Setting up LDAP over SSL to Windows 2000 Active Directory
Overview
You might wish to configure WAS and WebSphere Portal access to the LDAP directory over SSL to ensure the confidentiality of the data exchanged between WAS, WebSphere Portal, and the LDAP directory. For example, user passwords are sent over the network between LDAP directory and WebSphere Portal. This occurs to set the password if WebSphere Portal user management tools are used to create users and change passwords and also when WAS authenticates any user name and password pair through an LDAP BIND operation. Configuring LDAP over SSL can be important to protect sensitive data. Also, it might be desirable to ensure that user attributes that are retrieved from the directory are not viewed by someone watching packets on the network, if the attributes of a user include sensitive information or privacy is a concern.
To ensure that all this information remains private, it is necessary to configure both WAS and WebSphere Portal to use LDAP over SSL to the LDAP directory. Configuring LDAP over SSL for WAS and WebSphere Portal is a separate operation from configuring the IBM HTTP Server to accept incoming browser requests over HTTPS, or configuring HTTPS between the IBM HTTP Server and WAS in a distributed setup.
A full primer on the configuration of all the LDAP directories and WAS is beyond the scope of this Portal Server documentation. Consult the documentation for the LDAP server to configure the directory for SSL traffic. For WAS, the IBM Redbook IBM WebSphere V5.0 Security, SG24-6573-00 is available, and Appendix B contains instructions for configuring WAS for LDAP over SSL. You can also consult the WAS product documentation.
It is recommended that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL.
Before configuring
It is required that you first get LDAP (nonSSL) successfully working before setting up LDAP over SSL. By doing this, you can verify that the directory is responding to LDAP requests before setting it up for SSL.
WebSphere Portal does not support installing to an LDAP directory that is only available via SSL. It requires than a non-SSL LDAP port be available for the install. LDAP over SSL should be configured as a post-install step.
To use Active Directory as the LDAP Server, you might need to configure the LDAP connection between Portal Server and Active Directory over SSL. Configuring the connection between Portal Server and Active Directory over SSL is required if you want to create new users using Portal Server. New users can be created by either allowing users to use the Portal Server self-registration function or by allowing administrators to use the Manage Users and Manage Groups portlets. This is because Active Directory will not allow an unsecured LDAP connection to be used to set the password for a user. If you do not intend to use Portal Server to create new users in Active Directory, then you do not need to configure LDAP to Active Directory over SSL.
Configure Active Directory over SSL
Active Directory and Internet Information Services (IIS) should be installed and configured before you install Portal Server.
- You must have installed Certificate Services before configuring Active Directory for SSL. Refer to Install Windows 2000 Active Directory for more information.
- You must then export the root CA certificate.
- Open a Web browser and connect to http://localhost/certsrv
- Select task Retrieve the CA certificate or certificate revocation list and click Next.
- Choose the certificate you created (Current) and the format (either DER encoded or Base 64 encoded). Then click on Download CA certificate.
- Save this certificate in a file. For example, call the certificate certnew.cer
- Load mmc.exe and then the Certificate Authority snap-in. Find the root certificate public key and save to file.
- Import the certificate to the WAS keystore.
- Open a command window and change directory to <was_root>/bin.
- Launch the IKeyMan utility by typing ikeyman.
- In IKeyMan, click on Open, leave the Key database type as JKS and choose cacerts key store under the <was_root>/java/jre/lib/security directory. The default password for the key store is changeit.
- Choose Signer Certificates and click Add.
- According to the data type of the certificate you created in the previous step, select the corresponding data type (either Binary DER data or Base64-encoded ASCII data). Locate the certificate file (for example, certnew.cer), then click OK.
- Type a name for the certificate and click OK.
- Save the updated cacerts file.
- In IKeyMan, click on Open, leave the Key database type as JKS and choose the <was_root>/etc/DummyServertrustfile.jks file. By default, the password for this file is WebAS.
- Choose Signer Certificates and click Add.
- According to the data type of the certificate you created in the previous step, select the corresponding data type (either Binary DER data or Base64-encoded ASCII data). Locate the certificate file (for example, certnew.cer), then click OK.
- Type a name for the certificate and click OK.
- Save the updated DummyServertrustfile.jks file and exit the utility.
For information about this topic, refer to the latest version of the WebSphere Portal Information Center at http://www.ibm.com/websphere/portal/library.
Next steps
You have completed this step. Continue to the next step by choosing one of the following topics:
See also
- Configure WebSphere Portal for Active Directory
- LDAP