
Configure SSL

To configure SSL

  1. Install the SSL version of IDS. The CD is entitled "InJoin Directory Server Secure Sockets Layer Option for Microsoft Windows NT."

    Note: Despite the name, Solaris support is included.

    To check whether the SSL-enabled version is installed:

    1. Go to the DSA directory (c:\ids\icon\dsa1).
    2. Run the command odsadmin.
    3. Bind to the directory by typing "bman", then the password.
    4. Type m_read_lkey.

      You should see the following, including "SSL enabled":

      admin>m_read_lkey
      read:
      read result:
      Entry information:
      Name: root
      Attribute type = licenceKey
      Maximum number of entries: 20000
      Demonstration expiry time: 06 August 2002
      Instance: 8192
      Options:
        Shadowing enabled
        Enterprise iCon enabled
        SSL enabled
      Result = OK

  2. Go to the SSL directory of IDS (c:\ids\icon\dsa1\ssl). Create a file containing a random key (such as ds43jr58vndn3). The name of this file is passed to odscertreq in Step 3 (the example uses the name "random").
  3. Generate a CSR (Certificate Signing Request) with odscertreq, using the random file from Step 2. The resulting request file contains one line made up of seemingly random letters and digits. For example:

    odscertreq -rnd random -str 1024 -alg rsa -enc pem -prv pkfile.p8 -pass password -req test.req -dn cn=server.icarus.com

    In this example:

  4. Pass the text in test.req to a Certificate Authority (CA). The CA generates the server certificate; save it in a file (our example uses the name servercert.crt).
  5. Obtain the root certificate from the CA in text format, and save it in a file (our example uses rootcert.crt).
  6. Use the odscertconv command to create an identity file for the SSL/IDS configuration:

    odscertconv -certificate servercert.crt -certificate rootcert.crt
      -pkcs8 pkfile.p8 "password" toPEM -pkcs12 cert.p12 "firewall"

    servercert.crt: Contains the server certificate generated by the CA
    rootcert.crt: Contains the root certificate from the CA
    pkfile.p8: Represents the private key file
    password: Represents the password
    cert.p12: Specifies the name of the identity file that will be generated by odscertconv

  7. Using iCon, go to the DSA, click on "Comms", then "LDAP", then "LDAP Security".
  8. Enter an SSL port (636) and a name for the PKCS12 identity ("test").
  9. For the identity file name, enter the name of the identity file created in Step 7 ("cert.p12"). In the PKCS#12 Password field, enter the password ("password") used in the same step.
  10. Click Apply, and restart the DSA.
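Once the DSA is back up, confirm from a client that port 636 really serves the new identity and that the chain verifies against the root certificate from Step 5. This is an added example, not part of the IDS documentation or tooling; it uses only the Python standard library and assumes the CN from the CSR (server.icarus.com), the port (636) and the file name rootcert.crt from the steps above.

```python
import socket
import ssl
import sys
import time

# Assumed from the procedure: the CSR DN, the LDAPS port and the CA root saved in Step 5.
EXPECTED_CN = "server.icarus.com"
LDAPS_PORT = 636
CA_FILE = "rootcert.crt"


def build_context(cafile):
    """Client context that trusts only the CA that issued the server certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True            # name in the cert must match the dialled name
    ctx.verify_mode = ssl.CERT_REQUIRED  # an unverifiable chain fails the handshake
    return ctx


def inspect_cert(cert, expected_cn, now=None):
    """Check a getpeercert() dict for subject CN and remaining validity; returns (ok, msg)."""
    now = time.time() if now is None else now  # epoch seconds, injectable for testing
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    if cn != expected_cn:
        return False, f"subject CN is {cn!r}, expected {expected_cn!r}"
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left <= 0:
        return False, f"certificate expired on {cert['notAfter']}"
    return True, f"CN {cn} verified, {days_left:.0f} days of validity left"


def check_ldaps(host, port=LDAPS_PORT, cafile=CA_FILE, expected_cn=EXPECTED_CN):
    """Handshake with the LDAPS port, verify the chain and report the identity served."""
    ctx = build_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_cn) as tls:
                return inspect_cert(tls.getpeercert(), expected_cn)
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain/hostname verification failed: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"TLS handshake failed: {exc}"


if __name__ == "__main__":
    ok, msg = check_ldaps(sys.argv[1] if len(sys.argv) > 1 else EXPECTED_CN)
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

A failure in chain or hostname verification means the PKCS#12 identity loaded by the DSA does not match what the CA issued for server.icarus.com, or the wrong root was saved in Step 5.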