Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

---

 

Set up LDAP over SSL with Tivoli Directory Server

Configure your Tivoli Directory Server over SSL to ensure the confidentiality of the data exchanged between WebSphere Application Server, WebSphere Portal Express, and your LDAP user registry.

 

Overview

You might want to configure IBM^® WebSphere^® Application Server and IBM WebSphere Portal Express access to your LDAP user registry over SSL to ensure the confidentiality of the data exchanged between WebSphere Application Server, WebSphere Portal Express, and your LDAP user registry. For example, user passwords are sent over the network between LDAP user registry and WebSphere Portal Express. This occurs to set the password if WebSphere Portal Express user management tools are used to create users and change passwords and also when WebSphere Application Server authenticates any user name and password pair through an LDAP BIND operation. Configuring LDAP over SSL can be important to protect sensitive data. Also, it might be required to ensure that user attributes that are retrieved from the directory are not viewed by someone watching packets on the network, if the attributes of a user include sensitive information or privacy is a concern.

In order to ensure that all this information remains private, it is necessary to configure both WebSphere Application Server and WebSphere Portal Express to use LDAP over SSL to the LDAP user registry. Configuring LDAP over SSL for WebSphere Application Server and WebSphere Portal Express is a separate operation from configuring the IBM HTTP Server to accept incoming browser requests over HTTPS or configuring HTTPS between the IBM HTTP Server and WebSphere Application Server in a distributed setup.

A full primer on the configuration of all the LDAP user registries and WebSphere Application Server is beyond the scope of this Portal Server documentation. Consult the documentation for your LDAP server to configure the user registry for SSL traffic. For IBM Tivoli^® Directory Server, see the most current documentation on IBM LDAP Implementation at http://www.ibm.com/software/webservers/appserv/was/support/. For WebSphere Application Server, refer to http://www.redbooks.ibm.com/ and do a search for Security Handbooks for the latest information about configuring WebSphere Application Server for LDAP over SSL. You can also consult the http://www.ibm.com/software/webservers/appserv/was/library/.

It is required that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the user registry is responding to LDAP requests before setting it up for SSL.

 

About keys and certificates

In general, the task of setting up WebSphere Application Server and WebSphere Portal Express to use LDAP over SSL to the LDAP user registry consists of bringing the necessary certificates into key storage files that WebSphere Application Server and WebSphere Portal Express will use. The necessary certificates mentioned are the signing certificates for the LDAP server certificate. The important point to note is that any certificates required to establish the full certificate signing trust chain must be made available to WebSphere Application Server and WebSphere Portal Express. For a self-signed certificate, the certificate trust chain consists of only the one self-signed LDAP server certificate. For a certificate signed by a CA, the certificate chain confirming the identity and validity of the signing CA must be included. Either a purchased certificate or a self-generated CA signing certificate can be used. Some configuration setting changes must also be made to tell WebSphere Application Server and WebSphere Portal Express that LDAP over SSL should be used. Usually, it is only necessary to bring a signing certificate from the LDAP server to the WebSphere Application Server and WebSphere Portal Express. This step allows the authentication of the server side of the SSL connection. WebSphere Application Server and WebSphere Portal Express are LDAP clients to the LDAP user registry server. The client side is authenticated by doing an LDAP BIND within the SSL connection. The identity used by WebSphere Application Server to perform this BIND is the Bind DN configured on the WebSphere Application Server Security Console. The identity used by WebSphere Portal Express to perform this BIND is the adminId configured in portal_server_root/wmm/wmm.xml.

In some cases, if the LDAP user registry is configured to require mutually authenticated SSL for the LDAP connection, meaning that it will request the client-side certificate, then signing certificates for WebSphere Application Server and WebSphere Portal Express must be moved to the LDAP Server key storage. In this case, WebSphere Application Server and WebSphere Portal Express will still do LDAP BINDs using the IDs and passwords configured, even though the SSL connection has already performed a mutual authentication.

 

Set up LDAP over SSL

It is required that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the user registry is responding to LDAP requests before setting it up for SSL.

• 1. Install WebSphere Portal Express and WebSphere Application Server

• 2. Install and setup your LDAP

• 3. Generate or import certificates as necessary and activate SSL on the directory

• 4. Import certificates to WebSphere Portal Express to enable SSL connection

• 5. Close down the non-SSL port of the LDAP directory server (optional)

 

1. Install WebSphere Portal Express and WebSphere Application Server

Refer to Installing on Windows and Linux for more information.

Also refer to Installing on Windows and Linux for instructions on how to install WebSphere Portal Express on an existing WebSphere Application Server profile that has security enabled.

