Steps for installing and configuring LDAP

You need to perform this task only if you are setting up prerequisite products for PKI Services for the first time.

Although it can be configured otherwise, typical PKI Services usage requires access to an LDAP directory server. Install the LDAP directory server separately from PKI Services; after that installation is complete, configure LDAP for PKI Services. The directory stores issued certificates and certificate revocation lists. The z/OS® LDAP server provided by IBM® Tivoli® Directory Server for z/OS is preferred but not required. The remainder of this topic assumes you are using the IBM Tivoli Directory Server for z/OS LDAP server.

Note: The default name of the LDAP server configuration file is ds.conf.

You can use a non-z/OS LDAP server if it can support the object classes and attributes that PKI Services uses. For information about using a non-z/OS LDAP server, see LDAP directory server requirements.

Before you begin

  1. You need LDAP programming skills to complete this procedure.
  2. For more information, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

Procedure

Perform the following steps to install and configure LDAP to work with PKI Services:
  1. Use the following table to decide what you need to do:
    If you do not have LDAP installed and configured:
      Follow the instructions in the Administration section of z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

    If you have LDAP installed and configured, but not for the TDBM or LDBM backend:
      Migrate to the TDBM or LDBM backend. See z/OS IBM Tivoli Directory Server Administration and Use for z/OS for details about how to do this.

    If you have LDAP installed and configured for the TDBM or LDBM backend:
      Go to the next step.

    You can now perform the steps for the decision you have made.

    _______________________________________________________________

  2. Record the entries and values from the LDAP configuration step in the following table. (Your team needs this information when setting up PKI Services.)
    Table 1. LDAP information you need to record (fill in the Value line for each entry)

    Distinguished name
      This is the distinguished name to use for LDAP binding. A distinguished name is the unique name of a data entry that identifies its position in the hierarchical structure of the directory. It consists of the relative distinguished name (RDN) concatenated with the names of its ancestor entries. For example, an entry for Tim Jones could have an RDN of CN=Tim Jones and a DN of:
        CN=Tim Jones,O=IBM,C=US
      Any RDN type supported by the LDAP server can be used.
      The distinguished name can be a RACF®-style distinguished name. For information about RACF-style distinguished names, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS. For example, the entry for RACF user ID timjones is:
        RACFID=timjones,PROFILETYPE=user,O=racfdb,C=us
      Value: ____________

    Distinguished name password
      This is the password defined for the distinguished name above, which PKI Services uses to bind to the LDAP server. RACF passwords can be case-sensitive, so make sure that the password specified for a RACF-style distinguished name in the pkiserv.conf file or in the LDAPBIND profile matches the RACF password exactly.
      Value: ____________

    LDAP fully qualified domain name and port
      This is the domain name and port on which the LDAP server is listening. For example, for ldap.widgets.com:389, the fully qualified domain name is ldap.widgets.com and the port is 389. See Table 1 for a definition of fully qualified domain name.
      Value: ____________

    Suffix
      A suffix in LDAP is the top-level name of a subtree. For example, for the distinguished name:
        OU=your-CA’s-friendly-name,O=your-organization,C=your-country-abbreviation
      the suffix could be either "O=your-organization,C=your-country-abbreviation" or "C=your-country-abbreviation".
      The suffix value is specified after the suffix keyword in the LDAP server configuration file:
        suffix "O=your-organization,C=your-country-abbreviation"
      Note: If you have more than one suffix, record the suffix you intend to use as the root for storing the PKI Services CA certificate.
      Value: ____________
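    The following added example (not from this documentation or from IBM's code) shows the check behind the Suffix entry: parse the suffix keywords out of a ds.conf-style file and confirm that the DN under which PKI Services will store the CA certificate sits at or below one of them, so the entry has a backend to land in. The configuration fragment and the DNs are constructed sample values, not from a real system.

```python
import re

# Constructed ds.conf fragment (not a real z/OS LDAP configuration) using the
# suffix keyword exactly as the documentation shows it.
CONSTRUCTED_DS_CONF = '''suffix "O=Widgets,C=US"
suffix "cn=localhost"
'''

def split_rdns(dn):
    """Split a DN into RDNs; a backslash-escaped comma stays inside its value."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc or ch not in ",\\":
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        else:
            parts.append(cur.strip())
            cur = ""
    parts.append(cur.strip())
    return [p for p in parts if p]

def normalize(dn):
    """Comparison form: types and values lower-cased, spaces around '=' and ',' dropped.
    (Attribute types are case-insensitive; values get case-ignore matching here.)"""
    pairs = (rdn.partition("=") for rdn in split_rdns(dn))
    return ",".join(t.strip().lower() + "=" + v.strip().lower() for t, _, v in pairs)

def candidate_suffixes(dn):
    """Ancestors of dn, nearest first: the names the text says could serve as suffix."""
    rdns = split_rdns(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]

def suffixes_from_config(text):
    """Quoted value of every 'suffix' keyword in ds.conf-style text."""
    return re.findall(r'^\s*suffix\s+"([^"]*)"', text, flags=re.MULTILINE)

def matching_suffix(config_text, dn):
    """First configured suffix that dn sits at or below, else None (no backend would hold it)."""
    targets = {normalize(s) for s in [dn] + candidate_suffixes(dn)}
    for suffix in suffixes_from_config(config_text):
        if normalize(suffix) in targets:
            return suffix
    return None
```

    A None result for your recorded CA DN means the suffix you wrote down in Table 1 does not cover it; fix the suffix or the DN before moving on to the PKI Services configuration.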

    _______________________________________________________________

  3. The topics that follow require the LDAP server to be running. Follow the instructions in the topic about running the LDAP server in z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

    _______________________________________________________________