Set up LDAP over SSL to Active Directory

Overview

WebSphere Portal can be configured to access the LDAP user registry over SSL, which protects the confidentiality of sensitive data sent over the network during tasks such as the following...

  • Use of the change passwords tool
  • WAS authentication of user name and password pairs through an LDAP BIND operation
  • Sensitive and private user attributes retrieved from the directory by various portlets

Configuring LDAP over SSL for WAS and WebSphere Portal is a separate operation from configuring the IBM HTTP Server to accept incoming browser requests over HTTPS, or configuring HTTPS between the HTTP Server and WAS in a distributed setup.

A full primer on configuring the various LDAP user registries with WAS is beyond the scope of this WebSphere Portal documentation. Consult the documentation for your LDAP server to configure the directory for SSL traffic. For WAS, refer to redbooks.ibm.com and search for "Security Handbooks" for the latest information about configuring WAS for LDAP over SSL.

 

Before configuring

To verify that LDAP is responding to requests, configure non-SSL LDAP before setting up LDAP over SSL.

WebSphere Portal does not support installing against a user registry that is available only through SSL. It requires that a non-SSL LDAP port be available during the install. Configure LDAP over SSL as a post-install step.

Active Directory will not allow an unsecured LDAP connection to be used to set the password for a user. If you do not intend to use WebSphere Portal to create new users in Active Directory, then you do not need to configure LDAP to Active Directory over SSL.

To use Microsoft Active Directory as the LDAP server, configure the LDAP connection between WebSphere Portal and Active Directory over SSL. This is required if you want to create new users through WebSphere Portal, either by letting users use the WebSphere Portal self-registration function or by letting administrators use the Manage Users and Manage Groups portlets.

 

Import certificates to WebSphere Portal to enable SSL connection

  1. Install Active Directory and Internet Information Services.

  2. Install WebSphere Portal.

  3. Install Certificate Services.

  4. Export the root CA certificate.

    1. Open a Web browser and connect to...

      http://localhost/certsrv

    2. Select task...

      Retrieve the CA certificate or certificate revocation list

      ...and click Next.

    3. Choose the certificate you created (Current) and the format (either DER encoded or Base 64 encoded). Then click on...

      Download CA certificate

    4. Save this certificate in a file. For example, call the certificate...

      certnew.cer

  5. Import the certificate to the WAS keystore.

    1. Launch the ikeyman utility...

      was_profile_root/bin
      ./ikeyman.sh

    2. In ikeyman, click on Open, leave the Key database type as JKS and choose the file...

      was_profile_root/etc/DummyServertrustfile.jks

      By default, the password for this file is WebAS.

    3. Choose Signer Certificates and click Add.

    4. Select the data type that matches the format you chose when downloading the certificate in the previous step...

      • Binary DER data
      • Base64-encoded ASCII data

      Locate the certificate file, for example, certnew.cer, and then click OK.

    5. Type a name for the certificate and click OK.

    6. Save the updated DummyServertrustfile.jks file and exit the utility.
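A check to run on the downloaded file before importing it with ikeyman (an added example, not part of IBM's documentation): it reports which data type to choose in step 4 and whether the outer DER structure is complete, so a truncated download is caught before the import fails. The sample certificate bytes are constructed and are not a real CA certificate.

```python
import base64
import re
from typing import Tuple

# Added example: classify a downloaded CA certificate file (e.g. certnew.cer) so the
# matching data type can be picked in ikeyman, and check that the outer DER SEQUENCE
# is complete. SAMPLE_DER / SAMPLE_PEM below are constructed, not a real certificate.

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(der: bytes) -> int:
    """Length of the outer DER SEQUENCE (tag + length header + content), or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:          # Certificate ::= SEQUENCE
        return -1
    first = der[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def classify_certificate(data: bytes) -> Tuple[str, bool]:
    """Return (ikeyman data type label, True if the DER length matches the data)."""
    m = PEM_RE.search(data)
    if m:
        der = base64.b64decode(m.group(1))       # newlines inside the body are ignored
        label = "Base64-encoded ASCII data"
    else:
        der = data
        label = "Binary DER data"
    return label, der_total_length(der) == len(der)

# Constructed sample: a DER SEQUENCE holding 256 zero bytes (long-form length 0x82 0x01 0x00)
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("DER", SAMPLE_DER), ("PEM", SAMPLE_PEM), ("truncated", SAMPLE_DER[:-10])):
        print(name, classify_certificate(blob))
```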

 

Configure WebSphere Portal to contact Active Directory over SSL

WebSphere Portal can be configured to use a specifically named Java Key Store so that WebSphere Portal and WAS share the same truststore configured in the SSL configuration of the CSIv2 Outbound Transport.

To specify the Java Key Store...

If WAS is not set up to use the LDAP as the user registry, the first seven steps are not necessary. For example, if you ran the enable-security-wmmur-ldap task, WAS is configured to use the database user registry.

  1. Stop WebSphere Portal.

  2. Log on to the WAS Administration Console.

  3. Navigate to the LDAP User Registry panel.

  4. Check the sslEnabled box. This sets sslEnabled to true.

  5. Set the LDAP Port to port, the SSL port of the LDAP server.

  6. Save changes.

  7. Stop and restart the WAS (server1).

  8. Edit...

    portal_server_root/wmm/wmm.xml

  9. Navigate to the stanza that begins ldapRepository name="wmmLDAP".

  10. Verify that ldapPort="port".

  11. Verify that sslEnabled="true".

  12. At the end of this stanza, update

    Use the full pathname if the sslTrustStore file is not under...

    was_profile_root/etc/

    If you do not specify an sslTrustStore parameter here, Member Manager will use

    In this case, import the root CA certificate for the LDAP server into the cacerts; see the Import the certificate step above for instructions.

  13. Save the file.

  14. Stop and restart the WAS (server1).

  15. Restart WebSphere Portal.
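An added example, not IBM's code, that audits the wmmLDAP stanza for the settings in steps 10 to 12 and writes the corrected stanza; it assumes the Active Directory SSL port is the standard 636 and that sslTrustStore names DummyServertrustfile.jks under was_profile_root/etc/. The wmm.xml fragment is constructed and omits the other elements and attributes of the real file.

```python
import posixpath
import xml.etree.ElementTree as ET
from typing import List

# Added example (not IBM's code): audit the ldapRepository name="wmmLDAP" stanza
# for the settings the procedure requires, and produce the corrected stanza.
# WMM_BEFORE is a constructed fragment; a real wmm.xml carries many more
# elements and attributes, which this fragment does not reproduce.

def resolve_truststore(ssl_trust_store: str, was_profile_root: str) -> str:
    """sslTrustStore is looked up under was_profile_root/etc/ unless given as a full path."""
    if posixpath.isabs(ssl_trust_store):
        return ssl_trust_store
    return posixpath.join(was_profile_root, "etc", ssl_trust_store)

def audit_wmm_ldap(xml_text: str, ssl_port: int) -> List[str]:
    """Return the problems found in the wmmLDAP stanza; an empty list means it matches the procedure."""
    stanza = ET.fromstring(xml_text).find(".//ldapRepository[@name='wmmLDAP']")
    if stanza is None:
        return ["no ldapRepository stanza named wmmLDAP"]
    findings = []
    if stanza.get("sslEnabled", "").lower() != "true":
        findings.append('sslEnabled is not "true": BIND passwords and user attributes cross the network in clear')
    if stanza.get("ldapPort") != str(ssl_port):
        findings.append(f"ldapPort is {stanza.get('ldapPort')!r}, expected the SSL port {ssl_port}")
    if stanza.get("sslTrustStore") is None:
        findings.append("sslTrustStore not set: the LDAP root CA must then be present in cacerts")
    return findings

def enable_ldap_ssl(xml_text: str, ssl_port: int, ssl_trust_store: str) -> str:
    """Return wmm.xml text with the wmmLDAP stanza switched to LDAP over SSL."""
    root = ET.fromstring(xml_text)
    stanza = root.find(".//ldapRepository[@name='wmmLDAP']")
    if stanza is None:
        raise ValueError("wmmLDAP stanza missing")
    stanza.set("ldapPort", str(ssl_port))
    stanza.set("sslEnabled", "true")
    stanza.set("sslTrustStore", ssl_trust_store)
    return ET.tostring(root, encoding="unicode")

# Constructed fragment: plain LDAP on 389 with SSL off, as left by a non-SSL install.
WMM_BEFORE = """<wmm>
  <repositories>
    <ldapRepository name="wmmLDAP" ldapHost="ad.example.test" ldapPort="389" sslEnabled="false"/>
  </repositories>
</wmm>"""

if __name__ == "__main__":
    for finding in audit_wmm_ldap(WMM_BEFORE, 636):
        print("FINDING:", finding)
    print(enable_ldap_ssl(WMM_BEFORE, 636, "DummyServertrustfile.jks"))
```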
