Configure SSL for the LDAP client
To set up an SSL connection between WAS and an LDAP server...
- Set up an LDAP server with users.
The server configured in this example is IBM Directory Server. Other servers are configured differently. Refer to the documentation of the directory server you are using for details on SSL enablement. For a product-supported LDAP directory server, see Supported directory services article.
- Configure certificates for the LDAP server using the key management utility (iKeyman) shipped with IBM HTTP Server product.
- Click Key Database File > New.
- Type LDAPkey.kdb as the file name and a proper path.
- Click...
Personal Certificates | New Self-Signed CertificateThe Create New Self-Signed Certificate panel is displayed. Type the following information in the fields and click OK...
Key Label LDAP_Cert
Common Name Host name where the WAS plug-in runs. For example... amsterdam.mydomain.com
Organization ibm
Country US - Return to the Personal Certificates panel and click Extract Certificate.
- Click the Base64-encoded ASCII data data type. Type LDAP_cert.arm as the file name and a proper path. Click OK.
- Enable SSL on the LDAP server...
- Copy the LDAPkey.kdb, LDAPkey.sth, LDAPkey.rdb, and LDAPkey.crl files created previously to the LDAP server system, for example...
\IBM\LDAP\ssl\- Open the LDAP Web administrator from a browser...
http://httpserver.mydomain.com/ldap- Click SSL properties to open the SSL Settings window.
- Click SSL On > Server Authentication and type an SSL port (636, for example) and a full path to the LDAPkey.kdb file.
- Click Apply, and restart the LDAP server.
- Manage certificates for WAS using the default SSL key files.
- Open the $WAS_HOME\etc\DumservernameTrustFile.jks file using the key management utility that shipped with WAS. The password is WebAS.
- Click Personal Certificates with the pull-down tab. Click Import. The Import Key panel is displayed. Specify LDAP_cert.arm for the file name. Complete this step for all the servers including the deployment manager.
- Establish a connection between the WAS and the LDAP server.
- In the administrative console, click User Registry > LDAP User Registry > LDAP Settings. Fill in the Server ID, Server Password, Type, Host, Port, and Base Distinguished Name fields. Select the SSL Enabled check box. The port is the one that the LDAP server is using for SSL (636, for example). Click Apply.
- Click Authentication Mechanisms > LTPA > Single SignOn (SSO). Type in a domain name (amsterdam.mydomain.com, for example). Click Apply.
- Enable global security.
- Click Security > Global Security. Select the Enabled check box. Choose LTPA as the active authentication mechanism and LDAP as the active user registry. Click Apply and Save.
Note that Verify that the security level for the LDAP server is set to HIGH. The default security level is HIGH (128-bit).
- Check the LDAP_$WAS_HOME\etc\slapd32.conf file; verify that the ibm-slapdSSLCipherSpecs parameter has the value, 15360, instead of 12288.
- Restart the servers. Restarting the servers ensures that the security settings are synchronized between the deployment manager and the appservers.
You can test the configuration by accessing https://fully_qualified_host_name:9443/snoop. You are presented with a login challenge.
Usage Scenario
- If you are enabling security, make sure that you complete the remaining steps. As the final step, validate this configuration by clicking OK or Apply in the Global Security panel. Refer to the Configuring global security article for detailed steps on enabling global security.
- For changes in this panel to become effective, save, stop, and start all WASs (cells, nodes and all the appservers).
- After the server starts up, go through all the security-related tasks (getting users, getting groups, and so on) to make sure that the changes to the filters are functioning.
See Also
SSL
LDAP
Local operating system user registries
Custom user registries
Configuring SSL
Creating a keystore file
Creating self-signed personal certificates
Creating certificate signing requests
Creating truststore files
Importing signer certificates
Configuring global security
Enabling and disabling global security