Steps for installing and configuring LDAP
You need to perform this task only if you are setting up prerequisite products for PKI Services for the first time.
Although it can be configured otherwise, typical PKI Services usage requires access to an LDAP directory server. Install the LDAP directory server separately from PKI Services. After the installation is complete, LDAP needs to be configured for PKI Services. The directory stores issued certificates and certificate revocation lists. The z/OS® LDAP server provided by IBM® Tivoli® Directory Server for z/OS is preferred but not required. The remainder of this topic assumes you are using the IBM Tivoli Directory Server for z/OS LDAP server.
Note: The default name of the LDAP server configuration file is ds.conf.
You can use a non-z/OS LDAP server if it can support the object classes and attributes that PKI Services uses. For information about using a non-z/OS LDAP server, see LDAP directory server requirements.
Before you begin
- You need LDAP programming skills to complete this procedure.
- For more information, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
Procedure
- Use the following table to decide what you need to do:

| If … | Then … | Notes |
| --- | --- | --- |
| You do not have LDAP installed and configured … | Follow the instructions in the Administration section of z/OS IBM Tivoli Directory Server Administration and Use for z/OS. | |
| You have LDAP installed and configured but not for the TDBM or LDBM backend … | You need to migrate to the TDBM or LDBM backend. See z/OS IBM Tivoli Directory Server Administration and Use for z/OS for details about how to do this. | -- |
| You have LDAP installed and configured for the TDBM or LDBM backend … | Go to the next step. | -- |

  You can now perform the steps for the decision you have made.
- Record the entries and values from the LDAP configuration step in the following table. (Your team needs this information when setting up PKI Services.)

  Table 1. LDAP information you need to record

| LDAP information | Explanation | Value |
| --- | --- | --- |
| Distinguished name | This is the distinguished name to use for LDAP binding. A distinguished name is the unique name of a data entry that identifies its position in the hierarchical structure of the directory. A distinguished name consists of the relative distinguished name (RDN) concatenated with the names of its ancestor entries. For example, an entry for Tim Jones could have an RDN of CN=Tim Jones and a DN of CN=Tim Jones,O=IBM,C=US. Any RDN type supported by the LDAP server can be used. The distinguished name can be a RACF®-style distinguished name. For information about RACF-style distinguished names, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS. For example, an entry for RACF user ID timjones is RACFID=timjones,PROFILETYPE=user,O=racfdb,C=us. | |
| Distinguished name password | This is the password that is defined for the distinguished name above, for use by PKI to bind to the LDAP server. RACF passwords can be case-sensitive, so make sure that the password specified for a RACF-style distinguished name in the pkiserv.conf file or in the LDAPBIND profile matches the RACF password exactly. | |
| LDAP fully qualified domain name and port | This is the domain name on which the LDAP server is listening. For example, for ldap.widgets.com:389, the fully qualified domain name is ldap.widgets.com and the port is 389. See Table 1 for a definition of fully qualified domain name. | |
| Suffix | A suffix in LDAP is the top-level name of the subtree. For example, for the distinguished name OU=your-CA’s-friendly-name,O=your-organization,C=your-country-abbreviation the suffix could be either "O=your company,C=your-country-abbreviation" or "C=your-country-abbreviation". The suffix value is specified after the suffix keyword in the LDAP server configuration file, for example: suffix "O=your-company,C=your-country-abbreviation". Note: If you have more than one suffix, record the suffix you intend to use as the root for storing the PKI Services CA certificate. | |
- The topics that follow require the LDAP server to be running. Follow the instructions in the topic about running the LDAP server in z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
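The suffix row of Table 1 says that a DN sits under a configured suffix only if one of its trailing RDN chains equals a suffix line in ds.conf. The following Python is an added example, not IBM documentation or PKI Services code: it reads the suffix lines from ds.conf-style text, splits a DN into RDNs (honouring backslash-escaped commas), and reports which configured suffix the DN falls under, so you can confirm the suffix you recorded is the one that will hold the CA's entries. The ds.conf lines and DNs are constructed samples.

```python
import re

# Constructed sample of ds.conf lines: only the suffix keyword is read here.
SAMPLE_DS_CONF = """
# constructed sample, not a real server configuration
suffix "O=IBM,C=US"
suffix "O=racfdb,C=us"
"""

def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair as-is
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]

def normalize_rdn(rdn):
    """Attribute types are case-insensitive; values are compared case-insensitively
    with whitespace collapsed, as directory servers do for CN/O/C strings."""
    typ, _, val = rdn.partition("=")
    return typ.strip().lower(), " ".join(val.split()).lower()

def candidate_suffixes(dn):
    """Every trailing chain of RDNs is a possible suffix: for OU=x,O=y,C=z that
    is the DN itself, O=y,C=z and C=z."""
    parts = split_dn(dn)
    return [",".join(parts[i:]) for i in range(len(parts))]

def configured_suffixes(conf_text):
    """Pull every suffix "..." value out of ds.conf-style text."""
    return re.findall(r'^\s*suffix\s+"([^"]+)"', conf_text, re.MULTILINE)

def matching_suffix(dn, conf_text):
    """Return the configured suffix that the DN sits under, or None."""
    wanted = {tuple(normalize_rdn(r) for r in split_dn(c)) for c in candidate_suffixes(dn)}
    for suffix in configured_suffixes(conf_text):
        if tuple(normalize_rdn(r) for r in split_dn(suffix)) in wanted:
            return suffix
    return None
```

A DN that returns None will not be stored under any suffix the server serves, which is the misconfiguration this check is meant to catch before PKI Services is set up.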