The gskcapicmd tool
GSKCapiCmd is a tool that can be used to manage keys, certificates, and certificate requests within a CMS key database. GSKCapiCmd supports CMS and PKCS11 key databases.
If you are intending to manage key databases other than CMS or PKCS11, you must use the IBM® SDK Java™ Technology Edition tool, ikeyman. GSKCapiCmd can be used to manage all aspects of a CMS key database. GSKCapiCmd does not require IBM SDK Java Technology Edition to be installed on the system. For information about the GSKit tool GSKCapiCmd, see the GSK_CapiCmd_UserGuide.
Use the GSKCapiCmd tool to create the CMS key database to support server authentication or server client authentication between an LDAP server and a C-based LDAP client. In this example, server authentication and server client authentication between an LDAP server and a C-based LDAP client are performed by using self-signed certificates.

Note: On 32-bit platforms use the gsk8capicmd utility, and on 64-bit platforms use the gsk8capicmd_64 utility.
Configuring server authentication by using the CMS key database

To set up server authentication between an LDAP server and a C-based LDAP client, do the following tasks:

- On the LDAP server system, the key database is serverkey.kdb.
- On the C-based LDAP client system
  - On the LDAP client system, create a directory where you want to store the key database file and change the working directory.
  - Create the CMS key database file to be used by the C-based LDAP client.
    gsk8capicmd -keydb -create -db clientkey.kdb -pw clientpwd
  - Import the extracted server certificate, server.der, from the server system to the client system.
  - Add the extracted server certificate to the client's key database file.
    gsk8capicmd -cert -add -db clientkey.kdb -pw clientpwd \
        -label serverlabel -file server.der -format binary
  - To verify the added certificate, run the following command.
    gsk8capicmd -cert -list -db clientkey.kdb -pw clientpwd
  - To verify server authentication, run the idsldapsearch command of the following format on the client system.
    idsldapsearch -Z -h server.in.ibm.com -p 636 -K /usr/client/clientkey.kdb \
        -P clientpwd -s base -b "o=sample" objectclass=*
    The command returns output of the following format:
    o=sample
    objectclass=top
    objectclass=organization
    o=sample
Configuring server client authentication by using the CMS key database

To set up server client authentication between an LDAP server and a C-based LDAP client, do the following tasks:

- On the C-based LDAP client system
  - Create a directory where you want to store the key database file and change the working directory.
  - Create the CMS key database file to be used by the C-based LDAP client.
    gsk8capicmd -keydb -create -db clientkey.kdb -pw clientpwd
    where clientkey.kdb is the key database to be created and clientpwd is the password.
  - Create a default self-signed certificate and add it to the clientkey.kdb key database.
    gsk8capicmd -cert -create -db clientkey.kdb -pw clientpwd -label clientlabel \
        -dn "cn=LDAP_Client,o=sample" -default_cert yes
    where the -dn value is used to uniquely identify the certificate.
  - Extract the certificate from the client's key database to a file. In this example, the certificate is extracted to a file in binary DER format.
    Note: You can also extract the certificate as base64-encoded ASCII data (.arm).
    gsk8capicmd -cert -extract -db clientkey.kdb -pw clientpwd -label clientlabel \
        -target client.der -format binary
  - Import the extracted server certificate, server.der, from the server system to the client system.
  - Add the extracted server certificate to the client's key database file.
    gsk8capicmd -cert -add -db clientkey.kdb -pw clientpwd \
        -label serverlabel -file server.der -format binary
- On the LDAP server system
  - Create a directory on your IBM Security Directory Server system where you want to create and store the key database file and change the working directory.
  - Create the CMS key database to be used by the IBM Security Directory Server.
    gsk8capicmd -keydb -create -db serverkey.kdb -pw serverpwd -stash
    where serverkey.kdb is the key database to be created and serverpwd is the password. The -stash option also writes the password to a stash file so that the directory server can open the key database without being prompted for it.
  - Create a default self-signed certificate and add it to the serverkey.kdb key database.
    gsk8capicmd -cert -create -db serverkey.kdb -pw serverpwd -label serverlabel \
        -dn "cn=LDAP_Server,o=sample" -default_cert yes
    where the -dn value is used to uniquely identify the certificate.
  - Extract the certificate from the server's key database to a file. In this example, the certificate is extracted to a file in binary DER format.
    Note: You can also extract the certificate as base64-encoded ASCII data (.arm).
    gsk8capicmd -cert -extract -db serverkey.kdb -pw serverpwd \
        -label serverlabel -target server.der -format binary
  - Import the extracted client certificate, client.der, from the client system to the server system.
  - Add the extracted client certificate to the server's key database file.
    gsk8capicmd -cert -add -db serverkey.kdb -pw serverpwd \
        -label clientlabel -file client.der -format binary
  - Configure the IBM Security Directory Server instance to use the certificate in the configuration file.
    idsldapmodify -h server.in.ibm.com -p 389 -D cn=root -w root \
        -i /home/dsrdbm01/clientserverauth.ldif
    where the clientserverauth.ldif file contains the following format:
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslAuth
    ibm-slapdSslAuth: serverClientAuth

    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSecurity
    ibm-slapdSecurity: SSL

    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslKeyDatabase
    ibm-slapdSslKeyDatabase: /home/dsrdbm01/cskeys/serverkey.kdb

    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslCertificate
    ibm-slapdSslCertificate: serverlabel

    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslKeyDatabasepw
    ibm-slapdSslKeyDatabasepw: serverpwd
  - Stop the directory server instance and administration server.
    ibmslapd -I dsrdbm01 -k
    ibmdiradm -I dsrdbm01 -k
  - Start the directory server instance and administration server.
    ibmslapd -I dsrdbm01 -n -t
    ibmdiradm -I dsrdbm01 -t
  - To verify server client authentication, run the idsldapsearch command of the following format on the client system.
    idsldapsearch -Z -h server.in.ibm.com -p 636 -K /usr/client/clientkey.kdb \
        -P clientpwd -s base -b "o=sample" objectclass=*
    The command returns output of the following format:
    o=sample
    objectclass=top
    objectclass=organization
    o=sample
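The cn=SSL, cn=Configuration LDIF applied in the "Configure the IBM Security Directory Server instance" step above is built here for either of the two modes this page covers (server authentication and server client authentication); this script is an added example, not part of the IBM documentation or product, and its function names and argument order are its own conventions. It assumes the serverAuth and serverClientAuth values of ibm-slapdSslAuth and the five attributes shown on the page.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: generate the
# cn=SSL, cn=Configuration modify LDIF that the idsldapmodify step applies,
# for either authentication mode described on this page. Function names,
# argument order and the mode check are this script's own conventions
# (assumption); serverAuth is the ibm-slapdSslAuth value for server-only
# authentication, serverClientAuth the value used on this page.

# Emit one LDIF modify record that replaces a single attribute of the
# cn=SSL, cn=Configuration entry. $1 = attribute name, $2 = new value.
ssl_replace_record() {
    printf 'dn: cn=SSL, cn=Configuration\nchangetype: modify\nreplace: %s\n%s: %s\n\n' \
        "$1" "$1" "$2"
}

# ssl_config_ldif MODE KEYDB LABEL PASSWORD
#   MODE     serverAuth or serverClientAuth
#   KEYDB    absolute path of the server CMS key database (.kdb)
#   LABEL    label of the server certificate in that key database
#   PASSWORD key database password (the page creates a stash file too, with -stash)
# Prints the five modify records to stdout; returns 1 on an unknown mode so a
# typo cannot silently leave the instance in the wrong authentication mode.
ssl_config_ldif() {
    case "$1" in
        serverAuth|serverClientAuth) ;;
        *) echo "ssl_config_ldif: unknown mode '$1'" >&2; return 1 ;;
    esac
    ssl_replace_record ibm-slapdSslAuth "$1"
    ssl_replace_record ibm-slapdSecurity SSL
    ssl_replace_record ibm-slapdSslKeyDatabase "$2"
    ssl_replace_record ibm-slapdSslCertificate "$3"
    ssl_replace_record ibm-slapdSslKeyDatabasepw "$4"
}

# Usage (writes the file that the page's idsldapmodify command reads):
#   sh ssl_ldif.sh serverClientAuth /home/dsrdbm01/cskeys/serverkey.kdb \
#       serverlabel serverpwd > /home/dsrdbm01/clientserverauth.ldif
if [ "$#" -eq 4 ]; then
    ssl_config_ldif "$@"
fi
```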