Security Guide for Siebel Business Applications > Security Adapter Authentication > Installing LDAP Client Software >
Generating a CMS File Using IBM GSK iKeyMan
By enabling SSL for the Siebel LDAP security adapter, a secure connection will be established between the Siebel application and its LDAP server.
How to enable SSL for a LDAP server is beyond the scope of this book. Refer to your third-party LDAP server administration documentation for that purpose. This section assumes that the LDAP server is already SSL-enabled—that is, it accepts SSL connections.
To enable SSL for the Siebel LDAP security adapter, a certificate database file must be installed on the Siebel Server machine where AOMs or other components run that must support LDAP authentication through the LDAP security adapter. The LDAP security adapter must connect to the LDAP server using a port that accepts SSL connections.
The Siebel LDAP security adapter is built on top of the IBM LDAP Client. The IBM LDAP Client requires that the certificate database file uses the CMS file format. You can generate a CMS file using IBM GSK iKeyMan.
The rest of this section provides detailed instructions for generating a CMS file and enabling SSL for the Siebel LDAP security adapter. Upon completion, you should be able to bring up Siebel Business Applications with LDAP authentication and you can expect that communications between Siebel Business Applications and LDAP server will be secure.
About Generating a CMS File
The CMS file should contain CA certificates of those Certificate Authorities that have issued server certificates to LDAP servers.
For example, assume that the Siebel Server is configured to authenticate against LDAP server evlabnet9:392. The server certificate for this LDAP server is issued by the certificate server evlab1. Therefore, the CMS file only needs to contain CA certificate for evlab1. It does not need to contain a server certificate for evlabnet9. If the Siebel Server is configured to authenticate against another LDAP server that gets its server certificate from evlab1, you do not have to update the CMS file.
Generating a CMS File
Use the procedure below to configure IBM GSK iKeyMan to support CMS key databases, and to generate a CMS file.
Before you configure IBM GSK iKeyMan, install the IBM LDAP Client and GSKit software, as described in previous platform-specific sections under this overall topic, Installing LDAP Client Software. You also need to install the patch located in the directory OS_platform\Server_Ancillary\IBM_LDAP_5.1_Client\enu where OS_platform describes. The patch is contained in a compressed file P510OS_platform-02H where OS_platform describes the platform as follows:
- W = Windows (P510W-02H.zip)
- S = Solaris (P510S-02H.tar.Z)
- H = HPUX (P510H-02H.tar)
- A = AIX (P510A-02H.tar.Z)
A readme file in the compressed file P510x-02H describes how to install this patch. This patch updates IBM GSK iKeyMan to a more recent version. Previous versions of IBM GSK iKeyMan contained expired CA certificates and could not create new CMS files.
To configure GSK iKeyMan to support CMS key databases
- Install IBM GSK iKeyMan on your machine. For details, see Installing and Configuring IBM GSK iKeyMan.
- Determine which CA issued the server certificate for your LDAP server and obtain this CA certificate.
- Copy the CA certificate to the machine where you have installed GSK iKeyMan.
- Create a new CMS file using iKeyMan.
- Navigate to GSK_installation_directory/bin, where GSK_installation_directory is the directory where you installed both IBM GSKit and GSK iKeyMan.
- Enter the following command:
- To create a new CMS file, select New from the Key Database File menu.
- In the dialog box, specify the key database type as CMS, and specify the file name (using file extension .kdb) and the location where you intend to store your CMS file. Click OK.
- In the Password Prompt dialog box, enter and confirm the password, and check the option Stash the password to a file. Click OK.
The stash password option creates a file with the same name as the CMS file, but with the extension .sth. The file is created at the same location as the CMS file. For example, ldapkey.sth is created if your CMS file is named ldapkey.kdb.
- If you are using the stash password option, click OK to confirm the creation of the .sth file.
The newly created CMS file opens in the iKeyMan main window.
- Add one or more CA certificates to the CMS file created in the previous step.
- At the Signer Certificates prompt, click Add.
- In the dialog box named Add CA's certificate from a file, specify the data type, and specify the certificate file name and the location where you intend to store your file. Use the Browse button, as necessary, to specify the location of the CA certificate file. Click OK.
- If the certificate was saved in Base64 format, specify the data type Base-64 encoded ASCII data.
- If the certificate was saved in DER binary format, specify the data type DER binary data.
- Repeat the previous substep for each CA certificate you want to add into the CMS file. Make sure that you select the correct data type.
NOTE: For LDAP servers that have their server certificate issued from a new CA, just add the CA certificate to the CMS file, instead of creating a new CMS file for every LDAP server.
Enabling SSL for Siebel LDAP Security Adapter
Use the procedure below to configure SSL for the Siebel LDAP security adapter. For more information about LDAP security adapter configuration, see these sections in this chapter:
To enable SSL for the Siebel LDAP security adapter
- Copy the ldapkey.kdb (the CMS file) and ldapkey.sth files you just created in the previous procedure to the Siebel Server machine where you will run AOM components that will support LDAP authentication.
For example, you might copy these files to the directory \ssldb.
- Modify the LDAP security adapter configuration. Configure the following parameters:
- port = 636
The SSL port is configurable for the LDAP server. Verify the actual port number the LDAP server is using for SSL.
- ssldatabase = CMS_file_path
Specify the absolute path to the CMS file, such as d:\ssldb\ldapkey.kdb.
- Restart the Siebel Server (if you are configuring LDAP on a Siebel Server).