polywogsys (polywogsys) wrote,
polywogsys
polywogsys

Enabling SSL Client Trust for TDI / IDI ... Simply

So you want to connect to that LDAP server via SSL, but don't know or can't make heads or tails of the IBM documentation? Here are a couple of easy steps that took me forever to figure out the right order and location.
First it's assumed that you have TDI V7.1.1 or higher. It's assumed that you're running the ibmditk on the same box as ibmdisrv. When you installed TDI, it asked to select a "Solutions" directory. Make sure you know where that is. If you don't know the default solutions directory go to the TDI_install_dir/bin and see "defaultSolDir.sh" for the contents. In my case it's: /opt/IBM/TDI/V7.1.1/bin/defaultSolDir.sh and the solutions directory is TDI_SOLDIR="/opt/IBM/TDI/solutions".

1) download the certificate from the LDAP (or whatever SSL) server you want to connect to. You can easily use a tool like Portecle to do an SSL connect to the server, and save the certificate as a PEM file. For our purposes "foo.pem".
2) start the ibmditk (TDI Console)
3) select "Keymanager"
3.1) open the solutions directory's jks file: /opt/IBM/TDI/solutions/serverapi/testadmin.jks
3.2) the password is "administrator"
3.3) select the dropdown to "signer certificate"
3.4) add the PEM certificate foo.pem
3.5) save the file with the same password, and click OK to overwrite.
4) In the TDI console under Servers, click "STOP Server", wait until it stops and Quit or Restart the TDI Console.
5) Start the TDI Console, and go to "Resources" -> "Connectors"
6) Add a connector for the SSL server you want to connect to. In our case an LDAP server on port 636 as SSL.
7) Fill out the appropriate information, and goto "Input Map" tab -> "Connect" on right.
8) DONE.

Now, I leave it up to the reader to then customize the jks file's password, location, etc. Warning... it's sticky to untangle internals client/server certs.
Tags: certs, ibm, identity manager, ssl, tdi
Subscribe

Recent Posts from This Journal

  • Cisco AnyConnect VPN w/ MFA for OpenSuSE

    So I tried to install Cisco AnyConnect client on my Linux box (OpenSuSE Leap 15.2). Unzipped anyconnect-linux64-4.8.03036 and descended into vpn…

  • Firefox Lost one More User to MegaBar

    So Firefox introduced the "MegaBar" a souped up version of a URLBar. It's horrible, distracting, and there're no way of turning it…

  • being way too rational...

    <<The lead spokesperson should be a scientist. Dr. Richard Besser, a former acting C.D.C. director and an E.I.S. alumnus, explained to me,…

  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 1 comment