 

2. Install and setup your LDAP

IBM recommends that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL. Refer to Tivoli Directory Server for more information.

 

3. Generate or import certificates as necessary and activate SSL on the directory

It is possible for Tivoli Directory Server to use either self-signed certificates or signing certificates signed by a CA (Certificate Authority) to enable LDAP over SSL.

Tivoli Directory Server includes a security key management utility, such as gsk7ikm, which can be used to generate a self-signed certificate or to import purchased certificates into the Tivoli Directory Server keystore. You should consult the Tivoli Directory Server documentation for the details of how to import a CA certificate or create a self-signed certificate in a key database file and extract that certificate so that it can be moved to the WebSphere Application Server and WebSphere Portal Express. A brief overview of the steps to create a self-signed certificate are below:

1. Activate the security key management utility. For example, gsk7ikm.

2. Open an existing CMS Key Database file, if your directory server is already configured for SSL, or create a new CMS Key Database file. If you open an existing file, provide the password for that file. If you create a new file, you are asked to supply a password to secure access to that file. You must remember that password.

3. Within that CMS Key Database file, create a new self-signed certificate, using X.509 Version 3 format and 1024-bit key size. Give the certificate a label. You must remember this label.

4. Extract the new self-signed certificate as a certificate file using Base64-encoded ASCII data as the data type. This will save the certificate to a filename of your choice with an extension of .arm.

5. If it is not already configured, set up Tivoli Directory Server for LDAP over SSL using the CMS Key Database file containing the self-signed certificate. For details on this step, consult the Tivoli Directory Server documentation.

 

4. Import certificates to WebSphere Portal Express to enable SSL connection

Moving LDAP server certificates to WebSphere Application Server and WebSphere Portal Express

1. Make the signing certificate from Tivoli Directory Server (either the CA certificate or the self-signed certificate) available to the WebSphere Application Server and WebSphere Portal Express machine. This can be done by moving the file through a network transfer or removable media. Note that a CA certificate must be in Base64-encoded ASCII data format as a .arm file in order to be imported by the WebSphere Application Server key management utilities. The Tivoli Directory Server key management utilities (gsk7ikm) can be used to format a CA certificate which is not in the right format.

 

Importing certificates to a WebSphere Application Server keystore

To make either the self-signed certificate or the CA certificate chain available to WebSphere Application Server and WebSphere Portal Express, use the key management tool supplied by WebSphere Application Server to import the certificate(s) into the necessary Java Key Store (.jks) format key storage files. Note that the WebSphere Application Server-supplied key management tool, IKeyMan, is not the same as the Tivoli Directory Server key management tool, even though the user interface is very similar. IKeyMan supports the Java Key Store file formats necessary for WebSphere Application Server and WebSphere Portal Express, whereas the Tivoli Directory Server key management tool does not. Consult the WebSphere Application Server documentation and the IBM Redbook cited above for details about how to use this tool.

A brief overview of the steps to import the certificates to configure LDAP over SSL for WebSphere Application Server is:

1. Activate the IKeyMan utility, which is located in was_profile_root/bin. One way to do this is to issue the ikeyman.exe or ikeyman.sh command from the command line, depending on your operating system.

2. Open the Java Key Store file which will be used by WebSphere Application Server for LDAP over SSL. The user can create new key files and define a new SSL repertoire. WebSphere Application Server provides a default repertoire called DefaultSSLSetting. Use the default repertoire which contains the default WebSphere Application Server server trust file. Open DummyServerTrustFile.jks located at was_profile_root/etc directory. The password to the dummy server trust file is "WebAS".

3. Select Signer Certificates from the top pull-down, then click Add.

4. Select Base64-encoded ASCII data as the data type, and browse to the certificate file of that type that you exported from the Tivoli Directory Server.

5. You will be asked for a label for the new certificate. Enter the same value that you specified for the label when you created the certificate.

6. Save the updated key store file.

Importing certificates to a WebSphere Portal Express keystore

WebSphere Portal Express can be configured to use to a specifically named Java Key Store so that WebSphere Portal Express and WebSphere Application Server can share the same configured truststore in the SSL configuration of the CSIv2 Outbound Transport. To specify the Java Key Store, follow these steps:

If WebSphere Application Server is not set up to use the LDAP as the user registry, the first seven steps are not necessary. For example, if you ran the enable-security-wmmur-ldap or enable-security-wmmur-db task to enable security.

