Establishing a secure connection with LDAP (optional)

You can optionally set up a secure connection between PKI Services and the LDAP server to prevent the bind password from flowing in the clear. The secure connection uses the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, provided by z/OS® Cryptographic Services System SSL services, to maintain an encrypted communications path between PKI Services and the LDAP server. For information about how to configure LDAP to use a secure connection, see the topic on using SSL/TLS protected communications in z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

If you are using a secure connection with LDAP, the RACF® administrator needs to add a certificate to the PKI Services key ring for validating the LDAP server:
  • If the LDAP server uses a self-signed certificate, add that self-signed certificate to the PKI Services key ring.
  • If the LDAP server uses a certificate signed by a certificate authority (CA), add the CA's certificate to the PKI Services key ring, if it is not already there. Use whatever means the CA provides to obtain the CA's certificate.
For the name of the PKI Services key ring, see Table 1. The RACF administrator uses the RACF RACDCERT command to add a certificate to the key ring. For information about RACDCERT, see z/OS Security Server RACF Command Language Reference.
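The following TSO command sequence is an added illustration of the RACDCERT steps described above; it is not taken from the z/OS documentation. The key ring name, the PKI Services daemon user ID, the data set name and the certificate label are placeholders that you replace with the values from Table 1 and your own installation.

```tso
/* Step 1: the LDAP server's CA certificate (or the server's own
   self-signed certificate) has been uploaded to z/OS in binary DER or
   Base64 form into a sequential data set, here named as a placeholder. */

/* Step 2: add it to the RACF database as a trusted certificate-authority
   certificate. Marking it TRUST is what makes it usable as a trust anchor
   when PKI Services validates the LDAP server's certificate chain. */
RACDCERT CERTAUTH ADD('HLQ.LDAPCA.CERT') WITHLABEL('LDAP CA Cert') TRUST

/* Step 3: connect that certificate to the PKI Services key ring.
   Placeholders: PKISERV is the user ID the PKI Services daemon runs under;
   CAring is the key ring name taken from Table 1. The certificate is
   connected as CERTAUTH, not as a personal or default certificate. */
RACDCERT ID(PKISERV) CONNECT(CERTAUTH LABEL('LDAP CA Cert') RING(CAring))

/* Step 4: if the DIGTCERT and DIGTRING classes are RACLISTed, refresh them
   so the running system sees the new key ring contents. */
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

/* Step 5: verify that the certificate now appears in the ring with
   usage CERTAUTH and status TRUST before restarting PKI Services. */
RACDCERT ID(PKISERV) LISTRING(CAring)
```

The self-signed case uses the same commands with the LDAP server's own certificate in place of the CA certificate; because the certificate is both the trust anchor and the end-entity certificate, it must be added as CERTAUTH with TRUST, otherwise the chain validation by System SSL fails.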