In this post, I will explain how to configure IBM Security Directory Server and adding SSL.<\/p>\n
<\/p>\n
Before creating instance, add a new user to your server (assuming that \/appli\/p8sds exist):<\/p>\n
\/opt\/ibm\/ldap\/V6.4\/sbin\/idsadduser\u00a0-u\u00a0p8sds\u00a0-w\u00a0password\u00a0-l\u00a0\/appli\/p8sds\u00a0-g\u00a0idsldap\u00a0-q<\/pre>\nThis line add a new Unix user, “p8sds”, with “password” as user password, “\/appli\/p8sds” as user home directory, and adding this user into “idsldap” group. The -q option is only here to execute the command line in quiet mode.<\/p>\n
Creating a new IBM Security Directory Server instance<\/h2>\n
Let proceed to instance creation:<\/p>\n
\/opt\/ibm\/ldap\/V6.4\/sbin\/idsicrt\u00a0-I\u00a0p8sds\u00a0-p\u00a08389\u00a0-s\u00a08636\u00a0-e\u00a0mysecretkey!\u00a0-g\u00a0mysecretsalt\u00a0-l\u00a0\/appli\/p8sds\u00a0-q<\/pre>\nThis line add a new IBM Security Directory Server instance, “p8sds” with un-secured port set to 8389 and secured port to 8636. This instance will be created into “\/appli\/p8sds” directory.<\/p>\n
Initializing the IBM Security Directory Server instance<\/h2>\n
Initiating the instance using the following command line:<\/p>\n
\/opt\/ibm\/ldap\/V6.4\/sbin\/idscfgdb\u00a0-I\u00a0p8sds\u00a0-a\u00a0p8sds\u00a0-t\u00a0p8sds\u00a0-l\u00a0\/appli\/p8sds\u00a0-n\u00a0-w\u00a0password\u00a0-q<\/pre>\nConnecting to “p8sds” instance as “p8sds” user.<\/p>\n
Adding an administrator to the new instance<\/h2>\n
The following command line will add the “cn=adminsds” local user with “password” as user password to the new IBM Security Directory Server instance:<\/p>\n
\/opt\/ibm\/ldap\/V6.4\/sbin\/idsdnpw\u00a0-I\u00a0p8sds\u00a0-u\u00a0cn=adminsds\u00a0-p\u00a0password\u00a0-q<\/pre>\nAdding a new suffix<\/h2>\n
Finally, add a new suffix to the new IBM Security Directory Server instance:<\/p>\n
\/opt\/ibm\/ldap\/V6.4\/sbin\/idscfgsuf\u00a0-I\u00a0p8sds\u00a0-s\u00a0\"o=sample\"\u00a0-q<\/pre>\nAdding SSL support to this IBM Security Directory Server instance<\/h1>\n
Generate a new SSL certificate<\/h2>\n
In this specific example, I will create a fully custom SSL certificate:<\/p>\n
\/usr\/local\/ibm\/gsk8_64\/bin\/gsk8capicmd_64\u00a0-keydb\u00a0-create\u00a0-db\u00a0serverkey.kdb\u00a0-pw\u00a0serverpwd\u00a0-stash\r\n\/usr\/local\/ibm\/gsk8_64\/bin\/gsk8capicmd_64\u00a0-cert\u00a0-create\u00a0-db\u00a0serverkey.kdb\u00a0-pw\u00a0serverpwd\u00a0-label\u00a0serverlabel\u00a0-dn\u00a0\"cn=LDAP_Server,o=sample\"\u00a0-default_cert\u00a0yes\r\n\/usr\/local\/ibm\/gsk8_64\/bin\/gsk8capicmd_64\u00a0-cert\u00a0-extract\u00a0-db\u00a0serverkey.kdb\u00a0-pw\u00a0serverpwd\u00a0-label\u00a0serverlabel\u00a0-target\u00a0server.der\u00a0-format\u00a0binary<\/pre>\nThis lines will create the serverkey.kdb key database, using “serverpwd” as password, “serverlabel” as label and “cn=LDAP_Server,o=sample” as distinguished name.<\/p>\n
Create the LDIF file related to IBM Security Directory Server<\/h2>\n
cat > ssl.ldif <<EOF\r\ndn: cn=SSL, cn=Configuration\r\nchangetype: modify\r\nreplace: ibm-slapdSslAuth\r\nibm-slapdSslAuth: serverAuth\r\n\r\ndn: cn=SSL, cn=Configuration\r\nchangetype: modify\r\nreplace: ibm-slapdSecurity\r\nibm-slapdSecurity: SSL\r\n\r\ndn: cn=SSL, cn=Configuration\r\nchangetype: modify\r\nreplace: ibm-slapdSslKeyDatabase\r\nibm-slapdSslKeyDatabase: \/root\/serverkey.kdb\r\n\r\ndn: cn=SSL, cn=Configuration\r\nchangetype: modify\r\nreplace: ibm-slapdSslCertificate\r\nibm-slapdSslCertificate: serverlabel\r\n\r\ndn: cn=SSL, cn=Configuration\r\nchangetype: modify\r\nreplace: ibm-slapdSslKeyDatabasepw\r\nibm-slapdSslKeyDatabasepw: serverpwd\r\nEOF<\/pre>\nThis command will create a ldif file, using “serverkey.kdb” as key database, and the previously defined parameters as password and label.<\/p>\n
