Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

---

 

Set up LDAP over SSL to Active Directory

Configure your Active Directory over SSL to ensure the confidentiality of the data exchanged between WebSphere Application Server, WebSphere Portal Express, and your LDAP user registry.

 

Overview

You might want to configure IBM^® WebSphere^® Application Server and IBM WebSphere Portal Express access to your LDAP user registry over SSL to ensure the confidentiality of the data exchanged between WebSphere Application Server, WebSphere Portal Express, and your LDAP user registry. For example, user passwords are sent over the network between LDAP user registry and WebSphere Portal Express. This occurs to set the password if WebSphere Portal Express user management tools are used to create users and change passwords and also when WebSphere Application Server authenticates any user name and password pair through an LDAP BIND operation. Configuring LDAP over SSL can be important to protect sensitive data. Also, it might be required to ensure that user attributes that are retrieved from the directory are not viewed by someone watching packets on the network, if the attributes of a user include sensitive information or privacy is a concern.

In order to ensure that all this information remains private, it is necessary to configure both WebSphere Application Server and WebSphere Portal Express to use LDAP over SSL to the LDAP user registry. Configuring LDAP over SSL for WebSphere Application Server and WebSphere Portal Express is a separate operation from configuring the IBM HTTP Server to accept incoming browser requests over HTTPS, or configuring HTTPS between the HTTP Server and WebSphere Application Server in a distributed setup.

A full primer on the configuration of all the LDAP user registries and WebSphere Application Server is beyond the scope of this WebSphere Portal Express documentation. Consult the documentation for your LDAP server to configure the directory for SSL traffic. For WebSphere Application Server, refer to http://www.redbooks.ibm.com/ and do a search for Security Handbooks for the latest information about configuring WebSphere Application Server for LDAP over SSL. You can also consult the http://www.ibm.com/software/webservers/appserv/was/library/.

 

Before configuring

It is required that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. By doing this, you can verify that the directory is responding to LDAP requests before setting it up for SSL.

WebSphere Portal Express does not support installing to an LDAP user registry that is only available through SSL. It requires than a non-SSL LDAP port be available for the install. LDAP over SSL should be configured as a post-install step.

To use Microsoft^® Active Directory as the LDAP Server, you might need to configure the LDAP connection between WebSphere Portal Express and Active Directory over SSL. Configuring the connection between WebSphere Portal Express and Active Directory over SSL is required if you want to create new users using WebSphere Portal Express. New users can be created by either allowing users to use the WebSphere Portal Express self-registration function or by allowing administrators to use the Manage Users and Manage Groups portlets. This is because Active Directory will not allow an unsecured LDAP connection to be used to set the password for a user. If you do not intend to use WebSphere Portal Express to create new users in Active Directory, then you do not need to configure LDAP to Active Directory over SSL.

 

Import certificates to WebSphere Portal Express to enable SSL connection

 

Importing certificates to a WebSphere Portal Express keystore

Active Directory and Internet Information Services (IIS) should be installed and configured before you install WebSphere Portal Express.

1. You must have Certificate Services installed before configuring Active Directory for SSL. Refer to Installing Active Directory for more information.

2. You must then export the root CA certificate.

   1. Open a Web browser and connect to http://localhost/certsrv.

   2. Select task Retrieve the CA certificate or certificate revocation list and click Next.

   3. Choose the certificate you created (Current) and the format (either DER encoded or Base 64 encoded). Then click Download CA certificate.

   4. Save this certificate in a file. For example, call the certificate certnew.cer.

3. Import the certificate to the WebSphere Application Server keystore.

   1. Open a command window and change directory to was_profile_root/bin.

   2. Launch the IKeyMan utility by typing ikeyman.

   3. In IKeyMan, click on Open, leave the Key database type as JKS and choose the was_profile_root/etc/DummyServertrustfile.jks file. By default, the password for this file is WebAS.

   4. Choose Signer Certificates and click Add.

   5. According to the data type of the certificate you created in the previous step, select the corresponding data type (either Binary DER data or Base64-encoded ASCII data). Locate the certificate file (for example, certnew.cer) and then click OK.

   6. Type a name for the certificate and click OK.

   7. Save the updated DummyServertrustfile.jks file and exit the utility.

 

Configure WebSphere Portal Express to contact Active Directory over SSL

WebSphere Portal Express can be configured to use to a specifically named Java Key Store so that WebSphere Portal Express and WebSphere Application Server can share the same configured truststore in the SSL configuration of the CSIv2 Outbound Transport. To specify the Java Key Store, follow these steps:

If WebSphere Application Server is not set up to use the LDAP as the user registry, the first seven steps are not necessary. For example, if you ran the enable-security-wmmur-ldap or enable-security-wmmur-db task to enable security.

