How to configure SSL +External connection for IBM TDS6.2 LDAP server

车皮

Before you start to do those configuration, you should prepare some tools.

1.Tools
ikeyman from IBM.
XCA (version: 0.9.0)


2.Configuration Steps:
--------------------------------------------------------------------------
1. Following Operations are done in IKeyman.
1.1 Create a CMS KeyDatabase.
1.1.1 Open the C:\Program Files\ibm\gsk7\bin\gsk7ikm.exe, You can use it to generate server and client server request.
  Please note that you should set JAVA_HOME environment varaiable as c:\Program Files\IBM\LDAP\V6.2\java
1.1.2 Open-->Key Database File menu and click "New"
1.1.3 Select Key database type as "CMS" and File name as serverkey.kdb
1.1.4 Input the directory of Location which store the kdb file
1.1.5 Input the password to protect the KDB file, such as example2010go!
  Input the expired day as 999
  Check the checkbox of "Stash password to a file"  
1.2.New a server certificate request named server req.arm and a client certificate request named clientreq.arm.
1.2.1 Select Person Certificate Request tab and click the "New" button on the right
to generate server side request
(a)Key Label:servercert
(b)Common Name: computer name on which the TDS server installed
(c) Enter the name of a file in which to store the certificate request
it should provide full path, such as c:\TDS_SSL\request\serverreq.arm
(d) Let the other items as empty
1.2.2 Select Person Certificate Request tab and click the "New" button on the right
to generate client side request
(a)Key Label:clientcert
(b)Common Name: client, this user or person should exist on LDAP server,
For this example, such as cn=client,ou=example,o=sample
(c)Command name:client
Organization:Sample
Organization Unit: example
(d) Enter the name of a file in which to store the certificate request
it should provide full path, such as c:\TDS_SSL\request\clientreq.arm
(e) Let the other items as empty
1.2.3 Exit the IBM Key Manager  



2. Following Operations are done in XCA.
2.1 Create a CA in XCA.
2.1.1 Open XCA software
2.1.2 New database and save the dabase as test.xdb and input password to protect this db
, we can set this password as example2010go!
2.1.3 Click the button of "New Certificate" to Create CA
2.1.4 Move to Subject tab and filled the below values.
    Internal name: CAcert
    Generate a new Key: New key name: CAKey,1024 bit
    CommondName:Cacert
    Set the other items as empty.
2.1.5 Move to Extensions tab and select Type as Certification Authority


2.2 Import server clientreq.arm and serverreq.arm. And then ,sign them with the CA.
2.2.1 Go XCA and click the Certificate signing requests tab
2.2.2 Click the "Import" button on the right panel and select Serverreq.arm
2.2.3 Right single click the server certification request and click "sign" item
   and use Cacert CA to signing, then the user should select "[Default] HPPTS_server"
   on the Template for the new certificate.
2.2.4 Click the "Import" button on the right panel and select Clientreq.arm
2.2.5 Right single click the server certification request and click "sign" item
   and use Cacert CA to signing, then the user should select "[Default] HPPTS_Client"
   on the Template for the new certificate.


   
2.3 Export those certificates like CA, server certificate and client certificate, from XCA.
2.3.1 Go to "Certificates" tab,
2.3.2 Move the mouse on the CAcert and click the right button and select "export" item.
2.3.3 Enter the filename for the certificate as "CAcert.cer" and select export format as "DER".
2.3.4 Move the mouse to client certification and click right button and select "export-->File" item.
and enter the name as client.cer and select Export format as "DER"
2.3.5 Move the mouse to server certification and click right button and select "export-->File" item.
and enter the name as server.cer and select Export format as "DER"

3. Following Operations are done in IKeyman.
Open the Ikeyman and open the serverkey.kdb key database
3.1 Import the CA into the CMS KeyDatabase in Singer Ceritficates Tab,
3.1.1 Select Signer certificates tab and click the button of "Add" on the rigth panel.
   and select CAcert.cer.
3.1.2 Enter a label for the certificate as "CA".

3.2 Import the server cerificate and client certifcate into the CMS KeyDatabase in Personal Ceritficates Tab.
3.2.1 Select Personal Certificates tab and click the "Receive" button on the left panel.
3.2.2 Select server.cer to be imported
3.2.3 Select Personal Certificates tab and click the "Receive" button on the left panel.
3.2.4 Select client.cer to be imported.
3.2.5 Prompt one windows "Do you want to set the key as the default key in the database" and click the "No".
3.3 Export client certificate in PKCS12 format from CMS KeyDatabase, then delete it from KeyDatabase.
3.3.1 Select clientcert after selecting "Person Certificates" tab.
3.3.2 Click the "Export/Import" button on the left panel.
3.3.3 Select Key file type as "PKCS12" and enter the File name as "client.p12".
and enter password to protect this key and I set this password as "example2012go!".
3.3.4 Select "clientcert" on the Personal Certificates tab and click the "Delete" button on the right panel
to delete this clientcert.
3.3.5 Close the IBM Key Management.