Executing the LDIF file to IBM Security Directory Server<\/h2>\n
\/opt\/ibm\/ldap\/V6.4\/bin\/idsldapmodify -h localhost -p 8389 -D cn=adminsds -w password -i \/root\/ssl.ldif<\/pre>\nSimply execute the LDIF file by specifying the server instance using the -h and -p options. The credentials must match the credentials defined in the\u00a0idsdnpw command line.<\/p>\n
Restart the IBM Security Directory Server instance<\/h2>\n
In order to use this new configuration, stop and start your IBM Security Directory Server instance:<\/p>\n
\/opt\/ibm\/ldap\/V6.4\/sbin\/ibmslapd -I p8sds -k\r\n\/opt\/ibm\/ldap\/V6.4\/sbin\/idsdiradm -I p8sds -k\r\n\/opt\/ibm\/ldap\/V6.4\/sbin\/idsdiradm -I p8sds\r\n\/opt\/ibm\/ldap\/V6.4\/sbin\/ibmslapd -n -I p8sds\r\n<\/pre>\nOutput from ibmslapd.log file<\/h2>\n
The following output must be present:<\/p>\n
2018-12-05T21:35:35.346619+1:00 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so.\r\n2018-12-05T21:35:35.346689+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.so.\r\n2018-12-05T21:35:35.347411+1:00 GLPCOM025I The audit plugin is successfully loaded from libldapaudit.so.\r\n2018-12-05T21:35:35.363417+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.so.\r\n2018-12-05T21:35:35.363517+1:00 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so.\r\n2018-12-05T21:35:35.363582+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.so.\r\n2018-12-05T21:35:35.364546+1:00 GLPCOM022I The database plugin is successfully loaded from libback-config.so.\r\n2018-12-05T21:35:35.365405+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libevent.so.\r\n2018-12-05T21:35:35.365483+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.so.\r\n2018-12-05T21:35:35.365552+1:00 GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so.\r\n2018-12-05T21:35:35.365614+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.so.\r\n2018-12-05T21:35:35.384114+1:00 GLPCOM022I The database plugin is successfully loaded from libback-rdbm.so.\r\n2018-12-05T21:35:35.384431+1:00 GLPCOM010I Replication plugin is successfully loaded from libldaprepl.so.\r\n2018-12-05T21:35:35.384564+1:00 GLPSRV189I Virtual list view support is enabled.\r\n2018-12-05T21:35:35.385121+1:00 GLPCOM021I The preoperation plugin is successfully loaded from libpta.so.\r\n2018-12-05T21:35:35.385274+1:00 GLPSRV194I The Record Deleted Entries feature is disabled. Deleted entries are immediately removed from the database.\r\n2018-12-05T21:35:35.385869+1:00 GLPSRV207I Group conflict resolution during replication is disabled.\r\n2018-12-05T21:35:35.386043+1:00 GLPSRV221I Replication of security attributes feature is disabled.\r\n2018-12-05T21:35:35.386151+1:00 GLPSRV200I Initializing primary database and its connections.\r\n2018-12-05T21:35:37.150644+1:00 GLPRDB126I The directory server will not use DB2 selectivity.\r\n2018-12-05T21:35:37.210514+1:00 GLPSRV015I Server configured to use 8636 as the secure port.\r\n2018-12-05T21:35:37.211258+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libloga.so.