
Generating a CMS Key Database Using IBM GSKit


This topic describes how to generate a Cryptographic Message Syntax (CMS) key database using the IBM GSKit. Before you attempt this task, make sure that you carry out the tasks described in Configuring the IBM GSKit.

This task is a step in Process of Installing and Configuring LDAP Client Software.

By enabling SSL for the Siebel LDAP security adapter, a secure connection is established between the Siebel application and its LDAP server. For information on enabling SSL for an LDAP server, see your third-party LDAP server administration documentation. This topic assumes that the LDAP server is already SSL-enabled—that is, it accepts SSL connections.

To enable SSL for the Siebel LDAP security adapter, a certificate database file must be installed on the Siebel Server computer where AOMs or other components run that must support LDAP authentication through the LDAP security adapter. The LDAP security adapter must connect to the LDAP server using a port that accepts SSL connections.

The Siebel LDAP security adapter is built on top of the IBM LDAP Client. The IBM LDAP Client requires that the certificate database file uses the CMS key database format. You can generate a CMS key database using IBM GSKit.

The rest of this topic provides detailed instructions for generating a CMS key database and enabling SSL for the Siebel LDAP security adapter.

Generating a CMS Key Database

The CMS key database must contain CA certificates of those Certificate Authorities that have issued server certificates to LDAP servers.

For example, assume that the Siebel Server is configured to authenticate against LDAP server LDAPserver1:392. The server certificate for this LDAP server is issued by the certificate server evlab1. Therefore, the CMS key database only has to contain a CA certificate for CERTserver1. It does not have to contain a server certificate for LDAPserver1. If the Siebel Server is configured to authenticate against another LDAP server that gets its server certificate from CERTserver1, you do not have to update the CMS key database.

After installing and configuring the IBM GSKit on your computer, use the following procedure to configure IBM GSKit to support CMS key databases, and to generate a CMS key database.

To configure IBM GSKit to support CMS key databases

  1. Determine which CA issued the server certificate for your LDAP server and obtain this CA certificate.
  2. Copy the CA certificate to the computer where you have installed IBM GSKit.
  3. Create a new CMS key database using iKeyMan.
    1. Navigate to GSK_installation_directory/bin, where GSK_installation_directory is the directory where you installed IBM GSKit.
    2. Enter the following command:

    gsk7ikm

    3. To create a new CMS key database, select New from the Key Database File menu.
    4. In the dialog box, specify the key database type as CMS, specify the file name (using file extension .kdb), and specify the location where you intend to store your CMS key database. Click OK.

      NOTE:  The CMS key database must be located on a local drive, not on a network-attached storage device or other remote volume.

    5. In the Password Prompt dialog box, enter and confirm the password, and check the option Stash the password to a file. Click OK.

      You must select the Stash password to a file option for the Siebel LDAP security adapter to work correctly with SSL. The stash password option creates a file with the same name as the CMS key database, but with the extension .sth. The file is created at the same location as the CMS key database. For example, ldapkey.sth is created if your CMS key database is named ldapkey.kdb.

    6. Click OK to confirm the creation of the .sth file.

      The newly created CMS key database opens in the iKeyMan main window.

  4. Add one or more CA certificates to the CMS key database created in the previous step.
    1. At the Signer Certificates prompt, click Add.
    2. In the dialog box named Add CA's certificate from a file, specify the data type, and specify the certificate file name and the location where you intend to store your file. Use the Browse button, as necessary, to specify the location of the CA certificate file. Click OK.
      • If the certificate was saved in Base64 format, specify the data type Base-64 encoded ASCII data.
      • If the certificate was saved in DER binary format, specify the data type DER binary data.
    3. Repeat the previous substep for each CA certificate you want to add into the CMS key database. Make sure that you select the correct data type.

NOTE:  For LDAP servers that have their server certificate issued from a new CA, just add the CA certificate to the CMS key database, instead of creating a new CMS key database for every LDAP server.

Enabling SSL for Siebel LDAP Security Adapter

Use the procedure below to configure SSL for the Siebel LDAP security adapter. For more information about LDAP security adapter configuration, see Process of Implementing LDAP or ADSI Security Adapter Authentication.

To enable SSL for the Siebel LDAP security adapter

  1. Copy the ldapkey.kdb (the CMS key database) and ldapkey.sth files you just created in Generating a CMS Key Database to the Siebel Server computer where you will run the AOM components that support LDAP authentication.

    For example, you might copy these files to the directory \ssldb.

  2. Modify the LDAP security adapter configuration. Configure the following parameters:
    • port = 636

      The SSL port is configurable for the LDAP server. Verify the actual port number the LDAP server is using for SSL.

    • ssldatabase = CMS_file_path

      Specify the absolute path to the CMS key database, such as d:\ssldb\ldapkey.kdb.

  3. Restart the Siebel Server (if you are configuring LDAP on a Siebel Server).
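The following is an added example, not code from the Siebel Security Guide or from Oracle: it shows how to pick the correct iKeyMan data type (Base-64 versus DER) for a CA certificate file, and how to check the port and ssldatabase settings against the rules above (absolute local path, .kdb file, matching .sth stash file). The certificate bytes and the set of files present on the Siebel Server are constructed for the example.

```python
import ntpath
import re

PEM_HEADER = re.compile(rb"-----BEGIN CERTIFICATE-----")

# Constructed sample inputs (not real certificates or a real Siebel Server).
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_DER = b"\x30\x82\x01\x0a\x30\x81\xf2"   # ASN.1 SEQUENCE, long-form length
SAMPLE_FILES = {"d:\\ssldb\\ldapkey.kdb", "d:\\ssldb\\ldapkey.sth"}


def detect_cert_data_type(data: bytes) -> str:
    """Return the iKeyMan data type to select when adding a CA certificate."""
    if PEM_HEADER.search(data):
        return "Base-64 encoded ASCII data"
    # DER certificates start with a SEQUENCE tag (0x30) and a definite length:
    # either a short form (< 0x80) or a long form with 1 to 4 length bytes.
    if len(data) >= 2 and data[0] == 0x30:
        length_byte = data[1]
        if length_byte < 0x80 or 0x81 <= length_byte <= 0x84:
            return "DER binary data"
    raise ValueError("not a PEM or DER certificate file")


def check_ssl_adapter_config(params: dict, existing_files: set) -> list:
    """Check the LDAP security adapter's port and ssldatabase parameters.

    existing_files stands in for the Siebel Server file system so the check
    runs offline. Returns a list of problems; an empty list means OK.
    """
    problems = []
    port = params.get("port")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append("port must be the LDAP server's SSL port (often 636)")
    db = params.get("ssldatabase", "")
    drive, _ = ntpath.splitdrive(db)
    if not ntpath.isabs(db) or not drive:
        problems.append("ssldatabase must be an absolute path with a drive letter")
    elif drive.startswith("\\\\"):
        problems.append("ssldatabase must be on a local drive, not a UNC share")
    if not db.lower().endswith(".kdb"):
        problems.append("ssldatabase must point to a .kdb CMS key database")
        return problems
    if db not in existing_files:
        problems.append("CMS key database %s not found" % db)
    stash = db[:-4] + ".sth"   # stash file shares the key database's base name
    if stash not in existing_files:
        problems.append("stash file %s missing; recreate the key database with "
                        "'Stash the password to a file' selected" % stash)
    return problems
```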
Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices.