Setting up LDAP over SSL with Sun ONE server

Overview

You might wish to configure WAS and WebSphere Portal to access your LDAP directory over SSL to ensure the confidentiality of the data exchanged between WAS, WebSphere Portal, and the LDAP directory. For example, user passwords are sent over the network between the LDAP directory and WebSphere Portal: when the WebSphere Portal user management tools are used to create users or change passwords, and whenever WAS authenticates a user name and password pair through an LDAP BIND operation. Configuring LDAP over SSL might therefore be important to protect this sensitive data. It might also be desirable to ensure that user attributes retrieved from the directory cannot be viewed by someone watching packets on the network, if those attributes include sensitive information or privacy is a concern.

To ensure that all this information remains private, it is necessary to configure both WAS and WebSphere Portal to use LDAP over SSL to the LDAP directory. Configuring LDAP over SSL for WAS and WebSphere Portal is a separate operation from configuring the IBM HTTP Server to accept incoming browser requests over HTTPS, or configuring HTTPS between the IBM HTTP Server and WAS in a distributed setup.

A full primer on the configuration of all the LDAP directories and WAS is beyond the scope of this Portal Server documentation. Consult the documentation for the LDAP server to configure the directory for SSL traffic. For WAS, the IBM Redbook IBM WebSphere V5.0 Security, SG24-6573-00 is available, and Appendix B contains instructions for configuring WAS for LDAP over SSL. You can also consult the WAS product documentation.

It is recommended that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL.


About keys and certificates

Using LDAP over SSL to the LDAP directory consists of bringing the necessary certificates into the key storage files that WAS and WebSphere Portal use. The necessary certificates are the signing certificates for the LDAP server certificate. The important point is that every certificate required to establish the full certificate signing trust chain must be made available to WAS and WebSphere Portal. For a self-signed certificate, the trust chain consists of only the one self-signed LDAP server certificate. For a certificate signed by a CA, the certificate chain confirming the identity and validity of the signing CA must be included. Either a purchased certificate or a self-generated CA signing certificate can be used. Some configuration settings must also be changed to tell WAS and WebSphere Portal that LDAP over SSL should be used. Usually it is only necessary to bring a signing certificate from the LDAP server to WAS and WebSphere Portal; this allows the server side of the SSL connection to be authenticated. WAS and WebSphere Portal are LDAP clients of the LDAP directory server, and the client side is authenticated by an LDAP BIND performed within the SSL connection. The identity used by WAS for this BIND is the Bind DN configured in the WAS Security Console.

If the LDAP directory is configured to require mutually authenticated SSL for the LDAP connection, meaning that it requests a client-side certificate, then signing certificates for WAS and WebSphere Portal must also be placed in the LDAP server's key storage. In this case WAS and WebSphere Portal still perform LDAP BINDs with the configured IDs and passwords, even though the SSL connection has already performed a mutual authentication.


Set up LDAP over SSL

It is required that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL. Use the IBM Web Administration for iSeries tool for all of the WebSphere Portal configuration tasks. The wizard creates the necessary servers (HTTP and WAS), configures the server for Portal, configures the database for Portal, and configures the Portal server for security (LDAP).

  1. Install WebSphere Portal and WAS

  2. Install and set up the LDAP directory

  3. Generate or import certificates as necessary and activate SSL on the directory

  4. Import certificate(s) to cacerts to enable SSL connection

  5. Close down the non-SSL port of the LDAP directory server (optional)


1. Install WebSphere Portal and WAS

Refer to Install WebSphere Portal for more information.

Also refer to Install WebSphere Portal for instructions on how to install WebSphere Portal on an existing instance of WAS that has security enabled.


2. Install and set up the LDAP directory

It is recommended that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL. Use the IBM Web Administration for iSeries tool for all of the WebSphere Portal configuration tasks. The wizard creates the necessary servers (HTTP and WAS), configures the server for Portal, configures the database for Portal, and configures the Portal server for security (LDAP).


3. Generate or import certificates as necessary and activate SSL on the directory

The configuration of LDAP over SSL from WAS and Portal Server to Sun ONE is nearly identical on the WAS and Portal Server side to configuration performed for IBM Directory Server. The Sun ONE directory server will not allow the use of self-signed certificates, so the Certificate Authority's (CA) signer chain must be imported to the WAS and Portal Server keystores.


4. Import certificate(s) to WebSphere Portal to enable SSL connection


Importing certificates to a WAS keystore

For Sun ONE, it is not possible to use self-signed certificates. Only signing certificates signed by a CA (Certificate Authority) can be used to enable LDAP over SSL to Sun ONE. For a certificate signed by a CA, the certificate chain confirming the identity and validity of the signing CA must be included. Either a purchased certificate or a self-generated CA signing certificate can be used.


Importing certificates to a WebSphere Portal keystore

You must also import the certificates into a keystore that WebSphere Portal can use. WebSphere Portal has no configuration setting that points to a specifically named Java Key Store file; instead it uses the default keystore file of the JVM, cacerts. Do not modify the original cacerts keystore itself. Rather, create a private copy of the cacerts file and add or remove certificates in that private copy. The password for cacerts is changeit; be sure to change the password that protects the private copy. Note also that initially all keystores created using iKeyman contain a number of commercial CA certificates. The configured truststore in the SSL configuration of the CSIv2 Outbound Transport must also be updated.
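As an added example (not from this documentation and not IBM code), the following Java program performs step 4 programmatically: it copies cacerts into a private keystore, imports the CA signer chain for the Sun ONE server certificate, stores the copy under a new password, and then checks the result by completing a TLS handshake with the LDAPS port while trusting only that copy. The cacerts path, PEM file names, host name and passwords are placeholders; it needs Java 7 or later.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Added example, not code from the IBM documentation; paths, host and passwords are placeholders.
public class PortalLdapsTruststore {
    // Step 4 as code: copy cacerts, add the CA signer chain, protect the copy with a new password.
    static Path buildPrivateTruststore(Path cacerts, String cacertsPass, List<Path> caPems,
                                       Path out, String newPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");            // cacerts is a JKS file for this JVM generation
        try (InputStream in = Files.newInputStream(cacerts)) { ks.load(in, cacertsPass.toCharArray()); }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Path pem : caPems) {                              // root CA plus any intermediates of the signing CA
            try (InputStream in = Files.newInputStream(pem)) {
                for (Certificate c : cf.generateCertificates(in)) {
                    X509Certificate x = (X509Certificate) c;
                    ks.setCertificateEntry("ldap-ca-" + x.getSerialNumber().toString(16), x);
                }
            }
        }
        try (OutputStream o = Files.newOutputStream(out)) { ks.store(o, newPass.toCharArray()); }
        return out;                                            // the JVM's own cacerts file is left untouched
    }

    // Check: TLS handshake with the LDAPS port, trusting only the private copy.
    static X509Certificate handshake(Path truststore, String pass, String host, int port) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(truststore)) { ks.load(in, pass.toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();                                // fails unless the server chain reaches an imported CA
            return (X509Certificate) s.getSession().getPeerCertificates()[0];
        }
    }

    public static void main(String[] args) throws Exception {
        Path ts = buildPrivateTruststore(Paths.get("/opt/java/lib/security/cacerts"), "changeit",
            Arrays.asList(Paths.get("sunone-root-ca.pem")), Paths.get("portal-cacerts.jks"), "NewStorePass");
        X509Certificate leaf = handshake(ts, "NewStorePass", "ldap.example.com", 636);
        System.out.println("trusted LDAPS server certificate: " + leaf.getSubjectX500Principal());
        // Point the Portal JVM at the copy with -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword.
    }
}
```

If the handshake throws an SSLHandshakeException, a certificate in the signer chain is missing from the private copy; the LDAP BIND itself still happens afterwards, inside the SSL session, as the configured Bind DN.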


5. Close down the non-SSL port of the LDAP directory server (optional)

This is an optional step. Closing the non-SSL port of the directory will ensure that traffic exchanged with the directory by WAS, WebSphere Portal, or any other application, is confidential.

For information about this topic, refer to the latest version of the WebSphere Portal Information Center at http://www.ibm.com/websphere/portal/library.
