Set up LDAP over SSL with Novell eDirectory

 

Overview

By default, user passwords are sent in cleartext over the network between the LDAP user registry and portal when...

  • Portal user management tools are used to create users and change passwords.
  • WAS authenticates user name and password pairs through an LDAP bind operation.

We can configure WAS and portal to access a Novell eDirectory LDAP user registry over SSL, and stymie anyone watching packets on the network.

Configuring LDAP over SSL for WAS and portal encrypts data between WAS and eDirectory servers. Other procedures are available for encrypting network packets between an HTTP server and Novell eDirectory servers.

First get LDAP (non-SSL) successfully working before setting up LDAP over SSL.
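To make the point about cleartext binds concrete, the following added example (not part of the original page, and not IBM or Novell code) decodes an LDAP simple BindRequest from captured bytes and lists the bind DNs whose password is readable on the wire. The same check, run over a capture of the directory's ports once LDAP over SSL is in place, confirms that no cleartext binds remain: on the SSL port the bind sits inside a TLS record and the decoder finds nothing. The sample packets are constructed inside the script, and it assumes one LDAPMessage per packet.

```python
"""
Decode LDAP BindRequest messages from captured bytes and flag the ones whose
password travelled in cleartext.  Added example for this page, not code from
the original documentation or from any IBM or Novell product.

Assumptions (not from the page): each input is the payload of one TCP segment
holding exactly one LDAPMessage, and the sample packets below are constructed
here rather than taken from a real capture.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BER tags used by an LDAP BindRequest (RFC 4511, section 4.2).
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80     # [0] simple: the password itself, primitive
TAG_SEARCH_REQUEST = 0x63  # [APPLICATION 3], used only for the non-bind sample


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode a short-form BER TLV; enough for the small sample messages here."""
    if len(value) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value


@dataclass
class BindInfo:
    message_id: int
    version: int
    name: str                            # bind DN
    cleartext_password: Optional[str]    # set only for a simple bind


def parse_bind_request(packet: bytes) -> Optional[BindInfo]:
    """Return BindInfo if packet holds an LDAP BindRequest, else None.

    A TLS record (first byte 0x16 or 0x17) or any non-bind LDAP operation
    returns None, so a capture of the SSL port never yields credentials.
    """
    if len(packet) < 2 or packet[0] != TAG_SEQUENCE:
        return None
    _, message, _ = _read_tlv(packet, 0)
    tag, msg_id, pos = _read_tlv(message, 0)
    if tag != TAG_INTEGER:
        return None
    tag, bind, _ = _read_tlv(message, pos)
    if tag != TAG_BIND_REQUEST:
        return None
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    password = cred.decode("utf-8", errors="replace") if tag == TAG_AUTH_SIMPLE else None
    return BindInfo(int.from_bytes(msg_id, "big"), int.from_bytes(version, "big"),
                    name.decode("utf-8", errors="replace"), password)


def build_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """Encode a simple BindRequest the way an LDAP client puts it on the wire (sample data)."""
    bind = _tlv(TAG_BIND_REQUEST,
                _tlv(TAG_INTEGER, bytes([3]))                # LDAP version 3
                + _tlv(TAG_OCTET_STRING, name.encode())
                + _tlv(TAG_AUTH_SIMPLE, password.encode()))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + bind)


def exposed_bind_dns(packets: List[bytes]) -> List[str]:
    """Return the bind DNs whose password is readable in the given packets."""
    found = []
    for pkt in packets:
        info = parse_bind_request(pkt)
        if info is not None and info.cleartext_password is not None:
            found.append(info.name)
    return found


# Constructed sample traffic: a cleartext bind as seen on the non-SSL port, a
# SearchRequest (carries no credentials), and the start of a TLS application
# data record as seen on the SSL port, where the bind is inside the ciphertext.
SAMPLE_CLEARTEXT_BIND = build_simple_bind(1, "cn=portaladmin,o=acme", "Passw0rd")
SAMPLE_SEARCH = _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, b"\x02") + _tlv(TAG_SEARCH_REQUEST, b""))
SAMPLE_TLS_RECORD = bytes.fromhex("170303002a") + bytes(42)

if __name__ == "__main__":
    for dn in exposed_bind_dns([SAMPLE_CLEARTEXT_BIND, SAMPLE_SEARCH, SAMPLE_TLS_RECORD]):
        print("cleartext bind for", dn)
```

Running the script reports only the constructed port-389 bind; the SearchRequest and the TLS record produce nothing. Feed it the payloads of a real capture of both directory ports (one LDAPMessage per payload) and an empty result is the evidence that closing the non-SSL port, the optional last step of the procedure, has left no cleartext credential path.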


Procedure

  1. Install portal and WAS

    Refer to Installing on Windows and UNIX for more information.

  2. Install and set up the LDAP

    1. Install LDAP
    2. Set up LDAP

  3. Generate or import certificates as necessary and activate SSL on the directory

    The certificate can be either self-signed or part of a CA certificate chain. Refer to the Novell eDirectory documentation for more information.

  4. Import certificates to portal to enable the SSL connection

    Use ikeyman to import the certificate exported from the Novell certificate management process into the required Java Key Store (.jks):

    1. Run ikeyman...

    2. Open the Java Key Store file that WAS will use for LDAP over SSL.

      We can create a new key file...

      ...or we can use the default *.jks file...

      The password to the dummy server trust file is "WebAS".

    3. If you created a new key file, define a new SSL repertoire.

      If not, we can use the default repertoire, DefaultSSLSetting, which contains the default WAS server trust file.

    4. Select Signer Certificates from the top pull-down, then click Add.

    5. Select Base64-encoded ASCII data as the data type, and browse to the certificate file of that type that you exported from the Novell certificate management process.

    6. When asked for a label for the new certificate, enter the same value that you specified for the label when you created the certificate.

    7. Save the updated key store file.

  5. Specify a Java Key Store

    Portal can be configured to use a specifically named Java Key Store so that portal and WAS can share the same configured truststore in the SSL configuration of the CSIv2 Outbound Transport.

    1. Stop portal.

    2. Log on to the WAS Administration Console and navigate to the LDAP User Registry panel.

    3. Check the sslEnabled box and set the LDAP Port to port (the port on which the directory accepts SSL connections).

    4. Save changes.

    5. Stop and restart server1.

    6. Edit...

    7. Navigate to the stanza that begins...

        ldapRepository name="wmmLDAP"

    8. Verify that ldapPort="port" and sslEnabled="true".

    9. At the end of this stanza, set...

      If you do not specify an sslTrustStore parameter here, Member Manager will use

      Import the Novell eDirectory root CA certificate into the specified cacerts key store.

    10. Save the file.

    11. Stop and restart the WebSphere Application Server (server1).

    12. Restart portal.

  6. Close down the non-SSL port of the LDAP user registry server (optional)

    This is an optional step. Closing the non-SSL port of the directory ensures that traffic exchanged with the directory by WebSphere Application Server, portal, or any other application is confidential.
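The stanza checks in the Member Manager file (ldapPort="port", sslEnabled="true", an sslTrustStore parameter at the end of the ldapRepository name="wmmLDAP" stanza) are easy to get wrong by hand, so here is an added example, not code from the page or from WebSphere Portal, that audits a stanza for those three settings and can produce the corrected XML. The page does not name the file or show the full stanza, so the root element and the ldapHost attribute in the sample are invented, 636 is assumed as the directory's SSL port, and the truststore path is a placeholder.

```python
"""
Audit the Member Manager ldapRepository stanza for the LDAP-over-SSL settings
the procedure asks you to verify, and show the stanza with them applied.
Added example for this page; not code from the original documentation or from
WebSphere Portal.

Assumptions (not from the page): the stanza lives in an XML file whose root
element and ldapHost attribute are invented here, 636 is used as the
directory's SSL port, and the truststore path is a placeholder.
"""
import xml.etree.ElementTree as ET
from typing import List

REPOSITORY_NAME = "wmmLDAP"   # from the page: ldapRepository name="wmmLDAP"

# Constructed sample: the stanza as it might look before the SSL change.
SAMPLE_BEFORE = """<wmm>
  <ldapRepository name="wmmLDAP" ldapHost="edir.example.invalid" ldapPort="389" sslEnabled="false"/>
</wmm>
"""


def find_stanza(root: ET.Element) -> ET.Element:
    """Locate the ldapRepository element named wmmLDAP anywhere under root."""
    for elem in root.iter("ldapRepository"):
        if elem.get("name") == REPOSITORY_NAME:
            return elem
    raise ValueError(f'no ldapRepository name="{REPOSITORY_NAME}" stanza found')


def audit_ldap_repository(xml_text: str, ssl_port: str) -> List[str]:
    """Return findings; an empty list means the stanza matches the procedure
    (ldapPort equals the SSL port, sslEnabled="true", sslTrustStore set)."""
    stanza = find_stanza(ET.fromstring(xml_text))
    findings = []
    if stanza.get("sslEnabled") != "true":
        findings.append(f'sslEnabled is {stanza.get("sslEnabled")!r}, expected "true"')
    if stanza.get("ldapPort") != ssl_port:
        findings.append(f'ldapPort is {stanza.get("ldapPort")!r}, expected "{ssl_port}"')
    if not stanza.get("sslTrustStore"):
        findings.append("sslTrustStore not set: the eDirectory root CA must then be "
                        "in the trust store Member Manager uses by default")
    return findings


def enable_ssl(xml_text: str, ssl_port: str, truststore: str) -> str:
    """Return the XML with the three SSL attributes set on the wmmLDAP stanza."""
    root = ET.fromstring(xml_text)
    stanza = find_stanza(root)
    stanza.set("ldapPort", ssl_port)
    stanza.set("sslEnabled", "true")
    stanza.set("sslTrustStore", truststore)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_ldap_repository(SAMPLE_BEFORE, "636"):
        print("before:", finding)
    fixed = enable_ssl(SAMPLE_BEFORE, "636", "/path/to/eDirTrust.jks")  # placeholder path
    print("after:", audit_ldap_repository(fixed, "636") or "stanza matches the procedure")
```

Use audit_ldap_repository as the check after the hand edit the procedure describes. enable_ssl is there to show the target form of the stanza; because ElementTree drops comments and the XML declaration when it serialises, do not write its output over the real configuration file.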


i5/OS notes

For i5/OS, if your application uses commercial certificate authority certificates (signer or CA certificates), you might be able to use the cacerts keystore (the default trust keystore) with the application. The integrated file system path for cacerts is /QIBM/ProdData/Java400/jdk14/lib/security/cacerts.

However, in no case should you attempt to modify the original cacerts keystore.

Create a private copy of the cacerts file, and then add or remove certificates in the private copy. The password for cacerts is changeit. Be sure to change the password that protects the private copy of the cacerts file. Also, note that initially all keystores created using iKeyman contain a number of commercial CA certificates.

We can create the Java keystores in any iSeries integrated file system directory. However, it might be convenient to place them in the same directory as those that are used by the WebSphere profile. This might make it easier to include them in the backup and restore procedure. WAS provides an initial set of Java keystores that are used to secure connections between WebSphere components. These keystores are found in the etc directory of your WebSphere profile. For example, the keystores for the default profile are found in the app_server_root/etc directory.

For an example of how to create a Java keystore, see Using Java keystore files in the WAS for iSeries documentation.

You must also import the certificates to a keystore that can be used by the portal. In this case, portal has no configuration setting to point to a specifically named Java Key Store file.

Instead, import the certificates into the default keystore file of the JVM, cacerts. However, in no case should you attempt to modify the original cacerts keystore. Rather, create a private copy of the cacerts file, and then add or remove certificates in that copy. The configured truststore in the SSL configuration of the CSIv2 Outbound Transport must also be updated.
