Set up LDAP over SSL

The steps on this page describe how to set up LDAP over SSL.

Prerequisite

Before setting up LDAP over SSL, ensure you have met the following prerequisite:

  1. Generate or import certificates as necessary and activate SSL on the directory server. This step varies depending on the LDAP server you are using.

    • IBM Directory Server: IBM Directory Server can use either self-signed certificates or signing certificates signed by a CA (Certificate Authority) to enable LDAP over SSL. IBM Directory Server includes a security key management utility, such as gsk6ikm, which can be used to generate a self-signed certificate or to import purchased certificates into the IBM Directory Server keystore. You should consult the IBM Directory Server documentation for the details of how to import a CA certificate or create a self-signed certificate in a key database file and extract that certificate so that it can be moved to the WAS and WebSphere Commerce. A brief overview of the steps to create a self-signed certificate is below:

      1. Activate the security key management utility. For example, gsk6ikm.

      2. Open an existing CMS Key Database file, if your directory server is already configured for SSL, or create a new CMS Key Database file. If you open an existing file, provide the password for that file. If you create a new file, you are asked to supply a password to secure access to that file. Remember this password.

      3. Within that CMS Key Database file, create a new self-signed certificate, using X.509 V3 format and 1024-bit key size. Give the certificate a label. Remember this label.

      4. Extract the new self-signed certificate as a certificate file using Base64-encoded ASCII data as the data type. This will save the certificate to a filename of your choice with an extension of .arm.

      5. If it is not already configured, set up IBM Directory Server for LDAP over SSL using the CMS Key Database file containing the self-signed certificate. For details on this step, see the IBM Directory Server documentation.

    • Domino Directory: Domino Directory uses either self-signed certificates or signing certificates signed by a CA (Certificate Authority) to enable LDAP over SSL. IBM HTTP Server includes a security key management utility, such as IKeyMan, which can be used to generate a self-signed certificate or to import purchased certificates into the Domino Directory keystore. See the Domino Directory and IKeyMan documentation for the details of how to import a CA certificate or create a self-signed certificate in a key database file and extract that certificate so that it can be moved to the WebSphere Application Server and WebSphere Commerce. A brief overview of the steps to create a self-signed certificate is below:

      1. Activate the security key management utility. For example, IKeyMan.

      2. Open an existing CMS Key Database file, or create a new CMS Key Database file. If you open an existing file, provide the password for that file. If you create a new file, you are asked to supply a password to secure access to that file. Remember this password.

      3. Within that CMS Key Database file, create a new self-signed certificate, using X.509 V3 format and 1024-bit key size. Give the certificate a label. Remember this label.

      4. Extract the new self-signed certificate as a certificate file using Base64-encoded ASCII data as the data type. This will save the certificate to a filename of your choice with an extension of .arm.

      5. If it is not already configured, set up Domino Directory for LDAP over SSL using the CMS Key Database file containing the self-signed certificate. For details on this step, see the Domino Directory documentation.

    • Active Directory: Active Directory and Internet Information Services (IIS) should be installed and configured before you install WebSphere Commerce. Do the following:

      1. Export root CA certificate.

        1. Open a Web browser and connect to http://localhost/certsrv.

        2. Select task Retrieve the CA certificate or certificate revocation list and click Next.

        3. Choose the certificate you created (current) and the format (either DER encoded or Base 64 encoded). This must match what is imported in Step 2e (below). Then click Download CA certificate.

        4. Save this certificate in a file. For example, call the certificate certnew.cer.

        5. Copy to your WebSphere Commerce machine.

    • Sun Java System Directory Server: The configuration of LDAP over SSL from WAS and WebSphere Commerce to Sun Java System Directory Server is nearly identical on the WAS and WebSphere Commerce side to configuration performed for IBM Directory Server. The Sun Java System Directory Server will not allow the use of self-signed certificates, so the Certificate Authority's (CA) signer chain must be imported to the WAS and Portal Server keystores.

  2. On the WebSphere Commerce machine, import the certificate to WAS's default truststore file: DummyServerTrustFile.jks.

    1. Open a command window and change directory to WAS_installdir/bin.

    2. Launch the IKeyMan utility by typing ikeyman, ikeyman.exe or ikeyman.sh, depending on your operating system.

    3. In IKeyMan, click Open, leave the Key database type as JKS and choose DummyServerTrustFile.jks truststore under the WAS_profiledir/etc directory. The default password is WebAS.

    4. Select Signer Certificates. Click Add.

    5. According to the data type of the certificate you created earlier, select the corresponding data type (either Binary DER data or Base64-encoded ASCII data). This must match the certificate that was exported in Step 1 (Active Directory: a. iii).

    6. Locate the certificate file (for example, certnew.cer for Active Directory, or the .arm file for other LDAP servers), then click Ok.

    7. Type a name for the certificate. Click Ok to finish.

  3. Restart your WebSphere Commerce Server.
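The data-type match called out in step 1 (export format) and step 2.5 (the IKeyMan Add dialog) can be checked before the import. The following Python is an added example, not part of the IBM documentation: it classifies a certificate file as binary DER or Base64-encoded ASCII (.arm/PEM) and converts it to whichever type was selected in IKeyMan. The sample bytes are a constructed stand-in for a certificate, not a real X.509 certificate, and the function names are assumptions of this example.

```python
# Added example (not from the IBM documentation): check that a certificate file's
# encoding matches the IKeyMan Add data type and convert it if it does not.
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_length(data: bytes) -> int:
    """Total byte length of the outer DER SEQUENCE (tag 0x30), short or long form."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                 # short form: this byte is the length
        return 2 + first
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length header")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_encoding(data: bytes) -> str:
    """'base64' for a PEM/.arm file, 'der' for a complete binary DER file."""
    if PEM_RE.search(data):
        return "base64"
    if data[:1] == b"\x30" and der_length(data) == len(data):
        return "der"
    raise ValueError("neither a Base64 PEM block nor a complete DER SEQUENCE")

def to_der(data: bytes) -> bytes:
    if detect_encoding(data) == "der":
        return data
    return base64.b64decode(PEM_RE.search(data).group(1))

def to_base64(data: bytes) -> bytes:
    """Base64-encoded ASCII form, the layout gsk6ikm/IKeyMan write to .arm files."""
    der = to_der(data)
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

def prepare_for_import(data: bytes, ikeyman_type: str) -> bytes:
    """Return file contents matching the data type selected in IKeyMan's Add dialog."""
    if ikeyman_type == "Binary DER data":
        return to_der(data)
    if ikeyman_type == "Base64-encoded ASCII data":
        return to_base64(data)
    raise ValueError("unknown IKeyMan data type: " + ikeyman_type)

# Constructed stand-in for certnew.cer (not a real certificate): a 304-byte
# SEQUENCE with a long-form length so that branch of der_length is exercised.
SAMPLE_DER = b"\x30\x82\x01\x2c" + b"\x04\x82\x01\x28" + b"A" * 296
```

A truncated DER file (outer length larger than the file) is rejected rather than silently imported as a signer certificate.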


Related Concepts

  • Directory services and WebSphere Commerce
  • LDAP and SSL

Related tasks

  • Configure directory services (LDAP) with WebSphere Commerce