Configure SSL connections between WebSphere Application Server and an LDAP server

  1. Configure SSL in the LDAP server. The procedure varies with the LDAP server being used. Consult the documentation for your server for details. If you are using the OS/400 Directory Service, see the Directory Services documentation in the iSeries Information Center:

  2. Update your WebSphere Application Server trust store file. The trust store file is the repository for the WebSphere server's trust base. Because it needs to authenticate the LDAP server during SSL initialization, the trust store file must provide information about the LDAP server.

    To validate the LDAP server's certificate, your server needs the public key of the CA that issued the LDAP server's certificate. This key is found in that CA's certificate, so you need to add the CA certificate to your trust store file on the server.

    To add the additional certificate to the trust store file, do the following:

    1. Obtain the certificate of the CA that issued the LDAP server's certificate. For example, if your LDAP server's certificate was issued by the Local CA on your iSeries system, extract the Local CA's certificate by using the Digital Certificate Manager (DCM):
      1. Start the Digital Certificate Manager (DCM)

        Procedures vary depending on the release of DCM you have installed on your iSeries system. The release of DCM that is used in this topic is V5R1M0.

      2. In the left pane, click Install CA certificate on your PC.
      3. In the right pane, click Copy and paste certificate.
      4. Create a text file named myLocalCA.txt on your PC, paste the CA certificate into it, and save the file. Ensure that the copy of the CA certificate ends with the new line character.
      5. Click the Done button.

    2. Add the CA certificate to the server's trust store file:

      1. Start iKeyman on your workstation. For more information, see IBM Key Management Tool (iKeyman).

      2. Click Key Database File and select Open.
      3. Use the browser to navigate to the directory containing the trust store file for your WebSphere server instance, and open the file. For example: USER_INSTALL_ROOT/etc/DummyServerTrustFile.jks.
      4. Click Personal Certificates and select Signer Certificates.
      5. Click Add.
      6. Specify settings:

        • Data Type: Base64-encoded ASCII data
        • Certificate file name: myLocalCA.txt
        • Location: the path to the directory containing myLocalCA.txt

      7. Click OK.
      8. Enter LocalCA for the label and click OK.
      9. Click Key Database File.
      10. Select Exit.

  3. Enable the SSL connection in WebSphere. Use the WebSphere administrative console to modify your LDAP configuration (under Security --> User Registries --> LDAP):

    • Set the port to 636. (If you used a different port number, set the port to that number.)
    • Select SSL Enabled.
    • Select DefaultSSLSettings.

  4. Click OK.

  5. Save your changes.

  6. Stop and restart the application server, then start the administrative console. You are prompted to log in to the LDAP registry.
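The two points where this procedure most often goes wrong are the pasted CA certificate file (step 2) and the trust relationship itself (step 3). The following script is an added example, not IBM's code or part of this topic: it checks that a Base64 CA certificate file has the form iKeyman expects (one BEGIN/END block, a body that decodes to a DER SEQUENCE whose length matches, and the trailing new line the procedure calls out), and it can then open an SSL connection to the LDAP server on port 636 using only that CA, which is exactly the validation WebSphere performs at SSL initialization. The PEM content embedded below is constructed for the demonstration: its DER payload is a minimal ASN.1 SEQUENCE, not a real certificate, and the file and host names are assumptions.

```python
"""Sanity-check a pasted CA certificate file before adding it to a WebSphere
trust store, then optionally confirm that the CA validates the LDAP server
over SSL/TLS. Added example; not IBM's code. Sample data is constructed."""
import base64
import binascii
import socket
import ssl
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence_length(der: bytes) -> int:
    """Total length (header + content) of the outer DER element, or -1 if malformed."""
    if len(der) < 2:
        return -1
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_file(text: str) -> list:
    """Return the problems found in a Base64-encoded ASCII certificate file.

    An empty list means: exactly one BEGIN/END block, a body that is valid
    Base64, an outer DER SEQUENCE (every X.509 certificate is one) whose
    declared length matches the data, and a trailing new line character."""
    problems = []
    if (text.count(BEGIN) != 1 or text.count(END) != 1
            or text.index(END) < text.index(BEGIN)):
        problems.append("expected exactly one BEGIN/END CERTIFICATE block")
        return problems
    body = text.split(BEGIN, 1)[1].split(END, 1)[0]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        problems.append(f"body is not valid Base64: {exc}")
        return problems
    if not der or der[0] != 0x30:
        problems.append("decoded data does not start with a DER SEQUENCE (not a certificate)")
    elif der_sequence_length(der) != len(der):
        problems.append("DER length does not match decoded data (truncated or padded paste)")
    if not text.endswith("\n"):
        problems.append("file does not end with a new line character")
    return problems


def make_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM block with 64-column lines and a trailing new line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"


def ldaps_server_cert(host: str, cafile: str, port: int = 636) -> dict:
    """Connect to the LDAP server trusting only the CA in cafile and return
    the server certificate. Raises ssl.SSLCertVerificationError when that CA
    did not issue the server certificate (or the name does not match), which
    is the failure WebSphere sees when the trust store lacks the right CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed stand-in for myLocalCA.txt: DER SEQUENCE { INTEGER 5 }, not a real CA.
SAMPLE_DER = bytes.fromhex("3003020105")
GOOD_PEM = make_pem(SAMPLE_DER)
BAD_PEM_NO_NEWLINE = GOOD_PEM.rstrip("\n")

if __name__ == "__main__":
    # usage: python check_ca.py [myLocalCA.txt [ldap.example.com]]  (assumed names)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="ascii").read() if path else GOOD_PEM
    for line in check_pem_file(text) or ["OK: certificate file looks importable"]:
        print(line)
    if len(sys.argv) > 2:
        print("LDAP server certificate subject:", ldaps_server_cert(sys.argv[2], path)["subject"])
```

Once the file passes, the JDK keytool equivalent of the iKeyman steps above is `keytool -import -trustcacerts -alias LocalCA -file myLocalCA.txt -keystore DummyServerTrustFile.jks`, and `keytool -list -keystore DummyServerTrustFile.jks -alias LocalCA` confirms the signer entry is present. Running the script with a host name as the second argument performs the same CA check WebSphere will make after the restart, so a verification error here explains a failed login prompt before the administrative console is involved.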

Tips

If your SSL connection does not work, try the following: