IBM Support

Setting up Directory Server using startTLS (ldap TLS)

Question & Answer


Question

How do you set up Directory Server using startTLS (ldap TLS)?

Answer

Note: startTLS and SSL are not inter-operable. Issuing a startTLS request (the -Y option) over an SSL port causes an operations error. The startTLS operation works on the non-SSL port only: it upgrades that single connection to a secure (TLS) connection.

To use startTLS you must have GSKit installed on your system. Before you can use startTLS you must first use GSKit to create the key database file and certificates. This procedure is the same as the one used to prepare a server for SSL configuration.

A. Environment setup in this example:
Operating System: RHEL 6.3 x86_64
TDS Version: 6.3.0.19
Instance name: tlsinst
Running on port: 389

B. Creating key database and certificates on Server
B.1. Create a new folder within the instance's home folder and make it owned by the instance user. Then, inside that folder, create the server key database, which will hold the server certificate and its key pair (private and public):
# mkdir -p /home/tlsinst/keys
# chown tlsinst:idsldap /home/tlsinst/keys
# cd /home/tlsinst/keys
# gsk8capicmd_64 -keydb -create -db serverkey.kdb -pw tiv0li -type cms -stash

    Notes:
    The above command creates the following four files:
    serverkey.kdb - stores keys and certificates
    serverkey.crl - stores certificate revocation lists
    serverkey.rdb - stores certificate requests
    serverkey.sth - stores the encrypted (stashed) key database password
    Because the stash file is equivalent to the password, restrict read access on these files to the instance user (tlsinst), which is the user ibmslapd runs as.

B.2. Create a self-signed certificate for the server
# gsk8capicmd_64 -cert -create -db serverkey.kdb -pw tiv0li -label `hostname` -dn "cn=`hostname -f`,o=com,c=in" -default_cert yes
Note:
By default, the certificate is valid for 365 days from the date of creation. If you want it to be valid for more than 1 year, add the "-expire" option to the above command, as follows:
# gsk8capicmd_64 -cert -create -db serverkey.kdb -pw tiv0li -label `hostname` -dn "cn=`hostname -f`,o=com,c=in" -default_cert yes -expire 3650
In this case, with "-expire 3650", the certificate will be valid for 10 years.
Note also that the certificate created here uses a 1024-bit RSA key (the GSKit default at the time, as the details in B.3.1 show); for a new deployment, add "-size 2048" to the -cert -create command.

B.2.1. Check the database (serverkey.kdb) for the certificate that you have just created
# gsk8capicmd_64 -cert -list -db serverkey.kdb -pw tiv0li
Certificates found
* default, - personal, ! trusted
*- tdsv63

B.3. Extract the certificate from the key database created above, so that clients can trust it and communicate with the ITDS server(s) securely. This exports only the public certificate, not the private key:
# gsk8capicmd_64 -cert -extract -db serverkey.kdb -pw tiv0li -label tdsv63 -target serverkey.arm -format binary

B.3.1. The details of the extracted certificate can be viewed with the following command:
# gsk8capicmd_64 -cert -details -db serverkey.kdb -pw tiv0li -label tdsv63
Label : tdsv63
Key Size : 1024
Version : X509 V3
Serial : 54beb667f61ccc51
Issuer : CN=tdsv63.com.in,O=com,C=in
Subject : CN=tdsv63.com.in,O=com,C=in
Not Before : July 5, 2013 6:08:43 PM GMT+05:30
Not After : July 6, 2014 6:08:43 PM GMT+05:30
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 :
56 D5 9D FD 11 DF CA 01 BB BD 0C AB 17 8A 23 14
59 BE 4A 01
Fingerprint : MD5 :
5A 2B 04 3A C8 12 E0 55 6C C7 4B 99 51 53 EB 73
Fingerprint : SHA256 :
37 3D 17 65 EB 7E 05 CD 39 77 72 4A A2 8F E2 7D
8D 66 03 69 15 B4 91 3B 25 FF 77 DF D9 0E 36 12
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Trust Status : Enabled

Note: Steps B.1, B.2 and B.3 above are mandatory. You may use your own file and label names.

After completing these three steps, you will have the following files in the /home/tlsinst/keys directory:
    1. serverkey.arm
    2. serverkey.crl
    3. serverkey.kdb
    4. serverkey.rdb
    5. serverkey.sth

C. Enable ldap startTLS for your TDS Instance
C.1. Verify that your server is up and running:
[root@tdsv63 ~]# ps -ef | grep ibmslapd
tlsinst  29079     1  0 18:25 pts/0    00:00:00 /opt/ibm/ldap/V6.3/sbin/64/ibmslapd -I tlsinst -n

C.2. Modify your ldap server configuration to enable TLS as follows:
# idsldapmodify -D cn=root -w root -i enable_tls.ldif
Operation 0 modifying entry cn=SSL,cn=Configuration

Operation 1 modifying entry cn=SSL,cn=Configuration

where the file enable_tls.ldif contains:
dn: cn=SSL,cn=Configuration
changetype: modify
replace: ibm-slapdSslAuth
ibm-slapdSslAuth: serverAuth
-
replace: ibm-slapdSecurity
ibm-slapdSecurity: TLS
-
replace: ibm-slapdSSLKeyDatabase
ibm-slapdSSLKeyDatabase: /home/tlsinst/keys/serverkey.kdb
-
replace: ibm-slapdSslCertificate
ibm-slapdSslCertificate: tdsv63
-
replace: ibm-slapdSSLKeyDatabasePW
ibm-slapdSSLKeyDatabasePW: tiv0li
# If you need both ldap startTLS and SSL for your ldap server, set ibm-slapdSecurity to SSLTLS
# This file contains the key database password, so protect it (or delete it) after the modify

C.3. Restart the ibmslapd process as follows:
# ibmslapd -I tlsinst -k
GLPSRV176I Terminated directory server instance 'tlsinst' normally.
# ibmslapd -I tlsinst -n
GLPSRV041I Server starting.
.
.
.
GLPSRV180I Pass-through authentication is disabled.
GLPSRV221I Replication of security attributes feature is disabled.
GLPCOM003I Non-SSL port initialized to 389.


D. Creating key database and importing certificates on Client
# In the example below, the TDS-provided idsldapsearch is used as the ldap client.

D.1. On the ldap client system, create the client key database in the folder /home/ldaptest/keys:
# gsk8capicmd_64 -keydb -create -db clientkey.kdb -pw tiv0li -type cms -stash

D.2. Copy the certificate (serverkey.arm) from the server to the client.

D.3. Add the server certificate (serverkey.arm) to the client key database (clientkey.kdb) so that the client trusts it:
# gsk8capicmd_64 -cert -add -db clientkey.kdb -pw tiv0li -label "LDAP Server tdsv63 Cert" -file serverkey.arm

E. Testing REGULAR LDAP
tethereal is a command-line packet capture tool from the Wireshark package, a network traffic analyzer (sniffer) for Unix and Linux systems.

Regular LDAP search command (run on the client):
# idsldapsearch -h tdsv63.com.in -D cn=root -w root -s base -b cn=testuser1,o=com,c=in objectclass=*

Packet capture on interface eth0 (run on the server tdsv63.com.in). Note that the returned entry's DN, attribute names and values are readable in the ASCII column:
# tethereal -n -x -i eth0 tcp port ldap
......
......
0000 00 00 00 00 00 00 00 00 00 00 00 00 86 dd 60 00 ..............`.
0010 00 00 00 c2 06 40 00 00 00 00 00 00 00 00 00 00 .....@..........
0020 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 01 01 85 93 c0 18 d3 6e 06 a1 94 ............n...
0040 a8 0d 80 18 01 00 00 ca 00 00 01 01 08 0a 01 6e ...............n
0050 36 bd 01 6e 36 bb 30 84 00 00 00 9c 02 01 02 64 6..n6.0........d
0060 84 00 00 00 93 04 14 63 6e 3d 70 72 61 62 69 72 .......cn=tstusr
0070 2c 6f 3d 69 62 6d 2c 63 3d 69 6e 30 84 00 00 00 ,o=com,c=in0....
0080 77 30 84 00 00 00 20 04 0b 6f 62 6a 65 63 74 63 w0.... ..objectc
0090 6c 61 73 73 31 84 00 00 00 0d 04 06 70 65 72 73 lass1.......pers
00a0 6f 6e 04 03 74 6f 70 30 84 00 00 00 12 04 02 63 on..top0.......c
00b0 6e 31 84 00 00 00 08 04 06 70 72 61 62 69 72 30 n1.......tstusr0
00c0 84 00 00 00 11 04 02 73 6e 31 84 00 00 00 07 04 .......sn1......
00d0 05 6d 65 68 65 72 30 84 00 00 00 1c 04 0c 75 73 .test10.......us
00e0 65 72 70 61 73 73 77 6f 72 64 31 84 00 00 00 08 erpassword1.....
00f0 04 06 70 6d 65 68 65 72 ..ptest1
......
......

F. Testing startTLS (ldap TLS):
startTLS LDAP search command (run on the client; -Y requests startTLS and -K names the client key database from section D):
# idsldapsearch -h tdsv63.com.in -D cn=root -w root -Y -K /home/ldaptest/keys/clientkey.kdb -s base -b cn=tstusr,o=com,c=in objectclass=*

Packet capture on interface eth0 (run on the server tdsv63.com.in). After the startTLS exchange the payload is a TLS record (17 03 01 ... is an application-data record) and nothing of the query or the entry is readable:
# tethereal -n -x -i eth0 tcp port ldap
......
......
0000 00 00 00 00 00 00 00 00 00 00 00 00 86 dd 60 00 ..............`.
0010 00 00 00 85 06 40 00 00 00 00 00 00 00 00 00 00 .....@..........
0020 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 01 93 c1 01 85 18 2e 69 24 4b 6a ............i$Kj
0040 60 f6 80 18 01 0a 00 8d 00 00 01 01 08 0a 01 6f `..............o
0050 c7 82 01 6f c7 82 17 03 01 00 60 dd 2f 07 b8 20 ...o......`./..
0060 a2 2f 94 5f 52 d6 51 01 f1 e0 bc eb 65 ab 3f e5 ./._R.Q.....e.?.
0070 f1 89 58 10 df 6c 08 52 c9 65 28 4c d8 ec 2d 93 ..X..l.R.e(L..-.
0080 32 6d 4d ef 44 d5 29 dd f8 ec 9b d8 bd 15 d8 71 2mM.D.)........q
0090 f1 4e 9c 77 d4 a9 12 22 59 35 ca e8 e9 48 73 64 .N.w..."Y5...Hsd
00a0 81 75 3c 47 3c a7 2f 05 20 82 b2 ab cc 4c ac 4b .u<G<./. ....L.K
00b0 cd 00 c6 59 82 46 5e 00 42 2e 2e ...Y.F^.B..
......
......
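The captures above make the contrast visible by eye. As an added example (not part of the IBM document), the Python script below parses a `tethereal -x` dump in that layout and labels each TCP segment on the LDAP port either as an LDAPMessage in the clear, naming the operation, or as a TLS record, which is how a capture from the server can be audited for clients that never negotiated startTLS. The sample dump is constructed and assumes Ethernet/IPv6/TCP framing with no IPv6 extension headers, as in the captures above.

```python
import re
# Constructed sample in the layout `tethereal -x` prints (Ethernet + IPv6 + TCP, as in the captures above):
# packet 1 carries a cleartext LDAP SearchResultEntry, packet 2 a TLS application-data record (v3.1 = TLS 1.0).
SAMPLE_DUMP = """\
0000 00 00 00 00 00 00 00 00 00 00 00 00 86 dd 60 00 ..............`.
0010 00 00 00 33 06 40 00 00 00 00 00 00 00 00 00 00 ...3.@..........
0020 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 01 01 85 93 c0 00 00 00 01 00 00 ................
0040 00 01 50 18 01 00 00 00 00 00 30 1d 02 01 02 64 ..P.......0....d
0050 18 04 14 63 6e 3d 74 73 74 75 73 72 2c 6f 3d 63 ...cn=tstusr,o=c
0060 6f 6d 2c 63 3d 69 6e 30 00                      om,c=in0.
......
0000 00 00 00 00 00 00 00 00 00 00 00 00 86 dd 60 00 ..............`.
0010 00 00 00 1a 06 40 00 00 00 00 00 00 00 00 00 00 .....@..........
0020 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 01 01 85 93 c0 00 00 00 01 00 00 ................
0040 00 01 50 18 01 00 00 00 00 00 17 03 01 00 01 dd ..P.............
"""
LINE = re.compile(r"^\s*([0-9a-f]{4})\s+((?:[0-9a-f]{2}(?:\s|$)){1,16})")
TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
LDAP_OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x63: "SearchRequest", 0x64: "SearchResultEntry",
            0x65: "SearchResultDone", 0x77: "ExtendedRequest", 0x78: "ExtendedResponse"}

def parse_dump(text):  # rebuild raw packets; the offset wrapping back to 0000 starts a new packet
    packets = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        if m.group(1) == "0000":
            packets.append(bytearray())
        packets[-1] += bytes.fromhex(m.group(2))
    return [bytes(p) for p in packets]

def tcp_payload(pkt):  # Ethernet(14) + IPv6(40) + TCP; no IPv6 extension headers (assumption)
    if pkt[12:14] != b"\x86\xdd" or pkt[20] != 6:
        raise ValueError("expected Ethernet/IPv6/TCP")
    return pkt[54 + (pkt[66] >> 4) * 4:]  # TCP data offset = high nibble of TCP header byte 12

def ber_len(buf, i):  # BER length at buf[i]: short form, or long form such as the page's 84 00 00 00 9c
    n = buf[i] & 0x7F
    return (buf[i], i + 1) if buf[i] < 0x80 else (int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n)
def classify(payload):  # what a segment on the LDAP port carries: a TLS record, or an LDAPMessage in the clear
    if len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3:
        return f"tls {TLS_TYPES[payload[0]]} record v3.{payload[2]}"
    if payload[:1] == b"\x30":  # BER SEQUENCE: LDAPMessage { messageID INTEGER, protocolOp [APPLICATION n] }
        _, i = ber_len(payload, 1)
        if payload[i] == 0x02:
            i = sum(ber_len(payload, i + 1))  # length + index after it = first byte of the protocolOp tag
        return "cleartext ldap " + LDAP_OPS.get(payload[i], f"op 0x{payload[i]:02x}")
    return "unknown"
def audit(dump_text):
    return [classify(tcp_payload(p)) for p in parse_dump(dump_text)]
```

Run audit() over a dump saved from tethereal -x on the server; any "cleartext ldap" result from a client that should have issued startTLS points to a connection that was never upgraded.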


Product Synonym

Tivoli Directory Server;Security Directory Server;Directory Server

Document Information

Modified date:
16 June 2018

UID

swg21654085