Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP


Updated: July 2014

Setting Up TLS Security


Note -  The PEM certificate files must be readable by everyone. Do not encrypt or limit read permissions on these files. Otherwise, tools such as ldaplist fail to function.

If you are using transport layer security (TLS), you must install the necessary PEM certificate files. In particular, you need every self-signed server certificate and CA certificate file that is used to validate the LDAP server, and possibly to validate client access to the server. For example, if you have the PEM CA certificate certdb.pem, you must ensure that this file is added to the certificate path and is readable there.


Note -  If you are using TLS, install the required PEM certificate files described in this section before running ldapclient.

For information about how to create and manage PEM format certificates, see the section about configuring LDAP clients to use SSL in the “Managing SSL” chapter of the Administrator's Guide for the version of the Oracle Directory Server Enterprise Edition you are using. After configuration, these files must be stored in the location expected by the LDAP naming service client. The certificatePath attribute determines this location. By default, this location is in /var/ldap.

For example, after creating the necessary PEM certificate file, such as certdb.pem, copy that file to the default location as follows:

# cp certdb.pem /var/ldap

Next, give everyone read access.

# chmod 444 /var/ldap/certdb.pem

Note -  More than one certificate file might reside in the certificate path. Additionally, any given PEM certificate file might contain multiple PEM format certificates that are concatenated together. Refer to your server documentation for further details. The certificate files must be stored on a local file system if you are using them for an LDAP naming service client.
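The requirements in this section (the files exist in the certificate path, are readable by everyone, are not encrypted, and each holds one or more concatenated PEM certificates) can be verified before ldapclient is run with a script like the one below. This is an added example and not part of the Oracle guide; the function names and output labels are chosen here, and the directory argument is assumed to be the configured certificatePath, by default /var/ldap.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): verify that the PEM files in the
# LDAP client's certificate path are present, readable by everyone,
# unencrypted, and contain at least one certificate block.

# pem_cert_count FILE: print the number of PEM certificate blocks in FILE
# (a single file may hold several certificates concatenated together).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# check_pem FILE: return 0 if FILE is usable by the naming service client,
# otherwise print the reason and return 1.
check_pem() {
    f="$1"
    [ -f "$f" ] || { echo "MISSING            $f"; return 1; }
    # Column 8 of 'ls -l' is the read bit for "other". Unprivileged tools
    # such as ldaplist need it set, so a plain -r test run as root is not enough.
    other_r=$(ls -ld "$f" | cut -c8)
    [ "$other_r" = "r" ] || { echo "NOT-WORLD-READABLE $f"; return 1; }
    # Encrypted PEM content cannot be read by the client without a passphrase.
    if grep -q -- 'ENCRYPTED' "$f"; then echo "ENCRYPTED          $f"; return 1; fi
    n=$(pem_cert_count "$f")
    [ "$n" -gt 0 ] || { echo "NO-CERT-BLOCKS     $f"; return 1; }
    echo "OK                 $f ($n certificate block(s))"
}

# check_cert_path DIR: check every *.pem file in DIR; return 1 if any file
# fails or if DIR holds no PEM files at all.
check_cert_path() {
    dir="$1"; rc=0; found=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        found=1
        check_pem "$f" || rc=1
    done
    [ "$found" -eq 1 ] || { echo "NO-PEM-FILES       $dir"; return 1; }
    return "$rc"
}

# Usage: sh pemcheck.sh /var/ldap   (pass the configured certificatePath)
if [ "$#" -gt 0 ]; then
    check_cert_path "$1"
fi
```

The script's exit status is non-zero when any file would make ldaplist or ldapclient fail, so it can be run as a pre-check before ldapclient.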