Set up LDAP over SSL with Tivoli Directory Server


Overview

Configure IBM WebSphere Application Server (WAS) and IBM WebSphere Portal access to the LDAP user registry over SSL to ensure the confidentiality of the sensitive data exchanged between WAS, WebSphere Portal, and the LDAP user registry.

User passwords are sent over the network between the LDAP user registry and WebSphere Portal when passwords are set or changed using the WebSphere Portal user management tools, and also when WAS authenticates any user name and password pair through an LDAP BIND operation. An SSL connection ensures that user attributes retrieved from the directory cannot be read by someone using a packet sniffer.

To configure the IBM Tivoli Directory Server (TDS) user registry for SSL traffic, see the most current documentation on IBM LDAP Implementation.

For WAS, refer to http://www.redbooks.ibm.com/ and do a search for Security Handbooks for the latest information about configuring WAS for LDAP over SSL.

You can also consult the WebSphere Application Server library at http://www.ibm.com/software/webservers/appserv/was/library/.

Before setting up LDAP over SSL, get LDAP (non-SSL) successfully working. This allows you to verify that the user registry is responding to LDAP requests before setting it up for SSL.

 

About keys and certificates

Setting up WAS and WebSphere Portal to use LDAP over SSL to the LDAP user registry generally consists of bringing the signing certificates for the LDAP server into the key storage files used by WAS and WebSphere Portal.

For a self-signed certificate, the certificate trust chain consists of only the one self-signed LDAP server certificate. For a certificate signed by a CA, the certificate chain confirming the identity and validity of the signing CA must be included.

Bringing a signing certificate from the LDAP server to WAS and WebSphere Portal allows the authentication of the server side of the SSL connection, where WAS and WebSphere Portal are LDAP clients to the LDAP user registry server. The client side is authenticated by doing an LDAP BIND within the SSL connection. The identity used by WAS to perform this BIND is the Bind DN configured on the WAS Security Console. The identity used by WebSphere Portal to perform this BIND is the adminId configured in...

portal_server_root/wmm/wmm.xml

In some cases, if the LDAP user registry is configured to require mutually authenticated SSL for the LDAP connection, meaning the LDAP server will request a client-side certificate, then signing certificates for WAS and WebSphere Portal must be moved to the LDAP Server key storage. WAS and WebSphere Portal will still do LDAP BINDs using the IDs and passwords configured, even though the SSL connection has already performed a mutual authentication.

 

Set up LDAP over SSL

  1. Install WebSphere Portal and WAS

  2. Install LDAP

  3. Set up LDAP

  4. Generate or import certificates as necessary and activate SSL on the directory

  5. Import certificates to WebSphere Portal to enable SSL connection

  6. Close down the non-SSL port of the LDAP directory server (optional)

 

Generate or import certificates as necessary and activate SSL on the directory

TDS can use either self-signed certificates or certificates signed by a Certificate Authority to enable LDAP over SSL.

To create a self-signed certificate in TDS...

  1. Activate the security key management utility. For example, gsk7ikm.

  2. Open an existing CMS Key Database file, if the directory server is already configured for SSL, or create a new CMS Key Database file.

  3. Within that CMS Key Database file, create a new self-signed certificate, using X.509 V3 format and 1024-bit key size. Give the certificate a label.

  4. Extract the new self-signed certificate as a certificate file using Base64-encoded ASCII data as the data type. This saves the certificate to a filename of your choice with an extension of .arm.

 

Import certificates to WebSphere Portal

 

Move LDAP server certificates to WAS and WebSphere Portal

To make the signing certificate from TDS, either the CA certificate or the self-signed certificate, available to the WAS and WebSphere Portal machine, move the file through a network transfer or removable media.

Note that a CA certificate must be in Base64-encoded ASCII data format, as an .arm file, in order to be imported by the WAS key management utilities. The gsk7ikm utility can be used to convert a CA certificate that is not in the right format.
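The format requirement above is easy to get wrong when a CA hands out a binary (DER) certificate. The following is an added example, not IBM code and not part of gsk7ikm or ikeyman: it detects whether a certificate file is DER or Base64-encoded ASCII (.arm), converts DER to .arm, normalises CRLF line endings, and prints the fingerprint of the decoded certificate so you can compare it out of band with the fingerprint shown on the directory server before trusting it. The SAMPLE_DER blob is a constructed stand-in (a bare ASN.1 SEQUENCE) so the code runs offline; a real X.509 certificate is also a DER SEQUENCE, so the same checks apply.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for a DER certificate: an ASN.1 SEQUENCE wrapping one
# INTEGER. A real X.509 certificate also begins with the SEQUENCE tag 0x30.
SAMPLE_DER = bytes.fromhex("3003020105")

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
_ARMOR_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_to_arm(der: bytes) -> str:
    """Wrap DER bytes as Base64-encoded ASCII (.arm) with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"


def arm_to_der(text: str) -> bytes:
    """Decode the first certificate in an .arm file; tolerates CRLF endings."""
    match = _ARMOR_RE.search(text.replace("\r\n", "\n"))
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE armor found")
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"armored body is not valid Base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with an ASN.1 SEQUENCE")
    return der


def is_valid_arm(text: str) -> bool:
    """True if the text is importable Base64-encoded ASCII certificate data."""
    try:
        arm_to_der(text)
        return True
    except ValueError:
        return False


def detect_format(data: bytes) -> str:
    """Classify a certificate file as 'arm' (Base64 ASCII), 'der', or 'unknown'."""
    if PEM_BEGIN.encode("ascii") in data:
        return "arm"
    if data.startswith(b"\x30"):  # DER SEQUENCE tag
        return "der"
    return "unknown"


def to_arm(data: bytes) -> str:
    """Return .arm text whether the input file was DER or already .arm."""
    fmt = detect_format(data)
    if fmt == "der":
        return der_to_arm(data)
    if fmt == "arm":
        # Re-encode so line endings and line length are normalised.
        return der_to_arm(arm_to_der(data.decode("ascii")))
    raise ValueError("unrecognised certificate file format")


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER bytes, as key tools display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    arm_text = to_arm(SAMPLE_DER)
    print(arm_text)
    print("SHA-256 fingerprint:", fingerprint(arm_to_der(arm_text)))
```

Run it against the file the CA gave you (read it in binary mode and pass the bytes to to_arm); if the result differs from what gsk7ikm produces, the input was not a plain DER or PEM certificate (for example a PKCS#7 bundle), which neither this script nor the .arm import path accepts.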

 

Import certificates to a WAS keystore

To make either the self-signed certificate or the CA certificate chain available to WAS and WebSphere Portal, use the key management tool supplied by WAS to import the certificate(s) into the necessary Java Key Store (.jks) format key storage files. Note that the WAS-supplied key management tool, ikeyman, is not the same as the TDS key management tool, even though the user interface is very similar. ikeyman supports the Java Key Store file formats necessary for WAS and WebSphere Portal, whereas the TDS key management tool does not. A brief overview of the steps to import the certificates to configure LDAP over SSL for WAS is:

  1. Execute...

    was_profile_root/bin/ikeyman

  2. Open the Java Key Store file that WAS will use for LDAP over SSL. You can create new key files and define a new SSL repertoire. WAS provides a default repertoire called DefaultSSLSetting; use the default repertoire, which contains the default WAS server trust file.

    Edit...

    was_profile_root/etc/DummyServerTrustFile.jks

    The password to the dummy server trust file is "WebAS".

  3. Select Signer Certificates from the top pull-down, then click Add.

  4. Select Base64-encoded ASCII data as the data type, and browse to the certificate file of that type that you exported from the TDS.

  5. You will be asked for a label for the new certificate. Enter the same value that you specified for the label when you created the certificate.

  6. Save the updated key store file.

 

Import certificates to a WebSphere Portal keystore

WebSphere Portal can be configured to use a specifically named Java Key Store so that WebSphere Portal and WAS can share the same configured truststore in the SSL configuration of the CSIv2 Outbound Transport.

To specify the Java Key Store...

If WAS is not set up to use LDAP as the user registry, the first seven steps are not necessary. For example, if you ran the enable-security-wmmur-ldap task, WAS is configured to use the database user registry.

  1. Stop WebSphere Portal

  2. Logon to the WAS Administration Console.

  3. Navigate to the LDAP User Registry panel.

  4. Check the sslEnabled box

  5. Set the LDAP Port to the SSL port of the directory server (port).

  6. Save changes.

  7. Stop and restart the WAS server1 application server.

  8. Edit

    portal_server_root/wmm/wmm.xml

  9. Navigate to the stanza that begins...

    ldapRepository name="wmmLDAP"

  10. Verify...

    ldapPort="port"
    sslEnabled="true"
    sslTrustStore="was_profile_root/etc/DummyServerTrustFile.jks"

    Use the full pathname if the sslTrustStore file is not under...

    was_profile_root\etc\

    If you do not specify an sslTrustStore parameter here, Member Manager will use

    In this case, import the root CA certificate for the LDAP server into the cacerts file; see the step Import certificates to WebSphere Portal to enable SSL connection above for instructions.

  11. Save the file.

  12. Stop and restart the WAS (server1).

  13. Restart WebSphere Portal.
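Steps 9 and 10 are a manual check of the wmmLDAP stanza. The following is an added example, not IBM code and not part of WebSphere Portal: it parses a wmm.xml file, finds the ldapRepository stanza named wmmLDAP, and reports each setting that does not match the procedure (sslEnabled not "true", ldapPort not the SSL port, sslTrustStore missing so that Member Manager falls back to the JVM cacerts file, or a truststore path that does not exist on disk). The SAMPLE_WMM_XML stanza and its weak variant are constructed for the demonstration; the attribute names follow the page, the host name and paths are made up.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed wmm.xml fragment: stanza and attribute names follow the page,
# the host, port and truststore path are sample values.
SAMPLE_WMM_XML = """<wmm>
  <repositories>
    <ldapRepository name="wmmLDAP"
                    ldapHost="ldap.example.test"
                    ldapPort="636"
                    sslEnabled="true"
                    sslTrustStore="/opt/WebSphere/wp_profile/etc/DummyServerTrustFile.jks"
                    adminId="cn=wpsbind,o=example"/>
  </repositories>
</wmm>
"""

# The same stanza before the procedure was applied: plain LDAP on port 389.
WEAK_WMM_XML = (
    SAMPLE_WMM_XML.replace('ldapPort="636"', 'ldapPort="389"')
    .replace('sslEnabled="true"', 'sslEnabled="false"')
)


def find_ldap_repository(xml_text: str, name: str = "wmmLDAP"):
    """Return the <ldapRepository> element with the given name, or None."""
    root = ET.fromstring(xml_text)
    for node in root.iter("ldapRepository"):
        if node.get("name") == name:
            return node
    return None


def _is_full_path(path: str) -> bool:
    """Accept POSIX absolute paths and Windows drive paths (C:\\... or C:/...)."""
    return os.path.isabs(path) or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def check_wmm_ssl(xml_text: str, expected_port: int,
                  truststore_must_exist: bool = False) -> list:
    """Return a list of findings for the wmmLDAP stanza; empty means it passes."""
    node = find_ldap_repository(xml_text)
    if node is None:
        return ['no ldapRepository name="wmmLDAP" stanza found']

    findings = []
    if node.get("sslEnabled", "false").strip().lower() != "true":
        findings.append('sslEnabled is not "true"')

    port = node.get("ldapPort")
    if port != str(expected_port):
        findings.append(f"ldapPort is {port!r}, expected {expected_port!r}")

    truststore = node.get("sslTrustStore")
    if truststore is None:
        # Without sslTrustStore the LDAP signer must be in the JVM cacerts file.
        findings.append("sslTrustStore not set: signer must be in the JVM cacerts file")
    elif _is_full_path(truststore) and truststore_must_exist \
            and not os.path.isfile(truststore):
        findings.append(f"sslTrustStore file not found: {truststore}")
    elif not _is_full_path(truststore):
        # Relative names are resolved under was_profile_root/etc; nothing to check here.
        pass
    return findings


def check_wmm_file(path: str, expected_port: int) -> list:
    """Convenience wrapper to audit a wmm.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_wmm_ssl(fh.read(), expected_port, truststore_must_exist=True)


if __name__ == "__main__":
    for label, text in (("hardened", SAMPLE_WMM_XML), ("weak", WEAK_WMM_XML)):
        print(label, check_wmm_ssl(text, 636) or ["OK"])
```

Point check_wmm_file at portal_server_root/wmm/wmm.xml with the SSL port you configured in WAS; an empty result means the stanza matches step 10. Because the check reads the file rather than opening an LDAP connection, it can run before WebSphere Portal is restarted.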

 

Close down the non-SSL port of the LDAP directory server (optional)

This is an optional step. Closing the non-SSL port of the directory ensures that all traffic exchanged with the user registry, whether by WAS, WebSphere Portal, or any other application, is confidential.

 
