Customize the Slapd Configuration File

After installation and post-installation activities, you must modify the slapd.conf configuration file. This file is divided into the following sections: global, backend options, and database-specific options. The file resides in the HFS installation directory. This section describes the following sections of the slapd.conf file:
  • Global options
    All options that are specified before a backend or a database statement are global options. Global options control how the CA LDAP Server behaves for all databases, what attributes and object classes are valid, and how authentication of user IDs and passwords is performed. Specify these options once.
  • Database-specific options
    Specifies the database-specific sections. Specify options in each database section that are appropriate for that specific database.
Keywords are not case sensitive, but their values are. When you enter file names with directory structures, use the proper case.
Global Options
The following list details all global options, including defaults. If you want to use the default value, you do not need to supply the option. All option keywords must start in column one of the configuration file.
  • allow <features>
    Specifies a set of features (separated by white space) to allow.
    Default: none
    Example:
    allow bind_anon_cred
    The valid values for <features> are:
    • bind_v2
      Allows acceptance of LDAPv2 bind requests. Note that slapd(8) does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494).
    • bind_anon_cred
      Allows an anonymous bind when credentials are not empty (for example, when DN is empty).
    • bind_anon_dn
      Allows an unauthenticated (anonymous) bind when the distinguished name (DN) is not empty.
    • update_anon
      Allows unauthenticated (anonymous) update operations to be processed (subject to access controls and other administrative limits).
    • proxy_authz_anon
      Allows unauthenticated (anonymous) proxy authorization control to be processed (subject to access controls, authorization and other administrative limits).
    • none
      Specifies not to allow any features.
  • argsfile
    (optional) Specifies an output file where the STC startup parameters of the CA LDAP Server are written at startup. By default, they are not written anywhere.
    Example:
    argsfile /your_slapd_dir/slapd.args
  • authCertificateLabel
    Specifies the label of the certificate that identifies the CA LDAP Server to the remote CA DSI Server server designated in the authServer configuration option. This parameter is meaningful only if the authServer option specifies the ssl-required argument and the remote CA DSI Server server is configured to request a certificate from the CA LDAP Server. The default value for this option is the certificate designated in the TLSCertificateLabel option.
    Example:
    authCertificateLabel "my label"
    The value "my label" is the label that is assigned to the certificate when the certificate was connected to the keyring. If the value contains embedded blanks, enclose it in double quotes.
    The certificate that is designated by "my label" must have USAGE PERSONAL. In addition, the user ID of the CA LDAP Server must be the owner of the certificate.
    It is also possible to use a SITE certificate here. If you do, then the user ID for the CA LDAP Server must have CONTROL authority to the IRR.DIGTCERT.GENCERT resource in the FACILITY class.
  • authCodeset
    Specifies the name of an EBCDIC codeset. The CA LDAP Server converts the user ID and password from UTF-8 to this EBCDIC codeset before passing them to the external security manager for authentication.
    Default: IBM-1047
    Format:
    authCodeset csname
    The value csname must designate a single-byte EBCDIC code system. Possible values of this argument are documented in the IBM XL C/C++ Programming Guide. In that table, csname must be one of the values in the FromCode column. The value in the ToCode column is always UTF-8.
  • authID
    (optional) Specifies a single user ID that is cached in memory. This information is used to authenticate all binds for this user ID. Doing so reduces the number of RACROUTE VERIFY calls that are issued to the external security manager (ESM). The user ID is not configured by default. See the authPW option.
    Example:
    authId adminid
    This keyword is deprecated and will be removed in a subsequent release.
  • authLocation
    (optional) Specifies where the bind DN and password are validated. For certificate logon this option must be set to OS390.
    Example:
    authLocation OS390
    Default: OS390
    The valid values are:
    • OS390
      Your external security manager validates the ID and password on the node where the CA LDAP Server is running. The LDAP Server determines the user ID to use by looking for cn=, acf2lid= or tssacid= as the first RDN in the DN. The rest of the DN is ignored.
    • SYNTAX
      The syntax of the logon DN determines how validation is carried out. For example, if you specify a DN of cn=user, o=company, c=us, the validation is carried out by the database that services that DN. Like OS390, when the syntax is acf2lid=user, o=company, c=us, CA ACF2 for z/OS carries out the validation. If the syntax is tssacid=user, o=company, c=us, CA Top Secret for z/OS carries out the validation.
    • BACKEND
      Validation is carried out by whichever back end handles requests for the DN that is passed. The DN is not overridden; it is passed to the appropriately configured back end based on the suffix value.
  • authPW
    (optional) Specifies the password that is used for the authID option. The syntax is a relative or fully qualified file name. The file is generated using the authid command line utility.
    Example:
    authPw /ldap_install_directory/authid.pwd
    This keyword is deprecated and will be removed in a subsequent release.
  • authServer
    Specifies the IP address and port of a remote CA DSI Server server. This option configures the CA LDAP Server to perform all user ID/password authentications to a remote external security manager.
    The keyword ssl-required indicates that the communication between the CA LDAP Server and the remote CA DSI Server server is secured using Transport Layer Security. If this argument is omitted, the communication is not secured.
    Default: not secured
    Format:
    authServer [host_ip | host_name] host_port [ssl-required]
    Although the initial bind validation is performed on a remote system, the user ID and password must exist on the local system if local security information is accessed.
  • authSource
    Specifies the resource profile class name under which the IP address is passed as the SOURCE value on the ID and password validation call to the z/OS external security manager.
    Default: SERVER
    The valid values are as follows:
    • CLIENT
      Indicates that the resource profile class name of the client application is passed on the RACROUTE call. For an IPv4 client, the exact resource profile class name is determined by the PortOfEntry4 option. For an IPv6 client that is mapped into a network security zone by a NETACCESS statement in the TCPIP PROFILE, the netaccess resource name in the SERVAUTH class is passed on the RACROUTE call. For an IPv6 client that is not mapped, no resource profile class name is passed on the RACROUTE call.
    • SERVER
      For an IPv4 client, the IPv4 address of CA LDAP Server is passed on the RACROUTE call as an 8-byte hexadecimal character string resource name in the TERMINAL class. For an IPv6 client, no resource profile class name is passed on the RACROUTE call.
      By default, the CA LDAP Server runs on every TCP/IP port that the LPAR has configured. Therefore, the server's IP address is 0.0.0.0. To pass the actual IP address of the LPAR on which the CA LDAP Server is running, configure the CA LDAP Server to start on a specific IP address. To change this option, see the hosturls option.
    • string
      Indicates the actual value of the string that is passed on the RACROUTE call. If the length of string is less than or equal to eight, the string is passed as a resource name in the TERMINAL class. If the length of string is greater than eight, the string is passed as a resource name in the SERVAUTH class.
  • authVerifyClient
    Specifies whether to verify the certificate of the CA DSI Server server.
    Default: off
    Format:
    authVerifyClient [ on | off ]
    If this option specifies that the CA LDAP Server is to verify the CA DSI Server server certificate, the following conditions must be met:
    • The certificate of the CA that signed the CA DSI Server server certificate must be present in the certificate store of the CA LDAP Server. See the TLSKeyringName option for how to define the certificate store.
    • The CA DSI Server server certificate must have a subjectAltName extension of type DNS with the value of the CA DSI Server server host name. This value must exactly match the value for host_name given in the authServer option, except for case.
  • codeset
    Specifies the name of an EBCDIC codeset. The CA LDAP Server converts the host fields from UTF-8 to this EBCDIC codeset before passing them to the external security manager.
    Default: IBM-1047
    Format:
    codeset csname
    The value csname must designate a single-byte EBCDIC code system. Possible values of this argument are documented in the IBM XL C/C++ Programming Guide. Based on the information in this guide, csname must be one of the values in the FromCode column. The value in the ToCode column is always UTF-8.
  • debug
    (optional) Specifies the amount of information that the server writes to the stderr file. You can specify a numeric or text value. The following table details the valid values. The value is set to the bit-wise OR of all of the arguments on the configuration line.
    For a numeric value, each number is a decimal integer value. The value is taken as a bit string, with each bit corresponding to different trace information. Available log levels are listed in the following table.
    Default: n/a
    Examples:
    debug 5
    debug ACL, Stats
Text | Hex Value | Decimal Value | Type of Traced Information
ANY | -1 | N/A | All levels of tracing
TRACE | 0x00000001 | 1 | Entrance/Exit to functions
PACKETS | 0x00000002 | 2 | Packet dumps
ARGS | 0x00000004 | 4 | Arguments to routines
CONNS | 0x00000008 | 8 | Connection information
BER | 0x00000010 | 16 | BER structures
FILTER | 0x00000020 | 32 | Filter information
CONFIG | 0x00000040 | 64 | Configuration; including dynamic schema information
ACL | 0x00000080 | 128 | Access control list
STATS | 0x00000100 | 256 | Timings
STATS2 | 0x00000200 | 512 | Cipher Suites; Conversions
PARSE | 0x00000800 | 2048 | LDIF and attribute/Entry parsing
CACHE | 0x00001000 | 4096 | Caching
SYNC | 0x00004000 | 16384 | Unused
ENTRY | 0x00010000 | 65536 | Debug statements from within add_entry_value()
CS | 0x00020000 | 131072 | Debugging of the callable services; includes commands sent to an ESM with the return code
BUFS | 0x00040000 | 262144 | Buffer and cache maintenance
MUTEX | 0x00080000 | 524288 | mutex lock/unlock/init/delete
DB2 | 0x00100000 | 1048576 | Interface to DB2/CMGR DB2 interface
POLICY | 0x00200000 | 2097152 | Interface to SQLITE/CMGR Policy File interface
CALLBACK | 0x00400000 | 4194304 | Interface to SQLITE Callback tracing
  • disableAttrNameValidation
    (optional) Specifies the CA LDAP Server to accept any attribute name. By default, the CA LDAP Server only accepts valid LDAP protocol version 3 named attributes.
    Example: disableAttrNameValidation
    Note: Valid version 3 naming consists of attribute names that start with a letter, with the remaining characters alphanumeric or a dash.
  • disallow <
    features
    >
    Specify a set of features (separated by white space) to disallow.
    Default: none
    This parameter ORs the values. Specify multiple parameters by entering one per line or multiple on the same line.
    Example:
    disallow bind_anon
    disallow bind_simple
    or
    disallow bind_anon bind_simple
    The valid values for <
    features
    > are:
    • bind_anon
      Disables acceptance of anonymous bind requests. Note that this setting does not prohibit anonymous directory access (See "require authc").
    • bind_simple
      Disables simple (bind) authentication.
    • tls_2_anon
      Disables forcing session to anonymous status (see also tls_authc) upon StartTLS operation receipt.
    • tls_authc
      Disallows the StartTLS operation if authenticated (see also tls_2_anon).
    • proxy_authz_non_critical
      Disables acceptance of the proxied authorization control (RFC4370) when criticality is FALSE.
    • dontusecopy_non_critical
      Disables acceptance of the dontUseCopy control (a work in progress) when criticality is FALSE.
  • enableMultiFactor
    (optional) Prohibits reuse of single-use tokens by the CA LDAP Server. By default, the CA LDAP Server issues RACROUTE VERIFY calls to create ACEEs when needed. The console F LDAP151,STATUS output displays the configuration value as "Enable MulFactor Yes" or "Enable MulFactor No".
    Default: Not enabled.
    Example: enableMultiFactor
  • enableVerify
    (optional) Specifies whether the CA LDAP Server will perform a set of RACROUTE VERIFY CREATE and DELETE calls instead of RACROUTE VERIFYX during the LDAP bind operation. VERIFYX calls normally perform better, depending on how the ESM is configured and if the ESM is configured to update statistics for every login.
    Default: disabled
    Example:
    enableVerify
  • hosturls
    (optional) Specifies the URLs (IP and port) for the CA LDAP Server is to listen on.
    Default: ldap://:389
    Example:
    hosturls ldap://your_ip:port
    hosturls ldap://your_ip:port ldaps://your_ip:ssl_port
    In a TCP/IP v6 environment, the IP address includes colons. For the CA LDAP Server to distinguish between the IP and the port, put the IP address value inside square brackets.
    Example:
    hosturls ldap://[2001::9:6B00:11A:A29E]:389
  • idletimeout
    (optional) Specifies the maximum amount of idle time, in seconds, for an LDAP connect before the CA LDAP Server proactively closes the connection.
    Range: 0 to 32767
    Default: 0 (disabled)
    Example: idletimeout 300
  • include
    (optional) Specifies other text files that contain configuration parameters. You can code multiple include statements so that you can logically separate the configuration file as appropriate. All files that are included behave as if the options were configured inline.
    Default: n/a
    Example:
    include /your_slapd_dir/core.schema
    include /your_slapd_dir/cosine.schema
  • lastmod
    Specifies if the database automatically maintains the modify date/time stamp at the object level. This setting only applies to the DB2 back end. The values are on or off.
    Default: on
    Example:
    lastmod off
  • logfile
    Controls where the debug log messages are written when starting the CA LDAP Server from z/OS UNIX System Services as a daemon. The path can be a relative or fully qualified path.
    Default: n/a
    Example:
    logfile /ldap_install_directory/ldap-trace.log
  • loglevel
    (optional) Specifies the amount of information that the server writes to the syslog daemon. You can specify a numeric or text value. The loglevel is set to the bit-wise OR of all of the arguments on the configuration line.
    Each number is a decimal integer value. The loglevel is taken as a bit string, with each bit corresponding to different trace information. The LOG_LOCAL4 facility is the default syslog facility. To change this value, see Customize the STC Procedure.
    Default: n/a
    Example:
    loglevel 5
    or
    loglevel ACL, STATS
    The values for loglevel and debug options are the same. For valid loglevel options, see the debug option in this list.
  • moduleload
    Specifies which database back-ends are loaded. Depending on which database you are using, code a moduleload parameter for each. The valid back-ends are back_caacf2_utf, back_catss_utf, back_ldap, back_cadb2_utf, back_cmgr_utf, and back_racf_utf. This configuration option is global and must be configured before any database sections.
    Example:
    moduleload back_cmgr_utf.dll
  • pidfile
    (optional) Specifies an output file where the process ID (PID) of the CA LDAP Server is written at startup.
    Default: n/a
    Example:
    pidfile /your_slapd_dir/slapd.pid
  • PortOfEntry4
    (optional) Specifies the resource profile class name to pass to the z/OS external security manager during authentication processing for an IPv4 client.
    Default: TERMINAL
    The valid values are:
    • TERMINAL
      The IPv4 client address is always passed as an 8-byte hexadecimal character string resource name in the TERMINAL class.
    • SERVAUTH
      The netaccess resource name in the SERVAUTH class is passed if the IPv4 client address is mapped into a network security zone by a NETACCESS statement in the TCPIP PROFILE. If the client address is not mapped, the TERMINAL class resource name is passed.
  • ptktappl
    Specifies the application ID (APPLID) that is passed on the RACROUTE VERIFY call. The ESM uses this value to identify the encryption key during PassTickets generation and authentication. The application ID used for the PassTickets generation must be the same as the ID that is used for authentication. When using CA LDAP Server with CA Chorus, set this option to the same value with which CA Chorus is configured. This configuration is important when using IBM PassTickets to authenticate users at a host.
    Default: CALDAP
    Example:
    ptktappl CALDAP
  • ptktReqrId
    (Optional) Specifies a server-level user ID that is cached in memory. This user ID is used to authenticate the server for all post-bind operations, allowing the server to request a passticket on behalf of a client logon.
    Example:
    ptktReqrId passgen
  • ptktReqrPwFile
    (Optional) Specifies the relative or fully qualified name of the encrypted password file that corresponds to the slapd.conf ptktReqrId option. The file is generated using the authid command line utility.
    Example:
    ptktReqrPwFile ./authid.pwd
    Example:
    ptktReqrPwFile /ldap_install_directory/authid.pwd
    For detailed information, see PassTicket Configuration.
  • readonly
    (optional) Indicates whether the database can be updated. Make this option the server default value by configuring it before any database section. Make this option the default value for a single database by configuring it within a database section. The valid values are on or off.
    Default: off
    Example:
    readonly on
  • referral
    (Optional) Specifies the location to send clients when none of the configured databases hold the data requested.
    Default: No default.
    Example:
    referral ldap://other_ldap_server:port
    In a TCP/IP v6 environment, the IP address includes colons. For the CA LDAP Server to distinguish between the IP and the port, put the IP address value inside square brackets.
    Example:
    referral ldap://[2001::9:6B00:11A:A29E]:389
  • require
    (Optional) Specifies the requirements for incoming connections to the CA LDAP Server.
    Valid Values:
    • authc
      Requires authentication prior to directory operations.
    • LDAPv3
      Requires the session to be using LDAP Version 3.
    Default: authc
    Example:
    require authc
  • schemacheck
    (Optional) Indicates whether to use object class definitions to validate the attributes that are passed on ADD and MODIFY operations.
    Valid Values:
    on or off
    Default: on
    Example:
    schemacheck on
  • security <factors>
    Specifies the security level that is required for the various access methods to all CA LDAP data from both secure and non-secure CA LDAP ports. Before configuring this setting, you must configure CA LDAP for encryption. For more information, see Set Up Certificate Logon.
    Default: No factors applied.
    Format:
    tls=x and update_tls=x
    To secure access to all CA LDAP operations, you must configure both tls and update_tls. tls controls security access for logon and search operations. update_tls controls security access to update operations.
    For tls=x, x specifies the TLS security strength factor that is required for performing logon and search operations.
    For update_tls=x, x specifies the TLS security strength factor that is required for performing update operations.
    • A value of 0 means TLS security is not required.
    • A value of 1 or greater means some level of TLS security is required to perform the specified operation. The value corresponds to the TLS encryption key length. The higher the value, the stronger the required encryption.
    Examples:
    • In this example, security is required for applications to perform any CA LDAP operations, but any encryption level can be used:
      security tls=1 update_tls=1
    • In this example, security is required for applications to perform logon and search operations with any encryption level, but update operations require an encryption level of 256 or higher:
      security tls=1 update_tls=256
    • In this example, security with an encryption level of 256 or higher is required for applications to perform all operations:
      security tls=256 update_tls=256
  • sizelimit {<integer>|unlimited}
    (optional) Specifies the maximum number of objects that are returned to the requesting application from a search operation. Make this option the server default value by configuring it before any database section. Make this option the default value for a single database by configuring it within a database section. If both a server value and database value are supplied, the database value overrides the server value. Specify that you do not want results from the server by entering 0. Specify no limit by using unlimited or -1.
    Previous releases have used 0 to mean unlimited. In this release, 0 means "do not return any data."
    Limits: 0 to 2147483647
    Default: 500
    You can also use a second format:
    sizelimit size[.{soft|hard|unchecked}]=<integer> [...].
    For more information about this format and limits, see the Open LDAP documentation.
  • sockbuf_max_incoming
    Controls the packet size that is accepted for add/modify/delete/search operations. This option lets you control the max packet size in bytes. This option can be used to prevent denial of service attacks.
    Default: 262,144
    Example:
    sockbuf_max_incoming 123456
  • sockbuf_max_incoming_auth
    Controls the packet size that is accepted for authentication (bind) operations. This option lets you control the max packet size in bytes. This option can be used to prevent denial of service attacks.
    Default: 1,677,216
    Example:
    sockbuf_max_incoming_auth 123456
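Several of the options above (allow, disallow, require, security, sizelimit, authVerifyClient, and TLSCipherSuite further down) decide whether unauthenticated or unencrypted access reaches the directory. The following added example, which is not CA code, parses the global section of a slapd.conf the way this page describes it (keywords in column one and case-insensitive, values case-sensitive, reading stops at the first backend or database statement; include files are not followed) and reports the settings a reviewer would question. Both configurations it checks are constructed for the example; dsi.example.com and port 1389 are placeholders.

```python
"""Review the global section of a CA LDAP Server slapd.conf for weak settings.

Added example; the checks follow the option descriptions on this page.
"""

# Features of the allow option that accept unauthenticated work.
ANON_ALLOW_FEATURES = {"bind_anon_cred", "bind_anon_dn", "update_anon", "proxy_authz_anon"}
# TLSCipherSuite keywords that select null, export, low-strength or broken algorithms.
WEAK_CIPHER_KEYWORDS = {"NULL", "EXPORT", "LOW", "DES", "RC2", "RC4", "MD5"}


def parse_global_options(text):
    """Return {keyword: [value, ...]} for the global section of a slapd.conf."""
    options = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#") or raw[0].isspace():
            continue                      # blank, comment, or not in column one
        parts = raw.split(None, 1)
        keyword = parts[0].lower()        # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword in ("backend", "database"):
            break                         # everything after this is per-database
        options.setdefault(keyword, []).append(value)
    return options


def _tokens(options, keyword):
    """Whitespace-separated tokens across every line of one keyword."""
    return [tok for value in options.get(keyword, []) for tok in value.split()]


def audit(text):
    """Return a list of (option, problem) findings; an empty list is clean."""
    opts = parse_global_options(text)
    findings = []

    anon = ANON_ALLOW_FEATURES & set(_tokens(opts, "allow"))
    if anon:
        findings.append(("allow", "anonymous features enabled: " + ", ".join(sorted(anon))))

    # The default for require is authc; an explicit require without it drops that.
    if "require" in opts and "authc" not in _tokens(opts, "require"):
        findings.append(("require", "authc not required: unauthenticated directory access is allowed"))

    # security tls=x update_tls=x: a factor of 0 (or an unset option) means no TLS required.
    factors = dict(tok.split("=", 1) for tok in _tokens(opts, "security") if "=" in tok)
    for name in ("tls", "update_tls"):
        if int(factors.get(name, "0")) == 0:
            findings.append(("security", f"{name} not required (factor 0 or unset)"))

    removed, explicit_weak, uses_default = set(), set(), False
    for spec in opts.get("tlsciphersuite", []):
        for cipher_string in spec.split(":"):
            if not cipher_string or cipher_string == "@STRENGTH":
                continue
            action = cipher_string[0] if cipher_string[0] in "!-" else ""
            keywords = set(cipher_string[len(action):].split("+"))
            if action:
                removed |= keywords
            else:
                uses_default |= bool(keywords & {"DEFAULT", "ALL"})
                explicit_weak |= keywords & WEAK_CIPHER_KEYWORDS
    if explicit_weak:
        findings.append(("TLSCipherSuite", "weak cipher keywords added: " + ", ".join(sorted(explicit_weak))))
    # The DEFAULT list on this page includes NULL, EXP and DES suites unless removed.
    if uses_default and WEAK_CIPHER_KEYWORDS - removed:
        findings.append(("TLSCipherSuite", "DEFAULT used without removing: "
                         + ", ".join(sorted(WEAK_CIPHER_KEYWORDS - removed))))

    if "0" in _tokens(opts, "sizelimit"):
        findings.append(("sizelimit", "0 now means 'return no data', not unlimited"))

    if "ssl-required" in _tokens(opts, "authserver") and _tokens(opts, "authverifyclient") != ["on"]:
        findings.append(("authVerifyClient", "authServer uses TLS but the CA DSI Server certificate is not verified"))

    return findings


# Constructed permissive global section (placeholder host and port).
WEAK_CONF = """\
allow bind_anon_cred
require LDAPv3
security tls=1 update_tls=0
TLSCipherSuite DEFAULT:RC4+MD5
sizelimit 0
authServer dsi.example.com 1389 ssl-required
database cmgr
"""

# Constructed hardened counterpart of the same section.
HARDENED_CONF = """\
disallow bind_anon
require authc LDAPv3
security tls=128 update_tls=256
TLSCipherSuite DEFAULT:!NULL:!EXPORT:!LOW:!DES:!RC2:!RC4:!MD5:@STRENGTH
sizelimit 500
authServer dsi.example.com 1389 ssl-required
authVerifyClient on
database cmgr
"""

if __name__ == "__main__":
    for option, problem in audit(WEAK_CONF):
        print(f"{option:16} {problem}")
    print("hardened findings:", audit(HARDENED_CONF))
```

Run it against a real slapd.conf by passing the file contents to audit(); because the parser stops at the first database statement, per-database overrides of readonly, sizelimit, or timelimit are outside its scope.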
  • timelimit
    (optional) Specifies the maximum amount of time, in seconds, a search request runs before timing out. Make this option the server default value by configuring it before any database section. Make this option the default value for a single database by configuring it within a database section.
    Limits: 0 to 32767.
    Default: 3600
    Example:
    timelimit 1800
    Note:
    This option is not currently enabled in the back_caacf2_utf or back_catss_utf backends.
  • threads number
    (optional) Specifies the maximum number of worker threads that the server starts. The server starts worker threads in response to requests that are received.
    Limits: number must be a positive integer
    Default: 32
    Example:
    threads 100
  • TLSCertificateLabel {label}
    (optional) Specifies the label of the certificate to use from the certificate store that is specified by TLSKeyringName. If you specify no value, the default certificate in the certificate store is used.
    Default: n/a
    Example:
    TLSCertificateLabel label_here
    The value label is the label that is assigned to the certificate when the certificate was connected to the keyring. If the value contains embedded blanks, it must be enclosed in double quotes. The certificate that is designated by label_here must have USAGE PERSONAL. In addition, the user ID of the CA LDAP Server must be the owner of the certificate.
    You can also use a SITE certificate here. If you do so, the user ID for the CA LDAP Server must have CONTROL authority to the IRR.DIGTCERT.GENCERT resource in the FACILITY class.
  • TLSCipherSuite <cipher-suite-spec>
    Specifies a list of TLS cipher suites in order of preference. Each cipher-string modifies the list by adding or removing cipher suites. A cipher suite is a named combination of authentication, encryption, and MAC algorithms that are used to negotiate the security setting for a network connection using the TLS or SSL network protocol.
    The cipher suite names that we provide in this topic are only a sample of all the available cipher suite names. The cipher suites that are available to you are based on the IBM System SSL component that your site uses. We provide these samples to help you understand how to configure the cipher suites using the CA LDAP Server. Once configured in slapd.conf, the CA LDAP Server passes the cipher suite values through to IBM System SSL. For a full list of cipher suite names, see the IBM documentation for your level of z/OS.
    Format:
    The value is a string consisting of one or more cipher-strings separated by colons.
    Default:
    The list of cipher suites is empty.
    Each cipher-string can be the string “@STRENGTH”, or it can be a keyword string that adds or removes cipher suites from the list of cipher suites.
    • The string “@STRENGTH” is a means of ordering the list: The strongest cipher suite comes first, followed by all other cipher suites in decreasing order of strength.
    • A keyword string consists of one or more cipher-keywords. Separate keywords by plus signs, and optionally precede the string with an action-character. Each cipher-keyword selects one or more cipher suites. The cipher suites that the cipher-string selects are the combination of the cipher suites that each cipher-keyword selects. The action-character then determines how the cipher-string modifies the list of cipher suites.
    The action-characters are as follows:
    • Exclamation point (!)
      Specifies that the cipher suites selected by this cipher-string are removed permanently from the list of cipher suites. You cannot add the removed cipher suites again by later cipher-strings.
    • Minus sign (-)
      Specifies that the cipher suites selected by this cipher-string are removed from the list of cipher suites. You can add some or all of the cipher suites removed again by later cipher-strings.
    • Omitted
      Specifies that the cipher suites selected by this cipher-string are added to the list of cipher suites. You can remove some or all of the cipher suites added again by later cipher-strings. This action cannot add any cipher suite that a preceding cipher-string has disabled.
    The cipher-keywords are as follows:
    • DEFAULT, ALL
      Selects the default list of cipher suites. For a list of the default cipher suites, see the first example below.
    • RSA
      Selects all cipher suites using RSA keys.
    • DH
      Selects all cipher suites using Diffie-Hellman keys.
    • DSS
      Selects all cipher suites using DSS certificates for server authentication.
    • kEDH
      Selects all cipher suites using ephemeral Diffie-Hellman keys for key exchange.
    • kDHd
      Selects all cipher suites using fixed Diffie-Hellman keys signed with a DSS certificate.
    • kDHr
      Selects all cipher suites using fixed Diffie-Hellman keys signed with an RSA certificate.
    • aRSA
      Selects all cipher suites using RSA certificates for server authentication.
    • aDSS
      Selects all cipher suites using DSS certificates for server authentication.
    • AES
      Selects all cipher suites using AES for data encryption.
    • 3DES
      Selects all cipher suites using triple DES for data encryption.
    • DES
      Selects all cipher suites using DES for data encryption.
    • RC4
      Selects all cipher suites using RC4 for data encryption.
    • RC2
      Selects all cipher suites using RC2 for data encryption.
    • MD5
      Selects all cipher suites using MD5 for message digest.
    • SHA, SHA1
      Selects all cipher suites using SHA1 for message digest.
    • FIPS
      Selects all cipher suites that are FIPS-compliant.
    • EXPORT
      Selects all cipher suites that use “export” strength data encryption. These are cipher suites that use no more than 56-bit keys.
    • LOW
      Selects all cipher suites that use “low” strength data encryption. These are cipher suites that use no more than 64-bit keys.
    • MEDIUM
      Selects all cipher suites that use “medium” strength data encryption. These are some of the cipher suites with 128-bit keys.
    • HIGH
      Selects all cipher suites that use “high” strength data encryption. These are some of the cipher suites with 128-bit keys and all cipher suites with more than 128-bit keys.
    • Name of a cipher suite
      Selects the named cipher suite.
      For a complete description of the cipher suites, consult the referenced RFCs.
    The following list gives cipher suites from the TLS v1.0 specification in RFC2646.
TLS Cipher Suite Names | Cipher Keywords
TLS_NULL_WITH_NULL_NULL | NULL
TLS_RSA_WITH_NULL_MD5 | NULL, MD5
TLS_RSA_WITH_NULL_SHA | NULL, SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5 | EXP, RC4, MD5
TLS_RSA_WITH_RC4_128_MD5 | RC4, MD5
TLS_RSA_WITH_RC4_128_SHA | RC4, SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | EXP, RC2, CBC, MD5
TLS_RSA_WITH_DES_CBC_SHA | DES, CBC, SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA | DES, CBC3, SHA
TLS_DH_DSS_WITH_DES_CBC_SHA | DH, DSS, DES, CBC, SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | DH, DSS, DES, CBC3, SHA
TLS_DH_RSA_WITH_DES_CBC_SHA | DH, RSA, DES, CBC, SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | DH, DSS, DES, CBC3, SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA | EDH, DSS, DES, CBC, SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | EDH, DSS, DES, CBC3, SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA | EDH, RSA, DES, CBC, SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | EDH, RSA, DES, CBC3, SHA
The following list gives cipher suites that were added to the TLS specification by RFC3268.
TLS Cipher Suite Names | Cipher Keywords
TLS_RSA_WITH_AES_128_CBC_SHA | AES128, SHA
TLS_RSA_WITH_AES_256_CBC_SHA | AES256, SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA | DH, DSS, AES128, SHA
TLS_DH_DSS_WITH_AES_256_CBC_SHA | DH, DSS, AES256, SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA | DH, RSA, AES128, SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA | DH, RSA, AES256, SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | DHE, DSS, AES128, SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | DHE, DSS, AES256, SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE, RSA, AES128, SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE, RSA, AES256, SHA
The following list contains cipher suites added to the TLS specification by RFC4492. These are all of the cipher suites that use Elliptic Curve encryption. These cipher suites are only available on a z/OS 1.13 system or higher.
TLS Cipher Suite Names | Cipher Keywords
TLS_ECDH_ECDSA_WITH_NULL_SHA | ECDH, ECDSA, NULL, SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | ECDH, ECDSA, RC4, SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | ECDH, ECDSA, DES, CBC3, SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | ECDH, ECDSA, AES128, SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | ECDH, ECDSA, AES256, SHA
TLS_ECDHE_ECDSA_WITH_NULL_SHA | ECDHE, ECDSA, NULL, SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ECDHE, ECDSA, RC4, SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | ECDHE, ECDSA, DES, CBC3, SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE, ECDSA, AES128, SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE, ECDSA, AES256, SHA
TLS_ECDH_RSA_WITH_NULL_SHA | ECDH, RSA, NULL, SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA | ECDH, RSA, RC4, SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | ECDH, RSA, DES, CBC3, SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | ECDH, RSA, AES128, SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | ECDH, RSA, AES256, SHA
TLS_ECDHE_RSA_WITH_NULL_SHA | ECDHE, RSA, NULL, SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA | ECDHE, RSA, RC4, SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ECDHE, RSA, DES, CBC3, SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE, RSA, AES128, SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE, RSA, AES256, SHA
Additional cipher suites were added to the TLS specification by RFC5289. These cipher suites are available only on TLS 1.2 or higher. For more information about cipher names and codes, see the appendix about cipher suite definitions in the IBM z/OS Cryptographic Services System Secure Sockets Layer Programming documentation.
If you omit the TLSCipherSuite option, the cipher suite list is the list of cipher suites selected by the DEFAULT cipher-keyword.
Examples:
The following are examples of cipher specifications and their meanings.
  • DEFAULT
    Include default cipher suites. This gives the list RC4-SHA, RC4-MD5, AES256-SHA, DH-DSS-AES256-SHA, DH-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA, AES128-SHA, DH-DSS-AES128-SHA, DH-RSA-AES128-SHA, DHE-DSS-AES128-SHA, DHE-RSA-AES128-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DH-RSA-DES-CBC3-SHA, DH-DSS-DES-CBC3-SHA, DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, DH-RSA-DES-CBC-SHA, DH-DSS-DES-CBC-SHA, EXP-RC4-MD5, EXP-RC2-CBC-MD5, NULL-SHA, NULL-MD5, NULL.
    If you do not specify the TLSCipherSuite option, the server uses this list.
  • ALL:!LOW:@STRENGTH
    Include all cipher suites, exclude the low strength cipher suites, and sort in strength order. This gives the list AES256-SHA, DH-DSS-AES256-SHA, DH-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA, AES128-SHA, DH-DSS-AES128-SHA, DH-RSA-AES128-SHA, DHE-DSS-AES128-SHA, DHE-RSA-AES128-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DH-RSA-DES-CBC3-SHA, DH-DSS-DES-CBC3-SHA, RC4-SHA, RC4-MD5, EXP-RC4-MD5, EXP-RC2-CBC-MD5, NULL-MD5, NULL.
  • DEFAULT:!MD5:!LOW+EXP:@STRENGTH
    Include the default cipher suites, exclude cipher suites that use MD5, exclude the low and export strength cipher suites, and sort in strength order. This gives the list AES256-SHA, DH-DSS-AES256-SHA, DH-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA, AES128-SHA, DH-DSS-AES128-SHA, DH-RSA-AES128-SHA, DHE-DSS-AES128-SHA, DHE-RSA-AES128-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DH-RSA-DES-CBC3-SHA, DH-DSS-DES-CBC3-SHA, RC4-SHA, NULL.
  • DEFAULT:@STRENGTH
    Include the default cipher suites and sort in strength order. This gives the list AES256-SHA, DH-DSS-AES256-SHA, DH-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA, AES128-SHA, DH-DSS-AES128-SHA, DH-RSA-AES128-SHA, DHE-DSS-AES128-SHA, DHE-RSA-AES128-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DH-RSA-DES-CBC3-SHA, DH-DSS-DES-CBC3-SHA, RC4-SHA, RC4-MD5, DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, DH-RSA-DES-CBC-SHA, DH-DSS-DES-CBC-SHA, EXP-RC4-MD5, EXP-RC2-CBC-MD5, NULL-SHA, NULL-MD5, NULL.
Backward Compatibility
For backward compatibility with previous versions of this option, code this option as a string consisting of one or more two-character values. The possible two-character values and their associated cipher suite are as follows:
  • 00
    Specifies no encryption or message authentication and RSA key exchange.
  • 01
    Specifies no encryption with MD5 message authentication and RSA key exchange.
  • 02
    Specifies no encryption with SHA-1 message authentication and RSA key exchange (FIPS).
  • 03
    Specifies 40-bit RC4 encryption with MD5 message authentication and RSA key exchange.
  • 04
    Specifies 128-bit RC4 encryption with MD5 message authentication and RSA key exchange.
  • 05
    Specifies 128-bit RC4 encryption with SHA-1 message authentication and RSA key exchange.
  • 06
    Specifies 40-bit RC2 encryption with MD5 message authentication and RSA key exchange.
  • 09
    Specifies 56-bit DES encryption with SHA-1 message authentication and RSA key exchange.
  • 0A
    Specifies 168-bit Triple DES encryption with SHA-1 message authentication and RSA key exchange (FIPS).
  • 0C
    Specifies 56-bit DES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with a DSS certificate.
  • 0D
    Specifies 168-bit Triple DES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with a DSS certificate (FIPS).
  • 0F
    Specifies 56-bit DES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with an RSA certificate.
  • 10
    Specifies 168-bit Triple DES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with an RSA certificate (FIPS).
  • 12
    Specifies 56-bit DES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with a DSS certificate.
  • 13
    Specifies 168-bit Triple DES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with a DSS certificate (FIPS).
  • 15
    Specifies 56-bit DES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate.
  • 16
    Specifies 168-bit Triple DES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate (FIPS).
  • 2F
    Specifies 128-bit AES encryption with SHA-1 message authentication and RSA key exchange (FIPS).
  • 30
    Specifies 128-bit AES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with a DSS certificate (FIPS).
  • 31
    Specifies 128-bit AES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with an RSA certificate (FIPS).
  • 32
    Specifies 128-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with a DSS certificate (FIPS).
  • 33
    Specifies 128-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate (FIPS).
  • 35
    Specifies 256-bit AES encryption with SHA-1 message authentication and RSA key exchange (FIPS).
  • 36
    Specifies 256-bit AES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with a DSS certificate (FIPS).
  • 37
    Specifies 256-bit AES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with an RSA certificate (FIPS).
  • 38
    Specifies 256-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with a DSS certificate (FIPS).
  • 39
    Specifies 256-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate (FIPS).
Default: 050435363738392F303132330A1613100D0915120F0C0306020100 if security level 3 is installed, and 0915120F0C0306020100 if it is not installed.
You cannot specify any of the new Elliptic Curve cipher suites with this method. If you require an Elliptic Curve cipher suite, convert to the new option format that is documented above.
If FIPS mode is enabled, the cipher suites are limited to those with "(FIPS)" after their description. Any non-FIPS suites are silently removed from whatever list of cipher suites is specified. Verify that the resulting string actually contains cipher suites.
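As an added example (not code from the product documentation), the following Python decodes a two-character TLSCipherSuite string with the code table above, applies the FIPS-mode removal just described to the two documented defaults, and reports the suites a defender would not want offered. The hyphenated names and the FIPS column are taken from the descriptions and from the TLSEnableFIPSMode list; mapping codes to those names is an inference.

```python
"""Decode and audit a TLSCipherSuite value written in the two-character
backward-compatibility format above. Added example, not CA LDAP Server code."""

# code -> (name as used in the DEFAULT list above, FIPS-approved per the
# TLSEnableFIPSMode list, reason a defender would drop it or "").
# Mapping codes to the hyphenated names is inferred from the descriptions.
SUITES = {
    "00": ("NULL", False, "no encryption, no MAC"),
    "01": ("NULL-MD5", False, "no encryption, MD5 MAC"),
    "02": ("NULL-SHA", False, "no encryption"),
    "03": ("EXP-RC4-MD5", False, "40-bit export RC4, MD5 MAC"),
    "04": ("RC4-MD5", False, "RC4, MD5 MAC"),
    "05": ("RC4-SHA", False, "RC4"),
    "06": ("EXP-RC2-CBC-MD5", False, "40-bit export RC2, MD5 MAC"),
    "09": ("DES-CBC-SHA", False, "56-bit DES"),
    "0A": ("DES-CBC3-SHA", True, ""),
    "0C": ("DH-DSS-DES-CBC-SHA", False, "56-bit DES"),
    "0D": ("DH-DSS-DES-CBC3-SHA", True, ""),
    "0F": ("DH-RSA-DES-CBC-SHA", False, "56-bit DES"),
    "10": ("DH-RSA-DES-CBC3-SHA", True, ""),
    "12": ("EDH-DSS-DES-CBC-SHA", False, "56-bit DES"),
    "13": ("EDH-DSS-DES-CBC3-SHA", True, ""),
    "15": ("EDH-RSA-DES-CBC-SHA", False, "56-bit DES"),
    "16": ("EDH-RSA-DES-CBC3-SHA", True, ""),
    "2F": ("AES128-SHA", True, ""),
    "30": ("DH-DSS-AES128-SHA", True, ""),
    "31": ("DH-RSA-AES128-SHA", True, ""),
    "32": ("DHE-DSS-AES128-SHA", True, ""),
    "33": ("DHE-RSA-AES128-SHA", True, ""),
    "35": ("AES256-SHA", True, ""),
    "36": ("DH-DSS-AES256-SHA", True, ""),
    "37": ("DH-RSA-AES256-SHA", True, ""),
    "38": ("DHE-DSS-AES256-SHA", True, ""),
    "39": ("DHE-RSA-AES256-SHA", True, ""),
}
# The two documented defaults, with and without security level 3.
LEVEL3_DEFAULT = "050435363738392F303132330A1613100D0915120F0C0306020100"
BASE_DEFAULT = "0915120F0C0306020100"


def decode(spec):
    """Split the string into two-character codes; reject malformed input."""
    spec = spec.strip().upper()
    if len(spec) % 2:
        raise ValueError("odd length: each suite is exactly two characters")
    codes = [spec[i:i + 2] for i in range(0, len(spec), 2)]
    unknown = [c for c in codes if c not in SUITES]
    if unknown:
        raise ValueError(f"unknown cipher codes: {unknown}")
    return codes


def audit(spec, fips_mode=False):
    """What the server will actually offer, and which of it is weak."""
    codes = decode(spec)
    if fips_mode:   # FIPS mode silently removes non-FIPS suites, order kept
        codes = [c for c in codes if SUITES[c][1]]
    weak = [f"{c} {SUITES[c][0]}: {SUITES[c][2]}" for c in codes if SUITES[c][2]]
    return {"codes": codes, "string": "".join(codes),
            "empty": not codes, "weak": weak}


if __name__ == "__main__":
    for spec in (LEVEL3_DEFAULT, BASE_DEFAULT):
        r = audit(spec, fips_mode=True)
        print(r["string"] or "EMPTY: no FIPS suites left", len(r["weak"]), "weak")
```

Run against the default without security level 3, FIPS mode leaves nothing at all, which is exactly the empty-string case the text tells you to check for.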
  • TLSEnableFIPSMode
    Specifies that all secure connections are made in the manner that is specified by the FIPS 140-2 specification. Note the following behavior:
    • All connections use TLS 1.0 or higher. The server does not accept connections from clients using either SSL v2 or SSL v3 protocols.
    • Cipher suite selection is restricted to FIPS-approved cipher suites.
    In the current release, the FIPS-approved cipher suites are as follows:
    • 0A
      Specifies 168-bit Triple DES encryption with SHA-1 message authentication and RSA key exchange.
    • 0D
      Specifies 168-bit Triple DES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with a DSA certificate.
    • 10
      Specifies 168-bit Triple DES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with an RSA certificate.
    • 13
      Specifies 168-bit Triple DES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with a DSA certificate.
    • 16
      Specifies 168-bit Triple DES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate.
    • 2F
      Specifies 128-bit AES encryption with SHA-1 message authentication and RSA key exchange.
    • 30
      Specifies 128-bit AES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with a DSA certificate.
    • 31
      Specifies 128-bit AES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with an RSA certificate.
    • 32
      Specifies 128-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with a DSA certificate.
    • 33
      Specifies 128-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate.
    • 35
      Specifies 256-bit AES encryption with SHA-1 message authentication and RSA key exchange.
    • 36
      Specifies 256-bit AES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with a DSA certificate.
    • 37
      Specifies 256-bit AES encryption with SHA-1 message authentication and fixed Diffie-Hellman key exchange signed with an RSA certificate.
    • 38
      Specifies 256-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with a DSA certificate.
    • 39
      Specifies 256-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate.
  • TLSKeyringName
    (optional) Specifies the name of the certificate store that contains the certificates used.
    Default: Value of the GSK_KEYRING_FILE environment variable. If the GSK_KEYRING_FILE environment variable is not set, there is no default value.
    Example:
    TLSKeyringName ring_name
    The argument ring_name can have one of three values:
    • Key database name
      The name of an HFS file that contains the key database. This file is created and maintained using the gskkyman utility. For more information about how to use the gskkyman utility, see the information about Certificate/Key Management in the IBM Cryptographic Services System Secure Sockets Layer Programming Guide.
      If you use this form, specify at least one of the following options: TLSKeyringPW or TLSKeyringStashFile.
    • SAF keyring name
      A SAF keyring name is specified as userid/keyring or keyring. The user ID of the CA LDAP Server is used if userid is omitted. When using a SAF keyring that is owned by the user ID, the user ID must have READ authority to the IRR.DIGTCERT.LISTRING resource in the FACILITY class. When using a SAF keyring that is owned by another user, the user ID must have UPDATE authority to the IRR.DIGTCERT.LISTRING resource in the FACILITY class. For more information about how to set up certificates, private keys, and keyrings, see your external security manager documentation.
    • z/OS PKCS #11 token
      A z/OS PKCS #11 token is specified as *TOKEN*/token-name. The characters *TOKEN* must be coded as shown to indicate that token-name is the name of a token. For the certificates and their private keys to be read, the user ID of the CA LDAP Server must have READ authority to the resource USER.token-name in the CRYPTOZ class.
  • TLSKeyringPW
    (optional) Specifies the password for the key database. Specify this option only if the ring_name specified in the TLSKeyringName option is a key database.
    Do not specify this option if the ring_name is a SAF keyring name or a z/OS PKCS #11 token.
    Default: Value of the GSK_KEYRING_PW environment variable. If the GSK_KEYRING_PW environment variable is not set, the default value is NULL.
    Format:
    TLSKeyringPW [ password ]
    The value password can be up to 128 characters in length and can contain any character that the gskkyman utility allows. If necessary, it can be enclosed in double quotes.
  • TLSKeyringStash
    (optional) Specifies the name of the key database password stash file. Specify this option only if the ring_name specified in the TLSKeyringName option is a key database.
    Do not specify this option if the ring_name is a SAF keyring name or a z/OS PKCS #11 token.
    Default: Value of the GSK_KEYRING_STASH environment variable. If the GSK_KEYRING_STASH environment variable is not set, the default value is NULL.
    Format:
    TLSKeyRingStash [ filename ]
    The stash file name always has an extension of .sth, and the supplied name is changed if it does not have the correct extension. If both this option and the TLSKeyringPW option are specified, this option is ignored and the value of the TLSKeyringPW option is used.
  • TLSProtocolMin
    (optional) Specifies the minimum SSL/TLS protocol version that the server will negotiate. If the client cannot negotiate at least this version, the SSL handshake fails.
    Valid Values:
    • ssl2
      Specifies SSL version 2.
    • ssl3
      Specifies SSL version 3.
    • tls1
      Specifies TLS version 1.
    • tls1.1
      Specifies TLS version 1.1.
    • tls1.2
      Specifies TLS version 1.2.
    The minimum SSL/TLS protocol version is the minimum version that the server will allow to be negotiated. For example, if the TLSProtocolMin configuration option specifies “tls1.2” and the client supports only TLS 1.1, the client is not allowed to connect to the CA LDAP Server. If the TLSProtocolMin configuration option specifies “tls1.1,” any request for TLS 1.1 or higher is accepted. So, if the client supports TLS 1.2, the connection is at TLS 1.2.
    Default: tls1
    Previous versions of the CA LDAP Server behaved as if this option were specified with the value “ssl3”, meaning the minimum protocol version was SSLv3. This change in default behavior can result in SSL handshake failures where there were none before. If a failure occurs, add the TLSProtocolMin option to the server’s configuration file, as shown in the example that follows.
    Example:
    TLSProtocolMin ssl3
  • TLSVerifyClient
    (Optional) Specifies whether a client is required to present a certificate when attempting to establish an SSL or TLS connection with the server. For certificate logon, this option must be set to a value that requires the client to send its certificate.
    Default: OFF
    The allowed values of option are as follows:
    • NEVER, OFF, NO, or FALSE
      Indicates that the server does not request a certificate.
    • ALLOW
      Indicates the server requests, but does not require, a certificate. If no certificate is provided, the session proceeds. If a bad certificate is provided, it is ignored and the session proceeds.
    • TRY
      Indicates the server requests a good certificate. If no certificate is provided, the session proceeds. If a bad certificate is provided, the session is immediately terminated.
    • DEMAND, HARD, ON, YES, or TRUE
      Indicates the server requires a certificate. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
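The keyring, stash, minimum-protocol and client-certificate rules above interact, so here is an added example (not CA LDAP Server code) that parses a slapd.conf fragment and reports the combinations the text says are invalid, ignored, or incompatible with FIPS mode or certificate logon. The sample configuration is constructed, and the rule for telling a key database file from a bare SAF keyring name is an assumption documented in the code.

```python
"""Lint the TLS keyring, minimum-protocol and client-certificate options of a
slapd.conf fragment against the rules above. Added example, not CA LDAP Server
code; the sample configuration at the bottom is constructed."""

PROTOCOLS = ["ssl2", "ssl3", "tls1", "tls1.1", "tls1.2"]   # weakest first
REQUIRE_CERT = {"DEMAND", "HARD", "ON", "YES", "TRUE"}
VERIFY = REQUIRE_CERT | {"NEVER", "OFF", "NO", "FALSE", "ALLOW", "TRY"}


def parse(text):
    """Keyword -> value; keywords start in column one and are not case sensitive."""
    opts = {}
    for line in text.splitlines():
        if not line or line[0] in "# \t":   # comment or continuation line
            continue
        key, _, value = line.partition(" ")
        opts[key.lower()] = value.strip().strip('"')   # values keep their case
    return opts


def keyring_kind(name):
    """Classify ring_name. Assumption: a key database is an HFS path (starts
    with '/' or './') or ends in '.kdb'; anything else is a SAF keyring."""
    if name.startswith("*TOKEN*/"):
        return "token"
    if name.startswith(("/", "./")) or name.endswith(".kdb"):
        return "kdb"
    return "saf"


def lint(text):
    """Return findings; an empty list means the fragment follows the rules."""
    o, out = parse(text), []
    ring = o.get("tlskeyringname")
    secret = [k for k in ("tlskeyringpw", "tlskeyringstash") if k in o]
    if ring is None:
        out.append("TLSKeyringName missing: relies on GSK_KEYRING_FILE")
    elif keyring_kind(ring) == "kdb" and not secret:
        out.append("key database needs TLSKeyringPW or TLSKeyringStash")
    elif keyring_kind(ring) != "kdb" and secret:
        out.append("SAF keyring or token must not have a password or stash")
    if len(secret) == 2:
        out.append("TLSKeyringStash is ignored when TLSKeyringPW is set")
    stash = o.get("tlskeyringstash")
    if stash and not stash.endswith(".sth"):
        out.append(f"stash name will be changed to end in .sth: {stash}")
    proto = o.get("tlsprotocolmin", "tls1")          # documented default
    if proto not in PROTOCOLS:
        out.append(f"invalid TLSProtocolMin: {proto}")
    elif PROTOCOLS.index(proto) < PROTOCOLS.index("tls1"):
        fips = "tlsenablefipsmode" in o
        out.append(f"TLSProtocolMin {proto} permits SSL" +
                   (" but FIPS mode requires TLS 1.0 or higher" if fips else ""))
    verify = o.get("tlsverifyclient", "OFF").upper()
    if verify not in VERIFY:
        out.append(f"invalid TLSVerifyClient: {verify}")
    elif verify not in REQUIRE_CERT:
        out.append(f"TLSVerifyClient {verify}: certificate logon not possible")
    return out


SAMPLE = """\
# constructed: SAF keyring with a leftover stash file option
TLSKeyringName LDAPSRV/LDAPRING
TLSKeyringStash /etc/ldap/oldkeys.stash
TLSProtocolMin ssl3
TLSEnableFIPSMode
TLSVerifyClient ALLOW
"""
```

Calling lint(SAMPLE) yields four findings: a stash option on a SAF keyring, a stash name that will be renamed, an SSLv3 minimum that FIPS mode will not honour, and a TLSVerifyClient value that cannot support certificate logon.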
You can set the following certificate options only on z/OS 2.3 and above. If you set these options on z/OS 2.2 or below, they have no effect.
  • TLSDhMinKeySize
    Specifies the minimum allowed X.509 certificate Diffie-Hellman (DH) key size for the peer end-entity certificate.
    Example:
    TLSDhMinKeySize 1024
  • TLSDsaMinKeySize
    Specifies the minimum allowed X.509 certificate Digital Signature Algorithm (DSA) key size for the peer end-entity certificate.
    Example:
    TLSDsaMinKeySize 2048
  • TLSEccMinKeySize
    Specifies the minimum allowed X.509 certificate Elliptic Curve Cryptography (ECC) key size for the peer end-entity certificate.
    Example:
    TLSEccMinKeySize 194
  • TLSRsaMinKeySize
    Specifies the minimum allowed X.509 certificate Rivest, Shamir, Adleman (RSA) key size for the peer end-entity certificate.
    Example:
    TLSRsaMinKeySize 2048
Dynamic Suffix Values
In some circumstances, you want to use a single slapd.conf file for several LPARs. In previous versions of CA LDAP Server, this was not possible because the suffix variable was system-specific. In CA LDAP Server release 15.1 and higher, you can specify a dynamic suffix value.
To specify a dynamic suffix value, you use the substitution variables %zosnode% and %imnode%. When using these substitution variables, CA LDAP Server uses the LE function uname() to load the current system name, then substitutes this system name for the %zosnode% or %imnode% string.
The two substitution variables have different functions. %zosnode% substitutes the exact system name, while %imnode% appends "_im" to the system name. Use %imnode% with IM naming_mode.
The substitution variables do not set the naming_mode value. They only affect the suffix DN. The default naming_mode is naming_mode zos. If you use %imnode% and you want IM naming_mode, configure IM naming_mode in the slapd.conf file.
Example: %zosnode%
The suffix value for your production CA ACF2 backend is:
Suffix host=%zosnode%, o=ca, c=us
After dynamic substitution, CA LDAP Server inserts the correct system name:
Suffix host=xe42, o=ca, c=us
Example: %imnode%
The suffix value for your production CA ACF2 backend is:
Suffix host=%imnode%, o=ca, c=us
After dynamic substitution, CA LDAP Server inserts the correct system name:
Suffix host=xe42_im, o=ca, c=us