Enabling TLS 1.2 for Security Directory Server 6.4


Author(s): Tamas Bures | Created: 28 March 2018 | Last modified: 28 March 2018
Tested on: -

Enabling TLS 1.2 for Security Directory Server 6.4

1. Create CMS keystore

Issue the command below in the same line!

gsk8capicmd_64  \
  -keydb  \
  -create \
  -db keystore.kdb \
  -pw <keystore password> \
  -type cms -stash

2. Create self signed certificate

Issue the command below in the same line!

gsk8capicmd_64 \
  -cert \
  -create \
  -db keystore.kdb \
  -pw <keystore password> \
  -label <label name> \
  -dn "cn=serverXXX,o=sample" \
  -size <key size> \
  -sig_alg SHA512WithRSA \
  -expire <expiration in days> \
  -x509version 3

3. Check keystore file and certificate in it

Issue the command below in the same line!

gsk8capicmd_64 \
  -cert \
  -list \
  -db keystore.kdb \
  -pw <password>

Sample output:

Certificates found
* default, - personal, ! trusted, # secret key
-   <label name>

4. Export certificate

Issue the command below in the same line!

gsk8capicmd_64 \
  -cert \
  -extract \
  -db keystore.kdb \
  -pw <keystore password> \
  -label <label name> \
  -target certificate.arm \
  -format binary

5. Check certificate details

Issue the command below in the same line!

gsk8capicmd_64 \
  -cert \
  -details \
  -db keystore.kdb \
  -pw <keystore password> \
  -label <label name>

Example output:

Label : <label name>
Key Size : 4096
Version : X509 V3
Serial : 78d4872038e49cbc
Issuer : cn=serverXXX,o=sample
Subject : cn=serverXXX,o=sample
Not Before : March 26, 2018 9:39:35 AM GMT+02:00

