Installing IBM Security Directory Server with SSL

In this post, I will explain how to configure IBM Security Directory Server and add SSL support to it.

Defining a new IBM Security Directory Server instance

Adding user to handle IBM Security Directory Server instance

Before creating the instance, add a new user to your server (assuming that /appli/p8sds exists):

/opt/ibm/ldap/V6.4/sbin/idsadduser -u p8sds -w password -l /appli/p8sds -g idsldap -q

This line adds a new Unix user, “p8sds”, with “password” as the user password and “/appli/p8sds” as the home directory, and puts the user into the “idsldap” group. The -q option only runs the command in quiet mode.

Creating a new IBM Security Directory Server instance

Let's proceed to instance creation:

/opt/ibm/ldap/V6.4/sbin/idsicrt -I p8sds -p 8389 -s 8636 -e mysecretkey! -g mysecretsalt -l /appli/p8sds -q

This line adds a new IBM Security Directory Server instance, “p8sds”, with the non-secure port set to 8389 and the secure port set to 8636. The instance is created in the “/appli/p8sds” directory.

Initializing the IBM Security Directory Server instance

Initialize the instance using the following command line:

/opt/ibm/ldap/V6.4/sbin/idscfgdb -I p8sds -a p8sds -t p8sds -l /appli/p8sds -n -w password -q

This configures the database for the “p8sds” instance, connecting as the “p8sds” user.

Adding an administrator to the new instance

The following command line will add the “cn=adminsds” local user with “password” as user password to the new IBM Security Directory Server instance:

/opt/ibm/ldap/V6.4/sbin/idsdnpw -I p8sds -u cn=adminsds -p password -q

Adding a new suffix

Finally, add a new suffix to the new IBM Security Directory Server instance:

/opt/ibm/ldap/V6.4/sbin/idscfgsuf -I p8sds -s "o=sample" -q

Adding SSL support to this IBM Security Directory Server instance

Generate a new SSL certificate

In this specific example, I will create a fully custom SSL certificate:

/usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -keydb -create -db serverkey.kdb -pw serverpwd -stash
/usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -create -db serverkey.kdb -pw serverpwd -label serverlabel -dn "cn=LDAP_Server,o=sample" -default_cert yes
/usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -extract -db serverkey.kdb -pw serverpwd -label serverlabel -target server.der -format binary

These lines create the serverkey.kdb key database with “serverpwd” as password (and its stash file, via -stash), then create a self-signed certificate with “serverlabel” as label and “cn=LDAP_Server,o=sample” as distinguished name, set as the default certificate, and finally extract that certificate in binary DER format to server.der.

Create the LDIF file related to IBM Security Directory Server

cat > ssl.ldif <<EOF
dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslAuth
ibm-slapdSslAuth: serverAuth

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSecurity
ibm-slapdSecurity: SSL

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabase
ibm-slapdSslKeyDatabase: /root/serverkey.kdb

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslCertificate
ibm-slapdSslCertificate: serverlabel

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabasepw
ibm-slapdSslKeyDatabasepw: serverpwd
EOF

This command creates an LDIF file that points the server at “serverkey.kdb” as key database and reuses the previously defined password and label.
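The two steps above, creating the key database with gsk8capicmd_64 and writing ssl.ldif, are the ones that put secrets on disk: the stash file created by -stash and the ibm-slapdSslKeyDatabasepw value both hold the key database password, and the LDIF itself therefore contains it too. The script below is an added example, not code from the original post or from IBM. It checks the key database before writing the LDIF (absolute path, companion .sth file next to the .kdb, no permission bits for "other", since whichever account runs ibmslapd needs to read both files and nobody else should), then writes the same five replace records from parameters into a file created with mode 600. The preflight rules, and the assumption that leaving out ibm-slapdSslKeyDatabasepw makes the server fall back to the stash file, are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: build the cn=SSL modify LDIF
# from parameters and check the key database before the server is pointed at it.
# Attribute names are those used in ssl.ldif above. The preflight rules
# (absolute path, companion .sth stash next to the .kdb, no "other" permission
# bits) are this example's own assumptions about a sane deployment.

# keydb_preflight KDB_PATH -> 0 if the key database looks usable; otherwise
# prints the problem and returns 1
keydb_preflight() {
    _kdb=$1
    case $_kdb in
        /*) ;;
        *)  echo "key database path must be absolute: $_kdb"; return 1 ;;
    esac
    [ -f "$_kdb" ] || { echo "key database not found: $_kdb"; return 1; }
    _sth=${_kdb%.kdb}.sth
    [ -f "$_sth" ] || { echo "stash file not found (gsk8capicmd_64 -stash creates it): $_sth"; return 1; }
    # the stash file holds the key database password: refuse copies readable by everyone
    for _f in "$_kdb" "$_sth"; do
        case $(ls -l "$_f" | cut -c8-10) in
            ---) ;;
            *)   echo "accessible to others, fix with chmod o-rwx: $_f"; return 1 ;;
        esac
    done
    return 0
}

# ldif_replace ATTR VALUE -> one "replace" record for the cn=SSL configuration entry
ldif_replace() {
    printf 'dn: cn=SSL, cn=Configuration\nchangetype: modify\nreplace: %s\n%s: %s\n\n' "$1" "$1" "$2"
}

# make_ssl_ldif OUT KDB_PATH LABEL [PASSWORD] -> writes the LDIF to OUT (mode 600,
# since it can contain the key database password). When PASSWORD is omitted the
# ibm-slapdSslKeyDatabasepw record is left out (assumption of this example: the
# server then reads the password from the stash file).
make_ssl_ldif() {
    _out=$1; _kdb=$2; _label=$3; _pw=$4
    keydb_preflight "$_kdb" || return 1
    (
        umask 077
        {
            ldif_replace ibm-slapdSslAuth serverAuth
            ldif_replace ibm-slapdSecurity SSL
            ldif_replace ibm-slapdSslKeyDatabase "$_kdb"
            ldif_replace ibm-slapdSslCertificate "$_label"
            [ -z "$_pw" ] || ldif_replace ibm-slapdSslKeyDatabasepw "$_pw"
        } > "$_out"
    )
}

# Stand-alone demo on constructed placeholder files (a real .kdb/.sth pair comes
# from "gsk8capicmd_64 -keydb -create ... -stash")
demo() {
    _dir=$(mktemp -d)
    touch "$_dir/serverkey.kdb" "$_dir/serverkey.sth"
    chmod 600 "$_dir/serverkey.kdb" "$_dir/serverkey.sth"
    make_ssl_ldif "$_dir/ssl.ldif" "$_dir/serverkey.kdb" serverlabel && cat "$_dir/ssl.ldif"
    rm -rf "$_dir"
}
demo
```

With the post's own values the call is make_ssl_ldif /root/ssl.ldif /root/serverkey.kdb serverlabel serverpwd, and the resulting file is applied with idsldapmodify exactly as in the next section; the preflight will refuse a key database whose .sth is missing or world-readable before the server ever tries to load it.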

Applying the LDIF file to IBM Security Directory Server

/opt/ibm/ldap/V6.4/bin/idsldapmodify -h localhost -p 8389 -D cn=adminsds -w password -i /root/ssl.ldif

Simply apply the LDIF file, specifying the server instance with the -h and -p options. The credentials must match those defined with the idsdnpw command.

Restart the IBM Security Directory Server instance

In order to use this new configuration, stop and start your IBM Security Directory Server instance:

/opt/ibm/ldap/V6.4/sbin/ibmslapd -I p8sds -k
/opt/ibm/ldap/V6.4/sbin/idsdiradm -I p8sds -k
/opt/ibm/ldap/V6.4/sbin/idsdiradm -I p8sds
/opt/ibm/ldap/V6.4/sbin/ibmslapd -n -I p8sds

Output from the ibmslapd.log file

The following output must be present:

2018-12-05T21:35:35.346619+1:00 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so.
2018-12-05T21:35:35.346689+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.so.
2018-12-05T21:35:35.347411+1:00 GLPCOM025I The audit plugin is successfully loaded from libldapaudit.so.
2018-12-05T21:35:35.363417+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.so.
2018-12-05T21:35:35.363517+1:00 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so.
2018-12-05T21:35:35.363582+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.so.
2018-12-05T21:35:35.364546+1:00 GLPCOM022I The database plugin is successfully loaded from libback-config.so.
2018-12-05T21:35:35.365405+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.so.
2018-12-05T21:35:35.365483+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.so.
2018-12-05T21:35:35.365552+1:00 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so.
2018-12-05T21:35:35.365614+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.so.
2018-12-05T21:35:35.384114+1:00 GLPCOM022I The database plugin is successfully loaded from libback-rdbm.so.
2018-12-05T21:35:35.384431+1:00 GLPCOM010I Replication plugin is successfully loaded from libldaprepl.so.
2018-12-05T21:35:35.384564+1:00 GLPSRV189I Virtual list view support is enabled.
2018-12-05T21:35:35.385121+1:00 GLPCOM021I The preoperation plugin is successfully loaded from libpta.so.
2018-12-05T21:35:35.385274+1:00 GLPSRV194I The Record Deleted Entries feature is disabled. Deleted entries are immediately removed from the database.
2018-12-05T21:35:35.385869+1:00 GLPSRV207I Group conflict resolution during replication is disabled.
2018-12-05T21:35:35.386043+1:00 GLPSRV221I Replication of security attributes feature is disabled.
2018-12-05T21:35:35.386151+1:00 GLPSRV200I Initializing primary database and its connections.
2018-12-05T21:35:37.150644+1:00 GLPRDB126I The directory server will not use DB2 selectivity.
2018-12-05T21:35:37.210514+1:00 GLPSRV015I Server configured to use 8636 as the secure port.
2018-12-05T21:35:37.211258+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libloga.so.
2018-12-05T21:35:37.211589+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libidsfget.so.
2018-12-05T21:35:37.217647+1:00 GLPSRV232I Pass-through authentication is disabled.
2018-12-05T21:35:37.217711+1:00 GLPSRV234I Pass-through support for compare operations is disabled.
2018-12-05T21:35:37.226632+1:00 GLPCOM003I Non-SSL port initialized to 8389.
2018-12-05T21:35:37.226696+1:00 GLPCOM004I SSL port initialized to 8636.
2018-12-05T21:35:38.090257+1:00 GLPRPL137I Restricted Access to the replication topology is set to false.
2018-12-05T21:35:38.243418+1:00 GLPCOM039I Suite B mode is disabled.
2018-12-05T21:35:38.243711+1:00 GLPSSL039I Secure communication using the SSLV3 protocol is enabled.
2018-12-05T21:35:38.243812+1:00 GLPSSL039I Secure communication using the TLS10 protocol is enabled.
2018-12-05T21:35:38.243895+1:00 GLPSSL039I Secure communication using the TLS11 protocol is enabled.
2018-12-05T21:35:38.243964+1:00 GLPSSL039I Secure communication using the TLS12 protocol is enabled.
2018-12-05T21:35:38.244022+1:00 GLPSRV047W Anonymous binds will be allowed.
2018-12-05T21:35:38.244048+1:00 GLPSRV047W Anonymous binds will be allowed.
2018-12-05T21:35:38.281004+1:00 GLPSRV009I 6.4.0.0      server started.
2018-12-05T21:35:38.281129+1:00 GLPRPL136I Replication conflict resolution mode is set to true.
2018-12-05T21:35:38.291400+1:00 GLPSRV048I Started 15 worker threads to handle client requests.
2018-12-05T21:35:38.291514+1:00 GLPSRV227I The effective value for IDS_MAX_SEARCH_FILTER_LEVEL is 400
2018-12-05T21:35:39.307336+1:00 GLPSRV212I The LDAP trace utility 'ldtrc' is disabled.
2018-12-05T21:35:39.307419+1:00 GLPSRV214I The LDAP Server is not recording binary trace.
2018-12-05T21:35:39.307465+1:00 GLPSRV216I The LDAP Server is not recording ascii trace.

As displayed, the “Non-SSL port initialized to 8389” and “SSL port initialized to 8636” messages are both present.

Testing it

Using netstat:

[root@localhost ~]# netstat -pan | grep 8636
tcp6       0      0 :::8636                 :::*                    LISTEN      2003/ibmslapd
[root@localhost ~]# netstat -pan | grep 8389
tcp6       0      0 :::8389                 :::*                    LISTEN      2003/ibmslapd

Using telnet (with a handshake error on the SSL port, because no SSL certificate is used by this command):

[root@localhost ~]# telnet localhost 8389
Trying ::1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@localhost ~]# telnet localhost 8636
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
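The log above records two things worth checking rather than scrolling past: the GLPSSL039I lines show SSLV3, TLS10 and TLS11 enabled alongside TLS12, and GLPSRV047W shows that anonymous binds are allowed. The script below is an added example, not code from the original post, that turns the manual log, netstat and telnet checks of this section into functions. It runs here over constructed samples in the page's own log and netstat -pan formats; tls_probe uses openssl s_client to perform the TLS handshake that telnet cannot on 8636, and needs the live server, so it is left commented out in the stand-alone run.

```shell
#!/bin/sh
# Added example, not part of the original post: post-restart checks for an
# IBM Security Directory Server instance. Message ids (GLPCOM003I, GLPCOM004I,
# GLPSSL039I, GLPSRV047W) and line formats come from the ibmslapd.log excerpt
# above; the sample log and netstat text below are constructed for offline use.

# Constructed excerpt in ibmslapd.log format
SAMPLE_LOG='2018-12-05T21:35:37.210514+1:00 GLPSRV015I Server configured to use 8636 as the secure port.
2018-12-05T21:35:37.226632+1:00 GLPCOM003I Non-SSL port initialized to 8389.
2018-12-05T21:35:37.226696+1:00 GLPCOM004I SSL port initialized to 8636.
2018-12-05T21:35:38.243711+1:00 GLPSSL039I Secure communication using the SSLV3 protocol is enabled.
2018-12-05T21:35:38.243812+1:00 GLPSSL039I Secure communication using the TLS10 protocol is enabled.
2018-12-05T21:35:38.243964+1:00 GLPSSL039I Secure communication using the TLS12 protocol is enabled.
2018-12-05T21:35:38.244022+1:00 GLPSRV047W Anonymous binds will be allowed.
2018-12-05T21:35:38.281004+1:00 GLPSRV009I 6.4.0.0      server started.'

# Constructed "netstat -pan" style listing (same 7-column layout as above)
SAMPLE_NETSTAT='tcp6       0      0 :::8636                 :::*                    LISTEN      2003/ibmslapd
tcp6       0      0 :::8389                 :::*                    LISTEN      2003/ibmslapd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd'

# port_initialized LOG PORT KIND -> 0 if the log reports the KIND (ssl|nonssl) listener up on PORT
port_initialized() {
    case $3 in
        ssl)    _msg="GLPCOM004I SSL port initialized to $2\." ;;
        nonssl) _msg="GLPCOM003I Non-SSL port initialized to $2\." ;;
        *)      return 2 ;;
    esac
    printf '%s\n' "$1" | grep -q "$_msg"
}

# weak_protocols LOG -> prints the legacy protocols the server enabled (SSLV3,
# TLS10, TLS11), one per line, and returns 1 if there are any
weak_protocols() {
    _found=$(printf '%s\n' "$1" | grep 'GLPSSL039I' | grep -oE 'SSLV3|TLS10|TLS11' | sort -u)
    [ -n "$_found" ] || return 0
    printf '%s\n' "$_found"
    return 1
}

# anonymous_binds_allowed LOG -> 0 if the server logged GLPSRV047W
anonymous_binds_allowed() {
    printf '%s\n' "$1" | grep -q 'GLPSRV047W'
}

# listening_on NETSTAT PORT PROCESS -> 0 if PROCESS has a LISTEN socket on PORT
listening_on() {
    printf '%s\n' "$1" | awk -v p=":$2" -v n="/$3" \
        '$4 ~ (p "$") && $6 == "LISTEN" && $7 ~ (n "$") { ok = 1 } END { exit ok ? 0 : 1 }'
}

# tls_probe HOST PORT -> real TLS handshake against a running server (what telnet
# cannot do on 8636); prints the negotiated protocol and the certificate subject
tls_probe() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        grep -E 'Protocol|subject='
}

# Stand-alone run over the constructed samples
main() {
    port_initialized "$SAMPLE_LOG" 8389 nonssl && echo "non-SSL listener reported on 8389"
    port_initialized "$SAMPLE_LOG" 8636 ssl && echo "SSL listener reported on 8636"
    _weak=$(weak_protocols "$SAMPLE_LOG") || echo "legacy protocols enabled: $(printf '%s' "$_weak" | tr '\n' ' ')"
    anonymous_binds_allowed "$SAMPLE_LOG" && echo "warning: anonymous binds allowed (GLPSRV047W)"
    listening_on "$SAMPLE_NETSTAT" 8636 ibmslapd && echo "ibmslapd is listening on 8636"
    # tls_probe localhost 8636   # uncomment on the server itself
}
main
```

On the real server, feed the functions with the actual files and commands, for instance weak_protocols "$(cat /appli/p8sds/idsslapd-p8sds/logs/ibmslapd.log)" and listening_on "$(netstat -pan)" 8636 ibmslapd (the log path under the instance directory is an assumption; use wherever your instance writes ibmslapd.log). A non-empty weak_protocols result or a GLPSRV047W hit is the point at which to revisit the cn=SSL protocol settings and the anonymous-bind setting before exposing the instance.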

Using idsldapsearch (assuming that there is one domain and one user):

[root@localhost ~]# /opt/ibm/ldap/V6.4/bin/idsldapsearch -h localhost -p 8389 -D cn=adminsds -w password -b o=sample cn=*
cn=p8admin,o=sample
userPassword=password
objectclass=inetorgperson
objectclass=top
objectclass=organizationalperson
objectclass=person
sn=p8admin
cn=p8admin
mail=p8admin@localdomain.com
[root@localhost ~]# /opt/ibm/ldap/V6.4/bin/idsldapsearch -h localhost -p 8636 -K /root/serverkey.kdb -P serverpwd -N "serverlabel" -D cn=adminsds -w password -b o=sample cn=*
cn=p8admin,o=sample
userPassword=password
objectclass=inetorgperson
objectclass=top
objectclass=organizationalperson
objectclass=person
sn=p8admin
cn=p8admin
mail=p8admin@localdomain.com

For the SSL call, you will have to specify your key database (-K option), your certificate label (-N option) and your key database password (-P option).

Using the SSL connection with IBM WebSphere

Using the WebSphere console

In the IBM WebSphere admin console, go to the following configuration page:

Security > Global SSL certificate and key management > SSL configurations > Your item name (as NodeDefaultSSLSettings) > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.

In this page, click the “Add” button to add a new certificate, with the following information:

  • Alias: the certificate display name you want in the WebSphere console;
  • File name: the absolute path to your certificate (in my case, this path points to the “server.der” file);
  • Data type: Binary DER data

Restart your WebSphere instance.

Using a Jython script (not tested yet)

AdminTask.addSignerCertificate('[-keyStoreName NodeDefaultTrustStore -certificateAlias default -certificateFilePath <file path> -base64Encoded false]')

Then restart your WebSphere instance.

Testing it

Go to Security > Global Security > Configure… (in the Available realm definitions section) > LDAP Test Query.

In this page, configure the endpoint as expected (host, port, base distinguished name, bind distinguished name, bind password), check the “SSL enabled” checkbox (keep the “Centrally managed” option checked), set the “Search filter string” to “cn=*” and click “Test Query”.

The output will look like this:

LdapSearch Input Parameters
hostName=localhost
portNumber=8636
sslEnabled=true
sslAlias=
baseDN=o=sample
bindDN=cn=P8Admin,o=sample
bindPwd=*****
searchFilter=cn=*
searchLimit=20
referral=ignore
searchScope=sub

LdapSearch Results
cn=p8admin
mail=p8admin@localdomain.com
objectclass=inetorgperson
objectclass=top
objectclass=organizationalperson
objectclass=person
sn=p8admin

 
