Configure Secure Sockets Layer for the Lightweight Directory Access Protocol client
Overview
This topic describes how to establish a Secure Sockets Layer (SSL) connection between WebSphere Application Server and a Lightweight Directory Access Protocol (LDAP) server. This page provides an overview. Refer to the linked pages for more details. To understand SSL concepts, refer to Secure Sockets Layer.
Setting up an SSL connection between WebSphere Application Server and an LDAP server requires the following steps:
- Set up an LDAP server with users.The server configured
in this example is IBM Directory Server. Other servers are configured
differently. Refer to the documentation of the directory server you are using
for details on SSL enablement. For a product-supported LDAP directory server,
see the Supported directory services article.
- Configure certificates for the LDAP server using the key management
utility (iKeyman) that is shipped with the IBM HTTP Server product.
- Click Key Database File > New.
- Type LDAPkey.kdb as the file name and a proper path.
- Click Personal Certificates > New Self-Signed Certificate.
The Create New Self-Signed Certificate panel is displayed. Type the
following information in the fields and click OK:
- Key Label
- LDAP_Cert
- Common Name
- droplet.austin.ibm.com
This common name is the host name where the WebSphere Application Server plug-in runs.
- Organization
- ibm
- Country
- US
- Return to the Personal Certificates panel and click Extract
Certificate.
- Click the Base64-encoded ASCII data data type. Type LDAP_cert.arm as
the file name and a proper path. Click OK.
- Enable SSL on the LDAP server:
- Copy the LDAPkey.kdb, LDAPkey.sth, LDAPkey.rdb,
and LDAPkey.crl files created previously to the LDAP server system,
for example, the \Program Files\IBM\LDAP\ssl\ directory.
- Open the LDAP Web administrator from a browser (http://secnt3.austin.ibm.com/ldap,
for example). IBM HTTP Server is running on secnt3.
- Click SSL properties to open the SSL Settings window.
- Click SSL On > Server Authentication and type
an SSL port (636, for example) and a full path to the LDAPkey.kdb file.
- Click Apply, and restart the LDAP server.
- Copy the LDAPkey.kdb, LDAPkey.sth, LDAPkey.rdb,
and LDAPkey.crl files created previously to the LDAP server system,
for example, the \Program Files\IBM\LDAP\ssl\ directory.
- Manage certificates for WebSphere Application Server using the
default SSL key files.
- Open the install_root\etc\DummyServerTrustFile.jks file
using the key management utility that shipped with WebSphere Application Server.
The password is WebAS.
- Click Personal Certificates > Import.The Import Key panel is displayed. Specify LDAP_cert.arm for the file name. Complete this step for all the servers including the deployment manager.
- Open the install_root\etc\DummyServerTrustFile.jks file
using the key management utility that shipped with WebSphere Application Server.
The password is WebAS.
- Establish a connection between the WebSphere Application Server
and the LDAP server.
- In the administrative console, click User Registry > LDAP
User Registry > LDAP Settings. Fill in the Server ID, Server
Password, Type, Host, Port, and Base Distinguished
Name fields. Select the SSL Enabled check box. The port is the
one that the LDAP server is using for SSL (636, for example). Click Apply.
- Click Authentication Mechanisms > LTPA > Single SignOn (SSO). Type in a domain name (austin.ibm.com, for example). Click Apply.
- In the administrative console, click User Registry > LDAP
User Registry > LDAP Settings. Fill in the Server ID, Server
Password, Type, Host, Port, and Base Distinguished
Name fields. Select the SSL Enabled check box. The port is the
one that the LDAP server is using for SSL (636, for example). Click Apply.
- Enable global security.
- Click Security > Global Security. Select the Enabled check
box. Choose LTPA as the active authentication mechanism and LDAP as
the active user registry. Click Apply and Save.
Note: Verify that the security level for the LDAP server is set to HIGH. The default security level is HIGH (128-bit).
- Check the LDAP_install_root\etc\slapd32.conf file;
verify that the ibm-slapdSSLCipherSpecs parameter has the value, 15360, instead
of 12288.
- Restart the servers.For a Network Deployment environment, see Enabling global security. Restarting the servers ensures that the security settings are synchronized between the deployment manager and the appservers.
- Click Security > Global Security. Select the Enabled check
box. Choose LTPA as the active authentication mechanism and LDAP as
the active user registry. Click Apply and Save.
Results
You can test the configuration by accessing https://fully_qualified_host_name:9443/snoop. You are presented with a login challenge.
Example
What to do next
- If you are enabling security, make sure that you complete the remaining
steps. As the final step, validate this configuration by clicking OK or Apply in
the Global Security panel. Refer to the Configuring global security article for detailed steps on enabling global security.
- For changes in this panel to become effective, save, stop, and start all
WebSphere Application Servers (cells, nodes and all the appservers).
- After the server starts up, go through all the security-related tasks (getting users, getting groups, and so on) to make sure that the changes to the filters are functioning.
Secure Sockets Layer
Lightweight Directory Access Protocol
Local operating system user registries
Custom user registries
Configuring Secure Sockets Layer
Creating a keystore file
Creating self-signed personal certificates
Creating certificate signing requests
Creating truststore files
Importing signer certificates
Configuring global security
Enabling global security