Configure Secure Sockets Layer for the LDAP client
Overview
This topic describes how to establish a SSL connection between WAS and an LDAP server. This page provides an overview.
Setting up an SSL connection between WAS and an LDAP server requires the following steps:
Procedure
- Set up an LDAP server with users.
The server configured in this example is IBM Directory Server. Other servers are configured differently. Refer to the documentation of the directory server you are using for details on SSL enablement. For a product-supported LDAP directory server, see the Supported directory services article.
- Configure certificates for the LDAP server using the key management utility (iKeyman) that is located in...
install_dir/java/jre/bin- Click Key Database File > New.
- Type LDAPkey.kdb as the file name and a proper path and click OK.
- Specify a password, confirm the password, and click OK.
- Under Key database content, select Personal Certificates.
- Click New Self-signed. The Create New Self-Signed Certificate panel is displayed. Type the following required information in the fields and click OK:
- Key Label
- LDAP_Cert
- Version
- Select the version of the X.509 certificate.
- Key size
- Select either a 512 or a 1024 bit size for your key.
- Common Name
- droplet.austin.ibm.com
This common name is the host name where the WAS plug-in runs.
- Organization
- ibm
- Country
- US
- Validity period
- Specify the number days in which your certificate is valid.
- Return to the Personal Certificates panel and click Extract Certificate.
- Click the Base64-encoded ASCII data data type. Type LDAP_cert.arm as the file name and a proper path. Click OK.
- Enable SSL on the LDAP server:
- Copy the LDAPkey.kdb, LDAPkey.sth, LDAPkey.rdb, and LDAPkey.crl files created previously to the LDAP server system, for example, the /Program Files/IBM/LDAP/ssl/ directory.
- Open the LDAP Web administrator from a browser (http://secnt3.austin.ibm.com/ldap, for example). IBM HTTP Server is running on secnt3.
- Click SSL properties to open the SSL Settings window.
- Click SSL On > Server Authentication and type an SSL port (636, for example) and a full path to the LDAPkey.kdb file.
- Click Apply, and restart the LDAP server.
- Manage certificates for WAS using the default SSL key files.
- Open the install_root/profiles/default/etc/DummyServerTrustFile.jks file using the key management utility that shipped with WebSphere Application Server. The password is WebAS. Attention: It is recommended that you create your own trustfile.jks file rather than modifying the DummyServerTrustFile.jks file. If you use the DummyServerTrustFile.jks file, there is a risk that your changed settings might be overwritten if you update the product with iFixes.
- Click Signer certificate > Add. The Add CA's Certificate from a File window is displayed. Specify LDAP_cert.arm for the file name. Complete this step for all the servers and the deployment manager.
- Establish a connection between the WAS and the LDAP server using the WAS administrative console.
- Click Security > Global security.
- Under User registries, click LDAP.
- Enter the Server ID, Server Password, Type, Host, Port, and Base Distinguished Name fields.
- Select the SSL Enabled option. The port is the same port number that the LDAP server is using for SSL (636, for example).
- Click Apply.
- Return to the Global security panel and click Authentication Mechanisms > LTPA > Single SignOn (SSO).
- Under Additional properties, click Single signon (SSO).
- Type in a domain name (austin.ibm.com, for example).
- Click Apply.
- Enable global security.
- Click Security > Global Security.
- Select the Enable global security option.
- Select the LTPA option as the active authentication mechanism and the LDAP user registry option as the active user registry.
Note: Verify that the security level for the LDAP server is set to HIGH. The default security level is HIGH (128-bit).
- Click Apply and Save.
- Verify that the ibm-slapdSSLCipherSpecs parameter in the LDAP_install_root/etc/slapd32.conf file has the value, 15360, instead of 12288.
- Restart the servers.
For a Network Deployment environment, see Enabling global security.
Restarting the servers ensures that the security settings are synchronized between the deployment manager and the application servers.
Result
We can test the configuration by accessing https://fully_qualified_host_name:9443/snoop. You are presented with a login challenge. This test can be beneficial when using LDAP as your user registry. Sensitive information can flow between the WAS and the LDAP server, including passwords. Using SSL to encrypt the data protects this sensitive information.
What to do next
- If you are enabling security, make sure that you complete the remaining steps. As the final step, validate this configuration by clicking OK or Apply in the Global Security panel. Refer to the Configuring global security article for detailed steps on enabling global security.
- For changes in this panel to become effective, save, stop, and start all WAS appservers (cells, nodes and all the application servers).
- After the server starts up, go through all the security-related tasks (getting users, getting groups, and so on) to make sure that the changes to the filters are functioning.
See Also
Secure Sockets Layer
Lightweight Directory Access Protocol
Local operating system user registries
Custom user registries
Related Tasks
Create a keystore file
Create self-signed personal certificates
Create certificate signing requests
Create truststore files
Import signer certificates
Configure global security
Enable global security