\r\n2018-12-05T21:35:37.211589+1:00 GLPCOM024I The extended Operation plugin is successfully loaded from libidsfget.so.\r\n2018-12-05T21:35:37.217647+1:00 GLPSRV232I Pass-through authentication is disabled.\r\n2018-12-05T21:35:37.217711+1:00 GLPSRV234I Pass-through support for compare operations is disabled.\r\n2018-12-05T21:35:37.226632+1:00 GLPCOM003I Non-SSL port initialized to 8389.\r\n2018-12-05T21:35:37.226696+1:00 GLPCOM004I SSL port initialized to 8636.\r\n2018-12-05T21:35:38.090257+1:00 GLPRPL137I Restricted Access to the replication topology is set to false.\r\n2018-12-05T21:35:38.243418+1:00 GLPCOM039I Suite B mode is disabled.\r\n2018-12-05T21:35:38.243711+1:00 GLPSSL039I Secure communication using the SSLV3 protocol is enabled.\r\n2018-12-05T21:35:38.243812+1:00 GLPSSL039I Secure communication using the TLS10 protocol is enabled.\r\n2018-12-05T21:35:38.243895+1:00 GLPSSL039I Secure communication using the TLS11 protocol is enabled.\r\n2018-12-05T21:35:38.243964+1:00 GLPSSL039I Secure communication using the TLS12 protocol is enabled.\r\n2018-12-05T21:35:38.244022+1:00 GLPSRV047W Anonymous binds will be allowed.\r\n2018-12-05T21:35:38.244048+1:00 GLPSRV047W Anonymous binds will be allowed.\r\n2018-12-05T21:35:38.281004+1:00 GLPSRV009I 6.4.0.0 server started.\r\n2018-12-05T21:35:38.281129+1:00 GLPRPL136I Replication conflict resolution mode is set to true.\r\n2018-12-05T21:35:38.291400+1:00 GLPSRV048I Started 15 worker threads to handle client requests.\r\n2018-12-05T21:35:38.291514+1:00 GLPSRV227I The effective value for IDS_MAX_SEARCH_FILTER_LEVEL is 400\r\n2018-12-05T21:35:39.307336+1:00 GLPSRV212I The LDAP trace utility 'ldtrc' is disabled.\r\n2018-12-05T21:35:39.307419+1:00 GLPSRV214I The LDAP Server is not recording binary trace.\r\n2018-12-05T21:35:39.307465+1:00 GLPSRV216I The LDAP Server is not recording ascii trace.<\/pre>\nAs displayed, the “Non-SSL port initialized to 8389” ans “SSL port initialized to 8636”<\/p>\n
Testing it<\/h2>\n
Using netstat:<\/p>\n
[root@localhost ~]# netstat -pan | grep 8636\r\ntcp6 0 0 :::8636 :::* LISTEN 2003\/ibmslapd\r\n[root@localhost ~]# netstat -pan | grep 8389\r\ntcp6 0 0 :::8389 :::* LISTEN 2003\/ibmslapd<\/pre>\nUsing telnet (with some handshake error, cause no SSL certificate will be used in this command):<\/p>\n
[root@localhost ~]# telnet localhost 8389\r\nTrying ::1...\r\nConnected to localhost.\r\nEscape character is '^]'.\r\n^]\r\ntelnet> quit\r\nConnection closed.\r\n[root@localhost ~]# telnet localhost 8636\r\nTrying ::1...\r\nConnected to localhost.\r\nEscape character is '^]'.\r\nConnection closed by foreign host.<\/pre>\nUsing idsldapsearch (assuming that there is one domain and one user):<\/p>\n
[root@localhost ~]# \/opt\/ibm\/ldap\/V6.4\/bin\/idsldapsearch -h localhost -p 8389 -D cn=adminsds -w password -b o=sample cn=*\r\ncn=p8admin,o=sample\r\nuserPassword=password\r\nobjectclass=inetorgperson\r\nobjectclass=top\r\nobjectclass=organizationalperson\r\nobjectclass=person\r\nsn=p8admin\r\ncn=p8admin\r\nmail=p8admin@localdomain.com\r\n[root@localhost ~]# \/opt\/ibm\/ldap\/V6.4\/bin\/idsldapsearch -h localhost -p 8636 -K \/root\/serverkey.kdb -P serverpwd -N \"serverlabel\" -D cn=adminsds -w password -b o=sample cn=*\r\ncn=p8admin,o=sample\r\nuserPassword=password\r\nobjectclass=inetorgperson\r\nobjectclass=top\r\nobjectclass=organizationalperson\r\nobjectclass=person\r\nsn=p8admin\r\ncn=p8admin\r\nmail=p8admin@localdomain.com<\/pre>\nFor the SSL call, you will have to specify your key database (-K option), your certificate label (-N option) and your key database password (-P option).<\/p>\n
