Configuring SDS for SSL connection with ISIM


Author(s): Adam Bulla | Created: 25 June 2022 | Last modified: 25 June 2022
Tested on: -

Configuring SDS for SSL connection with ISIM

Configure SDS for SSL

General information about this task can be found in these attached articles:

https://www.ibm.com/support/knowledgecenter/SSVJJU_6.3.0/com.ibm.IBMDS.doc/admin_gd173.htm#wq439

https://www.ibm.com/support/knowledgecenter/en/SS3Q78_8.0.1/com.ibm.IBMDS.doc_8.0.1/ds_ag_srv_adm_nist_configuringprotocols_server.html

Since these guides tend to be verbose, I've included a quick setup guide for reference.

  • Create a new keystore for SDS / Open the default kdb found at <LDAP_INSTALL_DIR>/etc
    • The format of the default keystore is a CMS kdb, the password by default is ssl_password, or WebAS
  • Create a certificate for the server (either self-signed, or signed by a trusted CA)
  • Note the following values, and make sure the certificate is added to the right store, and a CA cert is exported to a file.
    • Hostname / ip address of the server:
    • Port of the server:
    • Path to the .kdb file used:
    • Label of the certificate installed:
    • Password for the .kdb file:
    • Username for the LDAP server:
  • Copy the attached scripts (create them, if they are not attached) to the Security Directory Server host machine, preferably next to the tools mentioned for the commands. These tools should be found in the <SDS_Install_Directory>/bin folder.
  • Run the following command: idsldapmodify -h {{hostname}} -p {{port}} -D {{username}} -w ? -f 01-Enable_SDS_secureComm.ldif
    • Please note the three variables enclosed between < > symbols. These should be set according to your system.
    • Where the file contains the following:
dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslAuth
ibm-slapdSslAuth: serverAuth

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSecurity
ibm-slapdSecurity: SSLTLS

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabase
ibm-slapdSslKeyDatabase: {{path}}

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslCertificate
ibm-slapdSslCertificate: {{label}}

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabasepw
ibm-slapdSslKeyDatabasepw: {{password}}
  • If it is desired, a specific TLS version can be set up to be used for all transaction. For this, please refer to the next section

Disabling SSLv3 and directly setting TLS version

If using 6.3.1.8, 6.4 or 8.0.1 or higher

  • Run the following command: idsldapmodify -h {{hostname}} -p {{port}} -D {{username}} -w ? -f 02-EnableSDS_TLS_1.2.ldif
    • This command restricts the use of TLS types to those specified. Execute only a subset of these, according to which protocols are required.
    • The file should contain a subset of these commands.
dn: cn=SSL, cn=Configuration
changetype: modify
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: SSLV3

dn: cn=SSL, cn=Configuration
changetype: modify
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS10

dn: cn=SSL, cn=Configuration
changetype: modify
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS11

dn: cn=SSL, cn=Configuration
changetype: modify
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS12

If using anything else, or there are additional considerations

Please refer to this resource: http://www-01.ibm.com/support/docview.wss?uid=swg21687611

Note the required fix pack levels for each major version, then proceed according to the tasks mentioned in the section for that major and fixpack level.

Adding specific ciphers for extended security

  • Run the following command: idsldapmodify -h {{hostname}} -p {{port}} -D {{username}} -w ? -f 03-EnableSDS_TLS_1.2_Ciphers.ldif
    • This adds a few recommended cipher types for the SDS to use.
    • For a full suite of supported cipher types, please refer to the link mentioned in the section before this.
    • The file contains the following:
dn: cn=SSL,cn=Configuration
changetype: modify
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA256

dn: cn=SSL,cn=Configuration
changetype: modify
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

dn: cn=SSL,cn=Configuration
changetype: modify
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

dn: cn=SSL,cn=Configuration
changetype: modify
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Configuring ISIM to work with SDS through SSL

The necessary steps to accomplish this task can be found here:

https://www.ibm.com/support/knowledgecenter/en/SSRMWJ_6.0.0.19/com.ibm.isim.doc/installing/cpt/cpt_ic_ins_first_security_sslldap.htm

A quick summary of the tasks that has to be performed:

  • Import the SDS certificate CA to the WebSphere Truststore.
    • This truststore is the WebSphere built-in truststore, accessible through the admin console, Security / SSL Certificate and Key management / Key stores and certificates / <Correct_Node_trust_store>
    • The CA must be added either through importing the CA file on the admin console, or by retrieving the CA through the LDAPS port.
  • Modify the enRoleLDAPConnection.properties file in the <ISIM_Install_dir> / data folder.
    • Set the value java.naming.provider.url=ldaps://hostname:port
    • Set the value java.naming.security.protocol=ssl
  • At this point, ISIM should work with the Directory Server through a secured connection. If the Directory Server must only operate through SSL, there are additional configuration steps needed, because the utility tools for ISIM will not work.
    • These tasks involve the configuration of the ldapConfig, ldapModify, etc... utilities. These are configured through their .lax files.
    • For these tasks please refer to the attached article, which describes what modifications are required.