Not After : March 24, 2028 8:39:35 AM GMT+01:00

Public Key
    30 82 02 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
    01 05 00 03 82 02 0F 00 30 82 02 0A 02 82 02 01
    00 CD 27 97 9E 3C F4 99 58 0C AF C1 27 82 B6 F6
    2E 10 94 D4 B1 08 45 CE B1 70 7B D0 5E E6 25 9B
    DF 69 DD 58 4A C3 B7 5C 3E 37 13 A4 54 40 A6 E8
    B5 EC 2A 21 49 A2 54 B5 AF 13 C2 64 26 26 A2 6A
    C2 43 9C 59 A7 33 E0 13 7C 63 EC 9F 56 38 A5 FF
    C2 F2 EB E3 0A E6 D5 8B A1 0A 14 AF D2 F1 11 60
    7A 09 9A 5D 27 21 32 F8 60 15 FE 6C 70 B4 A5 90
    CA FE E0 8A 7E 8D 1A FE E1 A0 0E 20 F1 73 F9 33
    CB C7 75 93 FB F5 AB 18 B6 0A B1 D6 5F 6D D3 28
    04 40 CB DD 47 DA 66 35 A1 1F 3A 73 4C DE A8 4C
    AE 14 EC E1 B7 AD 8A 3E 6C 8E 18 A8 FF 99 AD 68
    10 46 CE 26 F6 4A 85 43 46 83 D0 1C FD 68 4D 2B
    8E 51 74 B0 3D C4 2F F0 9A 12 31 DE 8C 40 4C 0A
    D8 DE 89 6C A3 55 05 41 84 5A E9 05 D8 6A 06 75
    FE 16 34 A3 09 12 A5 F3 31 10 3B 64 2E 8F E9 D6
    25 03 B1 13 12 60 81 B9 B7 1B B6 33 1C 1E CB C4
    CB F2 7F FE FD 7B 9F E7 A5 FF 3A C1 AF BE DF 92
    85 D0 EC AE D5 A5 2B 58 9F 39 82 B5 48 1C 46 C4
    E9 24 14 97 26 85 A0 B4 4D 90 80 BE C6 CB 73 55
    BC C5 BA 53 F9 CA 0E 99 99 58 F0 21 4D 1C 08 C4
    DC 27 A2 F9 D9 3C D7 85 7D 1B 31 BA E5 C6 A5 8B
    5A 10 E2 2E CF 5D 1C B7 F1 4B 99 29 BE 5B 5B AD
    DC F6 89 9C 18 1A 1B 56 F3 90 7F 55 D5 DF FE F0
    8C 69 3A 3D 90 0E D2 B9 96 5E 12 06 7A 3C 56 0B
    16 28 93 3E DF C6 65 94 27 20 DB 57 8A 75 03 A4
    10 8B 51 4E 90 EF C1 B0 3E C9 B1 F6 BE 1C 1D 34
    90 44 38 0F 25 BA D2 44 9E A8 21 6F 1A A2 A3 58
    EA E6 4E 5B 2F 74 16 A2 5E 23 5E F7 DE 4B F1 AA
    46 50 C1 BF D6 CC 5B 4B 1C D2 AE 0D 58 5D 62 4A
    FD 78 7F 14 0E 0D AF 72 C2 20 2F 44 7B 62 26 4D
    61 60 37 0E 4E CB EC 08 EA C6 17 78 8C 70 04 42
    D5 96 1F 0B 55 D4 F3 F3 39 F7 5E 67 51 03 DA EA
    0F 02 03 01 00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 :
    00 D8 A3 9E 1F D0 E6 3F 10 9D 58 D3 25 47 60 78
    F8 CE 99 95
Fingerprint : MD5 :
    EB BB BB 03 E0 EE FD 57 13 8C EF 1D 68 97 38 C4
Fingerprint : SHA256 :
    DF D9 99 08 15 08 F7 BE 60 87 1F D4 7C 1A 6C CC
    D6 AA 93 0B A1 09 3D 17 38 42 EC A4 9C 72 46 61
Extensions
    SubjectKeyIdentifier
      keyIdentifier:
    02 1E 14 83 7E 0B 0E 66 DA 04 97 7E 0A 78 DE FE
    2C F3 96 BD
    AuthorityKeyIdentifier
      keyIdentifier:
    02 1E 14 83 7E 0B 0E 66 DA 04 97 7E 0A 78 DE FE
    2C F3 96 BD
      authorityIdentifier:
      authorityCertSerialNumber:
Signature Algorithm : SHA512WithRSASignature (1.2.840.113549.1.1.13)
Value
    AC FB AA 48 0C 42 B2 88 66 B4 13 3A 87 A7 A4 5F
    26 11 7A 31 EB 8E 25 47 09 55 11 37 98 C8 AF 25
    01 C6 8D 42 7A 2D 2B DE E3 CA FC 16 F9 0C 87 7E
    B3 20 E9 91 C8 A8 71 A3 45 9D C5 08 03 7F AB 5B
    5F E2 A5 D9 05 03 07 4D DC AF 98 D4 E8 FE 7D 16
    67 63 6D 0A 9C 9E 60 E5 D2 D2 C1 B3 5D 79 1F 45
    9E 8F CA 92 22 88 45 84 06 07 8C CD 06 14 C4 B9
    43 42 89 DE F1 57 DE 3F FD 92 02 26 D2 6D DF A9
    3A 16 99 05 A5 D3 C9 7D 0E 49 D8 DE 53 51 34 85
    56 F8 5A 41 49 6F 74 7D 6D 0A D1 DE 27 91 1B B5
    78 C8 57 A9 42 BB BC 27 F0 AD D8 B3 A9 3D C2 41
    8D DE C8 9F 67 B0 05 94 94 E9 6A 51 8B 0F 44 03
    55 A1 57 A3 36 8F 14 0B B9 4C 65 F0 68 6B 95 93
    09 38 BC 3F C0 A3 94 D4 4C 2E BC 3A 0A 56 B4 91
    44 56 A3 F1 5B 19 1F 70 37 4A 08 68 E6 ED 85 D7
    F3 2E 21 51 8D 35 79 72 13 AE FE 87 DE 55 76 E6
    B7 4E 5F C9 4C 06 3D 51 ED FC 2A EE B1 F3 1B 45
    7E 83 71 C4 FD 9B 90 AD A5 DD 84 6F E9 9E C5 73
    3A 95 DA CB 49 14 FC C1 6A 3E 2E 0B 77 9C 9F 56
    91 43 D6 6F 45 DA B7 27 A3 92 A5 92 84 9D AF 32
    7D 1F 3C 03 E7 1A 79 85 57 B3 CF 65 CB 94 67 9A
    FC AF D5 E3 80 07 44 B1 CB 3A AC C4 0F A6 84 80
    C8 B4 C9 13 08 EC 09 16 F0 22 31 EF 9C 33 93 14
    AD 77 22 18 01 48 BB EA C6 12 36 35 2D ED 89 D4
    9A 45 EE 0B EE 84 13 C6 29 33 91 C7 DC D6 08 78
    CA 93 E5 83 25 80 F6 A1 F3 F4 FD 33 46 2F DA B9
    C7 E6 82 0F BD 0D 45 3C 9B 1B FC 0F C0 AE 5F 2C
    33 BE 26 47 92 C3 9E FB 9F 53 27 1A A5 35 F9 F2
    1C 0A BF B5 7B 8A AC 38 96 9E DD A7 BE B9 13 D0
    02 79 3F BE 6E 96 17 B8 58 4D 36 F7 FC 87 D8 79
    AD 83 1A 83 75 38 07 B2 37 8E C5 F1 9F 54 74 A4
    13 3C A1 78 8A 95 FD DC 76 07 5F 53 3F 12 75 7E
Trust Status : Enabled

