Set up LDAP over SSL with Sun Java System Directory Server

This section describes the procedures for configuring LDAP over SSL with Sun Java System Directory Server.


Overview

We can configure IBM WebSphere Application Server and IBM WebSphere Portal access to the LDAP user registry over SSL to ensure the confidentiality of the data exchanged between WebSphere Application Server, WebSphere Portal, and the LDAP user registry. For example, user passwords are sent over the network between the LDAP user registry and WebSphere Portal: when the WebSphere Portal user management tools are used to create users or change passwords, and whenever WebSphere Application Server authenticates a user name and password pair through an LDAP BIND operation. Configuring LDAP over SSL is therefore important for protecting this sensitive data. It may also be required to ensure that user attributes retrieved from the directory cannot be read by someone capturing packets on the network, when those attributes include sensitive information or privacy is a concern.

In order to ensure that all this information remains private, configure both WebSphere Application Server and WebSphere Portal to use LDAP over SSL to the LDAP user registry. Configuring LDAP over SSL for WebSphere Application Server and WebSphere Portal is a separate operation from configuring the IBM HTTP Server to accept incoming browser requests over HTTPS, or configuring HTTPS between the HTTP Server and WebSphere Application Server in a distributed setup.

A full primer on the configuration of all the LDAP user registries and WebSphere Application Server is beyond the scope of this Portal Server documentation. Consult the documentation for the LDAP server to configure the directory for SSL traffic. For WebSphere Application Server, refer to http://www.redbooks.ibm.com/ and search for Security Handbooks for the latest information about configuring WebSphere Application Server for LDAP over SSL. We can also consult http://www.ibm.com/software/webservers/appserv/was/library/.

It is required that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL.


About keys and certificates

Configuring LDAP over SSL from Application Server and Portal Server to Sun Java System Directory Server as the LDAP user registry is almost the same as for IBM Directory Server or any of the other LDAP user registry servers. Sun Java System Directory Server will present a signed certificate as part of the LDAP-over-SSL handshake. The signer certificates for this Sun Java System Directory Server LDAP server certificate must be available to WebSphere Application Server and Portal Server. Because the Sun Java System Directory Server LDAP user registry does not allow the use of self-signed certificates, the signing CA certificate chain must be imported as signer certificates into the named WebSphere Application Server Java Key Store (.jks) for WebSphere Application Server LDAP over SSL and into the cacerts file for Portal Server usage. The WebSphere Application Server and Portal Server configuration steps are then identical to that for any other directory.

However, there are some slight differences in the Sun Java System Directory Server key management utilities; they generate key files that are compatible with the GSKIT key management tool, but not directly with the WebSphere Application Server key management tool. So, if Sun Java System Directory Server key management has been used to generate self-signed certificates, then the GSKIT key management tool must be used as an intermediate step to extract that certificate in Base64-encoded ASCII format (the .arm file), which can then be imported into WebSphere Application Server and the default JSSE key stores using the WebSphere Application Server key management tool. To import the file, follow the procedures outlined below.

To make the CA certificate chain available to WebSphere Application Server and Portal Server, use the key management tool supplied by WebSphere Application Server to import the certificate(s) into the necessary Java Key Store (.jks) format key storage files.

In general, the task of setting up WebSphere Application Server and Portal Server to use LDAP over SSL to the LDAP user registry consists of bringing the necessary certificates into key storage files that WebSphere Application Server and Portal Server will use. The necessary certificates mentioned are the signing certificates for the LDAP server certificate. Some configuration setting changes must also be made to tell WebSphere Application Server and Portal Server that LDAP over SSL should be used. Usually, it is only necessary to bring a signing certificate from the LDAP server to WebSphere Application Server and Portal Server. This step allows the authentication of the server side of the SSL connection. WebSphere Application Server and Portal Server are LDAP clients to the LDAP user registry server. The client side is authenticated by doing an LDAP BIND within the SSL connection. The identity used by WebSphere Application Server to perform this BIND is the Bind DN configured on the WebSphere Application Server Security Console. The identity used by WebSphere Portal to perform this BIND is the adminId configured in portal_server_root/wmm/wmm.xml.

In some cases, if the LDAP user registry is configured to require mutually authenticated SSL for the LDAP connection, meaning that it will request the client-side certificate, then signing certificates for Application Server and Portal Server must be moved to the LDAP Server key storage. The mechanisms for importing these certificates on the various LDAP servers are vendor-specific. Consult the directory documentation for specific instructions. Even in this case, WebSphere Application Server and WebSphere Portal will still do LDAP BINDs using the IDs and passwords configured, even though the SSL connection has already performed a mutual authentication.

The important point is that every certificate needed to establish the full signing trust chain must be made available to WebSphere Application Server and WebSphere Portal. For a self-signed certificate, the trust chain consists of only that one self-signed LDAP server certificate. For a certificate signed by a CA, the chain confirming the identity and validity of the signing CA must be included; either a purchased certificate or a self-generated CA signing certificate can be used. The remaining steps (importing the signer certificates, enabling LDAP over SSL in the configuration, and the LDAP BIND with the configured Bind DN) are as described above, and they apply unchanged when the directory requires mutually authenticated SSL.


Set up LDAP over SSL

It is required that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL.

  1. Install WebSphere Portal and WAS

  2. Install and set up the LDAP

  3. Generate or import certificates as necessary and activate SSL on the directory

  4. Import certificates to WebSphere Portal to enable SSL connection

  5. Close down the non-SSL port of the LDAP user registry server (optional)


1. Install WebSphere Portal and WebSphere Application Server

Refer to Installing on Windows and UNIX for more information.

Also refer to Installing on Windows and UNIX for instructions on how to install WebSphere Portal on an existing WebSphere Application Server profile that has security enabled.


2. Install and set up the LDAP

IBM recommends that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL. Refer to the two previous topics for more information.


3. Generate or import certificates as necessary and activate SSL on the directory

The configuration of LDAP over SSL from WebSphere Application Server and Portal Server to Sun Java System Directory Server is nearly identical, on the WebSphere Application Server and Portal Server side, to the configuration performed for IBM Directory Server. Sun Java System Directory Server will not allow the use of self-signed certificates, so the Certificate Authority's (CA) signer chain must be imported into the WebSphere Application Server and Portal Server keystores.


4. Import certificates to WebSphere Portal to enable SSL connection

Import certificates to a WebSphere Application Server keystore

For Sun Java System Directory Server, it is not possible to use self-signed certificates. Only signing certificates signed by a CA (Certificate Authority) can be used to enable LDAP over SSL to Sun Java System Directory Server. For a certificate signed by a CA, the certificate chain confirming the identity and validity of the signing CA must be included. Either a purchased certificate or a self-generated CA signing certificate can be used. A brief overview of the steps to import the certificates to configure LDAP over SSL for WebSphere Application Server is:

  1. Use the GSkit key management tool to extract the Sun signing certificates in Base64-encoded ASCII format (the .arm file).

  2. Activate the ikeyman utility. One way to do this is to issue the ikeyman.exe or ikeyman.sh command from the command line, depending on the operating system.

  3. Open the Java Key Store file which will be used by WebSphere Application Server for LDAP over SSL. The user can create new key files and define a new SSL repertoire. WebSphere Application Server provides a default repertoire called DefaultSSLSetting. Use the default repertoire which contains the default WebSphere Application Server trust file. Open DummyServerTrustFile.jks located at was_profile_root/etc directory. The password to the dummy server trust file is "WebAS".

  4. Select Signer Certificates from the top pull-down, then click Add.

  5. Select Base64-encoded ASCII data as the data type, and browse to the certificate file of that type that you saved using the GSkit key management tool.

  6. You will be asked for a label for the new certificate. Enter the same value that you specified for the label when you created the certificate.

  7. Save the updated key store file.

Import certificates to a WebSphere Portal keystore

WebSphere Portal can be configured to use a specifically named Java Key Store so that WebSphere Portal and WebSphere Application Server can share the same configured truststore in the SSL configuration of the CSIv2 Outbound Transport. To specify the Java Key Store...

If WebSphere Application Server is not set up to use the LDAP as the user registry, the first seven steps are not necessary. For example, if you ran the enable-security-wmmur-ldap task, WebSphere Application Server is configured to use the database user registry.

  1. Stop WebSphere Portal.

  2. Log on to the WebSphere Application Server Administration Console.

  3. Navigate to the LDAP User Registry panel.

  4. Check the sslEnabled box (set sslEnabled to true).

  5. Set the LDAP Port to port.

  6. Save changes.

  7. Stop and restart the WebSphere Application Server (server1).

  8. Edit wmm.xml in the portal_server_root/wmm directory, where portal_server_root is the installation directory for WebSphere Portal.

  9. Navigate to the stanza that begins ldapRepository name="wmmLDAP".

  10. Verify that ldapPort="port".

  11. Verify that sslEnabled="true".

  12. At the end of this stanza, update

    where was_profile_root is the profile directory of the WebSphere Application Server installation.

    Use the full pathname if the sslTrustStore file is not under was_profile_root\etc\.

    If you do not specify an sslTrustStore parameter here, Member Manager will use

    In this case, import the root CA certificate for your LDAP server into the cacerts; see the 3. Generate or import certificates as necessary and activate SSL on the directory step above for instructions.

  13. Save the file.

  14. Stop and restart the WebSphere Application Server (server1).

  15. Restart WebSphere Portal.
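Checking the wmm.xml stanza from steps 9 to 12 above: this is an added example, not part of the original documentation or the product, that parses a constructed wmm.xml fragment and reports which LDAP-over-SSL settings are still missing. The element layout and all attributes other than ldapPort, sslEnabled, sslTrustStore and adminId are assumptions, as is the was_profile_root path.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed wmm.xml fragments (not the product's real file). Only the attributes the
# procedure names are meaningful; the surrounding element structure is assumed.
WMM_XML_BEFORE = """<wmm>
  <repositories>
    <ldapRepository name="wmmLDAP" adminId="cn=Directory Manager"
                    ldapHost="ldap.example.test" ldapPort="389" sslEnabled="false"/>
  </repositories>
</wmm>"""

WMM_XML_AFTER = """<wmm>
  <repositories>
    <ldapRepository name="wmmLDAP" adminId="cn=Directory Manager"
                    ldapHost="ldap.example.test" ldapPort="636" sslEnabled="true"
                    sslTrustStore="DummyServerTrustFile.jks"/>
  </repositories>
</wmm>"""


def check_wmm_ldap_ssl(xml_text, was_profile_root="/opt/WebSphere/profiles/wp_profile"):
    """Return a list of findings for the wmmLDAP stanza; an empty list means LDAP over SSL
    is configured as the procedure above requires. Paths are treated as POSIX paths."""
    findings = []
    root = ET.fromstring(xml_text)
    repo = next((r for r in root.iter("ldapRepository") if r.get("name") == "wmmLDAP"), None)
    if repo is None:
        return ['no ldapRepository name="wmmLDAP" stanza found']
    if repo.get("sslEnabled", "").lower() != "true":
        findings.append('sslEnabled is not "true"; Member Manager would BIND in the clear')
    port = repo.get("ldapPort", "")
    if not port.isdigit():
        findings.append("ldapPort is missing or not numeric")
    elif port == "389":
        findings.append("ldapPort is 389, the conventional non-SSL port; expected the SSL port")
    store = repo.get("sslTrustStore")
    if store is None:
        # Without sslTrustStore the JVM cacerts (a private copy) must hold the LDAP root CA.
        findings.append("no sslTrustStore set: the LDAP root CA must be in the cacerts copy")
    else:
        # A bare file name resolves under was_profile_root/etc; anything else needs a full path.
        resolved = store if posixpath.isabs(store) else posixpath.join(was_profile_root, "etc", store)
        if not resolved.lower().endswith(".jks"):
            findings.append(f"sslTrustStore {resolved} is not a Java Key Store (.jks)")
    return findings
```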

i5/OS:

You must also import the certificates to a keystore that can be used by the WebSphere Portal. In this case, WebSphere Portal has no configuration setting to point to a specifically named Java Key Store file. Instead, import the certificates into the default keystore file of the JVM, cacerts. However, in no case should you attempt to modify the cacerts keystore. Rather, you should create a private copy of the cacerts file, and then add or remove certificates to the private copy. The password for cacerts is changeit. Be sure to change the password that protects the private copy of the cacerts file. Also, note that initially, all keystores created using iKeyman contain a number of commercial CA certificates. The configured truststore in the SSL configuration of the CSIv2 Outbound Transport must also be updated.


5. Close down the non-SSL port of the LDAP user registry server (optional)

This is an optional step. Closing the non-SSL port of the directory will ensure that traffic exchanged with the directory by WebSphere Application Server, WebSphere Portal, or any other application, is confidential.