4. Following Operations are done at IBM TDS Web Administrator.
4.1 Export client.p12 once more on XCA.
4.1 Open XCA and new key database and named it as "test2.xdb".
4.2 Enter the password to protect the key database, I set password as "example2010go!".
4.3 Click the Certificates tab and click the button of "Import PKCS#12" button.
4.4 Import the key "client.p12".
4.5 Enter the password to decrypt the PKCS#12 file and enter the password as "example2012go!" which
was set by IBM key management while it exported the client key.
4.6 Click "Select All" button.
4.7 Expand the clientcert_ca and move to client item on the Certificates.
4.8 Right click the mouse and click "Export-->File".
4.9 Enter the file name for Certificate export as "clientcert.p12" and select Export format as PKCS#12.
4.10 Enter the password to encrypt the PKCS#12 file and I type the password as "adldap2012go!" and this password
will be used on adldap designer time to protect the client certificate.
4.2 Set Key Database file as the directory which contain the files related with CMS KeyDatabase.
4.2.1 Go to Directory administrator console.
4.2.2 Click "Server administration-->Manage Security Properties".
4.2.3 Move to "Setting" property, check "SSL" checkbox and "Client and Server authentication"
4.2.4 Move to "Key database" propety
    Enter "key database path and file name:" as "c:\testSSL\test1\serverkey.kdb" which was created by iKey manager.
    Enter "Key password" as the password which was used to protect the serverkey.kdb password, the value was "example2010go!".  
    Enter "Key Label" as servercert which was created on the server certificate request.


5. Restart the admin console and direcotry instance serivce.
5.2.1 Type the services.msc on the "Start-->run" input box on the windows operation system which installed TDS server.
5.2.2 Stop Directory instance service.
5.2.3 Stop TDS administrator Daemon service.
5.2.4 Start TDS administrator Daemon service.
5.2.5 Start Directory instance service.
Please note that the above order is very import and it is better that you can follow.
6. Generate CA Key Store.
6.1 Go window command console.
6.2 Enter the below command.
keytool -import -v -alias servercert -file c:\testSSL\test1\CAcert.cer
-Keystore c:\testSSL\test1\CAKeyStore.
6.3 Input the keystore password, such as keystore2012go!
6.4 Trust this ceritifcate: enter "y".
7. Open LDAP adapter instance and select SSL+ External.
Trusted Certificate Authorities: CAKeystore.
Client Identity:clientcert.p12.
Identify Password:adldap2012go!
----------------------------------------------------------------------------------
3.How to add entry,ACL for Entry and suffix for ADS.
3.1 Add suffix
If you have not done so already, click Server administration in the Web
Administration navigation area and then click Manage server properties in the
expanded list. Next, click the Suffixes tab.
3.1.1. Enter the Suffix DN, for example, c=Italy. The maximum is 1000 characters for
a suffix.
3.1.2. Click Add.
3.1.3. Repeat this process for as many suffixes as you want to add.
3.1.4. When you are finished, click Apply to save your changes without exiting, or
click OK to apply your changes and exit, or click Cancel to exit this panel
without making any changes.
3.1.5. Manage Entry: add o=sample,ou=example,cn=qatest


3.2 Editing access control lists for an entry
To edit the access control lists (ACLs) for an entry:
3.2.1. If you have not done so already, expand the Directory management category in
the navigation area .
3.2.2. Click Manage entries.
3.2.3. Expand the various subtrees and select the entry, such as o=sample, that you want to work on.
3.2.4. Expand the Select Action drop-down menu.
3.2.5. Select Edit ACL.
3.2.6. Click Go.
3.3 Click on Owners tab to add an owner to add an owner for the entry
3.3.1. Select the Owners tab.
? Select the Propagate owners check box to allow descendants without an
explicitly defined owner to inherit from this entry. If the check box is not
selected, descendant entries without an explicitly defined owner will inherit
owner from a parent of this entry that has this option enabled.
? Specify the Subject DN. Type the (DN) Distinguished name of the entity that
you are granting owner access on the selected entry, for example, cn=qatest,ou=example,o=sample.
? Select the Subject type of DN. For example, select access-id if the DN is a
user.
3.3.2. Click Add.
3.3.3. Repeat the process for any additional owners that you want to create.
3.3.4. When you are finished, click OK to save your changes and exit to the Manage
entries panel.复制搜索




复制搜索
复制搜索
复制搜索