Using encrypted passwords for LDAP servers

PKI Services uses an LDAP directory to store certificates. LDAP requires authenticating (binding) to the directory, which you can do by using a distinguished name and a password. Passwords for binding (to one or more LDAP directories) can be encrypted or in clear text. The UNIX programmer, the LDAP programmer, or both determine whether to use encrypted LDAP bind passwords. You store information about passwords in the PKI Services configuration file, pkiserv.conf.

If you do not need the bind password for the LDAP server to be encrypted, you specify the values for Server1, AuthName1, and AuthPwd1 in the pkiserv.conf configuration file. If you want the bind password for the LDAP server to be encrypted, you can use either one of the following profiles:
  • A profile named IRR.PROXY.DEFAULTS in the FACILITY class. (This profile stores default binding information. It is the profile that PKI Services looks at when no other binding information is available.)
  • A profile (you select the name) in the LDAPBIND class. (You can name this profile whatever you want, as long as the name matches the BindProfile1 value that is specified in the pkiserv.conf configuration file. See Step 3.)

Before creating either of the preceding profiles, the RACF® administrator defines the LDAP.BINDPW.KEY profile in the KEYSMSTR class. This profile contains an SSIGNON segment, which holds either the masked or the encrypted value of the key that encrypts the bind passwords stored in the RACF database. Then the RACF administrator creates either of the preceding profiles with a PROXY segment that stores the binding information (the server name, the bind distinguished name, and the password).
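As an added illustration (not taken from the original page), the two configurations side by side: the clear-text form that keeps the bind password in pkiserv.conf, and the encrypted form in which pkiserv.conf only names an LDAPBIND profile and the RACF administrator holds the bind information in a PROXY segment. The section name [LDAP] and the NumServers keyword, the host name, distinguished name, key value, and the profile name MYLDAPBIND are assumed sample values; lines starting with # are pkiserv.conf comments, and lines in /* */ are notes on the RACF commands, not part of the commands.

```tso
# pkiserv.conf, clear-text form: the bind password sits in a readable file
[LDAP]
NumServers=1
Server1=ldap.example.com:389
AuthName1=CN=PKI Services,O=Example
AuthPwd1=secret

# pkiserv.conf, encrypted form: no AuthPwd1 here, only the LDAPBIND profile name
[LDAP]
NumServers=1
BindProfile1=MYLDAPBIND

/* RACF commands issued by the RACF administrator, in this order.          */
/* 1. The key that encrypts stored bind passwords (16 hex digits, assumed). */
RDEFINE KEYSMSTR LDAP.BINDPW.KEY SSIGNON(KEYMASKED(0123456789ABCDEF))

/* 2. Bind information for server 1, in the profile named by BindProfile1.  */
RDEFINE LDAPBIND MYLDAPBIND PROXY(LDAPHOST(ldap://ldap.example.com:389) BINDDN('CN=PKI Services,O=Example') BINDPW('secret'))

/* 2 (alternative). Default bind information, used when no other binding    */
/* information is available.                                                */
RDEFINE FACILITY IRR.PROXY.DEFAULTS PROXY(LDAPHOST(ldap://ldap.example.com:389) BINDDN('CN=PKI Services,O=Example') BINDPW('secret'))
```

With the encrypted form, the password is never written to pkiserv.conf; it is stored in the RACF database under the LDAP.BINDPW.KEY key, so file-level read access to pkiserv.conf no longer exposes it.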