Configure a stand-alone LDAP user registry over SSL on AIX in a clustered environment
Overview
Configure WebSphere Portal to use a standalone LDAP user registry over SSL to store all user account information for secure authorization.
In single-server environments, you do not need to start or stop the WebSphere_Portal and server1 servers to complete the following steps. In clustered environments, stop all application servers on the system, including WebSphere_Portal, then start the nodeagent and dmgr servers before you begin any of the following steps.
To ensure the correct properties are entered, you can use the helper file...
WP_PROFILE/ConfigEngine/config/helpers/wp_security_xxx.properties
For example...
./ConfigEngine.sh validate-standalone-ldap -DparentProperties=WP_PROFILE/ConfigEngine/config/helpers/wp_security_sunone.properties -DSaveParentProperties=true
Configure a standalone LDAP user registry over SSL
If you created the clustered environment and then performed the steps in this task, run the update-jcr-admin task on the secondary node afterwards. See Enable LDAP security after cluster creation for instructions.
- Add the SSL certificate for the LDAP server to the server trust store and the client trust store:
- Add the certificate to the server trust store:
Use either of the following options to add the LDAP SSL certificate to the server trust store.
Option 1: Add the certificate from a file
- Log in to the WAS console.
- Navigate to Security -> SSL certificate and key management -> SSL configurations.
- Click the appropriate SSL configuration from the list. For example,
Stand-alone: NodeDefaultSSLSettings
Clustered: CellDefaultSSLSettings
- Click Key stores and certificates.
- Click the appropriate trust store from the list. For example,
Stand-alone: NodeDefaultTrustStore
Clustered: CellDefaultTrustStore
- Click Signer certificates, click Add, and then enter the following information:
Alias: the alias the key store uses for the signer certificate.
File name: the path to the file that contains the signer certificate.
- Click OK and then click Save to save the changes to the master configuration.
Option 2: Retrieve the certificate from the LDAP server's SSL port
- Log in to the WAS console.
- Navigate to Security -> SSL certificate and key management -> SSL configurations.
- Click the appropriate SSL configuration from the list. For example,
Stand-alone: NodeDefaultSSLSettings
Clustered: CellDefaultSSLSettings
- Click Key stores and certificates.
- Click the appropriate trust store from the list. For example,
Stand-alone: NodeDefaultTrustStore
Clustered: CellDefaultTrustStore
- Click Signer certificates, click Retrieve from port, and then enter the following information:
Host: the host name of the LDAP server from which to retrieve the signer certificate.
Port: the SSL port of the LDAP server.
Alias: the alias the key store uses for the signer certificate.
Clustered: verify that the SSL configuration for outbound connection matches the SSL configuration you selected.
- Click Retrieve signer information to retrieve the certificate from the port. Retrieving from the port trusts whatever certificate the host answers with, so check the displayed signer information against the certificate your LDAP administrator issued before you continue.
- Click OK and then click Save to save the changes to the master configuration.
- Add the LDAP certificate to the client trust store:
- See Secure installation for client signer retrieval.
- Run the retrieveSigners task.
In a deployed (clustered) environment, run the retrieveSigners task for any federated node against the Deployment Manager.
This task might report an error but still updates the trust store successfully. You can ignore the error message.
Example task:
Stand-alone
./retrieveSigners.sh NodeDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_number
Clustered
./retrieveSigners.sh CellDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_number
When prompted, enter:
Realm/Cell Name: name
Username: user_ID
Password: password
The following message displays: CWPKI0308I: Add signer alias "alias_name" to local keystore "ClientDefaultTrustStore" with the following SHA digest: ssl_certificate_fingerprint
Because -autoAcceptBootstrapSigner accepts the signer without asking, compare the SHA digest in this message with the fingerprint of the certificate you expect (for the LDAP signer, the certificate your LDAP administrator issued) before you rely on the updated trust store.
- Update the trust store properties file.
Clustered:
- Perform the following steps on the primary node, then resynchronize through the Dmgr to propagate the changes.
- Check each node to ensure that ssl.client.props contains the same values as on the primary node. If the values are not identical to those on the primary node, restart that server to synchronize the changes.
- Edit...
WP_PROFILE/properties/ssl.client.props
- Change the com.ibm.ssl.trustStore parameter and the related trust store parameters to match the trust store file specified in the SSL configuration. For example,
Stand-alone: To use the default trust store...
com.ibm.ssl.trustStore=WP_PROFILE/config/cells/cell_name/trust.p12
Clustered: To use the default trust store...
com.ibm.ssl.trustStore=WP_PROFILE/config/cells/cell_name/nodes/node_name/trust.p12
- Save changes.
- Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties
- Required: Enter a value under the Stand-alone security heading:
standalone.ldap.id
standalone.ldap.host
standalone.ldap.port (the SSL port of the LDAP server, not its clear-text port)
standalone.ldap.bindDN
standalone.ldap.bindPassword
standalone.ldap.ldapServerType
standalone.ldap.userIdMap
standalone.ldap.groupIdMap
standalone.ldap.groupMemberIdMap
standalone.ldap.userFilter
standalone.ldap.groupFilter
standalone.ldap.serverId
standalone.ldap.serverPassword
standalone.ldap.realm
standalone.ldap.primaryAdminId
standalone.ldap.primaryAdminPassword
standalone.ldap.primaryPortalAdminId
standalone.ldap.primaryPortalAdminPassword
standalone.ldap.primaryPortalAdminGroup
standalone.ldap.baseDN
- Required: Enter a value under the LDAP entity types heading:
standalone.ldap.et.group.objectClasses
standalone.ldap.et.group.objectClassesForCreate
standalone.ldap.et.group.searchBases
standalone.ldap.et.personaccount.objectClasses
standalone.ldap.et.personaccount.objectClassesForCreate
standalone.ldap.et.personaccount.searchBases
- Required: Enter a value under the Group member attributes heading:
standalone.ldap.gm.groupMemberName
standalone.ldap.gm.objectClass
standalone.ldap.gm.scope
standalone.ldap.gm.dummyMember
- Required: Enter a value for the following required relative distinguished name (RDN) parameters in wkplc.properties under the Default parent, RDN attribute heading:
standalone.ldap.personAccountParent
standalone.ldap.groupParent
standalone.ldap.personAccountRdnProperties
standalone.ldap.groupRdnProperties
- Enter a value for the following parameters to enable Secure Sockets Layer (SSL):
Required parameters:
standalone.ldap.sslEnabled
Optional parameters:
standalone.ldap.sslConfiguration
standalone.ldap.certificateMapMode
standalone.ldap.certificateFilter
- Save changes to wkplc.properties.
- Validate LDAP server settings...
./ConfigEngine.sh validate-standalone-ldap -DWasPassword=foo
If you have not deleted the default file repository, WasPassword is the value entered during installation, not a value from the LDAP user registry. During the validation task, you may receive the prompt: Add signer to the trust store now?. Check the signer details shown with the prompt against the LDAP server certificate, then press y and Enter.
- Set the stand-alone LDAP user registry...
./ConfigEngine.sh wp-modify-ldap.security -DWasPassword=foo
- Stop and restart the appropriate servers to propagate the changes.
- Check that all defined attributes are available in the configured LDAP user registry...
./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config
See "Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.
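The following pre-flight script is an added example for this procedure; it is not IBM's code and not part of the product. It does two things a practitioner wants before and after the steps above: it checks that wkplc.properties has the required standalone.ldap.* keys set, that standalone.ldap.sslEnabled is true and that standalone.ldap.port is not the clear-text port 389; and it compares the SHA digest that WAS prints in CWPKI0308I (or at the signer prompt) with the fingerprint the LDAP server actually presents, so an auto-accepted signer is not trusted blindly. The key list is a subset of the page's list, the file paths, host name ldap.example.com and port 636 are assumptions, and the fingerprint check assumes openssl is installed on the host that runs it.

```shell
#!/bin/sh
# Pre-flight checks for the standalone LDAP over SSL procedure.
# Added example, not IBM's code. Assumptions: wkplc.properties holds plain
# key=value lines; openssl is available on the host that runs the
# fingerprint check; 389 is the clear-text LDAP port you do not want here.

# Subset of the required keys listed under the "Stand-alone security" heading;
# extend it with the remaining standalone.ldap.* keys from the procedure.
REQUIRED_KEYS="standalone.ldap.id standalone.ldap.host standalone.ldap.port
standalone.ldap.bindDN standalone.ldap.bindPassword standalone.ldap.ldapServerType
standalone.ldap.baseDN standalone.ldap.serverId standalone.ldap.serverPassword
standalone.ldap.realm standalone.ldap.primaryAdminId standalone.ldap.primaryPortalAdminId
standalone.ldap.sslEnabled"

# prop_value FILE KEY: print KEY's value; the last definition wins, as in Java properties
prop_value() {
    _key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are literal, not regex wildcards
    sed -n "s/^[[:space:]]*${_key}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_wkplc FILE: print one problem per line; return 1 if anything is wrong
check_wkplc() {
    _file=$1
    _problems=0
    for _k in $REQUIRED_KEYS; do
        if [ -z "$(prop_value "$_file" "$_k")" ]; then
            echo "missing or empty: $_k"
            _problems=$((_problems + 1))
        fi
    done
    _ssl=$(prop_value "$_file" standalone.ldap.sslEnabled)
    if [ "$_ssl" != "true" ]; then
        echo "standalone.ldap.sslEnabled must be true for an SSL registry (found '$_ssl')"
        _problems=$((_problems + 1))
    fi
    _port=$(prop_value "$_file" standalone.ldap.port)
    if [ "$_port" = "389" ]; then
        echo "standalone.ldap.port is 389, the clear-text LDAP port; use the server's SSL port"
        _problems=$((_problems + 1))
    fi
    [ "$_problems" -eq 0 ]
}

# cwpki_digest LINE: extract the digest from a CWPKI0308I message line
cwpki_digest() {
    printf '%s\n' "$1" | sed -n 's/.*SHA digest:[[:space:]]*//p' | tr -d '\r'
}

# normalize_digest STRING: upper-case hex without colons or spaces, so the WAS
# digest and an openssl fingerprint compare as plain strings
normalize_digest() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# digest_matches A B: succeed when both strings are the same fingerprint
digest_matches() {
    [ "$(normalize_digest "$1")" = "$(normalize_digest "$2")" ]
}

# ldap_cert_fingerprint HOST PORT: SHA-1 fingerprint of the certificate the LDAP
# server presents on its SSL port (network call; not exercised by the test)
ldap_cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Usage:  preflight.sh check WP_PROFILE/ConfigEngine/properties/wkplc.properties
#         preflight.sh verify ldap.example.com 636 "<digest from CWPKI0308I>"
case "${1:-}" in
    check)  check_wkplc "$2" && echo "wkplc.properties: OK" ;;
    verify) _fp=$(ldap_cert_fingerprint "$2" "$3")
            if digest_matches "$_fp" "$4"; then echo "signer digest matches $_fp"
            else echo "MISMATCH: server presents $_fp, WAS accepted $4"; exit 1; fi ;;
esac
```

Run the check mode before ./ConfigEngine.sh validate-standalone-ldap, and the verify mode after retrieveSigners or the signer prompt, pasting the digest WAS printed. A mismatch means the trust store now holds a signer that is not the certificate your LDAP server serves, and the entry should be removed from the trust store and investigated rather than kept.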
Parent
Choose the stand-alone LDAP user registry on AIX in a clustered environment
Related tasks
Start and stop servers, dmgrs, and node agents
Enable LDAP security after cluster creation