Configuring a Directory Server with security protocols and ciphers

Configure a Directory Server with the required protocols to meet the security requirements of your LDAP environment.

Before you begin

Create the key database file and certificate for secure communications.

For more information, see the Key database, Certificate, and Certificate request chapters in the GSKCapiCmd user guide (GSK_CapiCmd_UserGuide).

Set the required permissions (rwx) on the key database file, certificate, and file path for the Directory Server instance owner. The key database holds the server's private key, so it must not be readable by any other user.

About this task

You can configure a Directory Server to accept secure connections with the SSL and TLS protocols or the Start TLS extended operation.

You can configure a Directory Server with more than one protocol by adding the ibm-slapdSecurityProtocol attribute multiple times with the required value.

Procedure

  1. Log in as the instance owner.
  2. To configure a Directory Server for secure communications, run the idsldapmodify command.
    idsldapmodify -h server.com -p port -D adminDN -w adminPWD -i config_file.ldif
    The config_file.ldif file contains the following entries:
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslAuth
    ibm-slapdSslAuth: serverClientAuth
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSecurity
    ibm-slapdSecurity: SSLTLS
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslKeyDatabase
    ibm-slapdSslKeyDatabase: /home/dsrdbm01/keys/serverkey.kdb
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslCertificate
    ibm-slapdSslCertificate: serverlabel
    
    dn: cn=SSL, cn=Configuration
    changetype: modify
    replace: ibm-slapdSslKeyDatabasepw
    ibm-slapdSslKeyDatabasepw: keyfilePWD
    
  3. Configure the Directory Server with the required protocols.
    • To set the TLS 1.2 protocol, run the idsldapmodify command in the following format:
        idsldapmodify -h host_name -p port -D adminDN -w adminPWD 
        dn: cn=SSL, cn=Configuration 
        changetype: modify 
        add: ibm-slapdSecurityProtocol 
        ibm-slapdSecurityProtocol: TLS12
      
    • To set the SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 protocols, run the idsldapmodify command in the following format. Enable SSLv3, TLS 1.0, and TLS 1.1 only if legacy clients still require them: SSLv3 is prohibited by RFC 7568, and TLS 1.0 and TLS 1.1 are deprecated by RFC 8996.
        idsldapmodify -h host_name -p port -D adminDN -w adminPWD 
        dn: cn=SSL, cn=Configuration 
        changetype: modify 
        add: ibm-slapdSecurityProtocol 
        ibm-slapdSecurityProtocol: SSLV3
        -
        add: ibm-slapdSecurityProtocol 
        ibm-slapdSecurityProtocol: TLS10
        -
        add: ibm-slapdSecurityProtocol 
        ibm-slapdSecurityProtocol: TLS11
        -
        add: ibm-slapdSecurityProtocol 
        ibm-slapdSecurityProtocol: TLS12
        -
        add: ibm-slapdSecurityProtocol 
        ibm-slapdSecurityProtocol: TLS13
      
      
  4. To add the supported ciphers for the TLS 1.2 protocol, run the idsldapmodify command in the following format. Prefer the TLS_ECDHE_* suites, which provide forward secrecy, and the GCM suites over the CBC suites. Which suites a client can actually negotiate depends on the key type of the certificate in the key database: TLS_ECDHE_ECDSA_* suites require an ECDSA certificate, and TLS_RSA_* and TLS_ECDHE_RSA_* suites require an RSA certificate.
    idsldapmodify -p port -D adminDN -w adminPWD -i TLS12cipher_file.ldif
    
    The TLS12cipher_file.ldif file contains the following entries:
    dn: cn=SSL,cn=Configuration
    changetype: modify
    add: ibm-slapdSslCipherSpec
    ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA256
    -
    add: ibm-slapdSslCipherSpec
    ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    -
    add: ibm-slapdSslCipherSpec
    ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    -
    add: ibm-slapdSslCipherSpec
    ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    
  5. Restart the Directory Server and Administration Server.
    ibmslapd -I dsrdbm01 -k
    ibmdiradm -I dsrdbm01 -k
    ibmslapd -I dsrdbm01 -n
    ibmdiradm -I dsrdbm01
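The following script is an added example, not part of the product or of this page. It builds the LDIF for steps 3 and 4 from a protocol list and a TLS 1.2 cipher list, using only the attribute values the page lists, and refuses the deprecated protocols unless the caller opts in explicitly. The hardened defaults, the policy check, the file name security_config.ldif, and the ECDSA-versus-RSA remark are this script's own assumptions.

```python
"""Build the cn=SSL,cn=Configuration modifications of steps 3 and 4 as LDIF.

Added example; not product code. The attribute names and values are the ones
this page documents; the policy check and hardened defaults are assumptions.
"""

# ibm-slapdSecurityProtocol values the page lists.
KNOWN_PROTOCOLS = ("SSLV3", "TLS10", "TLS11", "TLS12", "TLS13")
# SSLv3 is prohibited by RFC 7568; TLS 1.0 and TLS 1.1 are deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = ("SSLV3", "TLS10", "TLS11")
SSL_CONFIG_DN = "cn=SSL,cn=Configuration"

# Hardened defaults (assumption): TLS 1.2 and 1.3 only, and for TLS 1.2 only
# the ECDHE suites from step 4 (forward secrecy), GCM preferred over CBC.
# The TLS_ECDHE_ECDSA_* suites are negotiated only if the certificate in the
# key database has an ECDSA key; with an RSA certificate keep the
# TLS_ECDHE_RSA_* entry and drop the ECDSA ones.
HARDENED_PROTOCOLS = ["TLS12", "TLS13"]
HARDENED_CIPHERS = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]


def _modify_record(dn, attr, values):
    """One 'changetype: modify' record that adds each value of a multi-valued
    attribute; LDIF separates the individual add operations with a '-' line."""
    mods = [f"add: {attr}\n{attr}: {value}\n" for value in values]
    return f"dn: {dn}\nchangetype: modify\n" + "-\n".join(mods)


def security_ldif(protocols, ciphers, allow_legacy=False):
    """Return LDIF that adds the given protocols and TLS 1.2 cipher suites.

    Deprecated protocols are refused unless allow_legacy=True, so enabling
    them for legacy clients has to be a deliberate decision.
    """
    if not protocols or not ciphers:
        raise ValueError("at least one protocol and one cipher are required")
    for proto in protocols:
        if proto not in KNOWN_PROTOCOLS:
            raise ValueError(f"unknown ibm-slapdSecurityProtocol value: {proto}")
        if proto in DEPRECATED_PROTOCOLS and not allow_legacy:
            raise ValueError(f"{proto} is deprecated; pass allow_legacy=True to enable it")
    for cipher in ciphers:
        if not cipher.startswith("TLS_"):
            raise ValueError(f"not an IANA cipher suite name: {cipher}")
    records = [
        _modify_record(SSL_CONFIG_DN, "ibm-slapdSecurityProtocol", protocols),
        _modify_record(SSL_CONFIG_DN, "ibm-slapdSslCipherSpec", ciphers),
    ]
    # Records are separated by a blank line, as in the page's config_file.ldif.
    return "\n".join(records)


if __name__ == "__main__":
    ldif = security_ldif(HARDENED_PROTOCOLS, HARDENED_CIPHERS)
    with open("security_config.ldif", "w", encoding="ascii") as fh:
        fh.write(ldif)
    print(ldif)
    # Apply and restart as in steps 3 to 5 (host_name, port, adminDN as on the page):
    #   idsldapmodify -h host_name -p port -D adminDN -w adminPWD -i security_config.ldif
    #   ibmslapd -I dsrdbm01 -k; ibmdiradm -I dsrdbm01 -k
    #   ibmslapd -I dsrdbm01 -n; ibmdiradm -I dsrdbm01
```

Because the records use add:, idsldapmodify rejects a value that the attribute already holds; to reset the whole protocol or cipher list instead of extending it, change add: to replace: and list every value you want to keep.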

Examples

Example 1:
To verify the secure communication protocols that a directory server supports, search the root DSE (base scope with an empty base DN) with the idsldapsearch command and check the ibm-slapdSecurityProtocol attribute value in the result.
idsldapsearch -p port -s base -b "" objectclass=* ibm-slapdSecurityProtocol

ibm-slapdSecurityProtocol=SSLV3,TLS10,TLS11,TLS12,TLS13
To verify the secure communication protocols that an administration server supports, search the root DSE on the administration server port and check the admindaemon-securityprotocol attribute value in the result.
idsldapsearch -p admin_port -s base -b "" objectclass=* admindaemon-securityprotocol

admindaemon-securityprotocol=SSLV3,TLS10,TLS11,TLS12,TLS13
If more than one secure communication protocol is set on a server, the ibm-slapdSecurityProtocol and admindaemon-securityprotocol attributes show the protocols as a comma-separated list.
Example 2:
To verify the ciphers that a server supports for secure communications when ibm-slapdSecurityProtocol is set to SSLV3, TLS10, or TLS11, search the root DSE and check the ibm-sslciphers attribute value in the result.
idsldapsearch -p port -s base -b "" objectclass=* ibm-sslciphers

ibm-sslciphers=352F04050A090306
To verify the ciphers that an Administration Server supports for secure communications when ibm-slapdSecurityProtocol is set to SSLV3, TLS10, or TLS11, search the root DSE on the administration server port and check the admindaemon-sslciphers attribute value in the result.
idsldapsearch -p adm_port -D adminDN -w adminPWD -s base -b "" \
objectclass=* admindaemon-sslciphers

admindaemon-sslciphers=352F04050A090306
In the output, the ibm-sslciphers and admindaemon-sslciphers attributes contain the hexadecimal codes of all the ciphers in the configuration file for the SSLv3, TLS 1.0, and TLS 1.1 protocols. The codes are concatenated into a single string of two-digit hexadecimal values, so 352F04050A090306 lists the eight ciphers 35, 2F, 04, 05, 0A, 09, 03, and 06.
The ibm-sslciphers and admindaemon-sslciphers attributes are shown when the ibm-slapdSecurity attribute is set to SSL, SSLOnly, or SSLTLS. If the ibm-slapdSecurity attribute is set to TLS, the ibm-sslciphers and admindaemon-sslciphers attributes are not shown in the search result.
Example 3:
To verify the ciphers that a server supports for secure communications when ibm-slapdSecurityProtocol is set to TLS12, search the root DSE and check the values of the ibm-tlsciphers attribute in the result.
idsldapsearch -p port -s base -b "" objectclass=* ibm-tlsciphers

ibm-tlsciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
To verify the ciphers that an Administration Server supports for secure communications when ibm-slapdSecurityProtocol is set to TLS12, search the root DSE on the administration server port and check the values of the admindaemon-tlsciphers attribute in the result.
idsldapsearch -p adm_port -D adminDN -w adminPWD -s base -b "" \
objectclass=* admindaemon-tlsciphers

admindaemon-tlsciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
The ibm-tlsciphers and admindaemon-tlsciphers attributes in the output show the ciphers for the TLS 1.2 protocol as a comma-separated list of cipher suite names.
Note: The ibm-tlsciphers and admindaemon-tlsciphers attributes are shown when the ibm-slapdSecurity attribute value is set to SSL, SSLOnly, or SSLTLS in the configuration file. When the ibm-slapdSecurity attribute is set to TLS, the attributes with cipher values are not shown in the search result.
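The following script is an added example for Examples 2 and 3, not code from the product or this page. It decodes the concatenated hexadecimal ibm-sslciphers and admindaemon-sslciphers values and the comma-separated ibm-tlsciphers and admindaemon-tlsciphers values from the root DSE output and flags the suites and protocols that should not be offered. It assumes that each two-digit code is the low byte of the IANA cipher suite identifier (0x0035 is shown as 35); the code-to-name table comes from the IANA TLS Cipher Suites registry, not from this page, and the sample root DSE output is constructed from the page's example values.

```python
"""Decode and assess the protocol and cipher attributes of the root DSE.

Added example; not product code. Assumption: each two-hex-digit code in
ibm-sslciphers is the low byte of the IANA cipher suite identifier. The
suite names below are taken from the IANA TLS Cipher Suites registry.
"""

# SSLv3 is prohibited by RFC 7568; TLS 1.0 and TLS 1.1 are deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = ("SSLV3", "TLS10", "TLS11")

# Two-hex-digit codes -> IANA suite names, covering the page's example value.
SSL_CIPHER_CODES = {
    "03": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "04": "TLS_RSA_WITH_RC4_128_MD5",
    "05": "TLS_RSA_WITH_RC4_128_SHA",
    "06": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "09": "TLS_RSA_WITH_DES_CBC_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def decode_ssl_ciphers(hex_codes):
    """Split a value such as '352F04050A090306' into two-character codes and
    map each code to its suite name; unknown codes are kept as UNKNOWN_xx."""
    hex_codes = hex_codes.strip().upper()
    if len(hex_codes) % 2:
        raise ValueError(f"odd-length cipher string: {hex_codes}")
    return [SSL_CIPHER_CODES.get(hex_codes[i:i + 2], f"UNKNOWN_{hex_codes[i:i + 2]}")
            for i in range(0, len(hex_codes), 2)]


def weaknesses(suite):
    """Return the reasons a suite should not be offered (empty list = acceptable)."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return []  # TLS 1.3 suites: AEAD only, key exchange is always ephemeral
    reasons = []
    if "_EXPORT_" in suite:
        reasons.append("export-grade key length")
    if "_RC4_" in suite:
        reasons.append("RC4")  # prohibited by RFC 7465
    if "_DES_" in suite or "_RC2_" in suite:
        reasons.append("DES or RC2")  # 56-bit or 40-bit keys
    if "_3DES_" in suite:
        reasons.append("3DES")  # 64-bit block size (Sweet32)
    if suite.endswith("_MD5"):
        reasons.append("MD5 MAC")
    if "_ECDHE_" not in suite and "_DHE_" not in suite:
        reasons.append("no forward secrecy")  # static RSA key exchange
    if "_CBC_" in suite:
        reasons.append("CBC mode")  # prefer AEAD (GCM)
    return reasons


def audit_root_dse(text):
    """Parse attribute=value lines as idsldapsearch prints the root DSE and
    return {'protocols': {attr: [...]}, 'ciphers': {attr: [(suite, reasons)]}}."""
    result = {"protocols": {}, "ciphers": {}}
    for line in text.splitlines():
        attr, sep, value = line.partition("=")
        if not sep:
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr.endswith("securityprotocol"):
            result["protocols"][attr] = value.split(",")
        elif attr.endswith("-sslciphers"):
            result["ciphers"][attr] = [(s, weaknesses(s)) for s in decode_ssl_ciphers(value)]
        elif attr.endswith("-tlsciphers"):
            result["ciphers"][attr] = [(s, weaknesses(s)) for s in value.split(",")]
    return result


def findings(audit):
    """Flatten an audit result into one line per deprecated protocol or weak suite."""
    out = []
    for attr, protos in audit["protocols"].items():
        out += [f"{attr}: {p} is deprecated" for p in protos if p in DEPRECATED_PROTOCOLS]
    for attr, suites in audit["ciphers"].items():
        out += [f"{attr}: {s} ({', '.join(r)})" for s, r in suites if r]
    return out


# Constructed sample, built from the values shown in Examples 1 to 3 (unwrapped).
ROOT_DSE_SAMPLE = """\
ibm-slapdSecurityProtocol=SSLV3,TLS10,TLS11,TLS12,TLS13
ibm-sslciphers=352F04050A090306
ibm-tlsciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
"""

if __name__ == "__main__":
    # Feed real output with:  idsldapsearch -p port -s base -b "" objectclass=* | python3 audit.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else ROOT_DSE_SAMPLE
    for line in findings(audit_root_dse(text)):
        print(line)
```

On the page's own example values the script reports the three deprecated protocols, all eight SSLv3/TLS 1.0/TLS 1.1 suites (none of them offers forward secrecy, and four use RC4, DES, RC2 or export-grade keys), and the two CBC suites in the TLS 1.2 list; only the two TLS_ECDHE_ECDSA_*_GCM_* suites pass.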