z/OS Cryptographic Services PKI Services Guide and Reference


Establishing a secure connection with LDAP (optional)

z/OS Cryptographic Services PKI Services Guide and Reference
SA23-2286-00

You can optionally set up a secure connection between PKI Services and the LDAP server to prevent the bind password from flowing in the clear. The secure connection uses the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, provided by z/OS® Cryptographic Services System SSL services, to maintain an encrypted communications path between PKI Services and the LDAP server. For information on how to configure LDAP to use a secure connection, see the topic on using SSL/TLS protected communications in z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

If you are using a secure connection with LDAP, the RACF® administrator needs to add a certificate to the PKI Services key ring for validating the LDAP server:
  • If the LDAP server uses a self-signed certificate, add that self-signed certificate to the PKI Services key ring.
  • If the LDAP server uses a certificate signed by a certificate authority (CA), add the CA's certificate to the PKI Services key ring, if it is not already there. Use whatever means the CA provides to obtain the CA's certificate.
For the name of the PKI Services key ring, see Table 1. The RACF administrator uses the RACF RACDCERT command to add a certificate to the key ring. For information about RACDCERT, see z/OS Security Server RACF Command Language Reference.
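The following REXX exec, added here as an illustration and not part of the IBM documentation, shows the RACDCERT sequence the RACF administrator would run for the CA-signed case, followed by the check that the certificate is actually connected to the ring. The data set name, the certificate label, the PKI Services daemon user ID (PKISRVD) and the ring name (CAring) are placeholders; take the real user ID and ring name from Table 1 and your installation.

```rexx
/* REXX: add the LDAP server's CA certificate to the PKI Services    */
/* key ring so System SSL can validate the LDAP server.              */
/* Placeholders: data set, label, user ID PKISRVD and ring CAring.   */
ADDRESS TSO

/* Data set holding the CA certificate obtained from the CA. RACDCERT */
/* accepts a Base64 (PEM) or DER certificate in a sequential data set. */
certDsn   = "'LDAPADM.LDAPCA.CERT'"
certLabel = "'LDAP Server CA'"
pkiUser   = "PKISRVD"          /* PKI Services daemon user ID         */
ringName  = "CAring"           /* PKI Services key ring (see Table 1) */

/* 1. Add the certificate as a CERTAUTH (certificate-authority) cert.  */
/*    TRUST marks it usable for validating peer certificates. A        */
/*    self-signed LDAP server certificate is added the same way.       */
"RACDCERT CERTAUTH ADD("certDsn") WITHLABEL("certLabel") TRUST"
IF rc <> 0 THEN DO
  SAY "RACDCERT ADD failed, rc=" rc
  EXIT rc
END

/* 2. Connect the CERTAUTH certificate to the PKI Services key ring.   */
"RACDCERT ID("pkiUser") CONNECT(CERTAUTH LABEL("certLabel")",
  "RING("ringName") USAGE(CERTAUTH))"
IF rc <> 0 THEN DO
  SAY "RACDCERT CONNECT failed, rc=" rc
  EXIT rc
END

/* 3. Refresh the in-storage DIGTCERT profiles if they are RACLISTed,  */
/*    otherwise PKI Services may not see the new certificate.          */
"SETROPTS RACLIST(DIGTCERT) REFRESH"

/* 4. Verify: the label must appear in the ring listing with           */
/*    usage CERTAUTH and status TRUST.                                 */
"RACDCERT ID("pkiUser") LISTRING("ringName")"
"RACDCERT CERTAUTH LIST(LABEL("certLabel"))"
EXIT 0
```

If LISTRING does not show the label, PKI Services will fail the TLS handshake with the LDAP server because the server's certificate chain cannot be validated against the ring.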





Copyright IBM Corporation 1990, 2014