Configuring SDS for SSL connection with ISIM
Author(s): Adam Bulla | Created: 21 December 2024 | Last modified: 21 December 2024
Tested on: -
Table of contents
Configuring SDS for SSL connection with ISIM↑
Configure SDS for SSL↑
General information about this task can be found in these attached articles:
https://www.ibm.com/support/knowledgecenter/SSVJJU_6.3.0/com.ibm.IBMDS.doc/admin_gd173.htm#wq439
Since these guides tend to be verbose, I've included a quick setup guide for reference.
- Create a new keystore for SDS / Open the default kdb found at <LDAP_INSTALL_DIR>/etc
- The format of the default keystore is a CMS kdb, the password by default is ssl_password, or WebAS
- Create a certificate for the server (either self-signed, or signed by a trusted CA)
- Note the following values, and make sure the certificate is added to the right store, and a CA cert is exported to a file.
- Hostname / ip address of the server:
- Port of the server:
- Path to the .kdb file used:
- Label of the certificate installed:
- Password for the .kdb file:
- Username for the LDAP server:
- Copy the attached scripts (create them, if they are not attached) to the Security Directory Server host machine, preferably next to the tools mentioned for the commands. These tools should be found in the <SDS_Install_Directory>/bin folder.
- Run the following command:
idsldapmodify -h {{hostname}} -p {{port}} -D {{username}} -w ? -f 01-Enable_SDS_secureComm.ldif
- Please note the three variables enclosed between < > symbols. These should be set according to your system.
- Where the file contains the following:
dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslAuth
ibm-slapdSslAuth: serverAuth
dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSecurity
ibm-slapdSecurity: SSLTLS
dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabase
ibm-slapdSslKeyDatabase: {{path}}
dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslCertificate
ibm-slapdSslCertificate: {{label}}
dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabasepw
ibm-slapdSslKeyDatabasepw: {{password}}
- If it is desired, a specific TLS version can be set up to be used for all transaction. For this, please refer to the next section
Disabling SSLv3 and directly setting TLS version↑
If using 6.3.1.8, 6.4 or 8.0.1 or higher
- Run the following command:
idsldapmodify -h {{hostname}} -p {{port}} -D {{username}} -w ? -f 02-EnableSDS_TLS_1.2.ldif
- This command restricts the use of TLS types to those specified. Execute only a subset of these, according to which protocols are required.
- The file should contain a subset of these commands.
dn: cn=SSL, cn=Configuration
changetype: modify
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: SSLV3
dn: cn=SSL, cn=Configuration
changetype: modify
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS10
dn: cn=SSL, cn=Configuration
changetype: modify
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS11
dn: cn=SSL, cn=Configuration
changetype: modify
add: ibm-slapdSecurityProtocol
ibm-slapdSecurityProtocol: TLS12
If using anything else, or there are additional considerations
Please refer to this resource: http://www-01.ibm.com/support/docview.wss?uid=swg21687611
Note the required fix pack levels for each major version, then proceed according to the tasks mentioned in the section for that major and fixpack level.
Adding specific ciphers for extended security
- Run the following command:
idsldapmodify -h {{hostname}} -p {{port}} -D {{username}} -w ? -f 03-EnableSDS_TLS_1.2_Ciphers.ldif
- This adds a few recommended cipher types for the SDS to use.
- For a full suite of supported cipher types, please refer to the link mentioned in the section before this.
- The file contains the following:
dn: cn=SSL,cn=Configuration
changetype: modify
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA256
dn: cn=SSL,cn=Configuration
changetype: modify
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
dn: cn=SSL,cn=Configuration
changetype: modify
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
dn: cn=SSL,cn=Configuration
changetype: modify
add: ibm-slapdSslCipherSpec
ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Configuring ISIM to work with SDS through SSL↑
The necessary steps to accomplish this task can be found here:
A quick summary of the tasks that has to be performed:
- Import the SDS certificate CA to the WebSphere Truststore.
- This truststore is the WebSphere built-in truststore, accessible through the admin console, Security / SSL Certificate and Key management / Key stores and certificates / <Correct_Node_trust_store>
- The CA must be added either through importing the CA file on the admin console, or by retrieving the CA through the LDAPS port.
- Modify the enRoleLDAPConnection.properties file in the <ISIM_Install_dir> / data folder.
- Set the value
java.naming.provider.url=ldaps://hostname:port
- Set the value
java.naming.security.protocol=ssl
- Set the value
- At this point, ISIM should work with the Directory Server through a secured connection. If the Directory Server must only operate through SSL, there are additional configuration steps needed, because the utility tools for ISIM will not work.
- These tasks involve the configuration of the ldapConfig, ldapModify, etc... utilities. These are configured through their .lax files.
- For these tasks please refer to the attached article, which describes what modifications are required.