Configure Secure Sockets Layer for the Lightweight Directory Access Protocol client

This topic describes how to establish a Secure Sockets Layer (SSL) connection between WebSphere Application Server and a Lightweight Directory Access Protocol (LDAP) server.

About this task This page provides an overview. Refer to the linked pages for more details.

To understand SSL concepts, refer to Secure Sockets Layer .

Setting up an SSL connection between WebSphere Application Server and an LDAP server requires the following steps:

Procedure

1. Set up an LDAP server with users. The server that is configured in this example is IBM Directory Server. Other servers are configured differently. Refer to the documentation of the directory server that you are using for details on SSL enablement. For a product-supported LDAP directory server, see the Using specific directory servers as the LDAP server article.

2. Configure certificates for the LDAP server using the key management utility (iKeyman) that is located in the install_dir/java/jre/bin directory.

3. Click Key Database File > New.

4. Type LDAPkey.kdb as the file name and a proper path and click OK.

5. Specify a password, confirm the password, and click OK.

6. Under Key database content, select Personal Certificates.

7. Click New Self-signed. The Create New Self-Signed Certificate panel is displayed. Type the following required information in the fields and click OK:

   Key Label

   LDAP_Cert

   Version

   Select the version of the X.509 certificate.

   Key size

   Select either a 512 or a 1024-bit size for your key.

   Common Name

   droplet.austin.ibm.com

   This common name is the host name where the WebSphere Application Server plug-in runs.

   Organization

   ibm

   Country

   US

   Validity period

   Specify the number of days in which your certificate is valid.

8. Return to the Personal Certificates panel and click Extract Certificate.

9. Click the Base64-encoded ASCII data data type. Type LDAP_cert.arm as the file name and a proper path. Click OK.

10. Enable SSL on the LDAP server:

    1. Copy the LDAPkey.kdb, LDAPkey.sth, LDAPkey.rdb, and LDAPkey.crl files that are that are created previously to the LDAP server system, for example, the /Program Files/IBM/LDAP/ssl/ directory.

    2. Open the LDAP Web administrator from a browser (http://secnt3.austin.ibm.com/ldap for example). IBM HTTP Server is running on secnt3.

    3. Click SSL properties to open the SSL Settings window.

    4. Click SSL On > Server Authentication and type an SSL port (636, for example) and a full path to the LDAPkey.kdb file.

    5. Click Apply, and restart the LDAP server.

11. Manage certificates for WebSphere Application Server using the default SSL key files.

    1. Open the install_root/profiles/default/etc/DummyServerTrustFile.jks file using the key management utility that shipped with WebSphere Application Server. The password is WebAS.

       Attention: IBM recommends that you create your own trustfile.jks file rather than modifying the DummyServerTrustFile.jks file. If you use the DummyServerTrustFile.jks file, there is a risk that your changed settings might be overwritten if you update the product with iFixes.

    2. Click Signer certificate > Add. The Add CA's Certificate from a File window is displayed. Specify LDAP_cert.arm for the file name. Complete this step for all the servers, and the deployment manager.

12. Establish a connection between WebSphere Application Server and the LDAP server using the WebSphere Application Server administrative console.

    1. Click Security > Global security.

    2. Under User registries, click LDAP.

    3. Enter the Server ID, Server Password, Type, Host, Port, and Base Distinguished Name fields.

    4. Select the SSL Enabled option. The port is the same port number that the LDAP server is using for SSL (636, for example).

    5. Click Apply.

    6. Return to the Global security panel and click Authentication Mechanisms > LTPA > Single Signon (SSO).

    7. Under Additional properties, click Single signon (SSO).

    8. Type in a domain name (austin.ibm.com, for example).

    9. Click Apply.

13. Enable global security.

    1. Click Security > Global Security.

    2. Select the Enable global security option.

    3. Select the Lightweight Third Party Authentication (LTPA) option as the active authentication mechanism and the Lightweight Directory Access Protocol (LDAP) user registry option as the active user registry.

    4. Verify that the security level for the LDAP server is set to HIGH, which is default.

    5. Click Apply and Save.

    6. Verify that the ibm-slapdSSLCipherSpecs parameter in the LDAP_install_root/etc/slapd32.conf file has the value, 15360, instead of 12288.

    7. Restart the servers.

       For a Network Deployment environment, see Enabling security for the realm .

       Restarting the servers ensures that the security settings are synchronized between the deployment manager and the application servers.

Results

You can test the configuration by accessing https://fully_qualified_host_name:9443/snoop. You are presented with a login challenge. This test can be beneficial when using LDAP as your user registry. Sensitive information can flow between the WebSphere Application Server and the LDAP server, including passwords. Using SSL to encrypt the data protects this sensitive information.

What to do next

1. If you are enabling security, make sure that you complete the remaining steps. As the final step, validate this configuration by clicking OK or Apply in the Global Security panel. Refer to the Enabling security for all application servers article for detailed steps on enabling global security.

2. For changes in this panel to become effective, save, stop, and start all WebSphere Application Servers (cells, nodes, and all the application servers).

3. After the server starts up, go through all the security-related tasks (getting users, getting groups, and so on) to make sure that the changes to the filters are functioning.

Related concepts

Related tasks