This section discusses the AIX 5L LDAP client configuration to use SSL to secure the connection to the server. For more information about why you would use SSL please refer to 3.1.8, “Using SSL to secure LDAP connection” on page 59.
Each of the three scenarios covered in this book has a section discussing the steps to configure SSL in that scenario:
For more information about SSL in the Sun ONE Directory scenario refer to 5.6, “SSL configuration” on page 178.
For more information about using SSL in an IBM Tivoli Directory Server environment refer to 6.3.3, “Step 3: Creating a key database to use with SSL clients” on page 195.
For more information about SSL in the Microsoft Active Directory scenario refer to 8.2.4, “Configuring LDAP to use SSL” on page 247.
Software installation requirements
In order to use SSL with the AIX 5L LDAP client, you must install the SSL-enabled LDAP client package together with the GSKit packages it uses for certificate handling. The packages required for SSL support in the AIX 5L LDAP client are listed below:
ldap.max_crypto_client
gsksa.rte
gskta.rte
For more information about installing the required packages refer to 4.2.1, “AIX 5L LDAP client software installation” on page 105.
Configuring LDAP client to work with server-side certificates
To get AIX 5L to work with an SSL-enabled server, the client must be able to verify the server's certificate. Therefore the CA certificate must be installed in the client's key ring and flagged as a trusted certificate.
The examples in this section only cover the command-line tool. A detailed explanation of the usage of the GUI can be found in 5.6, “SSL configuration” on page 178.
For more information about IBM Global Security Toolkit, please visit the following location for the product documentation:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame2.doc_5.1/ss7aumst.htm
Generating a key database
To generate a key database, the command line tool gsk7cmd will be used with the following parameters:
-keydb This defines the type of operation.
-create The action is to create a new key database.
-db filename This is the file name of the key database (key.kdb).
-pw password This specifies the password to encrypt the key ring file (its0g00d).
-type type This defines the type of the key database (CMS).
The command will return without any response. To verify that the file is there and usable, list the CA certificates that are included by default with the following command:
gsk7cmd -cert -list CA -db <key ring> -pw <password>
This step is shown in Example 4-5.
Example 4-5 Creating a key ring file
# gsk7cmd -keydb -create -db /etc/security/ldap/key.kdb -pw its0g00d -type cms
# gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw its0g00d
Certificates in database: /home/root/key.kdb
Entrust.net Global Secure Server Certification Authority
Entrust.net Global Client Certification Authority
Entrust.net Client Certification Authority
Entrust.net Certification Authority (2048)
Entrust.net Secure Server Certification Authority
VeriSign Class 3 Public Primary Certification Authority
VeriSign Class 2 Public Primary Certification Authority
VeriSign Class 1 Public Primary Certification Authority
VeriSign Class 4 Public Primary Certification Authority - G2
VeriSign Class 3 Public Primary Certification Authority - G2
VeriSign Class 2 Public Primary Certification Authority - G2
VeriSign Class 1 Public Primary Certification Authority - G2
VeriSign Class 4 Public Primary Certification Authority - G3
VeriSign Class 3 Public Primary Certification Authority - G3
VeriSign Class 2 Public Primary Certification Authority - G3
VeriSign Class 1 Public Primary Certification Authority - G3
Thawte Personal Premium CA
Thawte Personal Freemail CA
Thawte Personal Basic CA
Thawte Premium Server CA
Thawte Server CA
RSA Secure Server Certification Authority
#
Adding a CA certificate to the key database
In order to add the CA's certificate to the key database, GSKit requires that all human-readable text be removed from the certificate file. The final certificate file should contain only the base64-encoded certificate between the begin and end certificate markers. The command gsk7cmd is used with the following parameters:
-cert This specifies to perform a certificate operation.
-add This specifies to add something.
-db <filename> This is the file name of the key ring file (key.kdb).
-file <filename> This is the file containing the CA certificate (cacert.pem).
-format <ascii | binary> This is the format of the CA certificate. Here the ASCII format is used.
-label <label> This specifies a label that is used for that certificate (example.com CA Certificate).
-pw <password> This specifies the password for the key ring (its0g00d).
-trust <enable | disable> This specifies whether the certificate should be trusted. Enable must be used here to get a working key ring file (enable).
This command will also return with no output. To verify the CA certificate use the following commands (as shown in Example 4-6):
gsk7cmd -cert -list CA -db <key ring> -pw <password>
gsk7cmd -cert -details -showOID -db <key ring> -pw <password> -label <LABEL>
Example 4-6 Adding a CA certificate to a key database
# gsk7cmd -cert -add -db /etc/security/ldap/key.kdb -file cacert.pem -format ascii -label "Example.com CA Certificate" -pw its0g00d -trust enable
# gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw its0g00d
Certificates in database: /home/root/key.kdb
Example.com CA Certificate
Entrust.net Global Secure Server Certification Authority
...
RSA Secure Server Certification Authority
# gsk7cmd -cert -details -showOID -db /home/root/key.kdb -pw its0g00d -label "Example.com CA Certificate"
Key Label: Example.com CA Certificate
TBS Certificate
Version: X509 V3
Serial Number: 00
Issuer
Country or region Type: 2.5.4.6 Value: us
State/Province Type: 2.5.4.8
...
Enable SSL in ldap.cfg
In the ldap.cfg file the configuration for the use of SSL and for the key database file must be made.
The configuration for ldap.cfg can be done by the following options of mksecldap:
-k SSLkeypath Specifies the file name with the complete path for the key ring file.
-w SSLkeypasswd Specifies the password for the key ring file.
-n serverport Specifies the server port to use. This is optional. The default is 636 for SSL.
The options affecting the SSL configuration are listed in Table 4-2 on page 109.
The configuration and the resulting part of the ldap.cfg file are shown in Example 4-7.
Example 4-7 SSL configuration
# mksecldap -c -h bs01b02 -a "cn=admin" -p its0g00d -d dc=example,dc=com -k /etc/security/ldap/key.kdb -w its0g00d
# cat /etc/security/ldap/ldap.cfg
...
useSSL:yes
ldapsslkeyf:/etc/security/ldap/key.kdb
ldapsslkeypwd:{DES}78FDE8A9C458261715F78C82555B9903247B19637669A0
ldapport:389
ldapsslport:636
...
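As an added check (not part of the Redbook or of mksecldap), the following script parses the key:value lines of an ldap.cfg as shown in Example 4-7 and reports settings that would leave the LDAP connection unencrypted or the key ring unusable. The file name is a parameter, so it can be run against a copy; the sample content used in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the Redbook: audit the SSL settings that
# "mksecldap -k ... -w ..." writes into /etc/security/ldap/ldap.cfg.
# The file uses one "key:value" setting per line; lines starting with
# "#" are comments. Tested with POSIX sh and awk, so it runs on AIX too.

# cfg_get <file> <key>: print the value of the first uncommented
# "key:value" line for <key>, or nothing if the key is absent.
cfg_get() {
    awk -v k="$2" -F: '$1 == k { sub("^[^:]*:", ""); print; exit }' "$1"
}

# ldapcfg_ssl_check <ldap.cfg>: return 0 when SSL is fully configured,
# 1 otherwise. Every finding is written to stderr.
ldapcfg_ssl_check() {
    cfg=$1; rc=0
    usessl=$(cfg_get "$cfg" useSSL)
    keyf=$(cfg_get "$cfg" ldapsslkeyf)
    keypwd=$(cfg_get "$cfg" ldapsslkeypwd)
    sslport=$(cfg_get "$cfg" ldapsslport)

    # useSSL must be exactly "yes"; anything else means clear-text LDAP.
    case "$usessl" in
        yes) ;;
        *) echo "useSSL is '$usessl', not yes: LDAP traffic is not encrypted" >&2; rc=1 ;;
    esac
    # Without a key ring and its password the client cannot open an SSL session.
    [ -n "$keyf" ] || { echo "ldapsslkeyf not set: no key ring file for SSL" >&2; rc=1; }
    [ -n "$keypwd" ] || { echo "ldapsslkeypwd not set: key ring cannot be opened" >&2; rc=1; }
    # mksecldap -w stores the password in the {DES} form seen in Example 4-7;
    # a value without that prefix is worth a look but is only reported.
    case "$keypwd" in
        ""|"{DES}"*) ;;
        *) echo "note: ldapsslkeypwd is not in the {DES} form written by mksecldap" >&2 ;;
    esac
    [ -n "$sslport" ] || { echo "ldapsslport not set (SSL default is 636)" >&2; rc=1; }
    return $rc
}
```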
Configuring LDAP client to work with client-side certificates
Up to now only the client is able to verify the identity of the server. This is the normal implementation and the most widely used.
For certain applications it might be necessary for the server to be able to verify the identity of the client. Therefore we can deploy a client-side certificate that allows the server to verify the identity of the client.
Note: There is no change necessary on the LDAP client itself. The only difference is that the key ring has a key and a certificate that can be used.
To do this we have to:
1. Create a public/private key pair and a certificate signing request.
2. Get the certificate signed by our CA (not explained here).
3. Import our certificate and set it as the default certificate.
Create a public/private key pair and a certificate signing request
To create the key pair and the certificate signing request, gsk7cmd with the following parameters is used:
-certreq This specifies to perform a certificate request operation.
-create This specifies to create a new certificate signing request.
-db <filename> This is the file name of the key ring file (key.kdb).
-pw <password> This specifies the password for the key ring (its0g00d).
-label <label> This specifies a label that is used for the certificate signing request now and for the certificate later (bs01b13).
-dn <DN> This specifies the distinguished name for the certificate and the request ("C=us, ST=TX, L=Austin, O=example.com, CN=bs01b13").
-size <key size> This specifies the size of the key to use (1024).
-file <filename> This specifies the file name to store the output for the certificate request (bs01b13.req).
This command does not produce usable output on the command line. To verify whether the command was successful, the following commands can be issued:
gsk7cmd -certreq -list -db <filename> -pw <password>
gsk7cmd -certreq -details -label <label> -db <filename> -pw <password>
Also, the output file can be examined. The output of these two commands is shown in Example 4-8.
Example 4-8 Creating a certificate signing request
# gsk7cmd -certreq -create -db key.kdb -pw its0g00d -label "bs01b13" -dn "C=us, ST=TX, L=Austin, O=example.com, CN=bs01b13" -size 1024 -file bs01b13.req
# gsk7cmd -certreq -list -db key.kdb -pw its0g00d
Certificate requests in database: key.kdb
bs01b13
# gsk7cmd -certreq -details -label "bs01b13" -db key.kdb -pw its0g00d
Label: bs01b13
Key Size: 1024
Subject: bs01b13 example.com Austin, TX, us
Fingerprint: 2A:F9:68:2F:ED:57:AA:76:13:2A:0D:27:07:22:3F:BD
Signature Algorithm: 1.2.840.113549.1.1.4
#
Afterwards the certification request in the file has to be sent to a CA for signing.
The CA will return a certificate that can be imported to the key ring.
Import our certificate and set it as default certificate
The certificate that the CA returned has to be in a format without additional text.
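Both the CA certificate added earlier and the certificate returned by the CA must contain nothing but the block between the BEGIN and END CERTIFICATE markers before gsk7cmd will accept them. The following added example (not from the Redbook or from GSKit) strips a certificate file down to that block and verifies the result before it is passed to gsk7cmd -cert -add or -receive; the file names and the sample certificate text are constructed.

```shell
#!/bin/sh
# Added example, not from the Redbook or GSKit: prepare a certificate file
# for "gsk7cmd -cert -add" / "gsk7cmd -cert -receive", which require that
# only the text between the BEGIN and END CERTIFICATE markers remain.
# Uses POSIX awk only, so it works on AIX as well as Linux.

# pem_strip <input> <output>: copy only the first
# "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" block.
# Returns 1 if no complete block was found (the output is then unusable).
pem_strip() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
        inblock { print }
        inblock && /^-----END CERTIFICATE-----$/ { found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1" > "$2"
}

# pem_check <file>: succeed only if the file is exactly one PEM block:
# BEGIN marker, one or more base64 lines, END marker, and nothing else.
pem_check() {
    awk '
        NR == 1 && $0 != "-----BEGIN CERTIFICATE-----" { bad = 1 }
        NR > 1 && !/^-----END CERTIFICATE-----$/ && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
        /^-----END CERTIFICATE-----$/ { last = NR }
        END { if (NR < 3 || bad || last != NR) exit 1 }
    ' "$1"
}

# Constructed sample: the kind of file a CA hands back, with readable text
# before the PEM block. The base64 below is made up, not a real certificate.
make_sample() {
    cat > "$1" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=us, ST=TX, L=Austin, O=example.com, CN=CA
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIBBjANBgkqhkiG9w0BAQQFADA3MQswCQYDVQQGEwJ1czEL
MAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEMMAoGA1UEChMDQ0E=
-----END CERTIFICATE-----
EOF
}

# prepare_cert <raw-from-CA> <clean-for-gsk7cmd>: 0 when the clean file is GSKit-ready.
prepare_cert() {
    pem_strip "$1" "$2" && pem_check "$2"
}
```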
The import will be done with the gsk7cmd with the following parameters:
-cert This specifies to perform a certificate operation.
-receive This specifies that a certificate for an existing key will be received.
-db <filename> This is the file name of the key ring file (key.kdb).
-pw <password> This specifies the password for the key ring (its0g00d).
-file <filename> This is the file containing the certificate returned by the CA (bs01b13.cert).
-format <ascii | binary> This is the format of the file in which our certificate is stored. Here the ASCII format is used.
-default_cert <yes | no> This specifies whether this certificate and its key should be used as the default. Yes must be used here to get a working key ring file for the LDAP client.
This command does not produce usable output on the command line. To verify whether the command was successful, the following command can be issued:
gsk7cmd -cert -getdefault -db <filename> -pw <password>
The result, and with it the information from the certificate, is shown in Example 4-9.
Example 4-9 Importing a certificate to the key database
# gsk7cmd -cert -receive -file bs01b13.cert -db key.kdb -pw its0g00d -format ascii -default_cert yes
# gsk7cmd -cert -getdefault -db key.kdb -pw its0g00d
Label: bs01b13
Key Size: 1024
Version: X509 V3
Serial Number: 06
Issued By: CA example.com Austin, TX, us
Subject: bs01b13 example.com Austin, TX, us
Valid From: Monday, October 3, 2005 5:07:41 PM CDT To: Tuesday, October 3, 2006 5:07:41 PM CDT
Fingerprint: 5D:D3:35:74:5C:38:96:A4:D1:D5:26:03:A1:AF:2A:97:BC:79:6B:20 Signature Algorithm: 1.2.840.113549.1.1.4
Trust Status: enabled
The installation of the client certificate is now complete.