Configure a stand-alone LDAP user registry over SSL on i5/OS
Overview
In a single-server environment, the WebSphere_Portal and server1 servers can be either stopped or started.
In a clustered environment, stop all application servers on the system, including WebSphere_Portal and server1, and then start the nodeagent and deployment manager servers before starting the following task.
To help ensure correct properties are entered, use the helper file...
profile_root/ConfigEngine/config/helpers/wp_security_xxx.properties
Configure a standalone LDAP user registry over SSL
- Add the LDAP server's SSL signer certificate to the trust store. Two trust stores are involved: the server trust store and the client trust store.
- Server trust store
To add the certificate to the trust store:
- Log in to the admin console.
- Navigate to...
Security | SSL certificate and key management | SSL configurations
- Click the appropriate SSL configuration from the list; for example, NodeDefaultSSLSettings.
- Click Key stores and certificates.
- Click the appropriate trust store from the list; for example, NodeDefaultTrustStore.
- Click Signer certificates, click Add, and then enter the following information:
- Alias the key store uses for the signer certificate.
- File name where the signer certificate is located.
- Click OK and then click Save to save the changes to the master configuration.
To retrieve the certificate from the port:
- Log in to the admin console.
- Navigate to...
Security | SSL certificate and key management | SSL configurations
- Click the appropriate SSL configuration from the list; for example, NodeDefaultSSLSettings.
- Click Key stores and certificates.
- Click the appropriate trust store from the list; for example, NodeDefaultTrustStore.
- Click Signer certificates, click Retrieve from port, and then enter the following information:
- Host name used when attempting to retrieve the signer certificate from the SSL port.
- SSL Port used when attempting to retrieve the signer certificate.
- Alias the key store uses for the signer certificate.
- Click Retrieve signer information to retrieve the certificate from the port.
- Click OK and then click Save to save the changes to the master configuration.
- Client trust store
Run...
retrieveSigners
...from the profile_root/bin directory; see retrieveSigners command. In a deployed environment, run the retrieveSigners task, for any federated node, against the Deployment Manager. See Secure installation for client signer retrieval.
During the validation task, you may receive the following prompt: "Add signer to the trust store now?". Type y and then press Enter.
This task may report an error or fail, but it still updates the trust store, so the error message can be ignored. To update the trust store properties file:
- Edit the ssl.client.props file, located in the profile_root/properties directory.
- Change the com.ibm.ssl.trustStore parameter and the related trust store parameters to match the trust file specified in the SSL configuration.
For example, enter com.ibm.ssl.trustStore=${CONFIG_ROOT}\cells\wpsbvt\nodes\wpsbvt\trust.p12 to use the default trust store.
- Save changes.
- Edit...
profile_root/ConfigEngine/properties/wkplc.properties
- Set the following parameters in wkplc.properties under the VMM Stand-alone LDAP configuration heading:
- standalone.ldap.id
- standalone.ldap.host
- standalone.ldap.port
- standalone.ldap.bindDN
- standalone.ldap.bindPassword
- standalone.ldap.ldapServerType
- standalone.ldap.userIdMap
- standalone.ldap.groupIdMap
- standalone.ldap.groupMemberIdMap
- standalone.ldap.userFilter
- standalone.ldap.groupFilter
- standalone.ldap.serverId
- standalone.ldap.serverPassword
- standalone.ldap.realm
- standalone.ldap.primaryAdminId
- standalone.ldap.primaryAdminPassword
- standalone.ldap.primaryPortalAdminId
- standalone.ldap.primaryPortalAdminPassword
- standalone.ldap.primaryPortalAdminGroup
- standalone.ldap.baseDN
- Set a value for the following required entity types parameters in wkplc.properties under the LDAP entity types heading:
- standalone.ldap.et.group.objectClasses
- standalone.ldap.et.group.objectClassesForCreate
- standalone.ldap.et.group.searchBases
- standalone.ldap.et.personaccount.objectClasses
- standalone.ldap.et.personaccount.objectClassesForCreate
- standalone.ldap.et.personaccount.searchBases
- Set a value for the following required group member parameters in wkplc.properties under the Group member attributes heading:
- standalone.ldap.gm.groupMemberName
- standalone.ldap.gm.objectClass
- standalone.ldap.gm.scope
- standalone.ldap.gm.dummyMember
- Set a value for the following required relative distinguished name (RDN) parameters in wkplc.properties under the Default parent, RDN attribute heading:
- standalone.ldap.personAccountParent
- standalone.ldap.groupParent
- standalone.ldap.personAccountRdnProperties
- standalone.ldap.groupRdnProperties
- Enter a value for the following parameters to enable Secure Sockets Layer (SSL):
Required parameters:
Optional parameters:
- Save changes to wkplc.properties.
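As an added pre-flight check (not part of the original page or of the product), the following Python script reads the stand-alone LDAP section of wkplc.properties and reports which of the required parameters listed above are still unset, before validate-standalone-ldap is run against the directory. The minimal properties reader and the sample file content are constructed for illustration; the parameter names are the ones the page lists.

```python
import re

# Every parameter the page lists as required in the stand-alone LDAP section of wkplc.properties.
REQUIRED = ["standalone.ldap." + k for k in (
    "id host port bindDN bindPassword ldapServerType userIdMap groupIdMap "
    "groupMemberIdMap userFilter groupFilter serverId serverPassword realm "
    "primaryAdminId primaryAdminPassword primaryPortalAdminId "
    "primaryPortalAdminPassword primaryPortalAdminGroup baseDN "
    "et.group.objectClasses et.group.objectClassesForCreate et.group.searchBases "
    "et.personaccount.objectClasses et.personaccount.objectClassesForCreate "
    "et.personaccount.searchBases gm.groupMemberName gm.objectClass gm.scope "
    "gm.dummyMember personAccountParent groupParent personAccountRdnProperties "
    "groupRdnProperties").split()]

def parse_properties(text):
    """Minimal java.util.Properties reader: comments, key=value / key: value, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_ldap_config(props):
    """Return findings for the stand-alone LDAP section; an empty list means it looks complete."""
    out = [f"missing or empty: {k}" for k in REQUIRED if not props.get(k, "").strip()]
    port = props.get("standalone.ldap.port", "")
    if port and not port.isdigit():
        out.append(f"standalone.ldap.port is not numeric: {port!r}")
    elif port == "389":   # 389 is the cleartext LDAP port; an SSL setup is expected to use the LDAPS port
        out.append("standalone.ldap.port is 389 (cleartext LDAP), not an SSL port")
    for k in ("standalone.ldap.bindDN", "standalone.ldap.baseDN"):
        if props.get(k) and not re.match(r"\s*\w+=", props[k]):
            out.append(f"{k} does not look like a distinguished name: {props[k]!r}")
    return out

# Constructed sample (not a real site): deliberately incomplete so the check reports gaps.
SAMPLE = """\
standalone.ldap.host=ldap.example.com
standalone.ldap.port=636
standalone.ldap.bindDN=cn=wpsbind,o=example
standalone.ldap.baseDN=o=example
standalone.ldap.userFilter=(&(uid=%v)(objectclass=inetOrgPerson))
"""
```

Running `check_ldap_config(parse_properties(open("wkplc.properties").read()))` on a real file lists every required key still left blank, so the gaps are found before the ConfigEngine validation task is run.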
- Run...
ConfigEngine.sh validate-standalone-ldap -DWasPassword=password
...to validate your LDAP server settings.
Note that if you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in your LDAP user registry.
- Run...
ConfigEngine.sh wp-modify-ldap-security -DWasPassword=password
...from profile_root/ConfigEngine to set the standalone LDAP user registry.
- Propagate the security changes:
Standalone: run the following commands in order:
- stopServer server1 -username admin_userid -password admin_password
- stopServer WebSphere_Portal -username admin_userid -password admin_password
- startServer server1
- startServer WebSphere_Portal
Cluster: run the following commands in order from profile_root/bin:
- stopManager -username admin_userid -password admin_password
- stopNode -username admin_userid -password admin_password
- stopServer WebSphere_Portal -username admin_userid -password admin_password
- startManager
- startNode
- startServer WebSphere_Portal
- Run...
ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=password
...from profile_root/ConfigEngine to check that all defined attributes are available in the configured LDAP user registry.
After configuring LDAP, you can adapt the attribute configuration.
- Configure your Web server over SSL. Navigate to Configuring WebSphere Portal > Additional security features > Configuring SSL > Setting up SSL.
- Log on to the admin console and navigate to Security > SSL certificate and key management. Select the "Use the United States Federal Information Processing Standard (FIPS) algorithms" check box to enable FIPS.
- Enable TLS in your internet browser, located under Tools > Options > Advanced.
Parent topic:
Configure a stand-alone LDAP user registry on i5/OS
Related tasks
Adapting the attribute configuration