Set up LDAP over SSL to Active Directory Application Mode

This section describes procedures for configuring Microsoft Active Directory Application Mode over SSL.


Overview

We can configure IBM WebSphere Application Server and IBM WebSphere Portal to access the LDAP user registry over SSL to ensure the confidentiality of the data exchanged between WebSphere Application Server, WebSphere Portal, and the LDAP user registry. For example, user passwords travel over the network between the LDAP user registry and WebSphere Portal: when the WebSphere Portal user management tools create a user or change a password, the new password is written to the directory, and whenever WebSphere Application Server authenticates a user name and password pair it does so through an LDAP BIND operation, which on a non-SSL connection carries the password in clear text. Configuring LDAP over SSL is therefore important for protecting this sensitive data. Also, if the attributes of a user include sensitive information or privacy is a concern, SSL might be required to ensure that user attributes retrieved from the directory cannot be read by someone capturing packets on the network.

To ensure that all this information remains private, configure both WebSphere Application Server and WebSphere Portal to use LDAP over SSL to the LDAP user registry. Configuring LDAP over SSL for WebSphere Application Server and WebSphere Portal is a separate operation from configuring the IBM HTTP Server to accept incoming browser requests over HTTPS, or from configuring HTTPS between the HTTP Server and WebSphere Application Server in a distributed setup; each hop needs its own SSL configuration.
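The BIND operation mentioned above is easy to see on the wire. The following script is an added example for this page (it is not IBM code and not part of the original documentation): it encodes an LDAP v3 simple BindRequest by hand in BER, decodes the BindResponse result code, and sends the same PDU either over plain TCP (the non-SSL check this section asks you to complete first) or inside a TLS session that requires a chain to the exported root CA and a matching host name. The DN, password, host name and file name in the usage comments are placeholders; the only real names are the RFC 4511 tags and the Python standard library.

```python
import socket
import ssl


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """One BER TLV: tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """BER INTEGER for a non-negative value (extra octet keeps the sign bit clear)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return ber(0x02, value.to_bytes(n, "big"))


def bind_request(message_id, dn, password):
    """LDAPMessage carrying a simple BindRequest (RFC 4511, section 4.2).

    BindRequest is [APPLICATION 0] (tag 0x60); the simple credential is the
    context tag [0] (0x80) holding the password as a plain OCTET STRING, which
    is exactly why a non-SSL bind exposes it to anyone capturing packets.
    """
    body = ber_int(3) + ber(0x04, dn.encode("utf-8")) + ber(0x80, password.encode("utf-8"))
    return ber(0x30, ber_int(message_id) + ber(0x60, body))


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(pdu):
    """resultCode of a BindResponse ([APPLICATION 1], tag 0x61):
    0 is success, 49 is invalidCredentials."""
    tag, msg, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)          # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = read_tlv(op)
    if tag != 0x0A:                    # ENUMERATED
        raise ValueError("malformed BindResponse")
    return int.from_bytes(code, "big")


def ldaps_context(ca_file=None):
    """TLS client context that requires a trusted chain and a matching host name.
    ca_file is the exported root CA (for example certnew.cer, in either DER or
    Base64 form); with None the platform trust store is used instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname
    if ca_file:
        with open(ca_file, "rb") as f:
            data = f.read()
        if data[:1] == b"\x30":                      # DER: an ASN.1 SEQUENCE
            ctx.load_verify_locations(cadata=data)
        else:                                        # Base64 with PEM armor
            ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def ldap_bind(host, port, dn, password, ca_file=None, use_tls=True):
    """Bind once and return the server's resultCode.

    use_tls=False is the plain LDAP check to run before enabling SSL; with
    use_tls=True the identical PDU is sent inside a verified TLS session.
    Usage (placeholder host, DN and password):
        ldap_bind("adam.example.com", 389, "cn=admin,o=portal", "pw", use_tls=False)
        ldap_bind("adam.example.com", 636, "cn=admin,o=portal", "pw", "certnew.cer")
    """
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:
        sock = ldaps_context(ca_file).wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, dn, password))
        return bind_result_code(sock.recv(4096))
```

Calling `bind_request` alone shows the point of the section: the returned bytes contain the password verbatim, so a plain capture of port 389 traffic yields credentials. `ldaps_context` deliberately keeps certificate verification and host name checking on; turning either off would accept any server that speaks TLS, which is no better than the plain connection for an attacker in the path.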

A full primer on configuring all the supported LDAP user registries with WebSphere Application Server is beyond the scope of this WebSphere Portal documentation. Consult the documentation for the LDAP server to configure the directory for SSL traffic. For WebSphere Application Server, refer to http://www.redbooks.ibm.com/ and search for the Security Handbooks for the latest information about configuring WebSphere Application Server for LDAP over SSL. We can also consult the WebSphere Application Server library at http://www.ibm.com/software/webservers/appserv/was/library/.


Before configuring

Get LDAP (non-SSL) working successfully before setting up LDAP over SSL. This verifies that the directory is responding to LDAP requests, so that any failure after enabling SSL can be attributed to the SSL configuration (certificates, truststore, port) rather than to the directory itself.

WebSphere Portal does not support installing to an LDAP user registry that is only available through SSL. It requires that a non-SSL LDAP port be available for the install. LDAP over SSL should be configured as a post-install step.


Import certificates to WebSphere Portal to enable SSL connection

Import certificates to a WebSphere Portal keystore

Active Directory Application Mode and Internet Information Services (IIS) should be installed and configured before you install WebSphere Portal.

  1. You must have Certificate Services installed before configuring Active Directory Application Mode for SSL. Refer to Installing Active Directory Application Mode for more information.

  2. You must then export the root CA certificate.

    1. Open a Web browser and connect to http://localhost/certsrv.

    2. Select task Retrieve the CA certificate or certificate revocation list and click Next.

    3. Choose the certificate you created (Current) and the format (either DER encoded or Base 64 encoded). Then click Download CA certificate.

    4. Save this certificate in a file. For example, call the certificate certnew.cer

    5. Alternatively, load mmc.exe with the Certification Authority snap-in, locate the root CA certificate, and export its public certificate to a file.

  3. Import the certificate to the WebSphere Application Server keystore.

    1. Open a command window and change directory to was_profile_root/bin.

    2. Launch the ikeyman utility by typing ikeyman.

    3. In ikeyman, click on Open, leave the Key database type as JKS and choose cacerts key store under the app_server_root/java/jre/lib/security directory. The default password for the key store is changeit.

    4. Choose Signer Certificates and click Add.

    5. Select the data type that matches the format you chose when exporting the certificate in step 2 (either Binary DER data or Base64-encoded ASCII data). Locate the certificate file (for example, certnew.cer), then click OK.

    6. Type a name for the certificate and click OK.

    7. Save the updated cacerts file.

    8. In ikeyman, click on Open, leave the Key database type as JKS and choose the was_profile_root/etc/DummyServertrustfile.jks file. By default, the password for this file is WebAS.

    9. Choose Signer Certificates and click Add.

    10. Select the data type that matches the format you chose when exporting the certificate in step 2 (either Binary DER data or Base64-encoded ASCII data). Locate the certificate file (for example, certnew.cer) and then click OK.

    11. Type a name for the certificate and click OK.

    12. Save the updated DummyServertrustfile.jks file and exit the utility.
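After the two imports above it is worth confirming, independently of ikeyman, that the root CA actually landed in cacerts and in DummyServertrustfile.jks. The following added example (not IBM code and not part of this documentation) reads the JKS file format directly: it normalizes the exported CA file from either format the certsrv page offers (raw DER or Base64 with PEM armor) to DER, verifies the keystore's SHA-1 integrity trailer against the store password, and lists the trusted-certificate entries so the CA can be matched by bytes rather than by alias. The small JKS writer exists only to build a constructed keystore for the test; the file names, alias and the five-byte stand-in certificate in the comments are placeholders.

```python
import base64
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"     # fixed string the JKS integrity digest mixes in


def normalize_ca_cert(data):
    """Return DER bytes from either file the certsrv page offers: raw DER
    (an ASN.1 SEQUENCE, first byte 0x30) or Base64 between PEM armor lines."""
    if data[:1] == b"\x30":
        return data
    lines = [l for l in data.decode("ascii").splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def _utf(s):
    """Java DataOutput.writeUTF: 2-byte length prefix then the bytes (ASCII aliases)."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _take(fmt, data, pos):
    """Unpack one big-endian field at pos; return (value, next position)."""
    size = struct.calcsize(">" + fmt)
    return struct.unpack(">" + fmt, data[pos:pos + size])[0], pos + size


def _digest(password, body):
    """JKS trailer: SHA-1 over the password as UTF-16BE, the fixed salt, and the body."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def write_jks_trusted(entries, password):
    """Build a version-2 JKS holding only trusted-certificate entries (tag 2).
    Only used here to produce a constructed keystore to read back."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries.items():
        body += struct.pack(">I", 2) + _utf(alias.lower()) + struct.pack(">Q", 0)  # tag, alias, timestamp
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(password, body)


def jks_password_ok(data, password):
    """True when the trailing SHA-1 matches: right password and unmodified file."""
    return _digest(password, data[:-20]) == data[-20:]


def read_jks_trusted(data, password=None):
    """Return {alias: DER} for the trusted-certificate entries of a JKS file.
    Private-key entries (tag 1) are skipped; the digest is checked if a
    password is given (changeit for cacerts, WebAS for DummyServertrustfile.jks)."""
    if password is not None and not jks_password_ok(data, password):
        raise ValueError("JKS integrity check failed: wrong password or modified file")
    magic, version, count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, out = 12, {}
    for _ in range(count):
        tag, pos = _take("I", data, pos)
        n, pos = _take("H", data, pos)
        alias = data[pos:pos + n].decode("utf-8")
        pos += n + 8                                   # alias bytes, then 8-byte timestamp
        if tag == 2:
            n, pos = _take("H", data, pos)
            pos += n                                   # certificate type string, e.g. X.509
            clen, pos = _take("I", data, pos)
            out[alias] = data[pos:pos + clen]
            pos += clen
        elif tag == 1:
            klen, pos = _take("I", data, pos)
            pos += klen                                # encrypted private key
            chain, pos = _take("I", data, pos)
            for _ in range(chain):
                n, pos = _take("H", data, pos)
                pos += n
                clen, pos = _take("I", data, pos)
                pos += clen
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return out


def ca_is_trusted(keystore_path, password, ca_cert_path):
    """Confirm the exported root CA is present in a keystore, matched by bytes.
    Example: ca_is_trusted("DummyServertrustfile.jks", "WebAS", "certnew.cer")"""
    with open(keystore_path, "rb") as f, open(ca_cert_path, "rb") as c:
        der = normalize_ca_cert(c.read())
        return der in read_jks_trusted(f.read(), password).values()
```

Matching by certificate bytes rather than by the alias typed in ikeyman catches the common mistake of importing the wrong file (for example a server certificate instead of the root CA) under a convincing name. A failed integrity check on cacerts usually means the keystore password was changed from the default changeit; a failure on DummyServertrustfile.jks means the same for WebAS.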


Configure Active Directory Application Mode over SSL

WebSphere Portal can be configured to use a specifically named Java Key Store so that WebSphere Portal and WebSphere Application Server share the same truststore configured in the SSL configuration of the CSIv2 Outbound Transport. To specify the Java Key Store...

If WebSphere Application Server is not set up to use LDAP as its user registry, the first seven steps are not necessary. For example, if you ran the enable-security-wmmur-ldap task, WebSphere Application Server is configured to use the database user registry, and only the Member Manager (wmm.xml) configuration in steps 8 to 15 applies.

  1. Stop WebSphere Portal.

  2. Logon to the WebSphere Application Server Administration Console.

  3. Navigate to the LDAP User Registry panel.

  4. Check the sslEnabled box (set sslEnabled to true).

  5. Set the LDAP Port to port, where port is the SSL port on which the Active Directory Application Mode instance listens (636 is the standard LDAP over SSL port, but the instance may have been installed with a different one).

  6. Save changes.

  7. Stop and restart the WebSphere Application Server (server1).

  8. Edit wmm.xml in the portal_server_root/wmm directory, where portal_server_root is the installation directory for WebSphere Portal.

  9. Navigate to the stanza that begins ldapRepository name="wmmLDAP".

  10. Verify that ldapPort="port".

  11. Verify that sslEnabled="true".

  12. At the end of this stanza, update

    where was_profile_root is the profile directory of the WebSphere Application Server installation.

    Use the full pathname if the sslTrustStore file is not under was_profile_root\etc\.

    If you do not specify an sslTrustStore parameter here, Member Manager will use

    In this case, import the root CA certificate for your LDAP server into the cacerts; see the Import the certificate step above for instructions.

  13. Save the file.

  14. Stop and restart the WebSphere Application Server (server1).

  15. Restart WebSphere Portal.
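A typical cause of a portal that fails to start after this procedure is a wmm.xml edit that is almost right (sslEnabled left as "false", the old non-SSL port, or a truststore name that does not exist under was_profile_root\etc\). The following added example (not IBM code and not part of this documentation) reads wmm.xml with the standard library XML parser and reports every such mismatch in the wmmLDAP stanza before the servers are restarted. The two sample fragments are constructed for the test and contain only the attributes this section names; the element nesting around ldapRepository and the port 636 are assumptions, which is why the check locates the stanza by name wherever it sits in the tree.

```python
import os
import xml.etree.ElementTree as ET

# Constructed wmm.xml fragments for demonstration (assumed nesting, only the
# attributes this section names). A real file has many more attributes.
GOOD_WMM = """<wmm><repositories>
  <ldapRepository name="wmmLDAP" ldapHost="adam.example.com" ldapPort="636"
                  sslEnabled="true" sslTrustStore="DummyServertrustfile.jks"/>
</repositories></wmm>"""

BAD_WMM = """<wmm><repositories>
  <ldapRepository name="wmmLDAP" ldapHost="adam.example.com" ldapPort="389"
                  sslEnabled="false"/>
</repositories></wmm>"""


def check_wmm_ldap(xml_text, expected_port, profile_etc=None):
    """Return a list of problems with the wmmLDAP stanza; an empty list means
    it carries the settings steps 10 to 12 ask for. When profile_etc is given,
    a relative sslTrustStore is resolved under it, as Member Manager does."""
    root = ET.fromstring(xml_text)
    repos = [r for r in root.iter("ldapRepository") if r.get("name") == "wmmLDAP"]
    if not repos:
        return ['no ldapRepository stanza named "wmmLDAP"']
    repo = repos[0]
    problems = []
    if repo.get("sslEnabled", "").lower() != "true":
        problems.append('sslEnabled is %r, expected "true"' % repo.get("sslEnabled"))
    if repo.get("ldapPort") != str(expected_port):
        problems.append("ldapPort is %r, expected %s" % (repo.get("ldapPort"), expected_port))
    store = repo.get("sslTrustStore")
    if store is None:
        problems.append("no sslTrustStore: Member Manager falls back to the JRE cacerts, "
                        "so the root CA must be imported there")
    elif profile_etc is not None:
        path = store if os.path.isabs(store) else os.path.join(profile_etc, store)
        if not os.path.isfile(path):
            problems.append("sslTrustStore %s does not exist" % path)
    return problems


def check_wmm_file(path, expected_port, profile_etc):
    """Run the check against an on-disk wmm.xml, e.g.
    check_wmm_file(r"C:\\WebSphere\\PortalServer\\wmm\\wmm.xml", 636,
                   r"C:\\WebSphere\\AppServer\\profiles\\default\\etc")"""
    with open(path, "rb") as f:
        return check_wmm_ldap(f.read(), expected_port, profile_etc)
```

The check treats a missing sslTrustStore as a warning rather than an error because the section allows that configuration; it simply moves the trust requirement to the JRE cacerts file, which is shared by every Java process using that JRE.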


Parent topic:

Setting up LDAP over SSL