AIX stand-alone: Configure a stand-alone LDAP user registry over SSL


Overview

In single server environments, you do not have to start or stop the WebSphere_Portal and server1 servers to complete the following steps. In clustered environments, stop all application servers on the system, including WebSphere_Portal, then start the nodeagent and dmgr servers before you begin any of the following steps.

To ensure the correct properties are entered, you can use the helper file...

In the instructions below, when a step refers to wkplc.properties, use the wp_security_xxx.properties helper file instead.


Configure a standalone LDAP user registry over SSL

  1. Add the SSL certificate for the LDAP server to the server trust store and the client trust store using one of the following methods:

    • Add cert to server trust store

      1. Log in to the WAS console.

      2. Navigate to...

          Security -> SSL certificate and key management -> SSL configurations

        ...and click the appropriate SSL configuration from the list. For example,

          Standalone NodeDefaultSSLSettings
          Clustered CellDefaultSSLSettings

      3. Click...

          Key stores and certificates

      4. Click the appropriate trust store from the list. For example,

          Standalone NodeDefaultTrustStore
          Clustered CellDefaultTrustStore

      5. Click...

          Signer certificates | Add

        ...and then enter...

        • Alias the key store uses for the signer certificate.
        • File name where the signer certificate is located.

      6. Click OK and then click Save to save the changes to the master configuration.

    • Retrieve cert from port

      1. Log in to the WAS console.

      2. Navigate to...

          Security -> SSL certificate and key management -> SSL configurations

      3. Click the appropriate SSL configuration from the list. For example,

          Standalone NodeDefaultSSLSettings
          Clustered CellDefaultSSLSettings

      4. Click Key stores and certificates.

      5. Click the appropriate trust store from the list. For example,

          Standalone NodeDefaultTrustStore
          Clustered CellDefaultTrustStore

      6. Click...

        ...and then enter the following information...

        • Host name used when attempting to retrieve the signer certificate from the SSL port.
        • SSL Port used when attempting to retrieve the signer certificate.
        • Alias the key store uses for the signer certificate.

        For clustered environments, ensure that the SSL configuration for outbound connection setting matches the SSL settings.

      7. Click...

          Retrieve signer information to retrieve the certificate from the port

      8. Click OK and then click Save to save the changes to the master configuration.

  2. Add the LDAP certificate to the client trust store:

    1. Secure installation for client signer retrieval.

    2. Run the retrieveSigners task

      In a deployed environment, run retrieveSigners for any federated node, against the Deployment Manager.

      This task might report an error, but it does successfully update the trust store. You can ignore the error message.

      Standalone...

        cd WP_PROFILE/bin
        ./retrieveSigners.sh NodeDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_number

      Clustered...

        cd WP_PROFILE/bin
        ./retrieveSigners.sh CellDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_number

      When prompted...

        Realm/Cell Name: name
        Username: user_ID
        Password: password

      The following message displays: CWPKI0308I: Add signer alias "alias_name" to local keystore "ClientDefaultTrustStore" with the following SHA digest: ssl_certificate_fingerprint

    3. Update the trust store properties file.

      Clustered:

      Perform the following steps on the primary node, then resynchronize through the Dmgr to propagate the changes.

      Check each node to ensure that ssl.client.props contains the same values as on the primary node. If the values are not identical to those on the primary node, restart that server to synchronize the changes.

      1. Edit...

          WP_PROFILE/properties/ssl.client.props

      2. Change the com.ibm.ssl.trustStore parameter and the related trust store parameters to match the trust file specified in the SSL configuration. For example,

        Standalone: To use the default trust store...

          com.ibm.ssl.trustStore=WP_PROFILE/config/cells/cell_name/trust.p12

        Clustered: To use the default trust store...

          com.ibm.ssl.trustStore=WP_PROFILE/config/cells/cell_name/trust.p12

      3. Save changes.

  3. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties

  4. Required: Enter a value under the Standalone security heading:

      standalone.ldap.id
      standalone.ldap.host
      standalone.ldap.port
      standalone.ldap.bindDN
      standalone.ldap.bindPassword
      standalone.ldap.ldapServerType
      standalone.ldap.userIdMap
      standalone.ldap.groupIdMap
      standalone.ldap.groupMemberIdMap
      standalone.ldap.userFilter
      standalone.ldap.groupFilter
      standalone.ldap.serverId
      standalone.ldap.serverPassword
      standalone.ldap.realm
      standalone.ldap.primaryAdminId
      standalone.ldap.primaryAdminPassword
      standalone.ldap.primaryPortalAdminId
      standalone.ldap.primaryPortalAdminPassword
      standalone.ldap.primaryPortalAdminGroup
      standalone.ldap.baseDN

  5. Required: Enter a value under the LDAP entity types heading:

      standalone.ldap.et.group.objectClasses
      standalone.ldap.et.group.objectClassesForCreate
      standalone.ldap.et.group.searchBases
      standalone.ldap.et.personaccount.objectClasses
      standalone.ldap.et.personaccount.objectClassesForCreate
      standalone.ldap.et.personaccount.searchBases

  6. Required: Enter a value under the Group member attributes heading:

      standalone.ldap.gm.groupMemberName
      standalone.ldap.gm.objectClass
      standalone.ldap.gm.scope
      standalone.ldap.gm.dummyMember

  7. Required: Enter a value for the following required relative distinguished name (RDN) parameters in wkplc.properties under the Default parent, RDN attribute heading:

      standalone.ldap.personAccountParent
      standalone.ldap.groupParent
      standalone.ldap.personAccountRdnProperties
      standalone.ldap.groupRdnProperties

  8. Enter a value for the following parameters to enable SSL:

      Required parameters:

        standalone.ldap.sslEnabled
        standalone.ldap.sslConfiguration

      Optional parameters:

        standalone.ldap.certificateMapMode
        standalone.ldap.certificateFilter

  9. Save changes to wkplc.properties.

  10. Validate LDAP server settings...

      ./ConfigEngine.sh validate-standalone-ldap -DWasPassword=foo

    If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in the LDAP user registry.

    During the validation task, you may receive the prompt "Add signer to the trust store now?". Press y and then Enter.

  11. Set the stand-alone LDAP user registry.

        cd WP_PROFILE/ConfigEngine
        ./ConfigEngine.sh wp-modify-ldap.security -DWasPassword=foo

  12. Stop and restart the appropriate servers to propagate the changes.

  13. Check that all defined attributes are available in the configured LDAP user registry.

        cd WP_PROFILE/ConfigEngine
        ./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=foo

    See "Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.
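As an added pre-flight check (not part of the IBM documentation or the product), the following POSIX shell script reads the helper file edited in steps 3 through 8 and reports any required standalone.ldap.* property that is missing, plus SSL settings that would leave the LDAP bind in clear text before you run validate-standalone-ldap. It assumes the file holds plain key=value lines as wkplc.properties does; write_sample builds a constructed sample file.

```shell
#!/bin/sh
# Pre-flight check of the standalone LDAP-over-SSL properties before running
# "ConfigEngine.sh validate-standalone-ldap". Added example, not IBM's code;
# it assumes the helper file holds key=value lines like wkplc.properties.

# Keys the procedure marks as required (the standalone.ldap. prefix is omitted).
REQUIRED="id host port bindDN bindPassword ldapServerType userIdMap groupIdMap
groupMemberIdMap userFilter groupFilter serverId serverPassword realm
primaryAdminId primaryAdminPassword primaryPortalAdminId
primaryPortalAdminPassword primaryPortalAdminGroup baseDN
et.group.objectClasses et.group.objectClassesForCreate et.group.searchBases
et.personaccount.objectClasses et.personaccount.objectClassesForCreate
et.personaccount.searchBases gm.groupMemberName gm.objectClass gm.scope
gm.dummyMember personAccountParent groupParent personAccountRdnProperties
groupRdnProperties sslEnabled sslConfiguration"

# prop_get FILE KEY: value of the last KEY= line (empty if absent; last wins).
prop_get() {
    grep "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//'
}

# check_props FILE: print one line per problem; return 0 only if there are none.
check_props() {
    _f=$1; _n=0
    for _k in $REQUIRED; do
        if [ -z "$(prop_get "$_f" "standalone.ldap.$_k")" ]; then
            echo "MISSING standalone.ldap.$_k"; _n=$((_n + 1))
        fi
    done
    # Without sslEnabled=true the simple bind, bindPassword included, crosses
    # the network in clear text even though the trust stores were prepared.
    if [ "$(prop_get "$_f" standalone.ldap.sslEnabled)" != "true" ]; then
        echo "WARN standalone.ldap.sslEnabled is not true"; _n=$((_n + 1))
    fi
    # 389 is the plain LDAP port; an SSL listener is normally on 636.
    if [ "$(prop_get "$_f" standalone.ldap.port)" = "389" ]; then
        echo "WARN standalone.ldap.port is 389, expected the SSL port"; _n=$((_n + 1))
    fi
    [ "$_n" -eq 0 ]
}

# write_sample FILE: constructed helper file with every required key set;
# the later port and sslEnabled lines override the placeholders above them.
write_sample() {
    { for _k in $REQUIRED; do echo "standalone.ldap.$_k=placeholder"; done
      echo "standalone.ldap.port=636"; echo "standalone.ldap.sslEnabled=true"
    } > "$1"
}
```

Run check_props against your real helper file; an empty output and a zero exit status mean every required key is set and SSL is on.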

