AIX stand-alone: Configure a stand-alone LDAP user registry over SSL
Overview
In single server environments, you do not have to start or stop the WebSphere_Portal and server1 servers to complete the following steps. In clustered environments, stop all application servers on system, including WebSphere_Portal, then start the nodeagent and dmgr servers before you begin any of the following steps.
To ensure the correct properties are entered, you can use the helper file...
WP_PROFILE/ConfigEngine/config/helpers/wp_security_xxx.properties
In the instructions below, when the step refers to wkplc.properties, you will use wp_security_xxx.properties helper file.
Configure a standalone LDAP user registry over SSL
- Add the SSL certificate for the LDAP server to the server trust store and the client trust store using one of the following methods:
- Add cert to server trust store
- Log in to the WAS console.
- Navigate to...
Security -> SSL certificate and key management -> SSL configurations
.and click the appropriate SSL configuration from the list. For example,
Standalone NodeDefaultSSLSettings Clustered CellDefaultSSLSettings
- Click...
Key stores and certificates
- Click the appropriate trust store from the list. For example,
Standalone NodeDefaultTrustStore Clustered CellDefaultTrustStore
- Click...
Signer certificates | Add
.and then enter...
- Alias the key store uses for the signer certificate.
- File name where the signer certificate is located.
- Click OK and then click Save to save the changes to the master configuration.
- Retrieve cert from port
- Log in to the WAS console.
- Navigate to...
Security -> SSL certificate and key management -> SSL configurations
- Click the appropriate SSL configuration from the list. For example,
Standalone NodeDefaultSSLSettings Clustered CellDefaultSSLSettings
- Click Key stores and certificates.
- Click the appropriate trust store from the list. For example,
Standalone NodeDefaultTrustStore Clustered CellDefaultTrustStore
- Click...
Signer certificates | Retrieve from port
.and then enter the following information...
- Host name used when attempting to retrieve the signer certificate from the SSL port.
- SSL Port used when attempting to retrieve the signer certificate.
- Alias the key store uses for the signer certificate.
For clustered, ensure the setting for SSL configuration for outbound connection matches SSL settings.
- Click...
Retrieve signer information to retrieve the certificate from the port
- Click OK and then click Save to save the changes to the master configuration.
- Add the LDAP certificate to the client trust store:
- Secure installation for client signer retrieval.
- Run the retrieveSigners task
In a deployed environment, run retrieveSigners for any federated node, against the Deployment Manager.
This task might report an error, but it does successfully update the trust store. You can ignore the error message.
Standalone...
cd WP_PROFILE/bin
./retrieveSigners.sh NodeDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_numberClustered...
cd WP_PROFILE/bin
./retrieveSigners.sh CellDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_numberWhen prompted...
Realm/Cell Name: name
Username: user_ID
Password: passwordThe following message displays: CWPKI0308I: Add signer alias "alias_name" to local keystore "ClientDefaultTrustStore" with the following SHA digest: ssl_certificate_fingerprint
- Update the trust store properties file.
Clustered:Perform the following steps on the primary node then resynchronize through the Dmgr to propagate the changes.
Check each node to ensure that ssl.client.props contains the same values as on the primary node. If the values are not identical to those on the primary node, restart that server to synchronize the changes.
- Edit...
WP_PROFILE/properties/ssl.client.props
- Change the com.ibm.ssl.trustStore parameter and the related trust store parameters to match the trust file specified in the SSL configuration. For example,
Standalone: To use the default trust store...
com.ibm.ssl.trustStore=WP_PROFILE/config/cells/cell_name/trust.p12
Clustered: To use the default trust store...com.ibm.ssl.trustStore=WP_PROFILE/config/cells/cell_name/trust.p12
- Save changes.
- Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties
- Required: Enter a value under the Standalone security heading:
standalone.ldap.id
standalone.ldap.host
standalone.ldap.port
standalone.ldap.bindDN
standalone.ldap.bindPassword
standalone.ldap.ldapServerType
standalone.ldap.userIdMap
standalone.ldap.groupIdMap
standalone.ldap.groupMemberIdMap
standalone.ldap.userFilter
standalone.ldap.groupFilter
standalone.ldap.serverId
standalone.ldap.serverPassword
standalone.ldap.realm
standalone.ldap.primaryAdminId
standalone.ldap.primaryAdminPassword
standalone.ldap.primaryPortalAdminId
standalone.ldap.primaryPortalAdminPassword
standalone.ldap.primaryPortalAdminGroup
standalone.ldap.baseDN
- Required: Enter a value under the LDAP entity types heading:
standalone.ldap.et.group.objectClasses
standalone.ldap.et.group.objectClassesForCreate
standalone.ldap.et.group.searchBases
standalone.ldap.et.personaccount.objectClasses
standalone.ldap.et.personaccount.objectClassesForCreate
standalone.ldap.et.personaccount.searchBases
- Required: Enter a value under the Group member attributes heading:
standalone.ldap.gm.groupMemberName
standalone.ldap.gm.objectClass
standalone.ldap.gm.scope
standalone.ldap.gm.dummyMember
- Required: Enter a value for the following required relative distinguished name (RDN®) parameters in wkplc.properties under the Default parent, RDN attribute heading:
standalone.ldap.personAccountParent
standalone.ldap.groupParent
standalone.ldap.personAccountRdnProperties
standalone.ldap.groupRdnProperties
- Enter a value for the following parameters to enable SSL:
Required parameters:
standalone.ldap.sslEnabled
standalone.ldap.sslConfigurationOptional parameters:
standalone.ldap.certificateMapMode
standalone.ldap.certificateFilter
- Save changes to wkplc.properties.
- Validate LDAP server settings...
./ConfigEngine.sh validate-standalone-ldap -DWasPassword=foo
If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in LDAP user registry.
During the validation task, you may receive the following prompt: Add signer to the trust store now?. Press y then Enter.
- Set the stand-alone LDAP user registry.
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh wp-modify-ldap.security -DWasPassword=foo
- Stop and restart the appropriate servers to propagate the changes.
- Check that all defined attributes are available in the configured LDAP user registry.
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=fooSee "Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.
Parent
Configure a stand-alone user registry
Related tasks
Adapt the attribute configuration
Start and stop servers, dmgrs, and node agents