Install and update IBM Security Directory Server V6.4 with operating system tools

Basic guide to install and configure IBM SDS V6.4 with operating system tools.


Author(s): Richard Lennert | Created: 16 December 2021 | Last modified: 16 December 2021
Tested on: IBM Security Directory Server V6.4 FP 24

Install and update IBM Security Directory Server V6.4

Note: IBM DB2 installation and instance creation are not covered in this manual. The minimum required DB2 level for SDS is IBM DB2 10.5.0.4, but it is highly recommended to use the latest DB2 version supported by ISDS.

All steps below must be executed as root user!

The steps below were performed on a 64-bit RHEL 8 machine to install IBM Security Directory Server V6.4.0.24; adjust to your OS and release accordingly.

The benefit of this method is that you can install the latest version directly, skipping the base installation altogether. Take extra care, however: these manual steps are more error-prone than using Installation Manager.

The following parameter values will be used in this guide:

  • DB2 instance owner username and password: ldapdb / P@ssw0rd
  • ISDS instance name: idsldap

Ensure OS prerequisites are met

  1. Enable time synchronization using NTP:

dnf install chrony
systemctl enable --now chronyd

Add your NTP server(s) to the /etc/chrony.conf file:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server pool.ntp.org iburst

Then restart the chronyd service:

systemctl restart chronyd

  2. Disable SELinux. In /etc/selinux/config make sure the following parameter is set to disabled:

SELINUX=disabled

Then reboot the server.

  3. Make sure the local firewall allows TCP ports 389 and 636 to receive incoming connections.

  4. Make sure both nodes can resolve each other's and their own hostnames either using a DNS server or the local hosts file.

  5. Install prerequisite packages. Install the required packages with the following command:

dnf install ksh psmisc libnsl

Install ISDS packages

Extract the three parts of the latest fix package and the activation kit, each of them to a separate empty folder:

  • ISDS Server (6.4.0.24-ISS-ISDS-LinuxX64-IF0024.tar.gz)
  • IBM GSKit (8.0.55.24-ISS-GSKIT-LinuxX64-FP0024.tar.gz)
  • IBM JDK (8.0.6.30-ISS-JAVA-LinuxX64-FP0030.tar.gz)
  • Premium Feature Activation Package (sds64-premium-feature-act-pkg.zip) - if you have it
  1. Navigate to the 6.4.0.24-ISS-ISDS-LinuxX64-IF0024/license folder and run the following command:

./idsLicense

Type 1 at the prompt to accept the license.

  2. Navigate to the 8.0.55.24-ISS-GSKIT-LinuxX64-FP0024/64 folder of the extracted GSKit package and install the two RPMs in this order:

rpm -ivh gskcrypt64-8.0.55.24.linux.x86_64.rpm
rpm -ivh gskssl64-8.0.55.24.linux.x86_64.rpm

  3. Navigate to the 6.4.0.24-ISS-ISDS-LinuxX64-IF0024/images folder of the extracted ISDS fix package and install only the following RPMs, in this order:

rpm -ivh idsldap-license64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-cltbase64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-clt64bit64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-cltjava64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-srvbase64bit64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-srv64bit64-6.4.0-24.x86_64.rpm
rpm -ivh idsldap-msg64-en-6.4.0-24.x86_64.rpm

  4. In the sdsV6.4/entitlement folder of the Premium Feature Activation Package, install the RPM with the following command:

rpm -ivh --nodeps idsldap-ent64-6.4.0-0.x86_64.rpm

  5. Recursively copy the java folder from the extracted IBM JDK package to the /opt/ibm/ldap/V6.4/ folder:

cp -r java /opt/ibm/ldap/V6.4/

  6. Verify that the /opt/ibm/ldap/V6.4/etc/ldapdb.properties file points to your local DB2 installation folder (V11.1.4.6 in my case):

currentDB2InstallPath=/opt/ibm/db2/V11.1
currentDB2Version=11.1.4.6

  7. Then add the idsldap and root users to the db2iadm1 group (-a appends, so both users keep their existing supplementary groups):

usermod -a -G db2iadm1 idsldap
usermod -a -G db2iadm1 root

Create ISDS instance

Make sure to use a secure random encryption seed and salt.
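
One way to produce those values before running idsicrt in step 1 below. This is an added example, not part of the original guide; the length and character-set limits are taken from IBM's idsicrt reference rather than from this page, and the file and variable names are illustrative.

```shell
#!/bin/sh
# Added example: generate the values passed to idsicrt -e (seed) and -g (salt).
# Assumption (IBM's idsicrt reference, not this page): both must be printable
# ASCII in the range 33-126; the seed is 12-1016 characters, the salt exactly 12.

# gen_secret N: print N characters drawn from /dev/urandom.
# Only [A-Za-z0-9] is emitted: inside the allowed range, no shell quoting needed.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# valid_secret VALUE MIN MAX: succeed only if VALUE is MIN..MAX characters long
# and contains nothing outside ASCII 33-126 (so no spaces or control bytes).
valid_secret() {
    [ "${#1}" -ge "$2" ] && [ "${#1}" -le "$3" ] || return 1
    # Delete every allowed character; the trailing "x" keeps a leftover
    # newline from being stripped by the command substitution.
    rest=$(printf '%s' "$1" | LC_ALL=C tr -d '!-~'; printf x)
    [ "$rest" = x ]
}

# write_secrets FILE: store a fresh seed and salt in FILE, created with a
# umask of 077 so only the owner (root) can read it.
write_secrets() (
    umask 077
    seed=$(gen_secret 32)
    salt=$(gen_secret 12)
    valid_secret "$seed" 12 1016 && valid_secret "$salt" 12 12 || exit 1
    printf 'ENC_SEED=%s\nENC_SALT=%s\n' "$seed" "$salt" > "$1"
)

# Usage (as root; /root/idsldap.enc is an illustrative path):
#   write_secrets /root/idsldap.enc && . /root/idsldap.enc
#   idsicrt -I idsldap -p 389 -s 636 -t ldapdb -e "$ENC_SEED" -g "$ENC_SALT"
```

Keep the file somewhere protected: a second instance that has to read the same encrypted data (a replica, for example) must be created with the same seed and salt.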

  1. Create the ISDS instance:

/opt/ibm/ldap/V6.4/sbin/idsicrt -I idsldap -p 389 -s 636 -t ldapdb -e <encryption seed> -g <encryption salt>

This will provide the following output:

GLPWRP123I The program '/opt/ibm/ldap/V6.4/sbin/64/idsicrt' is used with the following arguments 'idsicrt -I idsldap -p 389 -s 636 -t ldapdb -e ***** -g *****'.
You have chosen to perform the following actions:

GLPICR020I A new directory server instance 'idsldap' will be created.
GLPICR057I The directory server instance will be created at: '/home/idsldap'.
GLPICR013I The directory server instance's port will be set to '389'.
GLPICR014I The directory server instance's secure port will be set to '636'.
GLPICR015I The directory instance's administration server port will be set to '3538'.
GLPICR016I The directory instance's administration server secure port will be set to '3539'.
GLPICR019I The description will be set to: 'IBM Security Directory Server Instance V6.4'.
GLPICR021I Database instance 'ldapdb' will be configured.

Do you want to....
 (1) Continue with the above actions, or
 (2) Exit without making any changes:

Validate the proposed changes; if everything is in order, choose option 1.

  2. Configure the database for ISDS. Provide the password of the DB2 instance owner user (ldapdb) with the -w option:

/opt/ibm/ldap/V6.4/sbin/idscfgdb -n -I idsldap -a ldapdb -t ldapdb -w P@ssw0rd -l /home/ldapdb

The following line should be at the end of the output if everything was successful:

GLPCDB003I Added database 'ldapdb' to directory server instance: 'idsldap'.

  3. Set the primary administrator DN and password:

/opt/ibm/ldap/V6.4/sbin/idsdnpw idsldap -u cn=root -p P@ssw0rd

This command will provide the following output:

GLPWRP123I The program '/opt/ibm/ldap/V6.4/sbin/64/idsdnpw' is used with the following arguments '-u cn=root -p ***** idsldap'.
You have chosen to perform the following actions:

GLPDPW004I The directory server administrator DN will be set.
GLPDPW005I The directory server administrator password will be set.

Do you want to....
 (1) Continue with the above actions, or
 (2) Exit without making any changes:

Choose option 1.

  4. Next, create the top entry in the instance:

/opt/ibm/ldap/V6.4/sbin/idscfgsuf -I idsldap -s O=IBM,C=HU

This command will provide the following output:

GLPWRP123I The program '/opt/ibm/ldap/V6.4/sbin/64/idscfgsuf' is used with the following arguments '-I idsldap -s O=IBM,C=HU'.
You have chosen to perform the following actions:

GLPCSF007I Suffix 'O=IBM,C=HU' will be added to the configuration file of the directory server instance 'idsldap'.

Do you want to....
 (1) Continue with the above actions, or
 (2) Exit without making any changes:

Choose option 1.

Then start the instance:

/opt/ibm/ldap/V6.4/sbin/slapd -I idsldap

Create an LDIF file with the following content (createOrg.ldif):

dn: O=IBM,C=HU
o: IBM
objectclass: organization

Then execute it against the directory instance:

/opt/ibm/ldap/V6.4/bin/idsldapadd -D cn=root -w P@ssw0rd -h localhost -p 389 -i createOrg.ldif

Now you have an empty ISDS instance running.
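
The success check from the idscfgdb step (output ending in the GLPCDB003I line) can be scripted when the installation is automated. The function below is an added example, not part of the original guide; it assumes the message-ID layout visible in the output above, with the final letter giving the severity, and its sample output is constructed.

```shell
#!/bin/sh
# Added example: check captured output of an ISDS configuration tool.
# Assumption: message IDs are GLP + 3 letters + digits + a severity letter
# (I = information, W = warning, E = error), as in the output shown above.

# glp_check EXPECTED_ID: read tool output on stdin. Succeeds only if no
# error-severity message appears and the last message line is EXPECTED_ID.
# Warning and error lines are echoed to stderr for the operator.
glp_check() {
    awk -v want="$1" '
        /^GLP[A-Z][A-Z][A-Z][0-9]+[WE] /  { print "review: " $0 > "/dev/stderr" }
        /^GLP[A-Z][A-Z][A-Z][0-9]+E /     { errors++ }
        /^GLP[A-Z][A-Z][A-Z][0-9]+[IWE] / { last = $1 }
        END { exit !(errors == 0 && last == want) }
    '
}

# Constructed sample: a run that ends with the expected success message.
sample_ok() {
    cat <<'EOF'
GLPWRP123I The program '/opt/ibm/ldap/V6.4/sbin/64/idscfgdb' is used with the following arguments '...'.
GLPCDB003I Added database 'ldapdb' to directory server instance: 'idsldap'.
EOF
}

# Constructed sample: GLPXXX000E is a placeholder ID, not a real ISDS message.
sample_failed() {
    cat <<'EOF'
GLPWRP123I The program '/opt/ibm/ldap/V6.4/sbin/64/idscfgdb' is used with the following arguments '...'.
GLPXXX000E Constructed error line for this example.
EOF
}

# Usage: <idscfgdb command from step 2> 2>&1 | tee idscfgdb.log | glp_check GLPCDB003I
```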