
Configure a stand-alone LDAP user registry over SSL on AIX in a clustered environment


Overview

In a single server environment, the WebSphere_Portal and server1 servers can be either stopped or started.

In a clustered environment, stop all application servers on the system, including WebSphere_Portal and server1, and then start the nodeagent and deployment manager servers before starting the following task.


Configure a standalone LDAP user registry over SSL

To help ensure correct properties are entered, use the helper file...

  1. Specify the LDAP server's SSL certificate in the client trust store:

    • Server trust store

      To add the certificate to the trust store:

      1. Log in to the admin console.

      2. Navigate to...

      3. Click the appropriate SSL configuration from the list; for example, NodeDefaultSSLSettings.

      4. Click Key stores and certificates.

      5. Click the appropriate trust store from the list; for example, NodeDefaultTrustStore.

      6. Click Signer certificates, click Add, and then enter the following information:

        • Alias the key store uses for the signer certificate.

        • File name where the signer certificate is located.

      7. Click OK and then click Save to save the changes to the master configuration.

      To retrieve the certificate from the port:

      1. Log in to the admin console.

      2. Navigate to...

      3. Click the appropriate SSL configuration from the list; for example, NodeDefaultSSLSettings.

      4. Click Key stores and certificates.

      5. Click the appropriate trust store from the list; for example, NodeDefaultTrustStore.

      6. Click Signer certificates, click Retrieve from port, and then enter the following information:

        • Host name used when attempting to retrieve the signer certificate from the SSL port.
        • SSL Port used when attempting to retrieve the signer certificate.
        • Alias the key store uses for the signer certificate.

      7. Click Retrieve signer information to retrieve the certificate from the port.

      8. Click OK and then click Save to save the changes to the master configuration.

    • Client trust store

      See Secure installation for client signer retrieval.

      During the validation task, you may receive the following prompt: "Add signer to the trust store now?". Type y and then press Enter.

      Run...

        retrieveSigners

      ...from the profile_root/bin directory; see retrieveSigners command.

      In a deployed environment, run the retrieveSigners task for any federated node against the Deployment Manager.

      This task may report an error or fail, but it still successfully updates the trust store, so the error message can be ignored.

      To update the trust store properties file:

      1. Edit the ssl.client.props file, located in the profile_root/properties directory.

      2. Change the com.ibm.ssl.trustStore parameter and the related trust store parameters to match the trust store file specified in the SSL configuration.

        For example, enter com.ibm.ssl.trustStore=${CONFIG_ROOT}/cells/wpsbvt/nodes/wpsbvt/trust.p12 to use the default trust store.

      3. Save changes.

  2. Edit...

      profile_root/ConfigEngine/properties/wkplc.properties

  3. Set the following parameters in wkplc.properties under the VMM Stand-alone LDAP configuration heading:

  4. Set a value for the following required entity types parameters in wkplc.properties under the LDAP entity types heading:

  5. Set a value for the following required group member parameters in wkplc.properties under the Group member attributes heading:

  6. Set a value for the following required relative distinguished name (RDN) parameters in wkplc.properties under the Default parent, RDN attribute heading:

  7. Enter a value for the following parameters to enable Secure Sockets Layer (SSL): Required parameters:

    Optional parameters:

  8. Save changes to wkplc.properties.

  9. Validate the LDAP server settings...

      ./ConfigEngine.sh validate-standalone-ldap -DWasPassword=password

    Note that if you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in your LDAP user registry.

  10. Set the stand-alone LDAP user registry...

      cd profile_root/ConfigEngine
      ./ConfigEngine.sh wp-modify-ldap-security -DWasPassword=password

  11. Propagate the security changes:

    Standalone:

      cd profile_root/bin
      ./stopServer.sh server1 -username admin_userid -password admin_password
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal

    Cluster:

      cd dmgr_profile/bin
      ./stopManager.sh -username admin_userid -password admin_password
      cd profile_root/bin
      ./stopNode.sh -username admin_userid -password admin_password
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password
      cd dmgr_profile/bin
      ./startManager.sh
      cd profile_root/bin
      ./startNode.sh
      ./startServer.sh WebSphere_Portal

  12. Check that all defined attributes are available in the configured LDAP user registry...

      cd profile_root/ConfigEngine
      ./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=password

    After configuring LDAP, you can adapt the attribute configuration.

  13. Configure your Web server over SSL. Navigate to Configuring WebSphere Portal > Additional security features > Configuring SSL > Setting up SSL.

  14. Log on to the admin console and navigate to Security > SSL certificate and key management. Select the Use the United States Federal Information Processing Standard (FIPS) algorithms check box to enable FIPS.

  15. Enable TLS in your internet browser, located under Tools > Options > Advanced.

If you performed these steps after creating the clustered environment, run enable-jcr-security on the secondary node.
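The ssl.client.props edit from step 1 ("Client trust store"), written as an added example that is not part of the original page or the product: it replaces or appends the trust store properties in place and confirms the edit applied, so a typo in the path is caught before the ConfigEngine validation runs. The related key com.ibm.ssl.trustStoreType and the sample file contents are assumptions for illustration; only com.ibm.ssl.trustStore is named on the page.

```shell
#!/bin/sh
# Added example, not from the original page: edit the trust store entries of
# ssl.client.props in place (step 1, "Client trust store") and confirm the edit.
# Assumed for illustration: the related key com.ibm.ssl.trustStoreType and the
# sample contents written by make_sample_props.

# key_re KEY: escape the dots so the key matches literally in sed/grep.
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# set_prop FILE KEY VALUE: replace an existing "KEY=..." line (a commented
# "#KEY=..." line is uncommented and replaced), or append KEY=VALUE if absent.
set_prop() {
    file=$1; key=$2; value=$3; kre=$(key_re "$key")
    # escape characters that are special in the sed replacement ('|' is the delimiter)
    esc=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
    if grep -q "^[#[:space:]]*${kre}=" "$file"; then
        sed "s|^[#[:space:]]*${kre}=.*|${key}=${esc}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY: print the effective (last uncommented) value of KEY.
get_prop() { sed -n "s|^$(key_re "$2")=||p" "$1" | tail -n 1; }

# configure_client_trust FILE TRUSTSTORE: point the client at the trust store
# named in the SSL configuration; returns non-zero if the edit did not apply.
configure_client_trust() {
    set_prop "$1" com.ibm.ssl.trustStore "$2"
    set_prop "$1" com.ibm.ssl.trustStoreType PKCS12   # assumed related key
    [ "$(get_prop "$1" com.ibm.ssl.trustStore)" = "$2" ] \
        && [ "$(get_prop "$1" com.ibm.ssl.trustStoreType)" = PKCS12 ]
}

# make_sample_props FILE: constructed stand-in for ssl.client.props (sample
# data, not a real profile), used to exercise the functions offline.
make_sample_props() {
    printf '%s\n' 'com.ibm.ssl.trustStoreName=ClientDefaultTrustStore' \
        'com.ibm.ssl.trustStore=${user.root}/etc/trust.p12' \
        '#com.ibm.ssl.trustStoreType=JKS' > "$1"
}
```

On a real profile, call configure_client_trust with profile_root/properties/ssl.client.props and the trust store path from the SSL configuration; the ${CONFIG_ROOT} variable is left for WebSphere to expand.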

