[Experience sharing] How to configure SSL + External connection for the IBM TDS 6.2 LDAP server

Posted 2017-5-27 09:00:13
Before you start the configuration, prepare the following tools.

1.Tools
iKeyman from IBM (gsk7ikm.exe, installed with GSKit 7 alongside TDS).
XCA (version: 0.9.0)


2.Configuration Steps:
--------------------------------------------------------------------------
1. The following operations are done in iKeyman.
1.1 Create a CMS key database.
1.1.1 Open C:\Program Files\ibm\gsk7\bin\gsk7ikm.exe. You will use it to generate the server and client certificate requests.
  Please note that you should set the JAVA_HOME environment variable to c:\Program Files\IBM\LDAP\V6.2\java first.
1.1.2 Open the Key Database File menu and click "New".
1.1.3 Select "CMS" as the key database type and serverkey.kdb as the file name.
1.1.4 Enter the directory (Location) in which to store the kdb file.
1.1.5 Enter the password that protects the KDB file, such as example2010go!
  Enter the expiration time in days, such as 999.
  Check the "Stash password to a file" checkbox. The stash file (serverkey.sth) lets the directory server open the key database without a prompt, but it holds the password in an obfuscated, not encrypted, form: keep the .kdb and .sth readable only by the TDS service account, and do not reuse this password anywhere else.
1.2 Create a server certificate request named serverreq.arm and a client certificate request named clientreq.arm.
1.2.1 Select the Personal Certificate Requests tab and click the "New" button on the right
to generate the server side request:
(a) Key Label: servercert
(b) Common Name: the computer name of the machine on which the TDS server is installed (LDAP clients compare this against the host name they connect to)
(c) Enter the name of the file in which to store the certificate request;
give the full path, such as c:\TDS_SSL\request\serverreq.arm
(d) Leave the other items empty. If the dialog offers a key size, choose 2048 bits or more.
1.2.2 Select the Personal Certificate Requests tab and click the "New" button on the right
to generate the client side request:
(a) Key Label: clientcert
(b) Common Name: client. Under SSL + External the server maps the certificate subject to a directory entry, so this user must exist on the LDAP server;
for this example that entry is cn=client,ou=example,o=sample
(c) Organization: Sample
Organizational Unit: example
(The subject therefore becomes CN=client, OU=example, O=Sample, which read in LDAP order is exactly the DN above.)
(d) Enter the name of the file in which to store the certificate request;
give the full path, such as c:\TDS_SSL\request\clientreq.arm
(e) Leave the other items empty.
1.2.3 Exit IBM Key Management.



2. The following operations are done in XCA.
2.1 Create a CA in XCA.
2.1.1 Open XCA.
2.1.2 Create a new database, save it as test.xdb and enter a password to protect this db;
we can set this password to example2010go! (in practice use a different one from the KDB password, so that a leak of one file does not open the other).
2.1.3 Click the "New Certificate" button to create the CA.
2.1.4 Move to the Subject tab and fill in the values below.
    Internal name: CAcert
    Generate a new key: key name CAKey, 1024 bit (this is what the post used; 1024-bit RSA is no longer considered safe, so choose 2048 bit or larger)
    commonName: CAcert
    Leave the other items empty.
2.1.5 Move to the Extensions tab and select Type "Certification Authority".


2.2 Import clientreq.arm and serverreq.arm, then sign them with the CA.
2.2.1 In XCA, click the "Certificate signing requests" tab.
2.2.2 Click the "Import" button on the right panel and select serverreq.arm.
2.2.3 Right-click the server certificate request and click "Sign";
   sign with the CAcert CA and select "[default] HTTPS_server"
   as the template for the new certificate (it adds the serverAuth extended key usage).
2.2.4 Click the "Import" button on the right panel and select clientreq.arm.
2.2.5 Right-click the client certificate request and click "Sign";
   sign with the CAcert CA and select "[default] HTTPS_client"
   as the template for the new certificate (it adds the clientAuth extended key usage).


   
2.3 Export the certificates (CA, server certificate and client certificate) from XCA.
2.3.1 Go to the "Certificates" tab.
2.3.2 Right-click CAcert and select "Export".
2.3.3 Enter "CAcert.cer" as the file name for the certificate and select "DER" as the export format.
2.3.4 Right-click the client certificate and select "Export-->File";
enter client.cer as the name and select "DER" as the export format.
2.3.5 Right-click the server certificate and select "Export-->File";
enter server.cer as the name and select "DER" as the export format.

3. The following operations are done in iKeyman.
Open iKeyman and open the serverkey.kdb key database.
3.1 Import the CA into the CMS key database on the Signer Certificates tab.
3.1.1 Select the Signer Certificates tab, click the "Add" button on the right panel
   and select CAcert.cer.
3.1.2 Enter "CA" as the label for the certificate.

3.2 Import the server certificate and client certificate into the CMS key database on the Personal Certificates tab.
3.2.1 Select the Personal Certificates tab and click the "Receive" button on the left panel.
3.2.2 Select server.cer to be imported. (Receive pairs the signed certificate with the private key that was generated together with the request in 1.2, which is why the signed .cer files go in here and not under Signer Certificates.)
3.2.3 Select the Personal Certificates tab and click the "Receive" button on the left panel.
3.2.4 Select client.cer to be imported.
3.2.5 When the window "Do you want to set the key as the default key in the database?" appears, click "No".
3.3 Export the client certificate in PKCS12 format from the CMS key database, then delete it from the key database.
3.3.1 Select the "Personal Certificates" tab, then select clientcert.
3.3.2 Click the "Export/Import" button on the left panel.
3.3.3 Select "PKCS12" as the key file type and enter "client.p12" as the file name,
then enter a password to protect this key; I set this password to "example2012go!".
3.3.4 Select "clientcert" on the Personal Certificates tab and click the "Delete" button on the right panel
to delete clientcert. (The server's key database should hold only the server's own private key; leaving the client key in it would let anyone who can read the .kdb and its stash file impersonate the client.)
3.3.5 Close IBM Key Management.

4. Re-export the client identity in XCA, then configure SSL in the IBM TDS Web Administration tool.
4.1 Export client.p12 once more in XCA.
4.1.1 Open XCA, create a new database and name it "test2.xdb".
4.1.2 Enter the password to protect the key database; I set the password to "example2010go!".
4.1.3 Click the Certificates tab and click the "Import PKCS#12" button.
4.1.4 Import the key file "client.p12".
4.1.5 Enter the password to decrypt the PKCS#12 file, "example2012go!", which
was set by IBM Key Management when it exported the client key.
4.1.6 Click the "Select All" button.
4.1.7 Expand clientcert_ca and move to the client item under Certificates.
4.1.8 Right-click and choose "Export-->File".
4.1.9 Enter "clientcert.p12" as the file name for the certificate export and select PKCS#12 as the export format.
4.1.10 Enter the password to encrypt the PKCS#12 file; I typed the password "adldap2012go!", and this password
will be used in the adldap designer to protect the client certificate. (This file holds the client's private key: it is the credential the adapter presents instead of a password, so store it with the same care as one.)
4.2 Point the server at the directory that contains the CMS key database files.
4.2.1 Go to the Directory administration console.
4.2.2 Click "Server administration-->Manage security properties".
4.2.3 On the "Settings" tab, check the "SSL" checkbox and select "Client and server authentication".
4.2.4 Move to the "Key database" tab:
    Enter "c:\testSSL\test1\serverkey.kdb", the file created with iKeyman, as "Key database path and file name:" (the .sth stash file must sit next to it).
    Enter the password that protects serverkey.kdb, here "example2010go!", as "Key password".
    Enter servercert, the key label chosen for the server certificate request, as "Key label".


5. Restart the admin daemon and the directory instance service.
5.1 Type services.msc in the "Start-->Run" box on the Windows system on which the TDS server is installed.
5.2 Stop the directory instance service.
5.3 Stop the TDS administration daemon service.
5.4 Start the TDS administration daemon service.
5.5 Start the directory instance service.
Please note that the above order is very important and you should follow it. If the instance does not come up afterwards, first check the key database path, the stash file next to it, and that the key label matches the server certificate's label.
6. Generate the CA key store.
6.1 Open a Windows command console.
6.2 Enter the command below.
keytool -import -v -alias servercert -file c:\testSSL\test1\CAcert.cer
-keystore c:\testSSL\test1\CAKeyStore
(The alias is only a label for the trusted entry; since the file being imported is the CA certificate, a name such as CAcert is less confusing than servercert. Import nothing else into this store: it is the list of trust anchors the adapter uses to validate the server.)
6.3 Enter the keystore password, such as keystore2012go!
6.4 Trust this certificate? Enter "y".
7. Open the LDAP adapter instance and select SSL + External.
Trusted Certificate Authorities: CAKeyStore
Client Identity: clientcert.p12
Identity Password: adldap2012go!
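The same material that sections 1 to 3 produce by clicking through iKeyman and XCA, rebuilt with OpenSSL so that each artefact can be inspected and checked before it is copied to the server. This is an added example and not part of the original post or of any IBM tool: it assumes openssl is on PATH, the output directory, file names, the server host name and the PKCS#12 password are placeholders chosen here, the CA key is 2048 bits instead of the post's 1024, and the client PKCS#12 is produced once rather than through the iKeyman-then-XCA round trip of section 4.1 (the resulting file is equivalent).

```shell
#!/bin/sh
# Added example (not from the original post): CA, server cert, client cert,
# client PKCS#12 and DER copies as built in sections 1-3, using OpenSSL.
# Assumptions: openssl on PATH; names, paths and P12_PASS are placeholders.
set -eu

P12_PASS="${P12_PASS:-adldap2012go!}"   # password the LDAP adapter will be given

# Minimal openssl.cnf stand-in so `openssl req` works without a system config.
write_req_cnf() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1"
}

# Issue a CSR and sign it with the CA, applying the extensions in $4 (what the
# XCA HTTPS_server / HTTPS_client templates add). $1=dir $2=name $3=subject $4=extfile
issue_cert() {
  dir="$1"; name="$2"; subj="$3"; ext="$4"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -subj "$subj" -keyout "$dir/${name}key.pem" -out "$dir/${name}req.csr" 2>/dev/null
  openssl x509 -req -in "$dir/${name}req.csr" -CA "$dir/CAcert.pem" -CAkey "$dir/CAkey.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$ext" -out "$dir/${name}.pem" 2>/dev/null
}

# Build CA, server and client material under $1; $2 is the TDS host name
# (the post puts the computer name in the server certificate's Common Name).
build_tds_pki() {
  dir="$1"; server_cn="$2"
  mkdir -p "$dir"
  write_req_cnf "$dir/req.cnf"

  # CA (self-signed): equivalent of XCA 2.1 with Type = Certification Authority.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -subj "/CN=CAcert" -keyout "$dir/CAkey.pem" -out "$dir/CAreq.csr" 2>/dev/null
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/ca_ext.cnf"
  openssl x509 -req -in "$dir/CAreq.csr" -signkey "$dir/CAkey.pem" -days 999 -sha256 \
    -extfile "$dir/ca_ext.cnf" -out "$dir/CAcert.pem" 2>/dev/null

  # Server cert: CN = TDS host, serverAuth EKU, plus a SAN so modern clients match the host.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$server_cn" > "$dir/server_ext.cnf"
  issue_cert "$dir" server "/CN=$server_cn" "$dir/server_ext.cnf"

  # Client cert: subject in X.500 order so that, reversed to LDAP order, it is
  # exactly the directory entry cn=client,ou=example,o=sample from section 1.2.2.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = clientAuth\n' > "$dir/client_ext.cnf"
  issue_cert "$dir" client "/O=Sample/OU=example/CN=client" "$dir/client_ext.cnf"

  # Client identity for the LDAP adapter (section 7's clientcert.p12).
  openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/clientkey.pem" \
    -certfile "$dir/CAcert.pem" -name clientcert -passout "pass:$P12_PASS" -out "$dir/clientcert.p12"

  # DER copy of the CA: the format iKeyman's Signer Certificates > Add and keytool consume.
  openssl x509 -in "$dir/CAcert.pem" -outform DER -out "$dir/CAcert.cer"
}

# Checks worth running before copying anything to the server: chain validity,
# the right EKU on each leaf, and that the PKCS#12 opens with the password.
check_tds_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/CAcert.pem" "$dir/server.pem" "$dir/client.pem" >/dev/null 2>&1 &&
  openssl x509 -in "$dir/server.pem" -noout -text | grep -q 'TLS Web Server Authentication' &&
  openssl x509 -in "$dir/client.pem" -noout -text | grep -q 'TLS Web Client Authentication' &&
  openssl pkcs12 -in "$dir/clientcert.p12" -passin "pass:$P12_PASS" -noout 2>/dev/null
}

# Subject of the client cert in LDAP (RFC 2253) order. Under SSL + External
# (SASL EXTERNAL) the server maps this string to an entry, so it must exist.
client_ldap_dn() {
  openssl x509 -in "$1/client.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Usage: sh tds_pki.sh <output-dir> <tds-hostname>
if [ $# -ge 2 ]; then
  build_tds_pki "$1" "$2"
  check_tds_pki "$1" && echo "PKI OK; client binds as: $(client_ldap_dn "$1")"
fi
```

The EKU checks matter because the XCA templates are the only place the post sets them: a client certificate signed without clientAuth, or a server certificate without serverAuth, is rejected by stricter peers even though the chain verifies. The last function prints the DN that the directory must contain (cn=client,ou=example,o=sample in the post's example); compare it with the entry you created before blaming the SSL setup when the EXTERNAL bind fails. CAcert.pem and CAcert.cer are the only files that leave the CA machine in the clear; CAkey.pem stays offline.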
----------------------------------------------------------------------------------
3. How to add a suffix, entries and an ACL for an entry in TDS.
3.1 Add a suffix
If you have not done so already, click Server administration in the Web
Administration navigation area and then click Manage server properties in the
expanded list. Next, click the Suffixes tab.
3.1.1. Enter the Suffix DN, for example, c=Italy. The maximum is 1000 characters for
a suffix.
3.1.2. Click Add.
3.1.3. Repeat this process for as many suffixes as you want to add.
3.1.4. When you are finished, click Apply to save your changes without exiting, or
click OK to apply your changes and exit, or click Cancel to exit this panel
without making any changes.
3.1.5. Manage entries: add the suffix entry o=sample, then ou=example,o=sample, then cn=qatest,ou=example,o=sample (the original lists them top-down as o=sample,ou=example,cn=qatest).


3.2 Editing access control lists for an entry
To edit the access control lists (ACLs) for an entry:
3.2.1. If you have not done so already, expand the Directory management category in
the navigation area.
3.2.2. Click Manage entries.
3.2.3. Expand the various subtrees and select the entry, such as o=sample, that you want to work on.
3.2.4. Expand the Select Action drop-down menu.
3.2.5. Select Edit ACL.
3.2.6. Click Go.
3.3 Click the Owners tab to add an owner for the entry
3.3.1. Select the Owners tab.
- Select the Propagate owners check box to allow descendants without an
explicitly defined owner to inherit from this entry. If the check box is not
selected, descendant entries without an explicitly defined owner will inherit
their owner from a parent of this entry that has this option enabled.
- Specify the Subject DN. Type the Distinguished Name (DN) of the entity that
you are granting owner access on the selected entry, for example, cn=qatest,ou=example,o=sample.
An owner has full control of the entry (and, with Propagate owners, of the subtree below it), so grant it to a specific DN rather than to a broad group.
- Select the Subject type of the DN. For example, select access-id if the DN is a
user.
3.3.2. Click Add.
3.3.3. Repeat the process for any additional owners that you want to create.
3.3.4. When you are finished, click OK to save your changes and exit to the Manage
entries panel.
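The same result as sections 3.1.5 to 3.3 expressed as LDIF, so it can be reviewed and loaded with the ldapmodify client shipped with TDS instead of clicked through the Web Administration tool. This is an added example, not content from the original post: it assumes the suffix o=sample has already been added in 3.1, that the directory administrator binds as cn=root, and that the userPassword value is a placeholder; the cn=client entry is included because it is the entry the client certificate's subject must resolve to under SSL + External. The entryOwner and ownerPropagate attributes are the TDS ACL attributes behind the Owners tab.

```ldif
# Added example (not from the original post): entries from 3.1.5 and the
# owner ACL from 3.3 as LDIF. Assumes suffix o=sample already exists.

dn: o=sample
changetype: add
objectclass: top
objectclass: organization
o: sample

dn: ou=example,o=sample
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: example

# cn=qatest: the DN granted owner access in 3.3
dn: cn=qatest,ou=example,o=sample
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: qatest
sn: qatest
userPassword: CHANGE-ME

# cn=client: the entry the client certificate subject (CN=client, OU=example,
# O=Sample) maps to under SSL + External; without it the EXTERNAL bind fails
dn: cn=client,ou=example,o=sample
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: client
sn: client

# Owners tab of Edit ACL on o=sample: entryOwner carries the subject type
# prefix (access-id for a user); ownerPropagate is the "Propagate owners" box
dn: o=sample
changetype: modify
replace: entryOwner
entryOwner: access-id:cn=qatest,ou=example,o=sample
-
replace: ownerPropagate
ownerPropagate: TRUE
```

Load it with ldapmodify -D cn=root -w <admin password> -f entries.ldif (the changetype lines let one file carry both the adds and the ACL modification). Note that cn=client has no userPassword: under SSL + External the certificate is its credential, so leaving the password attribute off keeps that identity from also being usable with a simple bind.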
Source thread: https://www.yunweiku.com/thread-381549-1-1.html