

Set up LDAP over SSL

Overview

You can configure WAS and WCS to access the LDAP directory over SSL to ensure the confidentiality of the data, for example passwords, exchanged between WAS, the WCS Server, and the LDAP server. This is mandatory for some LDAP servers, for example Microsoft Active Directory and Novell eDirectory. Configuring LDAP over SSL is a separate operation from configuring the HTTP Server to accept incoming browser requests over HTTPS.


Procedure

  1. Generate or import certificates as necessary and activate SSL on the directory server. This step varies depending on the LDAP server you are using.

    • IBM Directory Server:

      IBM Directory Server can use either self-signed certificates or certificates signed by a Certificate Authority to enable LDAP over SSL. IBM Directory Server includes a security key management utility, such as gsk6ikm, which can be used to generate a self-signed certificate or to import purchased certificates into the IBM Directory Server keystore. Consult the IBM Directory Server documentation for the details of how to import a CA certificate or create a self-signed certificate in a key database file, and how to extract that certificate so that it can be moved to WAS and WCS.

      A brief overview of the steps to create a self-signed certificate is below:

      1. Activate the security key management utility. For example, gsk6ikm.

      2. Open an existing CMS Key Database file, if the directory server is already configured for SSL, or create a new CMS Key Database file.

        If you open an existing file, provide the password for that file. If you create a new file, you are asked to supply a password to secure access to that file. Remember this password.

      3. Within that CMS Key Database file, create a new self-signed certificate, using X.509 v3 format and 1024-bit key size.

        Give the certificate a label. Remember this label.

      4. Extract the new self-signed certificate as a certificate file using Base64-encoded ASCII data as the data type.

        This saves the certificate to a file name of your choice with an extension of .arm.

      5. If it is not already configured, set up IBM Directory Server for LDAP over SSL using the CMS Key Database file containing the self-signed certificate.

    • Domino Directory:

      Domino Directory uses either self-signed certificates or certificates signed by a Certificate Authority to enable LDAP over SSL. IBM HTTP Server includes a security key management utility, such as IKeyMan, which can be used to generate a self-signed certificate or to import purchased certificates into the Domino Directory keystore.

      A brief overview of the steps to create a self-signed certificate is below:

      1. Activate the security key management utility. For example, IKeyMan.

      2. Open an existing CMS Key Database file, or create a new CMS Key Database file. If you open an existing file, provide the password for that file. If you create a new file, you are asked to supply a password to secure access to that file. Remember this password.

      3. Within that CMS Key Database file, create a new self-signed certificate, using X.509 v3 format and 1024-bit key size. Give the certificate a label. Remember this label.

      4. Extract the new self-signed certificate as a certificate file using Base64-encoded ASCII data as the data type. This saves the certificate to a file name of your choice with an extension of .arm.

      5. If it is not already configured, set up Domino Directory for LDAP over SSL using the CMS Key Database file containing the self-signed certificate. For details on this step, see the Domino Directory documentation.

    • Active Directory:

      Active Directory and Internet Information Services (IIS) should be installed and configured before you install WCS.

      Do the following to export the root CA certificate...

      1. Open a Web browser and connect to...

        http://localhost/certsrv

      2. Select task...

        Download a CA certificate, certificate chain, or CRL

        ...and click Next.

      3. Choose the certificate you created (current) and the format (either DER encoded or Base 64 encoded). This must match what is imported in Step 2e (below). Then click Download CA certificate.

      4. Save this certificate in a file. For example, call the certificate certnew.cer.

      5. Copy to the WCS machine.

    • Sun Java System Directory Server:

      The configuration of LDAP over SSL from WAS and WCS to Sun Java System Directory Server is nearly identical on the WAS and WCS side to configuration performed for IBM Directory Server. The Sun Java System Directory Server will not allow the use of self-signed certificates, so the Certificate Authority's (CA) signer chain must be imported to the WAS and Portal Server keystores.

    • Novell eDirectory:

      You must export the trusted root certificate:

      1. Log on to Novell ConsoleOne.
      2. Double-click the base member.
      3. Right-click SSL Certificate DNS and select Properties.
      4. Select the Certificate tab and click Export.
      5. When asked to export the private key with the certificate, select NO.
      6. In the certificate output format panel, select File in binary DER format and select any file name and location you want.
      7. Click Finish.
      8. Copy the downloaded certificate file to the WCS machine.

  2. On the WCS machine, import the certificate to WAS's default truststore file...

    1. Run...

      cd WAS_HOME/bin
      ./ikeyman.sh

    2. In IKeyMan, click Open, leave the Key database type as JKS and choose truststore...

      PROFILE_HOME/etc/DummyServerTrustFile.jks

      The default password is WebAS.

    3. Select Signer Certificates. Click Add.

    4. According to the data type of the certificate you created earlier, select the corresponding data type (either Binary DER data or Base64-encoded ASCII data). This must match the certificate that was exported in Step 1 (Active Directory: a. iii).

    5. Locate the certificate file (for example, certnew.cer for Active Directory, or the .arm file for other LDAP servers), then click Ok.

    6. Type a name for the certificate. Click Ok to finish.

  3. Restart the WCS Server.
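Steps 1 and 2 both turn on one detail that is easy to get wrong: the data type selected in IKeyMan (Binary DER data or Base64-encoded ASCII data) must match the format the certificate was actually exported in, and a mismatched or truncated file fails only later, when the LDAP bind is attempted. The following Python script is an added example, not part of the WCS documentation or IBM's tooling: it classifies a certificate file as Base64 (.arm / PEM) or binary DER, converts between the two, and checks that the DER data is one complete X.509 SEQUENCE. The sample data is constructed DER framing, not a real certificate; the function names and the IKEYMAN_TYPES mapping are this example's own assumptions.

```python
"""Added example (not from the WCS documentation): check the exported LDAP
server certificate before importing it into the WAS truststore in IKeyMan."""
import base64
import re
import sys

# A PEM / .arm file wraps Base64 data in these markers (constructed regex).
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Labels as they appear in the IKeyMan data-type list, mapped to our tags.
IKEYMAN_TYPES = {
    "Base64-encoded ASCII data": "base64",
    "Binary DER data": "der",
}


def der_length(data: bytes) -> int:
    """Return the total byte length of the outer DER SEQUENCE in `data`.

    An X.509 certificate is a SEQUENCE (tag 0x30). Its length is one byte
    when < 128, otherwise 0x80|n followed by n big-endian length bytes.
    Raises ValueError if the header is not a well-formed SEQUENCE.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected leading 0x30)")
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length header")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify certificate bytes as 'base64' (PEM/.arm), 'der', or 'unknown'.

    'der' is only reported when the SEQUENCE length equals the file size,
    so a truncated download is reported as 'unknown' rather than imported.
    """
    if PEM_RE.search(data):
        return "base64"
    try:
        if der_length(data) == len(data):
            return "der"
    except ValueError:
        pass
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Decode the first PEM certificate block into DER bytes."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode(m.group(1))  # embedded newlines are discarded
    if der_length(der) != len(der):
        raise ValueError("decoded body is not one complete DER certificate")
    return der


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a Base64 .arm/PEM file with 64-character lines."""
    if der_length(der) != len(der):
        raise ValueError("input is not one complete DER certificate")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def matches_ikeyman_type(data: bytes, chosen: str) -> bool:
    """True if the IKeyMan data type `chosen` matches the file's real format."""
    return detect_format(data) == IKEYMAN_TYPES[chosen]


# Constructed sample: a 260-byte DER SEQUENCE with a two-byte length field.
# It has valid outer framing only; it is NOT a real X.509 certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256
SAMPLE_ARM = der_to_pem(SAMPLE_DER)


if __name__ == "__main__":
    # Usage: python check_cert.py certnew.cer   (or the .arm file)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_ARM
    fmt = detect_format(blob)
    print(f"{path or 'constructed sample'}: {fmt}")
    for label in IKEYMAN_TYPES:
        print(f"  select '{label}' in IKeyMan: "
              f"{'yes' if matches_ikeyman_type(blob, label) else 'no'}")
```

Run it against the exported file (certnew.cer from Active Directory, the DER file from ConsoleOne, or the .arm file from gsk6ikm or IKeyMan) before opening IKeyMan; if it reports unknown, re-export the certificate rather than guessing a data type.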

