Security Guide for Siebel Business Applications > Security Adapter Authentication > Installing LDAP Client Software > Generating a CMS File Using IBM GSK iKeyMan
Enabling SSL for the Siebel LDAP security adapter establishes a secure connection between the Siebel application and its LDAP server. How to enable SSL for an LDAP server is beyond the scope of this book; refer to your third-party LDAP server administration documentation for that purpose. This section assumes that the LDAP server is already SSL-enabled, that is, it accepts SSL connections.
To enable SSL for the Siebel LDAP security adapter, a certificate database file must be installed on the Siebel Server machine that runs AOMs or other components that must support LDAP authentication through the LDAP security adapter. The LDAP security adapter must connect to the LDAP server using a port that accepts SSL connections.
The Siebel LDAP security adapter is built on top of the IBM LDAP Client. The IBM LDAP Client requires that the certificate database file use the CMS file format. You can generate a CMS file using IBM GSK iKeyMan.
The rest of this section provides detailed instructions for generating a CMS file and enabling SSL for the Siebel LDAP security adapter. Upon completion, you should be able to bring up Siebel Business Applications with LDAP authentication, and you can expect communications between Siebel Business Applications and the LDAP server to be secure.
About Generating a CMS File
The CMS file should contain the CA certificates of those Certificate Authorities that have issued server certificates to LDAP servers. For example, assume that the Siebel Server is configured to authenticate against LDAP server evlabnet9:392. The server certificate for this LDAP server is issued by the certificate server evlab1. Therefore, the CMS file only needs to contain the CA certificate for evlab1. It does not need to contain a server certificate for evlabnet9.
If the Siebel Server is configured to authenticate against another LDAP server that gets its server certificate from evlab1, you do not have to update the CMS file.
Generating a CMS File
Use the procedure below to configure IBM GSK iKeyMan to support CMS key databases, and to generate a CMS file.
Before you configure IBM GSK iKeyMan, install the IBM LDAP Client and GSKit software, as described in previous platform-specific sections under this overall topic, Installing LDAP Client Software. You also need to install the patch located in the directory OS_platform\Server_Ancillary\IBM_LDAP_5.1_Client\enu where OS_platform describes. The patch is contained in a compressed file P510OS_platform-02H where OS_platform describes the platform as follows:
A readme file in the compressed file P510x-02H describes how to install this patch. This patch updates IBM GSK iKeyMan to a more recent version. Previous versions of IBM GSK iKeyMan contained expired CA certificates and could not create new CMS files.
To configure GSK iKeyMan to support CMS key databases
NOTE: For LDAP servers whose server certificate is issued by a new CA, just add that CA certificate to the existing CMS file, instead of creating a new CMS file for every LDAP server.
Enabling SSL for Siebel LDAP Security Adapter
Use the procedure below to configure SSL for the Siebel LDAP security adapter. For more information about LDAP security adapter configuration, see these sections in this chapter:
To enable SSL for the Siebel LDAP security adapter