The gskcapicmd tool

GSKCapiCmd is a tool that can be used to manage keys, certificates, and certificate requests within a CMS key database. GSKCapiCmd supports CMS and PKCS11 key databases.

If you intend to manage key databases other than CMS or PKCS11, use the IBM® SDK Java™ Technology Edition tool, ikeyman. GSKCapiCmd can be used to manage all aspects of a CMS key database, and it does not require IBM SDK Java Technology Edition to be installed on the system. For information about the GSKit tool GSKCapiCmd, see the GSK_CapiCmd_UserGuide.

Use the GSKCapiCmd tool to create the CMS key databases that support either server authentication (the client verifies the server's certificate) or server and client authentication (each side verifies the other's certificate) between an LDAP server and a C-based LDAP client. In the examples that follow, both modes are set up by using self-signed certificates, so each side must explicitly trust the peer's certificate by adding it to its own key database.
Note: On 32-bit platforms use the gsk8capicmd utility, and on 64-bit platforms use the gsk8capicmd_64 utility.
Configuring server authentication by using the CMS key database
To set up server authentication between an LDAP server and C-based LDAP client, do the following tasks:
On the LDAP server system
  1. Create a directory on your IBM Security Directory Server system where you want to create and store the key database file, and change to that directory.
  2. Create the CMS key database to be used by the IBM Security Directory Server.
    gsk8capicmd -keydb -create -db serverkey.kdb -pw serverpwd -stash
    where serverkey.kdb is the key database to be created and serverpwd is its password. The -stash option writes the password to a stash file (serverkey.sth) beside the key database so that the server can open it without prompting.
  3. Create a default self-signed certificate and add it to the serverkey.kdb key database.
    gsk8capicmd -cert -create -db serverkey.kdb -pw serverpwd \
    -label serverlabel -dn "cn=LDAP_Server,o=sample" -default_cert yes
    where the -dn value uniquely identifies the certificate.
  4. Extract the certificate from the key database to a file. In this example, the certificate is extracted in binary DER format.
    Note: You can instead extract it as base64-encoded ASCII data (conventionally a .arm file) by specifying -format ascii.
    gsk8capicmd -cert -extract -db serverkey.kdb -pw serverpwd \
    -label serverlabel -target server.der -format binary
  5. Configure the SSL settings of the IBM Security Directory Server instance (the cn=SSL, cn=Configuration entry) to use the key database and certificate.
    idsldapmodify -h server.in.ibm.com -p 389 -D cn=root -w root \
    -i /home/dsrdbm01/serverauth.ldif
    where serverauth.ldif contains the following entries. Note that the key database password is stored in the server configuration in clear text, and the -stash option in step 2 also writes it to the stash file beside the key database, so restrict read access to the configuration, the key database, and the stash file to the directory server user:
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslAuth
    ibm-slapdSslAuth: serverAuth
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSecurity
    ibm-slapdSecurity: SSL
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslKeyDatabase
    ibm-slapdSslKeyDatabase: /home/dsrdbm01/keys/serverkey.kdb
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslCertificate
    ibm-slapdSslCertificate: serverlabel
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslKeyDatabasepw
    ibm-slapdSslKeyDatabasepw: serverpwd
  6. Stop the directory server instance and administration server.
    ibmslapd -I dsrdbm01 -k
    ibmdiradm -I dsrdbm01 -k
  7. Start the directory server instance and administration server.
    ibmslapd -I dsrdbm01 -n -t
    ibmdiradm -I dsrdbm01 -t
On the C-based LDAP client system
  1. On the LDAP client system, create a directory where you want to store the key database file, and change to that directory.
  2. Create the CMS key database file to be used by the C-based LDAP client.
    gsk8capicmd -keydb -create -db clientkey.kdb -pw clientpwd
  3. Copy the extracted server certificate file, server.der, from the server system to the client system.
  4. Add the extracted server certificate to the client's key database file.
    gsk8capicmd -cert -add -db clientkey.kdb -pw clientpwd \
     -label serverlabel -file server.der -format binary
  5. To verify the added certificate, run the following command.
    gsk8capicmd -cert -list -db clientkey.kdb -pw clientpwd
To verify the SSL communication between the LDAP client and the LDAP server, run an idsldapsearch command of the following format from the client system. The -Z option requests an SSL connection, -K names the client key database that holds the trusted server certificate, and -P supplies its password; a successful search returns the base entry:
idsldapsearch -Z -h server.in.ibm.com -p 636 -K /usr/client/clientkey.kdb \
-P clientpwd -s base -b "o=sample" objectclass=*
o=sample
objectclass=top
objectclass=organization
o=sample
Configuring server client authentication by using the CMS key database
To set up server client authentication between an LDAP server and C-based LDAP client, do the following tasks:
On the C-based LDAP client system
  1. Create a directory where you want to store the key database file, and change to that directory.
  2. Create the CMS key database file to be used by the C-based LDAP client.
    gsk8capicmd -keydb -create -db clientkey.kdb -pw clientpwd
    where clientkey.kdb is the key database to be created and clientpwd is its password.
  3. Create a default self-signed certificate and add it to the clientkey.kdb key database.
    gsk8capicmd -cert -create -db clientkey.kdb -pw clientpwd -label \
     clientlabel -dn "cn=LDAP_Client,o=sample" -default_cert yes
    where the -dn value uniquely identifies the certificate.
  4. Extract the certificate from the client's key database to a file. In this example, the certificate is extracted in binary DER format.
    Note: You can instead extract it as base64-encoded ASCII data (conventionally a .arm file) by specifying -format ascii.
    gsk8capicmd -cert -extract -db clientkey.kdb -pw clientpwd -label \
    clientlabel -target client.der -format binary
  5. Copy the extracted server certificate file, server.der, from the server system to the client system.
  6. Add the extracted server certificate to the client's key database file.
    gsk8capicmd -cert -add -db clientkey.kdb -pw clientpwd \
     -label serverlabel -file server.der -format binary
On the LDAP server system
  1. Create a directory on your IBM Security Directory Server system where you want to create and store the key database file, and change to that directory.
  2. Create the CMS key database to be used by the IBM Security Directory Server.
    gsk8capicmd -keydb -create -db serverkey.kdb -pw serverpwd -stash
    where serverkey.kdb is the key database to be created and serverpwd is its password. The -stash option writes the password to a stash file (serverkey.sth) beside the key database.
  3. Create a default self-signed certificate and add it to the serverkey.kdb key database.
    gsk8capicmd -cert -create -db serverkey.kdb -pw serverpwd -label \
    serverlabel -dn "cn=LDAP_Server,o=sample" -default_cert yes
    where the -dn value uniquely identifies the certificate.
  4. Extract the certificate from the server's key database to a file. In this example, the certificate is extracted in binary DER format.
    Note: You can instead extract it as base64-encoded ASCII data (conventionally a .arm file) by specifying -format ascii.
    gsk8capicmd -cert -extract -db serverkey.kdb -pw serverpwd \
     -label serverlabel -target server.der -format binary
  5. Copy the extracted client certificate file, client.der, from the client system to the server system.
  6. Add the extracted client certificate to the server's key database file.
    gsk8capicmd -cert -add -db serverkey.kdb -pw serverpwd \
     -label clientlabel -file client.der -format binary 
  7. Configure the SSL settings of the IBM Security Directory Server instance (the cn=SSL, cn=Configuration entry) to use the key database and certificate, and to require a client certificate.
    idsldapmodify -h server.in.ibm.com -p 389 -D cn=root -w root \
    -i /home/dsrdbm01/clientserverauth.ldif 
    where clientserverauth.ldif contains the following entries. The only differences from the server-authentication configuration are the ibm-slapdSslAuth value, serverClientAuth, and the key database path; the same precautions about the clear-text password in the configuration and in the stash file apply:
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslAuth
    ibm-slapdSslAuth: serverClientAuth
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSecurity
    ibm-slapdSecurity: SSL
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslKeyDatabase
    ibm-slapdSslKeyDatabase: /home/dsrdbm01/cskeys/serverkey.kdb
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslCertificate
    ibm-slapdSslCertificate: serverlabel
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslKeyDatabasepw
    ibm-slapdSslKeyDatabasepw: serverpwd
  8. Stop the directory server instance and administration server.
    ibmslapd -I dsrdbm01 -k
    ibmdiradm -I dsrdbm01 -k
  9. Start the directory server instance and administration server.
    ibmslapd -I dsrdbm01 -n -t
    ibmdiradm -I dsrdbm01 -t
To verify the SSL communication between the client and server, run an idsldapsearch command of the following format on the client system. Because clientkey.kdb holds the client's self-signed certificate as its default certificate, the client presents it when the server requests client authentication, and the server accepts it because the same certificate was added to serverkey.kdb in step 6:
idsldapsearch -Z -h server.in.ibm.com -p 636 -K /usr/client/clientkey.kdb \
 -P clientpwd -s base -b "o=sample" objectclass=*
o=sample
objectclass=top
objectclass=organization
o=sample
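The two procedures above, as an added example in POSIX shell (this is not code from the IBM page, from GSKit, or from IBM Security Directory Server). It wraps the gsk8capicmd steps in functions, picks gsk8capicmd or gsk8capicmd_64 from the machine type, generates the cn=SSL, cn=Configuration LDIF for either ibm-slapdSslAuth mode, and checks after each -cert -add that the label is actually listed in the key database. The directory ./keys, the environment variables GSK_DEMO_RUN and MODE, the 64-bit detection heuristic, and the output file sslconfig.ldif are assumptions not found on the page; applying the LDIF with idsldapmodify and restarting ibmslapd and ibmdiradm are left as on the page.

```shell
#!/bin/sh
# Added example; not code from the IBM page or from GSKit / IBM SDS.
# Scripts the server-auth and server-client-auth setups as functions.
# Assumptions (not on the page): ./keys as working directory, the
# GSK_DEMO_RUN and MODE variables, and gsk8capicmd(_64) on PATH.
set -eu

# Page note: gsk8capicmd on 32-bit platforms, gsk8capicmd_64 on 64-bit.
# Heuristic (assumption): any "uname -m" containing 64, or s390x, is 64-bit.
gsk_cmd_for_arch() {
    case "$1" in
        *64*|s390x) echo gsk8capicmd_64 ;;
        *)          echo gsk8capicmd ;;
    esac
}
gsk_cmd() { gsk_cmd_for_arch "$(uname -m)"; }

# Emit the cn=SSL, cn=Configuration LDIF from the page for the given mode
# (serverAuth or serverClientAuth), key database path, label and password.
ssl_ldif() {
    mode=$1; kdb=$2; label=$3; pw=$4
    case "$mode" in
        serverAuth|serverClientAuth) ;;
        *) echo "ssl_ldif: mode must be serverAuth or serverClientAuth, got '$mode'" >&2
           return 1 ;;
    esac
    for pair in "ibm-slapdSslAuth=$mode" "ibm-slapdSecurity=SSL" \
                "ibm-slapdSslKeyDatabase=$kdb" "ibm-slapdSslCertificate=$label" \
                "ibm-slapdSslKeyDatabasepw=$pw"; do
        attr=${pair%%=*}      # attribute name never contains '='
        value=${pair#*=}      # value may (e.g. a password)
        printf 'dn: cn=SSL, cn=Configuration\nchangetype: modify\nreplace: %s\n%s: %s\n\n' \
            "$attr" "$attr" "$value"
    done
}

# Steps 2-4 of each side: create the key database (with a stash file if the
# last argument is "stash"), add a self-signed default certificate, and
# extract it in binary DER format to the given file.
make_kdb_with_selfsigned() {
    db=$1; pw=$2; label=$3; dn=$4; der=$5; stash=${6:-}
    gsk=$(gsk_cmd)
    if [ "$stash" = stash ]; then
        "$gsk" -keydb -create -db "$db" -pw "$pw" -stash
    else
        "$gsk" -keydb -create -db "$db" -pw "$pw"
    fi
    "$gsk" -cert -create -db "$db" -pw "$pw" -label "$label" -dn "$dn" -default_cert yes
    "$gsk" -cert -extract -db "$db" -pw "$pw" -label "$label" -target "$der" -format binary
}

# Add a peer's DER certificate to a key database and fail unless the label
# then appears in -cert -list output (the verification step on the page).
trust_peer_cert() {
    db=$1; pw=$2; label=$3; file=$4
    gsk=$(gsk_cmd)
    "$gsk" -cert -add -db "$db" -pw "$pw" -label "$label" -file "$file" -format binary
    "$gsk" -cert -list -db "$db" -pw "$pw" | grep -F -- "$label" >/dev/null ||
        { echo "trust_peer_cert: label $label not listed in $db" >&2; return 1; }
}

# Lab driver: GSK_DEMO_RUN=1 MODE=serverAuth|serverClientAuth sh gskdemo.sh
# Builds both key databases in ./keys on ONE host for demonstration only; on
# real systems server.der and client.der are copied between the two hosts.
if [ "${GSK_DEMO_RUN:-0}" = 1 ]; then
    mode=${MODE:-serverAuth}
    mkdir -p keys
    cd keys
    make_kdb_with_selfsigned serverkey.kdb serverpwd serverlabel \
        "cn=LDAP_Server,o=sample" server.der stash
    if [ "$mode" = serverClientAuth ]; then
        make_kdb_with_selfsigned clientkey.kdb clientpwd clientlabel \
            "cn=LDAP_Client,o=sample" client.der
        trust_peer_cert serverkey.kdb serverpwd clientlabel client.der
    else
        "$(gsk_cmd)" -keydb -create -db clientkey.kdb -pw clientpwd
    fi
    trust_peer_cert clientkey.kdb clientpwd serverlabel server.der
    ssl_ldif "$mode" "$PWD/serverkey.kdb" serverlabel serverpwd > sslconfig.ldif
    echo "wrote $PWD/sslconfig.ldif: apply it with idsldapmodify, then restart ibmslapd and ibmdiradm"
fi
```

The functions are the reusable part: ssl_ldif and gsk_cmd_for_arch run without GSKit installed, while make_kdb_with_selfsigned and trust_peer_cert only run when the lab driver is enabled with GSK_DEMO_RUN=1. Rejecting any ibm-slapdSslAuth value other than the two the page documents keeps a typo from silently leaving the server in the wrong mode, and checking -cert -list after every -cert -add catches a failed import before the server is restarted.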