Novell eDirectory

 


Overview

You might want to configure WebSphere Application Server and WebSphere Portal access to your LDAP user registry over SSL to ensure the confidentiality of the data exchanged between WebSphere Application Server, WebSphere Portal, and your LDAP user registry. For example, user passwords are sent over the network between the LDAP user registry and WebSphere Portal: when the WebSphere Portal user management tools create users or change passwords, and whenever WebSphere Application Server authenticates a user name and password pair through an LDAP BIND operation. Configuring LDAP over SSL can be important to protect this sensitive data. It might also be required to ensure that user attributes retrieved from the directory cannot be read by someone watching packets on the network, if the attributes of a user include sensitive information or privacy is a concern.

In order to ensure that all this information remains private, it is necessary to configure both WebSphere Application Server and WebSphere Portal to use LDAP over SSL to the LDAP user registry. Configuring LDAP over SSL for WebSphere Application Server and WebSphere Portal is a separate operation from configuring the IBM HTTP Server to accept incoming browser requests over HTTPS, or configuring HTTPS between the IBM HTTP Server and WebSphere Application Server in a distributed setup.

A full primer on the configuration of all the LDAP user registries and WebSphere Application Server is beyond the scope of this Portal Server documentation. Consult the documentation for your LDAP server to configure the directory for SSL traffic. For WebSphere Application Server, the IBM Redbook IBM WebSphere V5.0 Security, SG24-6573-00 is available, and Appendix B contains instructions for configuring WebSphere Application Server for LDAP over SSL. You can also consult the WebSphere Application Server product documentation.

Get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL.

 

Set up LDAP over SSL

It is required that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL.

However, WebSphere Portal also supports installing directly to an LDAP user registry over SSL, even though this is not recommended.

  1. Install WebSphere Portal and WebSphere Application Server
  2. Install and setup your LDAP
  3. Generate or import certificates as necessary and activate SSL on the directory
  4. Import certificate(s) to cacerts to enable SSL connection
  5. Close down the non-SSL port of the LDAP user registry server (optional)

 

1. Install WebSphere Portal and WebSphere Application Server

Refer to Install WebSphere Portal for more information.

Also refer to Install WebSphere Portal for instructions on how to install WebSphere Portal on an existing instance of WebSphere Application Server that has security enabled.

 

2. Install and setup your LDAP

Get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL.

 

3. Generate or import certificates as necessary and activate SSL on the directory

Refer to the Novell eDirectory documentation for more information.

 

4. Import certificate(s) to WebSphere Portal to enable SSL connection

 

Importing certificates to a WebSphere Application Server keystore

Unix and Windows: To make either the self-signed certificate or the CA certificate chain available to WebSphere Application Server and Portal Server, use the key management tool supplied by WebSphere Application Server to import the certificate(s) into the necessary Java Key Store (.jks) format key storage files. Use the App Server-supplied key management tool, IKeyMan, to import the certificates that you exported from the Novell certificate management process. IKeyMan supports the Java Key Store file formats necessary for WebSphere Application Server and Portal Server. Consult the WebSphere Application Server documentation for details about how to use this tool.

A brief overview of the steps to import the certificates to configure LDAP over SSL for WebSphere Application Server is:

  1. Activate the IKeyMan utility, which is located in was_root/bin. One way to do this is to issue the ikeyman.exe or ikeyman.sh command from the command line, depending on your operating system.

  2. Open the Java Key Store file which will be used by WebSphere Application Server for LDAP over SSL. The user can create new key files and define a new SSL repertoire. WebSphere Application Server provides a default repertoire called DefaultSSLSetting. Use the default repertoire which contains the default WebSphere Application Server server trust file. Open DummyServerTrustFile.jks located at was_root/etc directory. The password to the dummy server trust file is "WebAS".

  3. Select Signer Certificates from the top pulldown, then click Add.

  4. Select Base64-encoded ASCII data as the data type, and browse to the certificate file of that type that you exported from the Novell certificate management process.

  5. You will be asked for a label for the new certificate. Enter the same value that you specified for the label when you created the certificate.

  6. Save the updated key store file.

 

Importing certificates to a WebSphere Portal keystore

WebSphere Portal can be configured to use a specifically named Java Key Store so that WebSphere Portal and WebSphere Application Server share the same truststore configured in the SSL configuration of the CSIv2 Outbound Transport. To specify the Java Key Store, follow these steps:

  1. Stop WebSphere Portal.

  2. Log on to the WebSphere Application Server Administration Console.

  3. Navigate to Security > User Registries > LDAP.

  4. Check the sslEnabled box (set sslEnabled to true).

  5. Set the LDAP Port to 636.

  6. Save changes.

  7. Stop and restart your WebSphere Application Server (server1).

  8. In a text editor, open the file wmm.xml in the wp_root/wmm directory, where wp_root is the installation directory for WebSphere Portal.

  9. Navigate to the stanza that begins ldapRepository name="wmmLDAP".

  10. Verify that ldapPort="636".

  11. Verify that sslEnabled="true".

  12. At the end of this stanza, add sslTrustStore="was_root\etc\DummyServerTrustFile.jks", where was_root is the installation directory for WebSphere Application Server.

  13. Save the file.

  14. Stop and restart your WebSphere Application Server (server1).

  15. Restart WebSphere Portal.
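Before restarting WebSphere Application Server and WebSphere Portal, it is worth checking that the wmm.xml stanza from steps 9 to 12 really carries ldapPort="636", sslEnabled="true" and a .jks sslTrustStore, and that the directory presents a certificate chaining to the one you exported from Novell in step 4. The following is example code added here, not part of WebSphere Portal or Novell eDirectory; the wmm.xml excerpt, host name and truststore path are constructed for illustration, and the handshake check assumes you still have the Base64 (PEM) certificate file that you fed to IKeyMan.

```python
"""Check the LDAP-over-SSL settings in wmm.xml and, optionally, the TLS link to the directory.
Added example; the sample wmm.xml below is constructed and only carries the attributes the
procedure names (ldapRepository name, ldapPort, sslEnabled, sslTrustStore)."""
import os
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed excerpt of wmm.xml; host and truststore path are hypothetical.
SAMPLE_WMM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<wmm>
  <repositories>
    <ldapRepository name="wmmLDAP"
        ldapHost="edir.example.com"
        ldapPort="636"
        sslEnabled="true"
        sslTrustStore="C:\\WebSphere\\AppServer\\etc\\DummyServerTrustFile.jks"/>
  </repositories>
</wmm>
"""


def check_wmm_ldap_ssl(xml_text, check_truststore_exists=False):
    """Return a list of problems with the wmmLDAP stanza; an empty list means steps 9-12 hold."""
    problems = []
    root = ET.fromstring(xml_text)
    repo = next((e for e in root.iter("ldapRepository") if e.get("name") == "wmmLDAP"), None)
    if repo is None:
        return ['no ldapRepository stanza named "wmmLDAP"']
    if repo.get("ldapPort") != "636":
        problems.append('ldapPort is %r, expected "636"' % repo.get("ldapPort"))
    if (repo.get("sslEnabled") or "").lower() != "true":
        problems.append('sslEnabled is %r, expected "true"' % repo.get("sslEnabled"))
    trust_store = repo.get("sslTrustStore")
    if not trust_store:
        problems.append("sslTrustStore attribute is missing")
    elif not trust_store.lower().endswith(".jks"):
        problems.append("sslTrustStore %r is not a Java Key Store (.jks) file" % trust_store)
    elif check_truststore_exists and not os.path.isfile(trust_store):
        problems.append("sslTrustStore file %r does not exist on this machine" % trust_store)
    return problems


def ldaps_handshake(host, ca_pem_path, port=636, timeout=5.0):
    """Open a TLS connection to the directory, trusting only the exported eDirectory certificate
    (the same PEM file imported with IKeyMan), and return the server certificate's subject.
    A failed verification here means WebSphere will fail the same way once sslEnabled is true."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])
```

Run `check_wmm_ldap_ssl(open("wmm.xml").read(), check_truststore_exists=True)` on the real file from wp_root/wmm; `ldaps_handshake` is only meaningful against a live directory and is not exercised offline.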

 

5. Close down the non-SSL port of the LDAP user registry server (optional)

This is an optional step. Closing the non-SSL port of the directory will ensure that traffic exchanged with the directory by WebSphere Application Server, WebSphere Portal, or any other application, is confidential.

 

Next steps

You have completed this step. Continue to the next step by choosing one of the following topics:

 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.