Use the SSL connection with IBM WebSphere<\/h2>\n
Using WebSphere console<\/h3>\n
In the IBM WebSphere admin console, go into the following configuration page :<\/p>\n
Security > Global SSL certificate and key management > SSL configurations > Your item name (as NodeDefaultSSLSettings) > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.<\/p>\n
In this page, click the “Add” button to add a new certificate, with the following informations:<\/p>\n
\n
- Alias : the certificate display name you want in the WebSphere console ;<\/li>\n
- File name : the absolute path to access your certificat (in my case, this path is related to “server.der” file) ;<\/li>\n
- Data type : Binary DER data<\/li>\n<\/ul>\n
Restart your WebSphere instance.<\/p>\n
Using jython script (not tested yet)<\/h3>\n
AdminTask.addSignerCertificate('[-keyStoreName NodeDefaultTrustStore -certificateAlias default -certificateFilePath <file path> -base64Encoded false]')<\/pre>\nThen restart your WebSphere instance.<\/p>\n
Testing it<\/h3>\n
Go into the Security > Global Security > Configure… (in the Available realm definitions part) > LDAP Test Query.<\/p>\n
In this page, configure the endpoints as expected (host, port, base distinguisehd name, bind distinguished name, bind password), check the “SSL enabled” checkbox (keep the “Centrally managed” option checked), set the “Search filter string” to “cn=*” then click “Test Query”.<\/p>\n
The output will look like this :<\/p>\n
LdapSearch Input Parameters\r\nhostName=localhost\r\nportNumber=8636\r\nsslEnabled=true\r\nsslAlias=\r\nbaseDN=o=sample\r\nbindDN=cn=P8Admin,o=sample\r\nbindPwd=*****\r\nsearchFilter=cn=*\r\nsearchLimit=20\r\nreferral=ignore\r\nsearchScope=sub\r\n\r\nLdapSearch Results\r\ncn=p8admin\r\nmail=p8admin@localdomain.com\r\nobjectclass=inetorgperson\r\nobjectclass=top\r\nobjectclass=organizationalperson\r\nobjectclass=person\r\nsn=p8admin<\/pre>\n<\/p>\n","protected":false},"excerpt":{"rendered":"
In this post, I will explain how to configure IBM Security Directory Server and adding SSL.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,11],"tags":[],"class_list":["post-175","post","type-post","status-publish","format-standard","hentry","category-ibm-security-directory-server","category-ssl"],"_links":{"self":[{"href":"https:\/\/blog.xoupix.fr\/index.php\/wp-json\/wp\/v2\/posts\/175","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.xoupix.fr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.xoupix.fr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.xoupix.fr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.xoupix.fr\/index.php\/wp-json\/wp\/v2\/comments?post=175"}],"version-history":[{"count":10,"href":"https:\/\/blog.xoupix.fr\/index.php\/wp-json\/wp\/v2\/posts\/175\/revisions"}],"predecessor-version":[{"id":185,"href":"https:\/\/blog.xoupix.fr\/index.php\/wp-json\/wp\/v2\/posts\/175\/revisions\/185"}],"wp:attachment":[{"href":"https:\/\/blog.xoupix.fr\/index.php\/wp-json\/wp\/v2\/media?parent=175"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.xoupix.fr\/index.php\/wp-json\/wp\/v2\/categories?post=175"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.xoupix.fr\/index.php\/wp-json\/wp\/v2\/tags?post=175"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}