
Enable SSL on IBM Security Directory Server 6.4
Using CA certificates

Juan Quema
IBM Security Directory Server
L2 Support

© Copyright IBM Corp. 2020


Agenda

• Create a Certificate Authority
• Generate a Certificate Request (CSR) on the LDAP server
• Certificate Authority signs CSR
• Add and receive CA certificates into LDAP’s .kdb
• Configure LDAP instance with SSL
• Test SSL
• Hints & Tips
• Useful Links
Create a Certificate Authority
• NOTES:
Ø We will perform this SSL exercise from the command line using gsk8capicmd_64, the utility provided with GSKit V8.
Ø We will use the same host where the LDAP instance resides to create the Certificate Authority.

• Create CA CMS key database (.kdb) file
gsk8capicmd_64 -keydb -create -db ca.kdb -pw secret -stash

• Create CA root signer certificate
gsk8capicmd_64 -cert -create -db ca.kdb -stashed -dn "CN=CA,O=CA,C=US" -expire 365 -label "CA Root Signer" -default_cert yes -ca true

• Verify CA certificate
gsk8capicmd_64 -cert -list -db ca.kdb -stashed

• Extract CA root signer certificate
gsk8capicmd_64 -cert -extract -db ca.kdb -stashed -label "CA Root Signer" -format ascii -target ca.arm
Generate a Certificate Request (CSR) on the LDAP server
• NOTE:
Ø We will create the .kdb in the instance's etc folder under $HOME (/home/ldapinst/idsslapd-ldapinst/etc, the path referenced later in enable_ssl.ldif).
• Create a CMS key database (.kdb)
gsk8capicmd_64 -keydb -create -db server.kdb -pw secret -stash

• Generate Certificate Request (CSR) in the server.kdb
gsk8capicmd_64 -certreq -create -db server.kdb -stashed -label "LDAP CA certificate" -dn "CN=ldapserverhost.ibm.com,OU=Austin,O=IBM" -file ldapcert_request.arm

• Verify CSR in the server.kdb
gsk8capicmd_64 -certreq -list -db server.kdb -stashed

• Transport/upload the CSR file to the CA for signature


Certificate Authority signs CSR
• Sign CSR file
gsk8capicmd_64 -cert -sign -file ldapcert_request.arm -db ca.kdb -label "CA Root Signer" -stashed -target ldapcert_signed.arm -expire 365

• Transport both the CA root signer certificate and the newly signed CSR file to the LDAP server
Ø ca.arm
Ø ldapcert_signed.arm
Add and receive CA certificates into LDAP’s .kdb
• Add the CA root signer certificate into LDAP’s server.kdb (do this before receiving the signed certificate, otherwise the chain cannot be validated)
gsk8capicmd_64 -cert -add -db server.kdb -stashed -label "CA Root Signer" -file ca.arm -format ascii -trust enable

• Receive the signed CSR into LDAP’s server.kdb
gsk8capicmd_64 -cert -receive -db server.kdb -stashed -file ldapcert_signed.arm -default_cert yes

• List content of server.kdb
gsk8capicmd_64 -cert -list -db server.kdb -stashed

• Retrieve details of any certificate
gsk8capicmd_64 -cert -details -db server.kdb -stashed -label "LDAP CA certificate"

• Extract the new CA-signed LDAP certificate and share it with clients for SSL connections, if needed.
gsk8capicmd_64 -cert -extract -db server.kdb -stashed -label "LDAP CA certificate" -target ldapservercert.arm -format ascii
Configure LDAP instance with SSL

• We will configure SSL on an existing instance: ldapinst

• Make ldapinst the owner of the server.kdb
chown ldapinst:idsldap server.kdb

• Apply the SSL configuration with idsldapmodify:
idsldapmodify -p #port -D cn=root -w ? -i enable_ssl.ldif
where enable_ssl.ldif :
dn: cn=SSL,cn=Configuration
changetype: modify
replace: ibm-slapdSslAuth
ibm-slapdSslAuth: serverAuth
-
replace: ibm-slapdSecurity
ibm-slapdSecurity: SSL
-
replace: ibm-slapdSSLKeyDatabase
ibm-slapdSSLKeyDatabase: /home/ldapinst/idsslapd-ldapinst/etc/server.kdb
-
replace: ibm-slapdSSLKeyDatabasePW
ibm-slapdSSLKeyDatabasePW: secret
-
replace: ibm-slapdSslCertificate
ibm-slapdSslCertificate: LDAP CA certificate
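A parser and sanity check for this LDIF record, as an added Python example that is not part of the slides or of the SDS product: ENABLE_SSL_LDIF is the record above copied verbatim; parse_ldif_modify(), check_ssl_config() and render_enable_ssl_ldif() are constructed for this illustration, and the ibm-slapdSecurity values other than SSL are taken from the SDS configuration schema, not from the slides. Running it over the record from the slide reports no errors; a record with a relative .kdb path or an unknown security value is flagged before idsldapmodify ever sees it.

```python
"""Parse and sanity-check an enable_ssl.ldif record before feeding it to idsldapmodify.
Added example, not part of the slides or of SDS: ENABLE_SSL_LDIF is the record from the
slide; the parser, the checks and render_enable_ssl_ldif() are this example's own."""
from __future__ import annotations

ENABLE_SSL_LDIF = """\
dn: cn=SSL,cn=Configuration
changetype: modify
replace: ibm-slapdSslAuth
ibm-slapdSslAuth: serverAuth
-
replace: ibm-slapdSecurity
ibm-slapdSecurity: SSL
-
replace: ibm-slapdSSLKeyDatabase
ibm-slapdSSLKeyDatabase: /home/ldapinst/idsslapd-ldapinst/etc/server.kdb
-
replace: ibm-slapdSSLKeyDatabasePW
ibm-slapdSSLKeyDatabasePW: secret
-
replace: ibm-slapdSslCertificate
ibm-slapdSslCertificate: LDAP CA certificate
"""

SSL_DN = "cn=SSL,cn=Configuration"
REQUIRED = ("ibm-slapdSslAuth", "ibm-slapdSecurity", "ibm-slapdSSLKeyDatabase",
            "ibm-slapdSSLKeyDatabasePW", "ibm-slapdSslCertificate")
# Values the ibm-slapdSecurity attribute accepts (from the SDS schema; the slide uses SSL).
SECURITY_VALUES = {"none", "SSL", "SSLOnly", "TLS", "SSLTLS"}


def parse_ldif_modify(text: str) -> tuple[str, list[tuple[str, str, list[str]]]]:
    """Return (dn, [(op, attribute, values)]) for one 'changetype: modify' record.
    Handles '-' separators and folded lines; base64 ('::') values are not needed here."""
    unfolded: list[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:  # a leading space continues the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw.rstrip())
    dn, changetype, ops, current = "", "", [], None
    for line in unfolded:
        if line == "-":  # end of one modification
            if current:
                ops.append(current)
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.lower() == "dn":
            dn = value
        elif key.lower() == "changetype":
            changetype = value
        elif key.lower() in ("add", "replace", "delete"):
            if current:
                ops.append(current)
            current = (key.lower(), value, [])
        elif current is not None and key.lower() == current[1].lower():
            current[2].append(value)
        else:
            raise ValueError(f"unexpected line in modify record: {line!r}")
    if current:
        ops.append(current)
    if changetype.lower() != "modify":
        raise ValueError(f"expected 'changetype: modify', got {changetype!r}")
    return dn, ops


def check_ssl_config(text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings; no 'error' entries means the record is complete."""
    dn, ops = parse_ldif_modify(text)
    values = {attr.lower(): vals for op, attr, vals in ops if op == "replace"}

    def first(attr: str) -> str:
        return (values.get(attr.lower()) or [""])[0]

    findings: list[tuple[str, str]] = []
    if dn.lower() != SSL_DN.lower():
        findings.append(("error", f"record targets {dn!r}, expected {SSL_DN}"))
    for attr in REQUIRED:
        if attr.lower() not in values:
            findings.append(("error", f"missing 'replace: {attr}'"))
    kdb = first("ibm-slapdSSLKeyDatabase")
    if kdb and not (kdb.startswith("/") and kdb.endswith(".kdb")):
        findings.append(("error", f"ibm-slapdSSLKeyDatabase must be an absolute .kdb path, got {kdb!r}"))
    security = first("ibm-slapdSecurity")
    if security and security not in SECURITY_VALUES:
        findings.append(("error", f"ibm-slapdSecurity {security!r} not in {sorted(SECURITY_VALUES)}"))
    if first("ibm-slapdSSLKeyDatabasePW"):
        findings.append(("note", "ibm-slapdSSLKeyDatabasePW puts the key database password in this file "
                                 "in clear text; restrict its permissions and remove it after idsldapmodify"))
    return findings


def render_enable_ssl_ldif(kdb_path: str, cert_label: str, kdb_password: str,
                           ssl_auth: str = "serverAuth", security: str = "SSL") -> str:
    """Emit the same record for another instance, attributes in the order the slide uses."""
    pairs = [("ibm-slapdSslAuth", ssl_auth), ("ibm-slapdSecurity", security),
             ("ibm-slapdSSLKeyDatabase", kdb_path), ("ibm-slapdSSLKeyDatabasePW", kdb_password),
             ("ibm-slapdSslCertificate", cert_label)]
    body = "\n-\n".join(f"replace: {attr}\n{attr}: {value}" for attr, value in pairs)
    return f"dn: {SSL_DN}\nchangetype: modify\n{body}\n"


if __name__ == "__main__":
    for severity, message in check_ssl_config(ENABLE_SSL_LDIF):
        print(f"{severity}: {message}")
```

The two error checks cover the mistakes easiest to make when adapting the record to another instance (a relative or mistyped key database path, an unsupported ibm-slapdSecurity value); the note reminds you that the LDIF file carries the key database password and should be treated like the stash file.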
• Restart the LDAP instance after configuring SSL
• Stop
ibmslapd -I ldapinst -k
ibmdiradm -I ldapinst

• Start
ibmslapd -I ldapinst -n
ibmdiradm -I ldapinst
• Verify that the LDAP instance is running
ps -ef | grep ibmslapd
ps -ef | grep ibmdiradm
Test SSL
• NOTE:
Ø If the Certificate Authority (CA) that signed the client’s cert is different from the CA that signed the server’s certificate, then obtain a copy of this secondary CA and add it to the client’s .kdb. If the CA is the same, no further action is required on the client side.

Ø There is no need to add a copy of the LDAP server’s certificate into the client’s .kdb or vice versa.

• If needed, add the missing CA root signer cert into the client’s .kdb
• Example:
gsk8capicmd_64 -cert -add -db client.kdb -stashed -label "A New CA Root Signer" -file ca.arm -format ascii -trust enable
• Perform a secure connection to the LDAP server
idsldapsearch -Z -h <ldapserver_hostname> -p <secure_port> -D cn=root -w ? -K client.kdb -P <keydb password> -s <scope> -b <base dn> objectclass=*
Hints & Tips
• If you -receive the signed cert before adding the CA root signer certificate, you will get an error similar to the one below:
gsk8capicmd_64 -cert -receive -db server.kdb -stashed -file ldapcert_signed.arm -default_cert yes
CTGSK2146W An invalid certificate chain was found.
Additional untranslated info: No certificate chain built
Additional untranslated info: GSKKM_VALIDATIONFAIL_SUBJECT:
[Class=]GSKVALMethod::PKIX[Issuer=]CN=CA,O=CA,C=US[#=]704bd13a1adf77a3[Subject=]CN=ldapserverhost.ibm.com,OU=Austin,O=IBM
CTGSK2043W Key entry validation failed.
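The chain check behind this error, and the Test SSL note about what the client’s .kdb needs, as an added Python model that is not GSKit code and not part of the slides. KeyDb, Cert and their methods are constructed stand-ins; the DNs and labels are the ones from the slides. Only two behaviours of gsk8capicmd_64 are mirrored: -cert -receive refuses a certificate whose issuer does not chain to a trusted entry in the same .kdb, and a client validates the server’s certificate against the CA root in its own .kdb, so the server certificate itself never has to be copied there.

```python
"""Model of the trust-chain check behind CTGSK2146W: '-cert -receive' only succeeds
when the signed cert's issuer chains to a trusted entry in the same .kdb, and a
client only needs that CA root, never the server cert. Added illustration; KeyDb,
Cert and their methods are constructed stand-ins, not GSKit code. The DNs and
labels are the ones used in the slides."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    label: str
    subject: str
    issuer: str
    trusted: bool = False  # '-trust enable' on add (or '-ca true' when created in this .kdb)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(Exception):
    """Raised where gsk8capicmd_64 prints CTGSK2146W / CTGSK2043W."""


class KeyDb:
    """Stand-in for a CMS .kdb: certificates keyed by label plus pending CSR subjects."""

    def __init__(self) -> None:
        self.certs: dict[str, Cert] = {}
        self.pending_requests: set[str] = set()  # subject DNs from '-certreq -create'

    def certreq_create(self, subject: str) -> None:
        self.pending_requests.add(subject)

    def cert_add(self, cert: Cert, trust: bool = False) -> None:
        """'-cert -add [-trust enable]': store a certificate, optionally as a trust anchor."""
        self.certs[cert.label] = Cert(cert.label, cert.subject, cert.issuer, trusted=trust)

    def build_chain(self, cert: Cert) -> list[str]:
        """Follow issuer DNs until a trusted entry in this .kdb is reached."""
        chain, current, seen = [cert.label], cert, {cert.subject}
        while not current.trusted:
            if current.self_signed:  # reached a root that was added without '-trust enable'
                raise ChainError(f"CTGSK2043W Key entry validation failed: root '{current.label}' is not trusted")
            issuer = next((c for c in self.certs.values() if c.subject == current.issuer), None)
            if issuer is None or issuer.subject in seen:
                raise ChainError("CTGSK2146W An invalid certificate chain was found. No certificate chain built "
                                 f"[Issuer=]{current.issuer}[Subject=]{current.subject}")
            seen.add(issuer.subject)
            chain.append(issuer.label)
            current = issuer
        return chain

    def cert_receive(self, cert: Cert) -> tuple[list[str], list[str]]:
        """'-cert -receive': validate the chain, then store the signed cert. Returns (chain, warnings)."""
        warnings = []
        if cert.subject not in self.pending_requests:
            # GSKit only warns here (CTGSK3034W); the receive still proceeds once the chain is valid.
            warnings.append("CTGSK3034W The certificate request created for the certificate is not in the key database")
        chain = self.build_chain(cert)  # raises before anything is written
        self.certs[cert.label] = cert
        self.pending_requests.discard(cert.subject)
        return chain, warnings


CA_DN = "CN=CA,O=CA,C=US"
SERVER_DN = "CN=ldapserverhost.ibm.com,OU=Austin,O=IBM"
CA_ROOT = Cert("CA Root Signer", CA_DN, CA_DN)           # what ca.arm carries
SIGNED = Cert("LDAP CA certificate", SERVER_DN, CA_DN)    # what ldapcert_signed.arm carries


def receive_before_add() -> str:
    """The Hints & Tips failure: receive the signed cert into a server.kdb without the CA root."""
    server = KeyDb()
    server.certreq_create(SERVER_DN)
    try:
        server.cert_receive(SIGNED)
    except ChainError as err:
        return str(err)
    return "unexpected success"


def add_then_receive(trust: bool = True) -> list[str] | str:
    """The order the slides use: add ca.arm (with '-trust enable' when trust=True), then receive."""
    server = KeyDb()
    server.certreq_create(SERVER_DN)
    server.cert_add(CA_ROOT, trust=trust)
    try:
        chain, _warnings = server.cert_receive(SIGNED)
    except ChainError as err:
        return str(err)
    return chain


def client_can_validate(client_trusts_ca: bool) -> bool:
    """Client side: only the CA root, not the server cert, has to be in client.kdb."""
    client = KeyDb()
    if client_trusts_ca:
        client.cert_add(CA_ROOT, trust=True)
    try:
        client.build_chain(SIGNED)
        return True
    except ChainError:
        return False


if __name__ == "__main__":
    print(receive_before_add())
    print(add_then_receive(), add_then_receive(trust=False))
    print(client_can_validate(True), client_can_validate(False))
```

The model also shows why -trust enable matters on the -cert -add step: with the root present but untrusted, the walk reaches a self-signed certificate that is not a trust anchor and fails with the CTGSK2043W branch instead of succeeding.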

• You can ignore the warning below if it is shown when receiving a new signed cert into the .kdb; always verify with -cert -list that the cert has been added successfully.
gsk8capicmd_64 -cert -receive -db server.kdb -stashed -file ldapcert_signed.arm -default_cert yes
CTGSK3034W The certificate request created for the certificate is not in the key database
• If you don’t restart the LDAP instance after enabling SSL, you might get the error below when running ldapsearch over SSL:
idsldapsearch -Z -p <SSL port> -h <hostname> -D cn=root -w ? -K .kdb -P <.kdb password> -s base -b o=sample objectclass=*
ldap_simple_bind: Can't contact LDAP server
Attempted communication over SSL.
The extended error is 0.

• You can validate a certificate using the sample command below; the result should be OK.
gsk8capicmd_64 -cert -validate -db server.kdb -stashed -label "LDAP CA certificate"
OK
Useful Links

• SDS 6.4 Setting up SSL
https://www.ibm.com/support/knowledgecenter/en/SSVJJU_6.4.0/com.ibm.IBMDS.doc_6.4/ds_ag_apndix_secure_conn_btw_ds_cclient.html

• Managing certificates with IBM GSKit
https://www.ibm.com/developerworks/library/se-gskit/

• GSKIT V8 User Guide
ftp://ftp.software.ibm.com/software/webserver/appserv/library/v80/GSK_CapiCmd_UserGuide.pdf

• Passport Advantage (full product downloads)
http://www.ibm.com/software/howtobuy/passportadvantage/index.html

• Directory Server Support Lifecycle
http://www.ibm.com/software/support/lifecycleapp/PLCSearch.wss?q=directory+server

• Subscribe to “My Notifications”
http://www-01.ibm.com/software/support/einfo.html
Thank you
