Install and update IBM Security Directory Server V6.4 with operating system tools
Basic guide to install and configure IBM SDS V6.4 with operating system tools.
Author(s): Richard Lennert | Created: 16 December 2021 | Last modified: 16 December 2021
Tested on: IBM Security Directory Server V6.4 FP 24
Install and update IBM Security Directory Server V6.4
Note: IBM DB2 installation and instance creation are not covered in this manual. The minimum required DB2 level for SDS is IBM DB2 10.5.0.4, but it is highly recommended to use the latest DB2 version supported by ISDS.
All steps below must be executed as root user!
The steps below were performed on a 64-bit RHEL 8 machine to install IBM Security Directory Server V126.96.36.199. Adjust them to your OS and release accordingly.
The benefit of this method is that you can install the latest version directly, skipping the base installation altogether. Take extra care, however: these manual steps are more error-prone than using Installation Manager.
The following parameter values will be used in this guide:
- DB2 instance owner username and password:
- ISDS instance name:
Ensure OS prerequisites are met
- Enable time synchronization using NTP
dnf install chrony
systemctl enable --now chronyd
Add your NTP server(s) to the
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server pool.ntp.org iburst
Then restart the chronyd service:
systemctl restart chronyd
- Disable SELinux
In /etc/selinux/config, make sure the following parameter is set to disabled:
Then reboot the server.
Make sure the local firewall allows TCP ports 389 and 636 to receive incoming connections.
Make sure both nodes can resolve each other's and their own hostnames, either using a DNS server or the local hosts file.
Install prerequisite packages
Install the required packages with the following command:
dnf install ksh psmisc libnsl
Install ISDS packages
Extract the three parts of the latest fix package and the activation kit, each of them to a separate empty folder:
- ISDS Server (
- IBM GSKit (
- IBM JDK (
- Premium Feature Activation Package (sds64-premium-feature-act-pkg.zip), if you have it
Navigate to the 188.8.131.52-ISS-ISDS-LinuxX64-IF0024/license folder and run the following command:
Enter 1 at the prompt to accept the license.
Navigate to folder 184.108.40.206-ISS-GSKIT-LinuxX64-FP0024/64 in the extracted GSKit package and install the two RPMs in this order:
rpm -ivh gskcrypt64-220.127.116.11.linux.x86_64.rpm
rpm -ivh gskssl64-18.104.22.168.linux.x86_64.rpm
- Navigate to the 22.214.171.124-ISS-ISDS-LinuxX64-IF0024/images folder of the extracted ISDS fix package and install the following RPMs only, and in this order:
rpm -ivh idsldap-license64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-cltbase64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-clt64bit64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-cltjava64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-srvbase64bit64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-srv64bit64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-msg64-en-6.4.0-24.x86_64.rpm
- In the sdsV6.4/entitlement folder of the Premium Feature Activation Package, install the RPM with the following command:
rpm -ivh --nodeps idsldap-ent64-6.4.0-0.x86_64.rpm
- Recursively copy the java folder from the extracted IBM JDK package to the
cp -r java /opt/IBM/ldap/V6.4/
- Verify that the /opt/IBM/ldap/V6.4/etc/ldapdb.properties file points to your local DB2 installation folder (V126.96.36.199 in my case):
- Then add the idsldap and root users to the db2iadm1 group:
# -a appends db2iadm1 to the existing supplementary groups instead of replacing them
usermod -a -G db2iadm1 idsldap
usermod -a -G db2iadm1 root
Create ISDS instance
Make sure to use a secure random encryption seed and salt.
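One way to produce the seed and salt passed to idsicrt with -e and -g in the next step, as an added example that is not part of the original guide. It assumes the seed must be 12 to 1016 characters and the salt exactly 12, all in the ASCII range 33 to 126; the function names and the file path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumed idsicrt limits:
# characters in ASCII 33..126, seed 12..1016 characters, salt exactly 12.

# gen_secret LEN: print LEN characters drawn from the kernel CSPRNG.
# The alphabet is limited to characters that need no shell quoting.
gen_secret() {
    # tr drops every byte outside the alphabet (rejection sampling, so
    # no modulo bias); 8192 input bytes leave about 2100 usable ones.
    pool=$(head -c 8192 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9_+=.')
    [ "${#pool}" -ge "$1" ] || return 1   # fail closed if the pool is short
    printf "%.${1}s\n" "$pool"
}

# valid_secret VALUE MIN MAX: succeed only if the length is within
# MIN..MAX and every character is printable ASCII 33..126.
valid_secret() {
    [ "${#1}" -ge "$2" ] && [ "${#1}" -le "$3" ] || return 1
    bad=$(printf '%s' "$1" | LC_ALL=C tr -d '!-~' | wc -c)
    [ "$bad" -eq 0 ]
}

# new_instance_secrets FILE: write SEED= and SALT= lines to FILE.
# The pair is stored in a root-only file because the tool's own output
# masks both values as *****, so they cannot be read back from it.
new_instance_secrets() {
    seed=$(gen_secret 32) && salt=$(gen_secret 12) || return 1
    valid_secret "$seed" 12 1016 && valid_secret "$salt" 12 12 || return 1
    ( umask 077; printf 'SEED=%s\nSALT=%s\n' "$seed" "$salt" > "$1" )
}

# Usage as root (the file path is a hypothetical choice):
#   new_instance_secrets /root/idsldap.secrets && . /root/idsldap.secrets
#   /opt/ibm/ldap/V6.4/sbin/idsicrt -I idsldap -p 389 -s 636 -t ldapdb \
#       -e "$SEED" -g "$SALT"
```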
- Create the ISDS instance
/opt/ibm/ldap/V6.4/sbin/idsicrt -I idsldap -p 389 -s 636 -t ldapdb -e <encryption seed> -g <encryption salt>
This will provide the following output:
GLPWRP123I The program '/opt/ibm/ldap/V6.4/sbin/64/idsicrt' is used with the following arguments 'idsicrt -I idsldap -p 389 -s 636 -t ldapdb -e ***** -g *****'.
You have chosen to perform the following actions:
GLPICR020I A new directory server instance 'idsldap' will be created.
GLPICR057I The directory server instance will be created at: '/home/idsldap'.
GLPICR013I The directory server instance's port will be set to '389'.
GLPICR014I The directory server instance's secure port will be set to '636'.
GLPICR015I The directory instance's administration server port will be set to '3538'.
GLPICR016I The directory instance's administration server secure port will be set to '3539'.
GLPICR019I The description will be set to: 'IBM Security Directory Server Instance V6.4'.
GLPICR021I Database instance 'ldapdb' will be configured.
Do you want to....
(1) Continue with the above actions, or
(2) Exit without making any changes:
Validate the proposed changes; if everything is in order, choose option
- Configure the database for ISDS. Provide the password of the DB2 instance owner user (ldapdb) with the -w option.
/opt/ibm/ldap/V6.4/sbin/idscfgdb -n -I idsldap -a ldapdb -t ldapdb -w P@ssw0rd -l /home/ldapdb
The following line should be at the end of the output if everything was successful:
GLPCDB003I Added database 'ldapdb' to directory server instance: 'idsldap'.
- Set the primary administrator DN and password:
/opt/ibm/ldap/V6.4/sbin/idsdnpw idsldap -u cn=root -p P@ssw0rd
This command will provide the following output:
GLPWRP123I The program '/opt/ibm/ldap/V6.4/sbin/64/idsdnpw' is used with the following arguments '-u cn=root -p ***** idsldap'.
You have chosen to perform the following actions:
GLPDPW004I The directory server administrator DN will be set.
GLPDPW005I The directory server administrator password will be set.
Do you want to....
(1) Continue with the above actions, or
(2) Exit without making any changes:
- Next, create the top entry in the instance:
/opt/IBM/ldap/V6.4/sbin/idscfgsuf -I idsldap -s O=IBM,C=HU
This command will provide the following output:
GLPWRP123I The program '/opt/ibm/ldap/V6.4/sbin/64/idscfgsuf' is used with the following arguments '-I idsldap -s O=IBM,C=HU'.
You have chosen to perform the following actions:
GLPCSF007I Suffix 'O=IBM,C=HU' will be added to the configuration file of the directory server instance 'idsldap'.
Do you want to....
(1) Continue with the above actions, or
(2) Exit without making any changes:
Then start the instance:
/opt/IBM/ldap/V6.4/sbin/slapd -I idsldap
Create an LDIF file with the following content (
dn: O=IBM,C=HU
o: IBM
objectclass: organization
Then execute it against the directory instance:
/opt/IBM/ldap/V6.4/bin/idsldapadd -D cn=root -w P@ssw0rd -h localhost -p 389 -i createOrg.ldif
Now you have an empty ISDS instance running.