Configure a Directory Server with the required protocols to meet the security requirements of your LDAP environment.
Before you begin

Create the key database file and certificate for secure communications. For more information, see the Key database, Certificate, and Certificate request chapters in the GSKit tool GSKCapiCmd user guide (GSK_CapiCmd_UserGuide).

Set the required permissions (rwx) on the key database file, certificate, and file path for the Directory Server instance owner.
About this task

You can configure a Directory Server to accept secure connections with the SSL and TLS protocols or the Start TLS extended operation. You can configure a Directory Server with more than one protocol by adding the ibm-slapdSecurityProtocol attribute multiple times with the required value.
Procedure

- Log in as the instance owner.
- To configure a Directory Server for secure communications, run the idsldapmodify command:

idsldapmodify -h server.com -p port -D adminDN -w adminPWD -i config_file.ldif

The config_file.ldif file contains the following entries. Each change record is separated from the next by a blank line, as LDIF requires:

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslAuth
ibm-slapdSslAuth: serverClientAuth

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSecurity
ibm-slapdSecurity: SSLTLS

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabase
ibm-slapdSslKeyDatabase: /home/dsrdbm01/keys/serverkey.kdb

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslCertificate
ibm-slapdSslCertificate: serverlabel

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabasepw
ibm-slapdSslKeyDatabasepw: keyfilePWD
- Configure the Directory Server with the required protocols.
- To set the TLS 1.2 protocol, run the idsldapmodify command in the following format:

idsldapmodify -h host_name -p port -D adminDN -w adminPWD
dn: cn=SSL, cn=Configuration
changetype: modify
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS12

- To set the SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 protocols, run the idsldapmodify command in the following format:

idsldapmodify -h host_name -p port -D adminDN -w adminPWD
dn: cn=SSL, cn=Configuration
changetype: modify
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: SSLV3
-
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS10
-
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS11
-
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS12
-
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS13
- To add the supported ciphers for the TLS 1.2 protocol, run the idsldapmodify command in the following format:

idsldapmodify -p port -D adminDN -w adminPWD -i TLS12cipher_file.ldif

The TLS12cipher_file.ldif file contains the following entries:

dn: cn=SSL,cn=Configuration
changetype: modify
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA256
-
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- Restart the Directory Server and Administration Server.
ibmslapd -I dsrdbm01 -k
ibmdiradm -I dsrdbm01 -k
ibmslapd -I dsrdbm01 -n
ibmdiradm -I dsrdbm01
Examples

- Example 1:
- To verify the secure communication protocols that a directory server supports, run the ldapsearch command for the root DSE result. In the search result, check the ibm-slapdSecurityProtocol attribute value.

idsldapsearch -p port -s base -b "" objectclass=* ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol=SSLV3,TLS10,TLS11,TLS12,TLS13

- To verify the secure communication protocols that an administration server supports, run the ldapsearch command for the root DSE result. In the search result, check the admindaemon-securityprotocol attribute value.

idsldapsearch -p admin_port -s base -b "" objectclass=* admindaemon-securityprotocol
admindaemon-securityprotocol=SSLV3,TLS10,TLS11,TLS12,TLS13

- If more than one secure communication protocol is set on a server, the ibm-slapdSecurityProtocol and admindaemon-securityprotocol attributes show the protocols as a comma-separated list.
- Example 2:
- To verify the ciphers that a server supports for secure communications when ibm-slapdSecurityProtocol is set with SSLV3,TLS10,TLS11, run the ldapsearch command for the root DSE result. In the search result, check the ibm-sslciphers attribute value.

idsldapsearch -p port -s base -b "" objectclass=* ibm-sslciphers
ibm-sslciphers=352F04050A090306

- To verify the ciphers that an Administration Server supports for secure communications when ibm-slapdSecurityProtocol is set with SSLV3,TLS10,TLS11, run the ldapsearch command for the root DSE result. In the search result, check the admindaemon-sslciphers attribute value.

idsldapsearch -p adm_port -D adminDN -w adminPWD -s base -b "" \
objectclass=* admindaemon-sslciphers
admindaemon-sslciphers=352F04050A090306

- In the output, the ibm-sslciphers and admindaemon-sslciphers attributes contain the hexadecimal values of all the ciphers in the configuration file for the SSLv3, TLS 1.0, and TLS 1.1 protocols. The SSLv3, TLS 1.0, and TLS 1.1 ciphers are shown by concatenating the hexadecimal values of the ciphers.
- The ibm-sslciphers and admindaemon-sslciphers attributes are shown when the ibm-slapdSecurity attribute is set to SSL, SSLOnly, or SSLTLS. If the ibm-slapdSecurity attribute is set to TLS, the ibm-sslciphers and admindaemon-sslciphers attributes are not shown in the search result.
- Example 3:
- To verify the ciphers that a server supports for secure communications when ibm-slapdSecurityProtocol is set with TLS12, run the ldapsearch command for the root DSE result. In the search result, check the values of the ibm-tlsciphers attribute.

idsldapsearch -p port -s base -b "" objectclass=* ibm-tlsciphers
ibm-tlsciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

- To verify the ciphers that an Administration Server supports for secure communications when ibm-slapdSecurityProtocol is set with TLS12, run the ldapsearch command for the root DSE result. In the search result, check the values of the admindaemon-tlsciphers attribute.

idsldapsearch -p adm_port -D adminDN -w adminPWD -s base -b "" \
objectclass=* admindaemon-tlsciphers
admindaemon-tlsciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

- The ibm-tlsciphers and admindaemon-tlsciphers attributes in the output show the ciphers for the TLS 1.2 protocol. The TLS 1.2 ciphers are shown as a comma-separated string.

Note: The ibm-tlsciphers and admindaemon-tlsciphers attributes are shown when the ibm-slapdSecurity attribute value is set to SSL, SSLOnly, or SSLTLS in the configuration file. When the ibm-slapdSecurity attribute is set to TLS, the attributes with cipher values are not shown in the search result.
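As an added example that is not part of the IBM documentation, the following Python script audits root DSE output of the shape shown in Examples 1 to 3: it decodes the concatenated hex string of ibm-sslciphers into cipher-suite names and flags deprecated protocols and weak cipher suites in both the directory server and administration server attributes. The mapping of two-hex-digit codes to IANA cipher-suite names and the sample output are assumptions constructed for this example.

```python
import re

# Assumption: each two-hex-digit code in ibm-sslciphers is the low byte of the
# IANA TLS cipher-suite identifier (0x00xx); names below follow the IANA registry.
SSL_CIPHER_IDS = {
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA", "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "04": "TLS_RSA_WITH_RC4_128_MD5", "05": "TLS_RSA_WITH_RC4_128_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "09": "TLS_RSA_WITH_DES_CBC_SHA",
    "03": "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "06": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
}
DEPRECATED_PROTOCOLS = {"SSLV3", "TLS10", "TLS11"}     # RFC 7568 and RFC 8996
WEAK_MARKERS = ("EXPORT", "RC4", "DES", "NULL", "MD5")  # "DES" also catches 3DES

def parse_root_dse(text):
    """Collect 'attr=value' (or 'attr: value') lines into {attr_lower: [values]}."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*[:=]\s*(.+)$", line)
        if m:
            attrs.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return attrs

def decode_ssl_ciphers(hexstring):
    """Split the concatenated hex string (two digits per cipher) into suite names."""
    pairs = [hexstring[i:i + 2].upper() for i in range(0, len(hexstring), 2)]
    return [SSL_CIPHER_IDS.get(p, "UNKNOWN_0x" + p) for p in pairs]

def audit(text):
    """Return findings: deprecated protocols and weak ciphers in the root DSE output."""
    attrs, findings, ciphers = parse_root_dse(text), [], []
    for attr in ("ibm-slapdsecurityprotocol", "admindaemon-securityprotocol"):
        for proto in ",".join(attrs.get(attr, [])).split(","):
            if proto.strip().upper() in DEPRECATED_PROTOCOLS:
                findings.append(f"{attr}: deprecated protocol {proto.strip()}")
    for attr in ("ibm-sslciphers", "admindaemon-sslciphers"):      # hex-coded SSLv3/TLS1.0/1.1 suites
        for value in attrs.get(attr, []):
            ciphers += decode_ssl_ciphers(value)
    for attr in ("ibm-tlsciphers", "admindaemon-tlsciphers"):      # comma-separated TLS 1.2 suites
        for value in attrs.get(attr, []):
            ciphers += [c.strip() for c in value.split(",")]
    findings += [f"weak cipher {c}" for c in ciphers if any(w in c for w in WEAK_MARKERS)]
    return findings

# Constructed root DSE output in the format shown in the examples above.
SAMPLE_ROOT_DSE = """\
ibm-slapdSecurityProtocol=SSLV3,TLS10,TLS11,TLS12,TLS13
ibm-sslciphers=352F04050A090306
ibm-tlsciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROOT_DSE):
        print(finding)
```

Pipe the real idsldapsearch output into audit() to check a server after the procedure above; an empty list means only TLS 1.2 or later and no weak suites were reported.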