1. Stop WebSphere Portal Express.

2. Logon to the WebSphere Application Server Administration Console.

3. Navigate to Security > Global Security > LDAP.

4. Check the sslEnabled box (set sslEnabled to true).

5. Set the LDAP Port to port_number.

6. Save changes.

7. Perform the following steps to stop and restart the WebSphere Application Server:

   1. Open a command prompt and change to the following directory:

      • Linux:

        was_profile_root/bin

      • Windows:

        was_profile_root\bin

      • i5/OS:

        app_server_root/bin

   2. Enter the following command:

      • Linux:

        ./stopServer.sh server1 -user admin_userid -password admin_password

      • Windows:

        stopServer.bat server1 -user admin_userid -password admin_password

      • i5/OS:

        stopServer.sh server1 -profileName profile_root -user admin_userid -password admin_password

        where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

      server1 is the name of your WebSphere Application Server administrative server.

   3. Enter the following command:

      • Linux:

        ./startServer.sh server1

      • Windows:

        startServer.bat server1

      • i5/OS:

        startServer.sh server1 -profileName profile_root

        where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

      server1 is the name of your WebSphere Application Server administrative server.

8. In a text editor, open the file wmm.xml located in the portal_server_root/wmm directory.

   In a clustered environment, the wmm.xml file is moved from the portal_server_root/wmm/ directory to the was_profile_root/config/wmm directory via a configuration task that uploads and replicates to all cluster nodes.

9. Navigate to the stanza that begins ldapRepository name="wmmLDAP".

10. Verify that ldapPort="port_number".

11. Verify that sslEnabled="true".

12. At the end of this stanza, update

    • Linux:

      sslTrustStore="was_profile_root/etc/DummyServerTrustFile.jks"

    • Windows:

      sslTrustStore="was_profile_root\etc\DummyServerTrustFile.jks"

    where was_profile_root is the profile directory of the WebSphere Application Server installation.

    Notes:

    • The full pathname is only mandatory if the sslTrustStore file is not under was_profile_root\etc\; otherwise, you can just use the file name.

    • If you do not specify an sslTrustStore parameter here, Member Manager will use:

      • Linux:

        app_server_root/java/jre/lib/security/cacerts.jks

      • Windows:

        app_server_root\java\jre\lib\security\cacerts.jks

      In this case, you will need to import the root CA certificate for your LDAP server into the cacerts; refer to the Import the certificate step for instructions.

    • As part of setting up SSL for the LDAP repository in a cluster environment, any changes made within the deployment manager to the file defined by sslTrustStore and changes made to the cacerts file are not automatically replicated to all nodes in the cell and must be manually backed up and copied to the node agents. The location of the dummy keys on the deployment manager is was_profile_root\deployment manager name\etc\.

13. Save the file.

14. Perform the following steps to stop and restart the WebSphere Application Server:

    1. Open a command prompt and change to the following directory:

       • Linux:

         was_profile_root/bin

       • Windows:

         was_profile_root\bin

       • i5/OS:

         app_server_root/bin

    2. Enter the following command:

       • Linux:

         ./stopServer.sh server1 -user admin_userid -password admin_password

       • Windows:

         stopServer.bat server1 -user admin_userid -password admin_password

       • i5/OS:

         stopServer.sh server1 -profileName profile_root -user admin_userid -password admin_password

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

       server1 is the name of your WebSphere Application Server administrative server.

    3. Enter the following command:

       • Linux:

         ./startServer.sh server1

       • Windows:

         startServer.bat server1

       • i5/OS:

         startServer.sh server1 -profileName profile_root

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

       server1 is the name of your WebSphere Application Server administrative server.

15. Perform the following steps to stop and restart the WebSphere Portal Express server:

    1. Open a command prompt and change to the following directory:

       • Linux:

         was_profile_root/bin

       • Windows:

         was_profile_root\bin

       • i5/OS:

         app_server_root/bin

    2. Enter the following command:

       • Linux:

         ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

       • Windows:

         stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

       • i5/OS:

         stopServer.sh WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

    3. Enter the following command:

       • Linux:

         ./startServer.sh WebSphere_Portal

       • Windows:

         startServer.bat WebSphere_Portal

       • i5/OS:

         startServer.sh WebSphere_Portal -profileName profile_root

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

 

Parent topic:

Active Directory

 

Previous topic

Verifying LDAP

---