

IBM Directory

CA Harvest SCM works with IBM Tivoli Directory Server 5.2.

The GSKIT 7.0 toolkit bundled with the IBM Tivoli Directory Server must be installed to enable your system to generate certificate requests and self-signed root certificates. See the IBM Tivoli Directory Server documentation for the prerequisites and installation instructions for GSKIT.

Important! When you use the GSKIT 7.0 toolkit bundled with IBM Tivoli Directory Server 5.2, you may experience problems generating the certificate requests. To enable your system to generate certificate requests successfully, you may need to install the GSKIT 7.0.1.16 update patch.

For IBM Directory, you may need to configure your Java runtime environment and to create a self-signed root certificate. Sample procedures for performing both tasks follow.

Configuring the Java runtime environment is a prerequisite for creating the self-signed root certificate.

Follow these steps:

  1. Verify that you have Java Runtime Environment installed.
  2. Update the $JAVA_HOME/lib/security/java.security file to add the IBM CMS security provider in the first position. For example:
    security.provider.1=com.ibm.spi.IBMCMSProvider
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    
  3. If applicable for your system, make any other required modifications to your Java runtime environment.

    Note: For detailed information, see the IBM Tivoli Directory Server documentation.
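The following check is an added example, not part of the product or IBM documentation. It parses the text of a java.security file and reports the mistakes that commonly follow from inserting a provider at position 1: a mis-cased key, a duplicated index, a wrong class in first position, or a numbering gap. It assumes the usual JRE behaviour of reading the numbered entries in sequence from 1; the function name, the sample files and the provider `example.HypotheticalProvider` are constructed for illustration.

```python
import re

EXPECTED_FIRST = "com.ibm.spi.IBMCMSProvider"   # class name from step 2 above
KEY = re.compile(r"^\s*(security\.provider\.)(\d+)\s*[=:]\s*(\S+)", re.IGNORECASE)

def check_provider_order(text, expected_first=EXPECTED_FIRST):
    """Return a list of findings for the security.provider.N entries in text."""
    findings, providers = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "!")):      # properties-file comments
            continue
        m = KEY.match(line)
        if not m:
            continue
        prefix, index, cls = m.group(1), int(m.group(2)), m.group(3)
        if prefix != "security.provider.":            # property names are case-sensitive
            findings.append(f"line {lineno}: key '{prefix}{index}' is mis-cased and will be ignored")
            continue
        if index in providers:
            findings.append(f"line {lineno}: duplicate index {index}; this entry replaces {providers[index]}")
        providers[index] = cls
    if providers.get(1) != expected_first:
        findings.append(f"position 1 is {providers.get(1)}, expected {expected_first}")
    # Assumption: entries are read in sequence from 1, so a gap hides every later entry.
    contiguous = 0
    while contiguous + 1 in providers:
        contiguous += 1
    for index in sorted(i for i in providers if i > contiguous):
        findings.append(f"index {index} ({providers[index]}) is unreachable: no entry numbered {contiguous + 1}")
    return findings

# Constructed samples (not taken from a real installation).
GOOD = """\
# constructed sample
security.provider.1=com.ibm.spi.IBMCMSProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
"""
BAD = """\
Security.provider.1=com.ibm.spi.IBMCMSProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.2=example.HypotheticalProvider
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_provider_order(sample) or "ok")
```

To check a real installation, pass the contents of $JAVA_HOME/lib/security/java.security to `check_provider_order` and resolve every finding before starting the IBM Key Management utility.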

Creating the self-signed root certificate file enhances security for authenticating and protecting users' logon credentials.

Follow these steps:

  1. Start the IBM Key Management utility.
  2. Click Key Database File, New to create a server key database (.kdb file).

    The New dialog appears.

  3. Verify that the key database type option is set to CMS.
  4. Specify the filename and complete path for the key file and click OK to close the dialog.

    If you do not see the CMS option in the drop-down list, see the Important Note at the beginning of this section (IBM Directory) and verify that you have completed the steps in the previous section, Configure the Java Runtime Environment.

  5. Click OK.

    The Password Prompt dialog appears.

  6. Enter a password and set a password expiration time. For example, set an expiration time of 1000 days.
  7. Click OK to complete the request.
  8. In the main window, click Create, New Self-Signed Certificate. Provide the following information.
    Key label

    Defines a descriptive label for the certificate.

    Key version

    (Optional) Specifies the version of the key, typically X509 V3.

    Common name

    (Optional) Defines the common name of the LDAP server computer. This value is typically the computer's fully qualified domain name.

    Organization

    Defines your organization name.

    Validity

    (Optional) Defines the duration for which the certificate is valid.

  9. Click OK.

    The request is created.

  10. Select the new certificate's entry in the Personal Certificate list and click Extract Certificate.

    The Extract Certificate to a File dialog appears.

  11. Select Base64‑encoded ASCII data from the Data type list.
  12. Enter a file name with an .arm extension and the complete path to which the root certificate is to be exported.
  13. Click OK.

    The root certificate is exported.

    Note: The self-signed certificate, rootcert.arm, can be used by the LDAP clients, the product's broker and remote agent, to communicate with the IBM Tivoli Directory Server in the Transport Layer Security mode.