z/OS Cryptographic Services PKI Services Guide and Reference


Steps for using encrypted passwords

SA23-2286-00

Perform the following steps to use encrypted LDAP bind passwords:
  1. Define a RACF® KEYSMSTR class profile by entering the following command, replacing the highlighted value with your own key:
    Example:
    RDEFINE KEYSMSTR LDAP.BINDPW.KEY SSIGNON(KEYENCRYPTED(0023528875DECFAC))
    In this example:
    • LDAP BIND passwords are masked by using a key saved in the KEYSMSTR class, LDAP.BINDPW.KEY.
    • The key is 0023528875DECFAC. (Replace this with your own key.)
    • KEYENCRYPTED is specified (rather than KEYMASKED) because ICSF is active. (If ICSF is not active, replace KEYENCRYPTED with KEYMASKED.)

    _______________________________________________________________

  2. Activate the KEYSMSTR class by entering the following command:
    SETROPTS CLASSACT(KEYSMSTR)

    _______________________________________________________________

  3. If you intend to use the LDAPBIND class, for each LDAP directory, create a RACF LDAPBIND class profile by entering the following command:
    RDEFINE LDAPBIND MY.LDAP.SERVER1
       PROXY(LDAPHOST(ldap://some.ldap.host:389)
       BINDDN('CN=JOE USER,OU=POUGHKEEPSIE,O=IBM,C=US') BINDPW('MYPASS1'))
    Replace the highlighted parameters as follows:
    1. Optionally, replace MY.LDAP.SERVER1 with the profile name you want to use.
    2. Replace ldap://some.ldap.host:389 with your LDAP server URL. You can specify the URL with or without the preceding string "ldap:" or "ldaps:".
    3. Replace CN=JOE USER,OU=POUGHKEEPSIE,O=IBM,C=US with the bind DN.
    4. Replace MYPASS1 with the bind password.
      Note: All bind DN qualifiers and the bind password are case-sensitive.

    _______________________________________________________________

  4. If you intend to use IRR.PROXY.DEFAULTS instead of the LDAPBIND class for encrypted LDAP bind passwords, issue the following command to create the profile:
    RDEFINE FACILITY IRR.PROXY.DEFAULTS
       PROXY(LDAPHOST(ldap://some.ldap.host:389)
       BINDDN('CN=JOE USER,OU=POUGHKEEPSIE,O=IBM,C=US') BINDPW('MYPASS1'))
    Replace the highlighted parameters as follows:
    1. Replace ldap://some.ldap.host:389 with your LDAP server URL. You can specify the URL with or without the preceding string "ldap:" or "ldaps:".
    2. Replace CN=JOE USER,OU=POUGHKEEPSIE,O=IBM,C=US with the bind DN.
    3. Replace MYPASS1 with the bind password.
      Note: All bind DN qualifiers and the bind password are case-sensitive.

    _______________________________________________________________

  5. Optionally, check your work by listing the segment with the RLIST command. If you are using the LDAPBIND class, issue the following command:
    RLIST LDAPBIND MY.LDAP.SERVER1 PROXY NORACF

    Replace MY.LDAP.SERVER1 with the profile name you used.

    Results: This command displays information like the following:
    CLASS        NAME
    LDAPBIND     MY.LDAP.SERVER1
    
    PROXY INFORMATION
    LDAPHOST= LDAP://SOME.LDAP.HOST:389
    BINDDN= CN=LDAP ADMINISTRATOR,OU=POUGHKEEPSIE,O=IBM,C=US
    BINDPW= YES 
    If you are using the IRR.PROXY.DEFAULTS profile of the FACILITY class, issue the following command:
    RLIST FACILITY IRR.PROXY.DEFAULTS PROXY NORACF
    Results: This command displays information like the following:
    CLASS        NAME
    FACILITY     IRR.PROXY.DEFAULTS
    
    PROXY INFORMATION
    LDAPHOST= LDAP://SOME.LDAP.HOST:389
    BINDDN= CN=LDAP ADMINISTRATOR,OU=POUGHKEEPSIE,O=IBM,C=US
    BINDPW= YES 

    _______________________________________________________________
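The five steps above, as an added example of a helper an administrator might keep beside this procedure (it is not part of IBM's documentation or of the PKI Services product): a Python script that builds the RDEFINE commands of steps 1, 3 and 4 from validated inputs with the PROXY(...) group properly closed, and parses the RLIST output of step 5 to confirm that BINDPW= YES is reported. The function names, the accepted URL pattern and the refusal of apostrophes inside quoted values are this example's own assumptions; the 16-hexadecimal-digit key check reflects the RACF KEYMASKED/KEYENCRYPTED key-value format. The sample RLIST output is copied from the Results text above.

```python
# Added example, not IBM's code: build and check the RACF commands of the
# encrypted-bind-password procedure. Function names are this example's own.
import re

KEY_PROFILE = "LDAP.BINDPW.KEY"                 # KEYSMSTR profile used in step 1
HEX16 = re.compile(r"^[0-9A-Fa-f]{16}$")        # KEYMASKED/KEYENCRYPTED keys are 16 hex digits
# Assumption of this example: host[:port], optionally prefixed with ldap:// or ldaps://
LDAP_URL = re.compile(r"^(ldaps?://)?[A-Za-z0-9.\-]+(:\d{1,5})?$")


def keysmstr_command(key_hex, icsf_active=True):
    """Step 1: RDEFINE for the KEYSMSTR profile. KEYENCRYPTED requires ICSF;
    without ICSF the page says to use KEYMASKED instead."""
    key_hex = key_hex.strip()
    if not HEX16.match(key_hex):
        raise ValueError("key must be exactly 16 hexadecimal digits")
    keyword = "KEYENCRYPTED" if icsf_active else "KEYMASKED"
    return f"RDEFINE KEYSMSTR {KEY_PROFILE} SSIGNON({keyword}({key_hex}))"


def _quoted(value, what):
    # Bind DN qualifiers and the password are case-sensitive: pass them through
    # untouched. An apostrophe would need TSO quote doubling; this example
    # refuses such values rather than guess at the escaping rule.
    if "'" in value or "\n" in value:
        raise ValueError(f"{what} must not contain apostrophes or newlines")
    return f"'{value}'"


def proxy_command(ldap_url, bind_dn, bind_pw, profile=None):
    """Steps 3 and 4: RDEFINE for an LDAPBIND profile when a profile name is
    given, otherwise for FACILITY IRR.PROXY.DEFAULTS. Parentheses are balanced."""
    if not LDAP_URL.match(ldap_url):
        raise ValueError("ldap_url must be host[:port], optionally with ldap:// or ldaps://")
    target = f"LDAPBIND {profile}" if profile else "FACILITY IRR.PROXY.DEFAULTS"
    return (f"RDEFINE {target} PROXY(LDAPHOST({ldap_url}) "
            f"BINDDN({_quoted(bind_dn, 'bind DN')}) "
            f"BINDPW({_quoted(bind_pw, 'bind password')}))")


def parse_rlist_proxy(output):
    """Step 5: collect the NAME= VALUE fields that follow the PROXY INFORMATION
    header in 'RLIST ... PROXY NORACF' output."""
    fields = {}
    in_proxy = False
    for raw in output.splitlines():
        line = raw.strip()
        if line == "PROXY INFORMATION":
            in_proxy = True
            continue
        if in_proxy and "=" in line:
            name, _, value = line.partition("=")   # first '=' only; DNs contain more
            fields[name.strip()] = value.strip()
    return fields


def bind_password_stored(output):
    """True when RLIST reports BINDPW= YES, i.e. a bind password is saved in the segment."""
    return parse_rlist_proxy(output).get("BINDPW") == "YES"


# Sample RLIST output, copied from the Results text of step 5.
SAMPLE_RLIST = """\
CLASS        NAME
LDAPBIND     MY.LDAP.SERVER1

PROXY INFORMATION
LDAPHOST= LDAP://SOME.LDAP.HOST:389
BINDDN= CN=LDAP ADMINISTRATOR,OU=POUGHKEEPSIE,O=IBM,C=US
BINDPW= YES
"""

if __name__ == "__main__":
    print(keysmstr_command("0023528875DECFAC"))
    print(proxy_command("ldap://some.ldap.host:389",
                        "CN=JOE USER,OU=POUGHKEEPSIE,O=IBM,C=US", "MYPASS1",
                        profile="MY.LDAP.SERVER1"))
    print("bind password stored:", bind_password_stored(SAMPLE_RLIST))
```

The generated commands are meant to be reviewed and then entered in TSO as the page describes; the script itself never talks to RACF. Feeding the saved RLIST output to bind_password_stored gives a quick yes/no check that the password was stored in the PROXY segment without displaying it.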





Copyright IBM Corporation 1990, 2014