1. Stop WebSphere Portal Express.

2. Logon to the WebSphere Application Server Administration Console.

3. Navigate to Security > Global Security > LDAP.

4. Check the sslEnabled box (set sslEnabled to true).

5. Set the LDAP Port to port_number.

6. Save changes.

7. Perform the following steps to stop and restart the WebSphere Application Server:

   1. Open a command prompt and change to the following directory:

      • Linux:

        was_profile_root/bin

      • Windows:

        was_profile_root\bin

      • i5/OS:

        app_server_root/bin

   2. Enter the following command:

      • Linux:

        ./stopServer.sh server1 -user admin_userid -password admin_password

      • Windows:

        stopServer.bat server1 -user admin_userid -password admin_password

      • i5/OS:

        stopServer.sh server1 -profileName profile_root -user admin_userid -password admin_password

        where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

      server1 is the name of your WebSphere Application Server administrative server.

   3. Enter the following command:

      • Linux:

        ./startServer.sh server1

      • Windows:

        startServer.bat server1

      • i5/OS:

        startServer.sh server1 -profileName profile_root

        where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

      server1 is the name of your WebSphere Application Server administrative server.

8. In a text editor, open the file wmm.xml located in the portal_server_root/wmm directory.

   In a clustered environment, the wmm.xml file is moved from the portal_server_root/wmm/ directory to the was_profile_root/config/wmm directory via a configuration task that uploads and replicates to all cluster nodes.

9. Navigate to the stanza that begins ldapRepository name="wmmLDAP".

10. Verify that ldapPort="port_number".

11. Verify that sslEnabled="true".

12. At the end of this stanza, update

    • Linux:

      sslTrustStore="was_profile_root/etc/DummyServerTrustFile.jks"

    • Windows:

      sslTrustStore="was_profile_root\etc\DummyServerTrustFile.jks"

    where was_profile_root is the profile directory of the WebSphere Application Server installation.

    Notes:

    • The full pathname is only mandatory if the sslTrustStore file is not under was_profile_root\etc\; otherwise, you can just use the file name.

    • If you do not specify an sslTrustStore parameter here, Member Manager will use:

      • Linux:

        app_server_root/java/jre/lib/security/cacerts.jks

      • Windows:

        app_server_root\java\jre\lib\security\cacerts.jks

      In this case, you will need to import the root CA certificate for your LDAP server into the cacerts; refer to the 4. Import certificates to WebSphere Portal Express to enable SSL connection step for instructions.

    • As part of setting up SSL for the LDAP repository in a cluster environment, any changes made within the deployment manager to the file defined by sslTrustStore and changes made to the cacerts file are not automatically replicated to all nodes in the cell and must be manually backed up and copied to the node agents. The location of the dummy keys on the deployment manager is was_profile_root\deployment manager name\etc\.

13. Save the file.

14. Perform the following steps to stop and restart the WebSphere Application Server:

    1. Open a command prompt and change to the following directory:

       • Linux:

         was_profile_root/bin

       • Windows:

         was_profile_root\bin

       • i5/OS:

         app_server_root/bin

    2. Enter the following command:

       • Linux:

         ./stopServer.sh server1 -user admin_userid -password admin_password

       • Windows:

         stopServer.bat server1 -user admin_userid -password admin_password

       • i5/OS:

         stopServer.sh server1 -profileName profile_root -user admin_userid -password admin_password

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

       server1 is the name of your WebSphere Application Server administrative server.

    3. Enter the following command:

       • Linux:

         ./startServer.sh server1

       • Windows:

         startServer.bat server1

       • i5/OS:

         startServer.sh server1 -profileName profile_root

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

       server1 is the name of your WebSphere Application Server administrative server.

15. Perform the following steps to stop and restart the WebSphere Portal Express server:

    1. Open a command prompt and change to the following directory:

       • Linux:

         was_profile_root/bin

       • Windows:

         was_profile_root\bin

       • i5/OS:

         app_server_root/bin

    2. Enter the following command:

       • Linux:

         ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

       • Windows:

         stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

       • i5/OS:

         stopServer.sh WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

    3. Enter the following command:

       • Linux:

         ./startServer.sh WebSphere_Portal

       • Windows:

         startServer.bat WebSphere_Portal

       • i5/OS:

         startServer.sh WebSphere_Portal -profileName profile_root

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

 

5. Close down the non-SSL port of the LDAP directory server (optional)

This is an optional step. Closing the non-SSL port of the directory will ensure that traffic exchanged with the user registry by WebSphere Application Server, WebSphere Portal Express, or any other application, is confidential.

 

Parent topic:

Tivoli Directory Server

 

Previous topic

Verifying LDAP

 

Next topic

i5/OS: Tivoli Directory Server

---