Verify that your server is up and running:

ps -ef |grep ibmslapd

Example output:

isamldap 13412     1  0 Mar13 ?        00:01:38 /opt/ibm/ldap/V6.4/sbin/64/ibmslapd -I <instance name> -t -n

Enable SSL communication

IBM SDS storesits configuration in the instance data directory under <instance_home>/etc directory. IBM suggests not modifying these files directly, instead use the commands to manipulate the configuration. This avoids any mistypes, syntax errors and invalid configuration states.

  1. Create an LDIF file with the following content (i.e. Enable_SDS_secureComm.ldif):

     dn: cn=SSL, cn=Configuration
     changetype: modify
     replace: ibm-slapdSslAuth
     ibm-slapdSslAuth: serverAuth
    
     dn: cn=SSL, cn=Configuration
     changetype: modify
     replace: ibm-slapdSecurity
     ibm-slapdSecurity: SSLTLS
    
     dn: cn=SSL, cn=Configuration
     changetype: modify
     replace: ibm-slapdSslKeyDatabase
     ibm-slapdSslKeyDatabase: <path to keystore>/keystore.kdb
    
     dn: cn=SSL, cn=Configuration
     changetype: modify
     replace: ibm-slapdSslCertificate
     ibm-slapdSslCertificate: <label name>
    
     dn: cn=SSL, cn=Configuration
     changetype: modify
     replace: ibm-slapdSslKeyDatabasepw
     ibm-slapdSslKeyDatabasepw: <keystore pwd>
    
  2. To execute the LDIF file, use the following command:

     idsldapmodify -h <host> -p <port> -D <user> -w ? -f Enable_SDS_secureComm.ldif

Enable TLS 1.2

  1. Create an LDIF file with the following content (i.e. Enable_SDS_TLS_1.2.ldif):

     dn: cn=SSL, cn=Configuration
     changetype: modify
     add: ibm-slapdSecurityProtocol
     ibm-slapdSecurityProtocol: TLS12
  2. To execute the LDIF file, use the following command:

     idsldapmodify -h <host> -p <port> -D <user> -w ? -f Enable_SDS_TLS_1.2.ldif

Enable TLS 1.2 ciphers

  1. Create an LDIF file with the following content (i.e. Enable_SDS_TLS_1.2_Ciphers.ldif):

     dn: cn=SSL,cn=Configuration
     changetype: modify
     add: ibm-slapdSslCipherSpec
     ibm-slapdSslCipherSpec: TLS_RSA_WITH_AES_256_CBC_SHA256
     -
     add: ibm-slapdSslCipherSpec
     ibm-slapdSslCipherSpec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
     -
     add: ibm-slapdSslCipherSpec
     ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
     -
     add: ibm-slapdSslCipherSpec
     ibm-slapdSslCipherSpec: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  2. To execute the LDIF file, use the following command:

     idsldapmodify -h <host> -p <port> -D <user> -w ? -f Enable_SDS_TLS_1.2_Ciphers.ldif

Restart server instances (admin server and SDS instance)

ibmslapd -I isamldap -k
ibmslapd -I isamldap -n

Verify the secure communication protocols

idsldapsearch -p <port> -s base -b "" objectclass=* ibm-slapdSecurityProtocol

Example output:

ibm-slapdSecurityProtocol=TLS12

Verify security connection from configuration

idsldapsearch -h <host> -p <port> -s base -b "" objectclass=* security

Example output:

security=tls

Verify that SDS instance is listening on the configured secure port

netstat -na |grep <secure port> (ie.: 636)

Example output:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN