Add the LDAPTrustedCA and LDAPTrustedCAType directives to httpd.conf if
the IBM HTTP Server connection to the LDAP server is an SSL connection.
The LDAPTrustedCA directive specifies the directory path and file
name of the trusted certificate authority (CA) that mod_ldap should use when
establishing an SSL connection to an LDAP server.
Certificates can
be stored in a .kdb file or a SAF key ring. If a .kdb file
is used, a .sth file must be located in the same directory
path and have the same filename, but the extension must be .sth instead
of .kdb.
The LDAPTrustedCAType directive must be set to
one of the following values, which are defined for z/OS only:
- KDB_FILE. Use this value if the certificates indicated by the LDAPTrustedCA
directive are stored in a .kdb file.
- SAF_KEYRING. Use this value if the certificates indicated by the LDAPTrustedCA
directive are stored in a SAF key ring.
Example when the certificate is stored in a .kdb file:
LDAPTrustedCA "/usr/lpp/internet/server4.kdb"
LDAPTrustedCAType KDB_FILE
Example when the certificate is stored in a SAF key ring:
LDAPTrustedCA SAFKeyring
LDAPTrustedCAType SAF_KEYRING
Important: The user
ID that you use to start IBM HTTP Server must have access to the SAF key ring
that you name in this directive. If the user ID does not have access to the
SAF key ring, SSL initialization fails.
See Performing required z/OS system configurations for information on accessing
SAF key rings defined in RACF.
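The following pre-start check is an added example, not IBM code: it reads httpd.conf text, confirms that the two directives agree, and for KDB_FILE confirms that the .kdb file and its same-named .sth stash file are both present. The helper name check_ldap_trust is hypothetical, the directive values are matched exactly as spelled on this page, and SAF key ring access for the server's user ID is not something a file system check can verify.

```python
import os
import re

# Matches the two directives on their own line; commented-out lines do not match.
DIRECTIVE = re.compile(
    r'^[ \t]*(LDAPTrustedCAType|LDAPTrustedCA)[ \t]+(?:"([^"\n]*)"|(\S+))[ \t]*$',
    re.I | re.M,
)
VALID_TYPES = ("KDB_FILE", "SAF_KEYRING")  # values as spelled on this page


def check_ldap_trust(conf_text, exists=os.path.isfile):
    """Return a list of problems with the LDAP trust settings (empty = consistent).

    Hypothetical helper. `exists` is injectable so the check can be tested offline.
    """
    found = {}
    for name, quoted, bare in DIRECTIVE.findall(conf_text):
        found[name.lower()] = quoted or bare  # last occurrence wins (assumption)
    ca, ca_type = found.get("ldaptrustedca"), found.get("ldaptrustedcatype")

    problems = []
    if ca is None:
        problems.append("LDAPTrustedCA is not set")
    if ca_type is None:
        problems.append("LDAPTrustedCAType is not set")
    elif ca_type not in VALID_TYPES:
        problems.append(f"unknown LDAPTrustedCAType: {ca_type}")

    if ca and ca_type == "KDB_FILE":
        root, ext = os.path.splitext(ca)
        if ext != ".kdb":
            problems.append(f"KDB_FILE expects a .kdb file, got: {ca}")
        if not exists(ca):
            problems.append(f"key database missing: {ca}")
        # The stash file must sit beside the .kdb with the same base name.
        if not exists(root + ".sth"):
            problems.append(f"stash file missing: {root}.sth")
    elif ca and ca_type == "SAF_KEYRING" and ca.endswith(".kdb"):
        problems.append(f"SAF_KEYRING set but LDAPTrustedCA names a .kdb file: {ca}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the .kdb example from this page.
    sample = 'LDAPTrustedCA "/usr/lpp/internet/server4.kdb"\nLDAPTrustedCAType KDB_FILE\n'
    for problem in check_ldap_trust(sample) or ["trust settings are consistent"]:
        print(problem)
```

Run it as the user ID that starts IBM HTTP Server so that the file checks reflect what the server itself can read.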