
IBM Tivoli Software © 2007 IBM Corporation. Support Technical Exchange Web site: http://www-306.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html


Slide 1: IBM Tivoli Directory Server Encryption
September 11, 2009
By: Sharvari Kulkarni & Pradnya Gandhe (kul_sharvari@in.ibm.com, prgandhe@in.ibm.com)

Slide 2: Useful Links
- IBM Tivoli Directory Server Support Site: http://www-306.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html
- IBM Tivoli Directory Server Documentation: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
- IBM Tivoli Directory Server discussion group (ibm.software.ldap on Google Groups): http://groups.google.com/group/ibm.software.ldap/topics?lnk=gschg&hl=en

Slide 3: Introduction
Abstract: The purpose of this STE (Support Technical Exchange) is to give a brief overview of IBM Tivoli Directory Server (ITDS) and to explain how encryption is implemented in ITDS.
Objectives:
- Brief introduction to IBM Tivoli Directory Server
- Introduction to general encryption concepts
- Encryption in IBM Tivoli Directory Server
- Password encryption and attribute level encryption

Slide 4: Agenda
1. Introduction to IBM Tivoli Directory Server
   - What is IBM Tivoli Directory Server
   - Versioning information and new features
2. Introduction to general encryption concepts
   - Definition
   - Types of encryption (one way and two way)
3. Encryption in IBM Tivoli Directory Server
   - Need for encryption in ITDS
   - Supported one way and two way encryption schemes

Slide 5: Agenda (continued)
4. Password Encryption
   - Brief overview of password encryption
   - Supported schemes
   - Configuration using ITDS 6.1
5. Attribute Level Encryption
   - Brief overview of attribute level encryption
   - Supported schemes
   - Configuration using ITDS 6.1

Slide 6: Introduction to IBM Tivoli Directory Server

Slide 7: What is a Directory?
- A directory is a collection of information about objects arranged in a hierarchical (tree-like) structure.
- A characteristic of a directory is that it is accessed (read or searched) much more often than it is updated (written).
- Directories are usually accessed using the client-server model of communication.
- The format and contents of the messages exchanged between client and server must adhere to an agreed-upon protocol, e.g. LDAP.
- The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services running over TCP/IP.
- Because LDAP offers many advantages, it is used by many different directories on the market, and ITDS is no exception.

Slide 8: Brief Overview of IBM Tivoli Directory Server
- IBM® Tivoli® Directory Server is the IBM implementation of the Lightweight Directory Access Protocol (LDAP).
- ITDS provides a server that stores directory information using a DB2® database, a proxy server for routing LDAP operations to other servers, a client, and a graphical user interface (GUI) for managing servers.
- ITDS includes a rich set of features, including a dynamically extensible directory schema, NLS support, replication, and security features.
- ITDS has released V6.0, V6.1 and recently V6.2.
- Online backup and restore, support for Solaris zones and AIX WPARs are some of the latest features introduced in V6.2.

Slide 9: Introduction to General Encryption Concepts

Slide 10: Encryption Concepts
- Encryption is a term that evolved from cryptography, the practice and study of hiding information.
- In cryptography, encryption is the process of transforming information into unintelligible gibberish, that is, transforming the information to make it unreadable.
- The conversion is done using special algorithms called ciphers.
- Encryption is also used to protect data in transit, for example data being transferred over networks.
- Having understood these terms, we can now redefine encryption as: "Encryption is the conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorized people".

Slide 11: Types of Encryption
- The two main broad types of encryption are:
  - One way encryption
  - Two way encryption
- One way encryption:
  - Also known as irreversible encryption.
  - A method of encryption that produces ciphertext from which the original data cannot be reproduced.
  - With one way encryption, the information cannot be decrypted.
  - This scheme is used especially for protecting passwords.
  - It is used when there is no need to decrypt the information later.

Slide 12: Types of Encryption (continued)
- Two way encryption:
  - Two-way encryption is the most common form of encryption.
  - It takes a plain-text input and encrypts it into ciphertext.
  - At some later point in time, this ciphertext can be decrypted, which yields the plain text that was originally encrypted.
  - Two-way encryption is useful for private communications.
  - Some applications, such as middle-tier authentication servers, require passwords to be retrieved in clear text; however, corporate security policies might prohibit storing clear passwords in secondary permanent storage. Two-way encryption satisfies both requirements.

Slide 13: Introduction to IBM Tivoli Directory Server Encryption

Slide 14: Encryption in IBM Tivoli Directory Server
- Need: ITDS stores sensitive information such as user passwords and other sensitive user attributes.
- Moreover, any number of clients connect to an ITDS server using different bind mechanisms to request specific information of interest.
- To satisfy these clients' queries, the ITDS server has to send such sensitive information to the clients over the network, so protecting this data is very important.
- Hence one of the most powerful features provided by IBM Tivoli Directory Server is its capability to offer secure access to directory data.
- ITDS provides this secure access by using several techniques:
  1) Securely encrypting the values stored within the directory using the latest encryption algorithms (AES and SHA)

Slide 15: Encryption in IBM Tivoli Directory Server (continued)
  2) Using SSL to encrypt data transmitted on the wire.
- Our focus in this discussion is the techniques that ITDS uses to encrypt stored data.
- ITDS supports both one-way and two-way encryption.
- One-way encrypting formats supported by ITDS:
  - crypt
  - MD5: MD5 is a message digest algorithm. MD5 takes a variable length input and produces a 128-bit message digest.
  - SHA-1
  - Salted SHA-1
- Two-way encryption formats supported by ITDS:
  - AES 128
  - AES 192
  - AES 256
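The one-way schemes listed on slides 11 and 15 (MD5, SHA-1, salted SHA-1) can be illustrated with the conventional LDAP userPassword encoding: a `{SCHEME}` prefix followed by the base64 of the digest, with the salt appended to the digest for SSHA. The block below is an added example and is not code from the presentation or from ITDS; how ITDS lays out these values on disk is not shown on the slides, and the `{SCHEME}base64` layout is an assumption borrowed from common LDAP practice. What it demonstrates is the defining property of one-way encryption from slide 11: the server never recovers the password, it only recomputes the digest and compares.

```python
import base64
import hashlib
import secrets
from typing import Optional

# Added example (not ITDS code). Assumes the common LDAP "{SCHEME}base64" layout
# for one-way userPassword values; the exact ITDS storage format is not shown
# on the slides.

SALT_LEN = 8   # bytes of random salt for SSHA (a constructed choice)
SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes


def hash_userpassword(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Produce a one-way userPassword value for md5, sha (SHA-1) or ssha (salted SHA-1)."""
    raw = password.encode("utf-8")
    scheme = scheme.lower()
    if scheme == "md5":
        return "{MD5}" + base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")
    if scheme == "sha":
        return "{SHA}" + base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    if scheme == "ssha":
        # A fresh random salt per password: equal passwords give different stored values,
        # so a precomputed table of digests is useless against the stored data.
        salt = secrets.token_bytes(SALT_LEN) if salt is None else salt
        digest = hashlib.sha1(raw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError(f"unsupported one-way scheme: {scheme}")


def verify_userpassword(candidate: str, stored: str) -> bool:
    """Check a candidate against a stored value by recomputing the digest.

    There is no decrypt step: the stored value cannot be turned back into the password.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {SCHEME}-prefixed value")
    end = stored.index("}")
    scheme = stored[1:end].lower()
    blob = base64.b64decode(stored[end + 1:])
    raw = candidate.encode("utf-8")
    # compare_digest is constant-time, so the comparison does not leak how many bytes matched
    if scheme == "md5":
        return secrets.compare_digest(hashlib.md5(raw).digest(), blob)
    if scheme == "sha":
        return secrets.compare_digest(hashlib.sha1(raw).digest(), blob)
    if scheme == "ssha":
        digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]  # the salt is whatever follows the digest
        return secrets.compare_digest(hashlib.sha1(raw + salt).digest(), digest)
    raise ValueError(f"unsupported one-way scheme: {scheme}")


def is_one_way(scheme: str) -> bool:
    """True for the schemes the slides list as one-way (crypt, md5, sha, ssha)."""
    return scheme.lower() in {"crypt", "md5", "sha", "ssha"}


if __name__ == "__main__":
    stored = hash_userpassword("Passw0rd!", "ssha")
    print(stored)
    print(verify_userpassword("Passw0rd!", stored), verify_userpassword("wrong", stored))
```

Running the block twice prints two different `{SSHA}` values for the same password because of the random salt, while `{SHA}` and `{MD5}` values are identical for identical passwords; that difference is why the salted scheme is the stronger of the one-way choices.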

Slide 16: Password Encryption

Slide 17: Password Encryption
- IBM Directory Server enables you to prevent unauthorized access to user passwords. The administrator can configure the server to encrypt "userPassword" attribute values in either a one-way encrypting format or a two-way encrypting format.
- After the server is configured, any new passwords (for new users) or modified passwords (for existing users) are encrypted before they are stored in the directory database.
- For applications that require retrieval of clear passwords, such as middle-tier authentication agents, the directory administrator needs to configure the server to perform either two-way encryption or no encryption on user passwords.

Slide 18: Password Encryption (continued)
- ITDS provides two ways to configure password encryption:
  - Web Administration Tool: this tool is installed on an application server, such as the embedded version of IBM WebSphere® Application Server - Express (WAS) included with IBM Tivoli Directory Server, and administered through a console. Servers that have been added to the console can be managed through the Web Administration Tool without having the tool installed on each server. The preferred method of administering the server is the Web Administration Tool.

Slide 19: Password Encryption (continued)
- Before you start using the Web Administration Tool for the server, you must ensure that you have completed the following tasks during the configuration of the server:
  - Set the administration DN and password to be able to start a given server.
  - If the server is not configured as a proxy server, configure a database to be able to start a given server in a state other than configuration-only mode.
  - Ensure that either the server or the administration server is running.
- Command line utilities: command line utilities such as idsldapmodify, idsldapadd and idsldapsearch are installed when TDS is installed.

Slide 20: Password Encryption (continued)
Viewing results using the command line: [screenshot]

Slide 21: Password Encryption (continued)
Using Web Administration: [image placeholder: password encryption]

Slide 22: Password Encryption (continued)
Command line utility: idsldapmodify
- To change or set the type of encryption from the command line, use the following idsldapmodify operation:

    idsldapmodify -D <adminDN> -w <adminPW>
    dn: cn=configuration
    changetype: modify
    replace: ibm-slapdPWEncryption
    ibm-slapdPWEncryption: <value>

- Here the ibm-slapdPWEncryption attribute can be assigned any of the following values: none, aes128, aes192, aes256, crypt, sha, ssha, or md5.

Slide 23: Password Encryption (continued)
- For the updated setting to take effect, restart the server (stop, then start) using the following commands:

    ibmslapd -I <instance> -k
    ibmslapd -I <instance> -n

- For the updated setting to take effect dynamically, without a restart, issue the following idsldapexop command:

    idsldapexop -D <adminDN> -w <adminPW> -op readconfig -scope single "cn=configuration" ibm-slapdPWEncryption
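The procedure on slides 22 and 23 (set `ibm-slapdPWEncryption` under `cn=configuration`, then restart the server or run `readconfig`) can be scripted so that the value is validated before it is sent and the resulting configuration is checked afterwards, which is also what "viewing results using the command line" on slide 20 amounts to. The following is an added example, not code from the presentation or from ITDS. The admin DN, password and instance name are placeholders, the scheme names are the ones slide 22 lists, the "weak" classification is this example's own policy rather than an ITDS rule, and the `idsldapsearch` output it audits is a constructed sample in the usual `attribute: value` form.

```python
import shlex
from typing import Dict, List, Optional

# Added example (not ITDS code). Scheme names are those the slide lists for
# ibm-slapdPWEncryption; <adminPW> and the instance name are placeholders.

ONE_WAY = {"crypt", "md5", "sha", "ssha"}
TWO_WAY = {"aes128", "aes192", "aes256"}
VALID_SCHEMES = ONE_WAY | TWO_WAY | {"none"}
# Schemes a reviewer would flag: clear text, and unsalted digests that are cheap
# to attack offline if the database is copied. Policy of this example, not ITDS.
WEAK_SCHEMES = {"none", "crypt", "md5", "sha"}


def classify_scheme(scheme: str) -> str:
    """Return 'clear', 'one-way' or 'two-way'; reject values the server would not accept."""
    s = scheme.lower()
    if s not in VALID_SCHEMES:
        raise ValueError(f"invalid ibm-slapdPWEncryption value: {scheme}")
    if s == "none":
        return "clear"
    return "one-way" if s in ONE_WAY else "two-way"


def build_pwencryption_ldif(scheme: str) -> str:
    """LDIF body for the idsldapmodify operation shown on the slide."""
    classify_scheme(scheme)  # validate before anything is sent to the server
    return ("dn: cn=configuration\n"
            "changetype: modify\n"
            "replace: ibm-slapdPWEncryption\n"
            f"ibm-slapdPWEncryption: {scheme.lower()}\n")


def activation_commands(admin_dn: str, instance: str, dynamic: bool) -> List[str]:
    """The commands from the slide that make the new setting take effect."""
    dn = shlex.quote(admin_dn)
    if dynamic:
        return [f"idsldapexop -D {dn} -w <adminPW> -op readconfig -scope single "
                "\"cn=configuration\" ibm-slapdPWEncryption"]
    return [f"ibmslapd -I {instance} -k", f"ibmslapd -I {instance} -n"]


def parse_search_output(text: str) -> Dict[str, List[str]]:
    """Minimal parser for idsldapsearch-style 'attr: value' lines of a single entry."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        # LDAP attribute names are case-insensitive, so key them in lower case
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_pwencryption(search_output: str) -> Dict[str, Optional[str]]:
    """Report which scheme is in effect and whether it should be flagged."""
    values = parse_search_output(search_output).get("ibm-slapdpwencryption", [])
    if len(values) != 1:
        return {"scheme": None, "kind": None, "flag": "attribute missing or multi-valued"}
    scheme = values[0].lower()
    return {"scheme": scheme, "kind": classify_scheme(scheme),
            "flag": "weak or clear-text password storage" if scheme in WEAK_SCHEMES else None}


# Constructed sample of the configuration entry as idsldapsearch would print it.
SAMPLE_SEARCH_OUTPUT = """\
dn: cn=Configuration
cn: Configuration
ibm-slapdPWEncryption: ssha
objectclass: top
objectclass: ibm-slapdTop
"""

if __name__ == "__main__":
    print(build_pwencryption_ldif("ssha"))
    print("\n".join(activation_commands("cn=root", "idsinst", dynamic=True)))
    print(audit_pwencryption(SAMPLE_SEARCH_OUTPUT))
```

The audit step is the part worth keeping after the change: reading `ibm-slapdPWEncryption` back confirms the modify was applied, and a `none`, `crypt`, `md5` or `sha` result is the kind of finding a configuration review should surface even when the server is otherwise healthy.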

Slide 24: Attribute Level Encryption

Slide 25: Attribute Level Encryption
- Using this method, the user can encrypt any attribute available in the schema, and so can hide or protect other confidential or sensitive data apart from the password attribute. It is a value-added feature of ITDS.
- It enables local administrative group members who are assigned the DirDataAdmin and SchemaAdmin roles to specify attributes that are to be encrypted in the directory database using a subset of the encryption schemes.
- DirDataAdmin: members of the administrative group who are assigned this role gain unrestricted access to all entries in the RDBM back-end. However, when setting the password attribute of RDBM entries, members still have to follow the usual password policy rules in effect.
- SchemaAdmin: members of the administrative group who are assigned the Schema Administrator role have unrestricted access to the schema back-end only.
- This allows group members to define specific attributes as non-matchable, meaning such attributes can only be used in presence filters. Additionally, the policy allows group members to specify whether values returned on a search should be encrypted or whether only attribute names should be returned.

Slide 26: Attribute Level Encryption (continued)
- ITDS provides two ways to configure encryption:
  - Web Administration Tool
  - Command line utility

Slide 27: Attribute Level Encryption (continued)
Command line utility: idsldapmodify
- To encrypt an attribute, for instance the "uid" attribute, using the AES encryption scheme, issue the following command:

    ldapmodify -D <adminDN> -w <adminPW>
    dn: cn=schema
    changetype: modify
    replace: attributetypes
    attributetypes: ( 0.9.2342.19200300.100.1.1 NAME 'uid' DESC 'Typically a user shortname or userid.' EQUALITY 1.3.6.1.4.1.1466.109.114.2 ORDERING 2.5.13.3 SUBSTR 2.5.13.4 USAGE userApplications SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    -

Slide 28: Attribute Level Encryption (continued)

    replace: IBMAttributetypes
    IBMAttributetypes: ( 0.9.2342.19200300.100.1.1 DBNAME( 'uid' 'uid' ) ACCESS-CLASS normal LENGTH 256 EQUALITY ORDERING SUBSTR APPROX ENCRYPT AES256 SECURE-CONNECTION-REQUIRED RETURN-VALUE encrypted )
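Schema changes like the one on slides 27 and 28 are easy to get subtly wrong (an unbalanced parenthesis, a dropped `SECURE-CONNECTION-REQUIRED`), so it helps to parse the `IBMAttributetypes` definition back out of the server and check the encryption-related flags before and after the modify. The block below is an added example, not code from the presentation or from ITDS: it parses a definition in the form the slide shows, reports its `ENCRYPT`, `SECURE-CONNECTION-REQUIRED` and `RETURN-VALUE` settings, applies a few review checks that are this example's own policy rather than ITDS rules, and builds the two-part modify LDIF. The keyword spellings are taken from the slide, and the uid definition embedded as sample input is the slide's own.

```python
import re
from typing import Dict, List

# Added example (not ITDS code). Keyword names follow the IBMAttributetypes
# definition shown on the slide; the checks below are this example's own policy.

ENCRYPT_SCHEMES = {"AES128", "AES192", "AES256"}  # two-way schemes the slides list


def parse_ibm_attributetype(definition: str) -> Dict[str, object]:
    """Extract the encryption-relevant fields from an IBMAttributetypes value."""
    body = definition.strip()
    if body.count("(") != body.count(")"):
        raise ValueError("unbalanced parentheses in IBMAttributetypes definition")
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("definition must be enclosed in parentheses")
    inner = body[1:-1].strip()
    oid = inner.split()[0]  # the numeric OID is always the first token
    dbname = re.search(r"DBNAME\s*\(\s*'([^']*)'\s*'([^']*)'\s*\)", inner)
    encrypt = re.search(r"\bENCRYPT\s+([A-Za-z0-9]+)", inner)
    return_value = re.search(r"\bRETURN-VALUE\s+([A-Za-z0-9]+)", inner)
    access_class = re.search(r"\bACCESS-CLASS\s+([A-Za-z0-9]+)", inner)
    length = re.search(r"\bLENGTH\s+(\d+)", inner)
    return {
        "oid": oid,
        "dbname": dbname.groups() if dbname else None,
        "access_class": access_class.group(1) if access_class else None,
        "length": int(length.group(1)) if length else None,
        "encrypt": encrypt.group(1).upper() if encrypt else None,
        "secure_connection_required": bool(re.search(r"\bSECURE-CONNECTION-REQUIRED\b", inner)),
        "return_value": return_value.group(1).lower() if return_value else None,
    }


def encryption_findings(parsed: Dict[str, object]) -> List[str]:
    """Review checks on a parsed definition (policy of this example, not ITDS rules)."""
    findings: List[str] = []
    enc = parsed["encrypt"]
    if enc is None:
        findings.append("attribute is not marked ENCRYPT; values are stored in clear text")
        return findings
    if enc not in ENCRYPT_SCHEMES:
        findings.append(f"ENCRYPT scheme {enc} is not one of the AES schemes listed on the slides")
    if not parsed["secure_connection_required"]:
        findings.append("encrypted at rest but SECURE-CONNECTION-REQUIRED is not set")
    if parsed["return_value"] != "encrypted":
        findings.append(f"RETURN-VALUE is {parsed['return_value']!r}, not 'encrypted'")
    return findings


def build_attribute_encryption_ldif(attributetype: str, ibm_attributetype: str) -> str:
    """The two-part modify against cn=schema shown on slides 27 and 28."""
    return ("dn: cn=schema\n"
            "changetype: modify\n"
            "replace: attributetypes\n"
            f"attributetypes: {attributetype}\n"
            "-\n"
            "replace: IBMAttributetypes\n"
            f"IBMAttributetypes: {ibm_attributetype}\n")


# Sample input: the uid definition from the slide, reused here as constructed input.
UID_IBM_ATTRIBUTETYPE = (
    "( 0.9.2342.19200300.100.1.1 DBNAME( 'uid' 'uid' ) ACCESS-CLASS normal LENGTH 256 "
    "EQUALITY ORDERING SUBSTR APPROX ENCRYPT AES256 SECURE-CONNECTION-REQUIRED "
    "RETURN-VALUE encrypted )"
)

if __name__ == "__main__":
    parsed = parse_ibm_attributetype(UID_IBM_ATTRIBUTETYPE)
    print(parsed)
    print(encryption_findings(parsed) or "no findings")
```

Feeding the block a definition copied from `idsldapsearch` against `cn=schema` turns the slide's manual inspection into a repeatable check: an unbalanced definition is rejected before it is ever submitted, and an attribute that was encrypted but left readable over a non-SSL connection shows up as a finding rather than going unnoticed.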

Slide 29: Attribute Level Encryption (continued)
Using the Web Administration Tool: [screenshot]

Slide 30: Attribute Level Encryption (continued) [screenshot]

Slide 31: Attribute Level Encryption (continued) [screenshot]

Slide 32: Attribute Level Encryption (continued)
Viewing results using the command line: [screenshot]

