SSL with the LDAP command line utilities</h3>
<p><a href="rzahyssl-rf.htm#rzahyssl-rf">Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with
the Directory Server</a> discusses using SSL with the Directory Server LDAP server.
This information includes managing and creating trusted Certificate Authorities
with Digital Certificate Manager.</p>
<p>Some of the LDAP servers accessed by the client use server authentication
only. For these servers, you only need to define one or more trusted root
certificates in the certificate store. With server authentication, the client
can be assured that the target LDAP server has been issued a certificate by
one of the trusted Certificate Authorities (CAs). In addition, all LDAP transactions
that flow over the SSL connection with the server are encrypted. This includes
the LDAP credentials that are supplied on application program interfaces (APIs)
that are used to bind to the directory server. For example, if the LDAP server
is using a high-assurance Verisign certificate, you should do the following:</p>
<ol type="1">
<li>Obtain a CA certificate from Verisign.</li>
<li>Use DCM to import it into your certificate store.</li>
<li>Use DCM to mark it as trusted.</li></ol><p class="indatacontent">If the LDAP server is using a privately issued server certificate, the
servers administrator can supply you with a copy of the servers certificate
request file. Import the certificate request file into your certificate store
and mark it as trusted.</p>
<p>If you use the shell utilities to access LDAP servers that use both client
authentication and server authentication, you must do the following:</p>
<ul>
<li>Define one or more trusted root certificates in the system certificate
store. This allows the client to be assured that the target LDAP server has
been issued a certificate by one of the trusted CAs. In addition, all LDAP
transactions that flow over the SSL connection with the server are encrypted.
This includes the LDAP credentials that are supplied on application program
interfaces (APIs) that are used to bind to the directory server.</li>
<li>Create a key pair and request a client certificate from a CA.
After receiving the signed certificate from the CA, receive the certificate
into the key ring file on the client.</li></ul>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>