LDAP-UX Integration B.04.20 Release Notes (June 2009)

4. Install the required patches listed above, if they have not been installed yet.
NOTE: Starting with LDAP-UX product version B.03.20, a system reboot is not required
after installing the product. A reboot might still be required by patches that are
installed at the same time as this product.
Configuring the LDAP-UX Client
If you want to enable SSL or TLS support in LDAP-UX, you must configure the LDAP
directory server to support SSL or TLS, and install the certificate of the server or of the issuing
certificate authority in the security databases (/etc/opt/ldapux/cert8.db and
/etc/opt/ldapux/key3.db) on your client before you run the setup program. For SSL or
TLS setup details, refer to LDAP-UX Client Services Administrator's Guide or LDAP-UX Client
Services with Microsoft Windows 2003/2003 R2/2008 Active Directory Administrator's Guide.
If your browser does not generate the cert7.db or cert8.db and key3.db security database files,
you must export the certificate (preferably the root certificate of the Certificate Authority that
signed the LDAP server's certificate) from your certificate server as a Base64-Encoded certificate
and use the certutil utility to create the cert8.db and key3.db security database files.
Use the following steps to create the security database files:
1. Retrieve the Base64-Encoded certificate from the certificate server and save it.
2. If the /etc/opt/ldapux/cert8.db or /etc/opt/ldapux/key3.db database files do
not exist, use the certutil utility with the -N option to initialize a new database:
/opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux
3. Add the CA certificate or the LDAP server's certificate to the security database:
To use the certutil command to add a CA certificate to the database:
For example, the following command adds the CA certificate, my-ca-cert, to the
security database directory, /etc/opt/ldapux, from the Base64-Encoded certificate
file, /tmp/mynew.cert:
/opt/ldapux/contrib/bin/certutil -A -n my-ca-cert -t \
"C,," -d /etc/opt/ldapux -a -i /tmp/mynew.cert
NOTE: The -t "C,," represents the minimum trust attributes that may be assigned
to the CA certificate for LDAP-UX to successfully use SSL to connect to the LDAP
directory server. If you have other applications that use the CA certificate for other
functions, then you may wish to assign additional trust flags. See
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html for additional information.
To use the certutil command to add the LDAP server's certificate to the security
database:
For example, the following command adds the LDAP server's certificate,
my-server-cert, to the security database directory, /etc/opt/ldapux, from the
Base64-Encoded certificate file, /tmp/mynew.cert:
/opt/ldapux/contrib/bin/certutil -A -n my-server-cert -t \
"P,," -d /etc/opt/ldapux -a -i /tmp/mynew.cert
NOTE: The -t "P,," represents the minimum trust attributes that may be assigned
to the LDAP server's certificate for LDAP-UX to successfully use SSL to connect to the
LDAP directory server. See http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
for additional information.
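The three steps above, as an added shell script that is not part of the HP release notes: it checks that the exported file really is a Base64-Encoded (PEM) certificate rather than a certificate request, initialises cert8.db/key3.db only when they are missing, imports the certificate with the page's minimum trust flags ("C,," for a CA certificate, "P,," for the server certificate), and lists it back so the stored flags can be confirmed. The certutil path and database directory are the page's values; the CERTUTIL and DBDIR overrides, the function names and the PEM check are assumptions made here.

```shell
#!/bin/sh
# Added example, not HP's code: wraps the LDAP-UX certutil procedure.
set -u

CERTUTIL=${CERTUTIL:-/opt/ldapux/contrib/bin/certutil}   # page's certutil path
DBDIR=${DBDIR:-/etc/opt/ldapux}                           # page's NSS database dir

# Return 0 if the file carries a PEM CERTIFICATE header and footer.
# certutil -a expects this format; a DER file or a CSR
# ("-----BEGIN CERTIFICATE REQUEST-----") is not what step 1 exported.
pem_has_cert() {
    f=$1
    [ -r "$f" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q '^-----END CERTIFICATE-----' "$f" || return 1
    return 0
}

# Minimum SSL trust flags from the page: "C" (trusted CA) for a CA
# certificate, "P" (trusted peer) for the LDAP server's own certificate.
# The first comma-separated field is the SSL field; the e-mail and
# object-signing fields stay empty because LDAP-UX does not use them.
trust_flags_for() {
    case $1 in
        ca)     echo "C,," ;;
        server) echo "P,," ;;
        *)      return 1 ;;
    esac
}

# Step 2: create cert8.db/key3.db only if they do not exist yet, so the
# script can be re-run without touching an already populated database.
init_db_if_missing() {
    if [ ! -f "$DBDIR/cert8.db" ] || [ ! -f "$DBDIR/key3.db" ]; then
        "$CERTUTIL" -N -d "$DBDIR"
    fi
}

# Step 3: import under a nickname with the role's trust flags, then
# print the stored certificate so the operator can verify the flags.
ldapux_add_cert() {
    role=$1 nick=$2 pem=$3
    pem_has_cert "$pem" || { echo "$pem: not a PEM certificate" >&2; return 1; }
    flags=$(trust_flags_for "$role") || { echo "role must be ca|server" >&2; return 1; }
    init_db_if_missing
    "$CERTUTIL" -A -n "$nick" -t "$flags" -d "$DBDIR" -a -i "$pem" &&
    "$CERTUTIL" -L -d "$DBDIR" -n "$nick"
}
```

Invoke it as `ldapux_add_cert ca my-ca-cert /tmp/mynew.cert` (or `server my-server-cert ...`) on the client, with DBDIR pointing elsewhere if you want to rehearse against a scratch database first.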
If you want to use LDAP-UX with Microsoft Windows 2003 Active Directory with Services for
UNIX version 2.0 (SFU 2.0), or to use Windows Active Directory Server 2003 R2 or 2008 with
Installing and Configuring the LDAP-UX Client Services 19