Enabling SSL and Transport Layer Security on the Directory Server

Use this information to enable SSL and Transport Layer Security on the Directory Server.

If you have Digital Certificate Manager installed on your system, you can use Secure Sockets Layer (SSL) security to protect access to your Directory Server. Before enabling SSL on the directory server, you might find it helpful to read the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with the Directory Server topic.

To enable SSL on your LDAP server, do the following:

  1. Associate a certificate with a Directory Server instance
    1. Start IBM Digital Certificate Manager.
      See Start Digital Certificate Manager in the Digital Certificate Manager topic for more information.
    2. If you need to obtain or create certificates, or otherwise set up or change your certificate system, do so now.
      See Digital Certificate Manager for information about setting up a certificate system. The following applications are associated with Directory Server:
      Directory Server instance applications
      Every Directory Server instance has a corresponding application ID, QIBM_DIRECTORY_SERVER_INSTANCENAME. For example, the application ID of the default instance is QIBM_DIRECTORY_SERVER_QUSRDIR.
      Note: The Directory Server application “IBM Tivoli Directory Server” with ID QIBM_GLD_DIRECTORY_SERVER is no longer bound to any Directory Server instance.
      Directory Server publishing application
      The Directory Server publishing application identifies the certificate used by publishing.
      Directory Server client application
      The Directory Server client application identifies the default certificate used by applications using the LDAP client ILE APIs.
    3. Click the Select a Certificate Store button.
    4. Select *SYSTEM.
      Click Continue.
    5. Enter the appropriate password for *SYSTEM certificate store.
      Click Continue.
    6. When the left navigational menu reloads, expand Manage Applications.
    7. Click Update Certificate Assignment.
    8. On the next screen, select Server application.
      Click Continue.
    9. Select your Directory Server instance application.
      By default, the Directory Server instance applications do not have Application descriptions, so the application IDs are shown in the Application column of the application table. For example, the default instance is shown as “QIBM_DIRECTORY_SERVER_QUSRDIR”.
    10. Click Update Certificate Assignment to assign a certificate to the Directory Server.
      Note: If you choose a certificate from a Certificate Authority (CA) whose CA certificate is not in your client's key database, you must add it to establish its identity to clients and to use SSL. Finish this procedure before beginning that one.
    11. Select a certificate from the list to assign to the server.
    12. Click Assign New Certificate.
    13. DCM reloads to the Update Certificate Assignment page with a confirmation message.
      When you are finished setting up the certificates for the Directory Server, click Validate to validate your settings.
    14. Restart your Directory Server instance for the changes to take effect.
  2. Optional: Associate a certificate for the Directory Server publishing.
    If you also want to enable publishing from the system to a Directory Server through an SSL connection, you might also want to associate a certificate with the Directory Server publishing application. This identifies the default certificate and trusted CAs for applications using the LDAP ILE APIs that do not specify their own application ID or an alternate key database.
    1. Start IBM Digital Certificate Manager.
    2. Click the Select a Certificate Store button.
    3. Select *SYSTEM.
      Click Continue.
    4. Enter the appropriate password for *SYSTEM certificate store.
      Click Continue.
    5. When the left navigational menu reloads, expand Manage Applications.
    6. Click Update Certificate Assignment.
    7. On the next screen, select Client application.
      Click Continue.
    8. Select the Directory Server publishing.
    9. Click Update Certificate Assignment to assign a certificate to the Directory Server publishing that will establish its identity.
    10. Select a certificate from the list to assign to the server.
    11. Click Assign New Certificate.
    12. DCM reloads to the Update Certificate Assignment page with a confirmation message.
      Note: These steps assume that you are already publishing information to the Directory Server with a non-SSL connection. See Publishing information to the Directory Server for complete information about setting up publishing.
  3. Optional: Associate a certificate for the Directory Server client.
    If you have other applications that use SSL connections to a Directory Server, you must also associate a certificate with the Directory Server client.
    1. Start IBM Digital Certificate Manager.
    2. Click the Select a Certificate Store button.
    3. Select *SYSTEM.
      Click Continue.
    4. Enter the appropriate password for *SYSTEM certificate store.
      Click Continue.
    5. When the left navigational menu reloads, expand Manage Applications.
    6. Click Update Certificate Assignment.
    7. On the next screen, select Client application.
      Click Continue.
    8. Select the Directory Server client.
    9. Click Update Certificate Assignment to assign a certificate to the Directory Server client that will establish its identity.
    10. Select a certificate from the list to assign to the server.
    11. Click Assign New Certificate.
    12. DCM reloads to the Update Certificate Assignment page with a confirmation message.

After SSL is enabled, you can change the port that your Directory Server instance uses for secured connections from .

  1. In , expand Network > Servers > TCP/IP Servers.
  2. Right-click IBM Tivoli Directory Server for IBM i and select Manage Instances.
  3. Right-click your Directory Server instance and select Properties.
  4. On the Network tab, specify the port number that you want to make secure.

    Notice that the Secure check box is checked. This indicates that an application can start an SSL or TLS connection over the secure port. It also indicates that an application can issue a StartTLS operation to allow a TLS connection over a port that is not secure. Alternatively, you can start TLS by using the -Y option from a client command-line utility. If you are using the command line, the ibm-slapdSecurity attribute must be equal to TLS or SSLTLS.
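The StartTLS operation mentioned above is an LDAPv3 extended operation (RFC 4511, section 4.14): the client sends an ExtendedRequest naming OID 1.3.6.1.4.1.1466.20037 over the plain port, and only after the server answers with resultCode success does the TLS handshake begin on the same socket. The following is an added example, not code from this topic or from IBM; it builds the client's request byte for byte, decodes the server's ExtendedResponse, and shows the optional socket exchange that hands the connection to Python's ssl module. The two sample responses are constructed here to illustrate the success and refusal cases; the `starttls_on_socket` helper, the `cafile` parameter and the hostname are assumptions for a connection to your own instance.

```python
"""LDAPv3 StartTLS extended operation at the wire level (RFC 4511, section 4.14).

Added example: builds the client's StartTLS ExtendedRequest, decodes the server's
ExtendedResponse, and optionally performs the exchange on a connected socket
before wrapping it in TLS. The sample responses are constructed, not captured.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # requestName / responseName for StartTLS


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """Content octets of a non-negative INTEGER/ENUMERATED (leading 0x00 if high bit set)."""
    return value.to_bytes((value.bit_length() // 8) + 1, "big")


def build_starttls_request(message_id: int = 1) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ExtendedRequest }
    # ExtendedRequest is [APPLICATION 23] constructed -> tag 0x77; requestName [0] -> tag 0x80
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID.encode("ascii")))
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + ext_req)


def build_starttls_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    # ExtendedResponse is [APPLICATION 24] constructed -> tag 0x78; responseName [10] -> tag 0x8A
    body = (tlv(0x0A, ber_int(result_code))            # resultCode ENUMERATED
            + tlv(0x04, b"")                            # matchedDN (empty for StartTLS)
            + tlv(0x04, diagnostic.encode("utf-8"))     # diagnosticMessage
            + tlv(0x8A, STARTTLS_OID.encode("ascii")))  # responseName
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + tlv(0x78, body))


def read_tlv(buf: bytes, pos: int):
    """Decode one element at pos; returns (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


@dataclass
class StartTlsResult:
    message_id: int
    result_code: int
    diagnostic: str
    response_name: Optional[str]

    @property
    def ok(self) -> bool:
        return self.result_code == 0  # success: the client may now start the TLS handshake


def parse_starttls_response(buf: bytes) -> StartTlsResult:
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse (0x78), got 0x{tag:02x}")
    _, code, pos = read_tlv(resp, 0)       # resultCode
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, pos = read_tlv(resp, pos)     # diagnosticMessage
    name = None
    while pos < len(resp):                 # optional referral [3], responseName [10], responseValue [11]
        tag, val, pos = read_tlv(resp, pos)
        if tag == 0x8A:
            name = val.decode("ascii")
    return StartTlsResult(int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
                          diag.decode("utf-8", "replace"), name)


def starttls_on_socket(sock: socket.socket, server_hostname: str, cafile: str) -> ssl.SSLSocket:
    """Issue StartTLS on a connected plain socket, then wrap it in TLS (assumed helper).

    cafile must hold the CA certificate that signed the server's certificate; if it
    does not, wrap_socket raises a certificate verification error, which is the
    client-side symptom of the CA note in the DCM procedure above.
    """
    sock.sendall(build_starttls_request(1))
    reply = sock.recv(4096)                # the response is small; a single read is assumed here
    result = parse_starttls_response(reply)
    if not result.ok:
        raise RuntimeError(f"StartTLS refused: resultCode={result.result_code} {result.diagnostic!r}")
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


# Constructed sample server messages: a success and a refusal (protocolError, code 2).
SAMPLE_SUCCESS = build_starttls_response(1, 0)
SAMPLE_REFUSED = build_starttls_response(1, 2, "StartTLS not enabled on this port")
```

A server whose ibm-slapdSecurity attribute is neither TLS nor SSLTLS answers the request with a non-success resultCode, which is what the refusal sample models; a successful answer only means the server is willing to negotiate, and the certificate assigned in DCM is checked by the client during the handshake that follows, not by the extended operation itself.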