Configure an SSL Connection

You can configure IDS to accept LDAP connections over SSL. The procedure installs the SSL-enabled server, creates a server identity (private key plus CA-signed certificate), and binds that identity to an SSL listener port.

To configure SSL

  1. Install the SSL version of IDS.

    Note: The CD is entitled "InJoin Directory Server Secure Sockets Layer Option for Microsoft Windows NT". Despite the name, Solaris support is included.

  2. (Optional) Verify that the SSL-enabled version is installed:
    1. Go to the DSA directory: c:\ids\icon\dsa1.
    2. Run the command odsadmin.
    3. Bind to the directory by typing "bman", then the password.
    4. Type m_read_lkey.
    5. Verify that the following is displayed:

      admin>m_read_lkey
      read:
      read result:
      Entry information:
      Name: root
      Attribute type = licenseKey
      Maximum number of entries: 20000
      Demonstration expiry time: 06 August 2002
      Instance: 8192
      Options:
        Shadowing enabled
        Enterprise iCon enabled
        SSL enabled
      Result = OK

  3. Go to the SSL directory of IDS, c:\ids\icon\dsa1\ssl, and create a file containing a random string (such as ds43jr58vndn3) to seed key generation. Use this file name in the next step.
  4. Create a Certificate Signing Request (CSR) file with odscertreq. The resulting file contains one line made up of a string of random-looking characters and numbers.

    Example:

    odscertreq -rnd random -str 1024 -alg rsa -enc pem -prv pkfile.p8 -pass password -req test.req -dn cn=server.icarus.com

  5. Pass the text in test.req to a Certificate Authority (CA).

    The CA creates a server certificate.

  6. Save the server certificate in a file (such as servercert.crt).
  7. Obtain the root certificate from the CA in text format and save it in a file (such as rootcert.crt).
  8. Run the following command:

    odscertconv -certificate servercert.crt -certificate rootcert.crt -pkcs8 pkfile.p8 password toPEM -pkcs12 cert.p12 firewall

    An identity file is created for the SSL/IDS configuration.

  9. In iCon, go to the DSA and click Comms, LDAP, LDAP Security.
  10. Enter an SSL port (such as 636) and a name for the PKCS12 identity (such as test).
  11. Enter the name of the identity file that you created.

    Example: cert.p12

  12. Enter the password that you used when you created the identity file.

    Example: password

  13. Click Apply, and restart the DSA.

    Note: If the Policy Server is operating in FIPS mode and the directory connection is to use a secure SSL connection when communicating with the Policy Server, the certificates used by the Policy Server and the directory store must be FIPS compliant.
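Two things in this procedure are worth confirming from the defender's side: that the license key really carries the SSL option (step 2), and that, after the restart in step 13, the DSA's SSL port presents a certificate that chains to the CA root saved in step 7 and names the host given in the CSR's -dn. The Python script below is an added example; it is not part of the IDS product or of the original documentation. It parses the m_read_lkey listing (embedded as a constructed sample copied from step 2) and provides a helper that verifies the LDAPS listener with Python's standard ssl module. The host name server.icarus.com, port 636 and file name rootcert.crt are taken from the procedure's own examples; the function names are assumptions of this example.

```python
"""Added example: check the IDS licence key for the SSL option and verify the LDAPS listener."""
import socket
import ssl
from datetime import datetime

# Constructed sample: the odsadmin m_read_lkey listing from step 2, without the
# blank lines the printed listing shows between entries (the parser accepts both).
SAMPLE_LKEY_OUTPUT = """\
admin>m_read_lkey
read:
read result:
Entry information:
Name: root
Attribute type = licenseKey
Maximum number of entries: 20000
Demonstration expiry time: 06 August 2002
Instance: 8192
Options:
  Shadowing enabled
  Enterprise iCon enabled
  SSL enabled
Result = OK
"""


def parse_lkey_output(text):
    """Parse an m_read_lkey listing into a dict.

    Option lines are the indented lines that follow 'Options:'; the first
    non-indented line (normally 'Result = OK') ends the option list.
    """
    info = {"options": []}
    in_options = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue  # tolerate the double-spaced form of the listing
        if in_options:
            if line[0] in " \t":
                info["options"].append(line.strip())
                continue
            in_options = False
        key_value = line.split(":", 1)
        if line.strip() == "Options:":
            in_options = True
        elif line.startswith("Name:"):
            info["name"] = key_value[1].strip()
        elif line.startswith("Maximum number of entries:"):
            info["max_entries"] = int(key_value[1])
        elif line.startswith("Demonstration expiry time:"):
            info["expiry"] = datetime.strptime(key_value[1].strip(), "%d %B %Y")
        elif line.startswith("Result ="):
            info["result"] = line.split("=", 1)[1].strip()
    return info


def ssl_option_enabled(info):
    """True when the licence key lists the 'SSL enabled' option."""
    return "SSL enabled" in info["options"]


def license_expired(info, now=None):
    """True when a demonstration licence has passed its expiry date."""
    if "expiry" not in info:
        return False  # permanent licence: no expiry line in the listing
    return info["expiry"] < (now or datetime.now())


def fetch_ldaps_certificate(host, port=636, cafile="rootcert.crt"):
    """Connect to the DSA's SSL port and return the server certificate as a
    dict, verifying the chain against the CA root from step 7 and checking
    that the certificate matches `host`. Raises ssl.SSLError when the chain
    does not end at that root or the name does not match."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets CERT_REQUIRED and check_hostname=True.
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    info = parse_lkey_output(SAMPLE_LKEY_OUTPUT)
    print("Licence holder:", info["name"])
    print("SSL option enabled:", ssl_option_enabled(info))
    print("Demonstration licence expired:", license_expired(info))
    # After step 13, verify the listener, for example:
    # cert = fetch_ldaps_certificate("server.icarus.com", 636, "rootcert.crt")
    # print(cert["subject"], cert["notAfter"])
```

Run the script as-is to check the sample listing; call fetch_ldaps_certificate("server.icarus.com") only after the DSA has been restarted with the new identity. The default context requires a server certificate and enforces host-name matching against the cn given in the CSR's -dn, so a self-signed or mis-named identity is reported rather than silently accepted. Current OpenSSL builds at security level 2 refuse RSA keys shorter than 2048 bits, so a key generated with the example's -str 1024 will fail this verification from a modern client; a longer key is the practical choice today.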


Copyright © 2010 CA. All rights reserved.