Configuring Directory Assistance for SSL

Modifying the IBM® Domino® Directory Assistance document is required when you use SSL to encrypt the data transmitted between the IBM Domino server and the LDAP server.

About this task

Use this procedure if you want the authentication data that is sent during a web login to the Domino server to be forwarded to the LDAP server over a secured connection. For example, complete this procedure if you want the authentication data sent during a web login to the legacy admin pages on the IBM Sametime® Community Server to reach the LDAP server over a secured connection.

Procedure

  1. From an IBM Notes® client, open the Directory Assistance database da.nsf.
    1. Click File > Database > Open.
    2. For the Server, select Local.
    3. Select the Directory Assistance database (da.nsf).
    4. Click Open.
  2. In the Directory Assistance database, double-click the Directory Assistance document for the LDAP server to open the document.
  3. Click Edit Directory Assistance.
  4. Next, click the Basics tab.
  5. In the Make this domain available to: field, select Notes Clients & Internet Authentication/Authorization.
  6. Now click the LDAP tab.
  7. Fill in the following fields:

    Channel encryption: Select SSL.

    Port: Specify the same port that appears in the LDAP SSL port field of the LDAP Directory > Connectivity options in the Sametime Administration Tool. This port is the one on which the LDAP server listens for SSL connections; the default is port 636.

    Accept expired SSL certificates: Select Yes (the default setting) to accept a certificate from the LDAP directory server even if the certificate has expired. For tighter security, select No to require the Sametime Community server to check certificate expiration dates; if the certificate presented by the LDAP server has expired, the connection is terminated.

    SSL protocol version: Select the version of the SSL protocol to use. The choices are:
    • V2.0 only - Allows only SSL 2.0 connections.
    • V3.0 handshake - Attempts an SSL 3.0 connection. If this attempt fails but Sametime detects that SSL 2.0 is available on the LDAP server, Sametime attempts the connection using SSL 2.0.
    • V3.0 only - Allows only SSL 3.0 connections.
    • V3.0 and V2.0 handshake - Attempts an SSL 3.0 connection, but starts with an SSL 2.0 handshake that displays relevant error messages. Use this setting to receive V2.0 error messages when trying to connect to the LDAP server; these messages might provide information about compatibility problems found during the connection.
    • Negotiated - Lets SSL determine the handshake and protocol version required.

    Verify server name with remote server's certificate: Select Enabled (the default setting) to verify the name of the LDAP server against the remote server's certificate. If the names do not match, the connection is terminated. For more relaxed security, select Disabled (the server name is not verified with the certificate).

  8. Click Save and Close to close the Directory Assistance document.
  9. Close the Directory Assistance database.

For more information regarding setting up SSL on a Domino server, see the topic on Setting up SSL on a Domino server in the Domino wiki.
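The two options that matter most for the security of this connection are "Accept expired SSL certificates" and "Verify server name with remote server's certificate": choosing No and Enabled only works if the LDAP server's certificate on its SSL port (636 by default) is actually current and issued for the host name Domino connects to. The following pre-flight check is an added example, not code from IBM or from the Domino or Sametime products. It connects to the LDAP SSL port with Python's standard library, lets the library verify the chain and expiry, and then performs the same kind of host-name match the Directory Assistance option enables, so that a mismatch is reported rather than discovered as a terminated connection after the document is saved. The host name, the CA file argument and the SAMPLE_CERT dictionary are constructed assumptions for illustration.

```python
"""Pre-flight check of an LDAP server's SSL listener.

Added example, not part of the IBM documentation: confirm that the LDAP
server on its SSL port (636 by default) presents a certificate that is
trusted, not expired, and issued for the host name Domino will connect to,
before selecting "Accept expired SSL certificates: No" and "Verify server
name with remote server's certificate: Enabled" in Directory Assistance.
"""
import socket
import ssl
import time

# Constructed sample in the dictionary form returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "*.directory.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# Constructed "current time" so the demo run below is reproducible
EXAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2029 GMT")


def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def cert_names(cert):
    """DNS subjectAltName entries plus the subject commonName."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Match one certificate name against a host name: case-insensitive, with
    a wildcard accepted only as the entire left-most label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return bool(head) and sep == "." and tail == pattern[2:]
    return pattern == hostname


def cert_matches_host(cert, hostname):
    """The check that 'Verify server name with remote server's certificate' enables."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def summarize(cert, hostname, now=None):
    """Findings for one certificate; 'expired' and 'name_matches_host' map to
    the two Directory Assistance options discussed in the procedure."""
    days = days_until_expiry(cert, now)
    return {
        "names": cert_names(cert),
        "days_until_expiry": days,
        "expired": days < 0,
        "name_matches_host": cert_matches_host(cert, hostname),
    }


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Connect to host:port, complete the SSL/TLS handshake and summarize.

    Chain trust and expiry are verified by the library (CERT_REQUIRED, the
    default of create_default_context); host-name matching is done here so a
    mismatch is reported instead of aborting the handshake. Any connection or
    handshake failure is returned in the 'error' field.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result = summarize(tls.getpeercert(), host)
                result["protocol"] = tls.version()  # negotiated protocol version
                return result
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"error": str(exc)}


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate; for a real server
    # call check_ldaps("ldap.example.com", 636, cafile="/path/to/ca.pem").
    print(summarize(SAMPLE_CERT, "dc1.directory.example.com", now=EXAMPLE_NOW))
    print(summarize(SAMPLE_CERT, "other.example.com", now=EXAMPLE_NOW))
```

A result with `expired` False and `name_matches_host` True means the stricter settings (No for expired certificates, Enabled for name verification) can be chosen without the connection being terminated; a small `days_until_expiry` value is the cue to renew the LDAP server's certificate before it trips that check. The `protocol` field shows which version the server actually negotiated, which is the information the "SSL protocol version" option depends on.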