Windows Active Directory

Overview

You might want to configure WebSphere Application Server and WebSphere Portal access to your LDAP user registry over SSL to ensure the confidentiality of the data exchanged between WebSphere Application Server, WebSphere Portal, and your LDAP user registry. For example, user passwords are sent over the network between the LDAP user registry and WebSphere Portal: when the WebSphere Portal user management tools create users or change passwords, and whenever WebSphere Application Server authenticates a user name and password pair through an LDAP BIND operation. Configuring LDAP over SSL is therefore important to protect sensitive data. It might also be required to ensure that user attributes retrieved from the directory cannot be read by someone capturing packets on the network, if those attributes include sensitive information or privacy is a concern.

In order to ensure that all this information remains private, it is necessary to configure both WebSphere Application Server and WebSphere Portal to use LDAP over SSL to the LDAP user registry. Configuring LDAP over SSL for WebSphere Application Server and WebSphere Portal is a separate operation from configuring the IBM HTTP Server to accept incoming browser requests over HTTPS, or configuring HTTPS between the IBM HTTP Server and WebSphere Application Server in a distributed setup.

A full primer on the configuration of all the LDAP user registries and WebSphere Application Server is beyond the scope of this WebSphere Portal documentation. Consult the documentation for your LDAP server to configure the directory for SSL traffic. For WebSphere Application Server, the IBM Redbook IBM WebSphere V5.0 Security, SG24-6573-00 is available, and Appendix B contains instructions for configuring WebSphere Application Server for LDAP over SSL. You can also consult the WebSphere Application Server product documentation.

To use Active Directory as the LDAP server, you might need to configure the LDAP connection between WebSphere Portal and Active Directory over SSL. This is required if you want to create new users or otherwise write to the LDAP directory using WebSphere Portal. New users can be created either by allowing users to use the WebSphere Portal self-registration function or by allowing administrators to use the Manage Users and Manage Groups portlets. Active Directory will not allow an unsecured LDAP connection to be used to set a user's password. If you do not intend to use WebSphere Portal to create new users in Active Directory, then you do not need to configure LDAP to Active Directory over SSL.

Get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL.

Before configuring

It is required that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. By doing this, you can verify that the directory is responding to LDAP requests before setting it up for SSL.

WebSphere Portal does not support installing to an LDAP user registry that is only available via SSL. It requires that a non-SSL LDAP port be available for the install. LDAP over SSL should be configured as a post-install step.

To use Active Directory as the LDAP Server, you might need to configure the LDAP connection between WebSphere Portal and Active Directory over SSL. Configuring the connection between WebSphere Portal and Active Directory over SSL is required if you want to create new users using WebSphere Portal. New users can be created by either allowing users to use the WebSphere Portal self-registration function or by allowing administrators to use the Manage Users and Manage Groups portlets. This is because Active Directory will not allow an unsecured LDAP connection to be used to set the password for a user. If you do not intend to use WebSphere Portal to create new users in Active Directory, then you do not need to configure LDAP to Active Directory over SSL.

Import certificate(s) to WebSphere Portal to enable SSL connection

Importing certificates to a WebSphere Portal keystore

WebSphere Portal can be configured to use a specifically named Java Key Store so that WebSphere Portal and WebSphere Application Server share the same truststore configured in the SSL configuration of the CSIv2 Outbound Transport. To specify the Java Key Store, follow these steps:

  1. Stop WebSphere Portal.

  2. Log on to the WebSphere Application Server Administration Console.

  3. Navigate to Security > User Registries > LDAP.

  4. Check the sslEnabled box (set sslEnabled to true).

  5. Set the LDAP Port to 636.

  6. Save changes.

  7. Stop and restart your WebSphere Application Server (server1).

  8. In a text editor, open the file wmm.xml in the wp_root/wmm directory, where wp_root is the installation directory for WebSphere Portal.

  9. Navigate to the stanza that begins ldapRepository name="wmmLDAP".

  10. Verify that ldapPort="636".

  11. Verify that sslEnabled="true".

  12. At the end of this stanza, add sslTrustStore="was_root\etc\DummyServerTrustFile.jks", where was_root is the installation directory for WebSphere Application Server.

  13. Save the file.

  14. Stop and restart your WebSphere Application Server (server1).

  15. Restart WebSphere Portal.
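As an added check that is not part of the IBM documentation, the following Python script parses a wmm.xml and reports whether the ldapRepository name="wmmLDAP" stanza carries the three settings that steps 10 to 12 call for. Only the element name and the ldapPort, sslEnabled and sslTrustStore attributes come from the procedure above; the enclosing elements, the ldapHost attribute and the truststore path in the two constructed sample stanzas are assumptions.

```python
"""Check the ldapRepository stanza of a WebSphere Portal wmm.xml for LDAP-over-SSL settings.

Added example, not IBM code. Only the element name and the ldapPort, sslEnabled and
sslTrustStore attributes are taken from the procedure; everything else is assumed.
"""
import xml.etree.ElementTree as ET

# Constructed stanza as it might look before the SSL steps (non-SSL port 389).
WMM_BEFORE = """<wmm>
  <repositories>
    <ldapRepository name="wmmLDAP" ldapHost="ad.example.test"
        ldapPort="389" sslEnabled="false"/>
  </repositories>
</wmm>"""

# Constructed stanza after steps 10 to 12; the truststore path stands in for was_root.
WMM_AFTER = """<wmm>
  <repositories>
    <ldapRepository name="wmmLDAP" ldapHost="ad.example.test"
        ldapPort="636" sslEnabled="true"
        sslTrustStore="C:\\WebSphere\\AppServer\\etc\\DummyServerTrustFile.jks"/>
  </repositories>
</wmm>"""


def find_repository(wmm_xml, repo_name="wmmLDAP"):
    """Return the ldapRepository element with the given name, or None."""
    root = ET.fromstring(wmm_xml)
    for elem in root.iter("ldapRepository"):
        if elem.get("name") == repo_name:
            return elem
    return None


def check_ldap_ssl(wmm_xml, repo_name="wmmLDAP"):
    """Return a list of findings; an empty list means the stanza matches steps 10 to 12."""
    repo = find_repository(wmm_xml, repo_name)
    if repo is None:
        return ['no ldapRepository name="%s" stanza found' % repo_name]

    findings = []
    port = repo.get("ldapPort")
    if port != "636":
        findings.append('ldapPort is %r, expected "636" (LDAPS)' % port)
    if (repo.get("sslEnabled") or "").lower() != "true":
        findings.append('sslEnabled is %r, expected "true"' % repo.get("sslEnabled"))
    trust = repo.get("sslTrustStore")
    if not trust:
        findings.append("sslTrustStore is not set; the LDAP server certificate cannot be verified")
    elif not trust.lower().endswith(".jks"):
        findings.append("sslTrustStore %r does not look like a JKS file" % trust)
    return findings


if __name__ == "__main__":
    for label, xml in (("before", WMM_BEFORE), ("after", WMM_AFTER)):
        print(label, check_ldap_ssl(xml) or "OK")
```

Run it against the real wp_root/wmm/wmm.xml by reading the file into a string and passing it to check_ldap_ssl; an empty result means the stanza is consistent with the port, sslEnabled and sslTrustStore settings the procedure asks for, but it does not prove the truststore itself contains the signer certificate.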

Configure Active Directory over SSL

Active Directory and Internet Information Services (IIS) should be installed and configured before you install WebSphere Portal.

  1. You must have installed Certificate Services before configuring Active Directory for SSL. Refer to Install Windows Active Directory for more information.

  2. Export the root CA certificate.

    1. Open a Web browser and connect to http://localhost/certsrv.

    2. Select task Retrieve the CA certificate or certificate revocation list and click Next.

    3. Choose the certificate you created (Current) and the format (either DER encoded or Base 64 encoded). Then click Download CA certificate.

    4. Save this certificate in a file. For example, call the certificate certnew.cer.

    5. Load mmc.exe and then the Certificate Authority snap-in. Find the root certificate public key and save to file.

  3. Import the certificate to the WebSphere Application Server keystore.

    1. Open a command window and change directory to was_root/bin.

    2. Launch the IKeyMan utility by typing ikeyman.

    3. In IKeyMan, click Open, leave the Key database type as JKS and choose the cacerts key store under the was_root/java/jre/lib/security directory. The default password for the key store is changeit.

    4. Choose Signer Certificates and click Add.

    5. According to the data type of the certificate you created in the previous step, select the corresponding data type (either Binary DER data or Base64-encoded ASCII data). Locate the certificate file (for example, certnew.cer), then click OK.

    6. Type a name for the certificate and click OK.

    7. Save the updated cacerts file.

    8. In IKeyMan, click Open, leave the Key database type as JKS and choose the was_root/etc/DummyServerTrustFile.jks file. By default, the password for this file is WebAS.

    9. Choose Signer Certificates and click Add.

    10. According to the data type of the certificate you created in the previous step, select the corresponding data type (either Binary DER data or Base64-encoded ASCII data). Locate the certificate file (for example, certnew.cer), then click OK.

    11. Type a name for the certificate and click OK.

    12. Save the updated DummyServerTrustFile.jks file and exit the utility.
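Steps 5 and 10 require you to pick the data type that matches the certificate file you saved. The following Python helpers, an added example rather than IBM's code, tell a DER file from a Base64 (PEM) file, convert between the two, and optionally open a TLS connection to the directory's port 636 trusting only that certificate, which is a quick way to confirm that the exported CA really validates the Active Directory server certificate before WebSphere is restarted. SAMPLE_DER is a constructed placeholder with only the ASN.1 prefix of a DER certificate, not a real certificate; verify_ldaps_trust needs network access to a directory, and any host name you pass it is your own.

```python
"""Tell DER from Base64 certificate files and test the exported CA against LDAPS.

Added example, not IBM code. SAMPLE_DER is a constructed byte string, not a real
certificate; it only has the ASN.1 SEQUENCE prefix that a DER certificate starts with.
"""
import base64
import re
import socket
import ssl

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder: SEQUENCE tag, long-form length 0x0100, then 256 zero bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def detect_encoding(data):
    """Return 'DER' or 'Base64', the two formats the certificate server offers."""
    if PEM_RE.search(data):
        return "Base64"
    # A DER certificate is an outer ASN.1 SEQUENCE (tag 0x30); real certificates are
    # several hundred bytes, so the length uses the long form (0x82 or 0x83 follows).
    if len(data) > 2 and data[0] == 0x30 and data[1] in (0x82, 0x83):
        return "DER"
    raise ValueError("not a DER or Base64 (PEM) certificate")


def ikeyman_data_type(data):
    """Map the detected encoding to the data type name shown in the IKeyMan dialog."""
    return {"DER": "Binary DER data", "Base64": "Base64-encoded ASCII data"}[detect_encoding(data)]


def pem_to_der(data):
    """Decode the first CERTIFICATE block of a Base64 (PEM) file to DER bytes."""
    match = PEM_RE.search(data)
    if match is None:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode(b"".join(match.group(1).split()))


def der_to_pem(der):
    """Wrap DER bytes as a Base64 (PEM) CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def verify_ldaps_trust(host, ca_bytes, port=636, timeout=5.0):
    """Handshake with the directory's LDAPS port trusting only the exported CA.

    Returns the server certificate subject as a dict; raises ssl.SSLCertVerificationError
    when the CA does not validate the server certificate. Needs network access to a
    directory, so it is not exercised offline.
    """
    der = ca_bytes if detect_encoding(ca_bytes) == "DER" else pem_to_der(ca_bytes)
    # Passing cadata means the default system roots are NOT loaded: only this CA is trusted.
    ctx = ssl.create_default_context(cadata=der)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return dict(rdn[0] for rdn in cert["subject"])


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(ikeyman_data_type(SAMPLE_DER), "/", ikeyman_data_type(pem))
    print("round trip ok:", pem_to_der(pem) == SAMPLE_DER)
```

To check a real export, read certnew.cer as bytes, print ikeyman_data_type on it to learn which radio button to pick, and call verify_ldaps_trust with your domain controller's host name; a successful return shows the CA you are about to import into cacerts and DummyServerTrustFile.jks is the one that signed the directory's SSL certificate, while an ssl.SSLCertVerificationError means you exported the wrong certificate or the server name does not match.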

Next steps

You have completed this step. Continue to the next step by choosing one of the following topics:

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.