Configure a stand-alone LDAP user registry over SSL on Solaris in a clustered environment

Configure WebSphere Portal to use a standalone LDAP user registry over SSL to store all user account information for secure authorization.

In single server environments, you do not have to start or stop the WebSphere_Portal and server1 servers to complete the following steps. In clustered environments, stop all application servers on system, including WebSphere_Portal, then start the nodeagent and dmgr servers before you begin any of the following steps.

To ensure the correct properties are entered, you can use the helper file...

In the instructions below, when the step refers to wkplc.properties, you will use wp_security_xxx.properties helper file.

  1. Add the SSL certificate for the LDAP server to the server trust store and the client trust store:

    1. Add the certificate to the server trust store:

      Options for adding the LDAP SSL certificate to the server trust store

      Option Steps
      Add cert to server trust store

      1. Log in to the WAS console.

      2. Navigate to Security -> SSL certificate and key management -> SSL configurations.

      3. Click the appropriate SSL configuration from the list. For example,

          Stand-alone: NodeDefaultSSLSettings
          Clustered: CellDefaultSSLSettings

      4. Click Key stores and certificates.

      5. Click the appropriate trust store from the list. For example,

          Stand-alone: NodeDefaultTrustStore
          Clustered: CellDefaultTrustStore

      6. Click Signer certificates, click Add, and then enter the following information:

          Alias the key store uses for the signer certificate.

          Type the File name where the signer certificate is located.

      7. Click OK and then click Save to save the changes to the master configuration.

      Retrieve cert from port

      1. Log in to the WAS console.

      2. Navigate to Security -> SSL certificate and key management -> SSL configurations.

      3. Click the appropriate SSL configuration from the list. For example,

          Stand-alone: NodeDefaultSSLSettings
          Clustered: CellDefaultSSLSettings

      4. Click Key stores and certificates.

      5. Click the appropriate trust store from the list. For example,

          Stand-alone: NodeDefaultTrustStore
          Clustered: CellDefaultTrustStore

      6. Click Signer certificates, click Retrieve from port, and then enter the following information:

          Host name used when attempting to retrieve the signer certificate from the SSL port.

          SSL Port used when attempting to retrieve the signer certificate.

          Alias the key store uses for the signer certificate.

          Clusters: Verify SSL configuration for outbound connection matches SSL settings.

      7. Click Retrieve signer information to retrieve the certificate from the port.

      8. Click OK and then click Save to save the changes to the master configuration.

    2. Add the LDAP certificate to the client trust store:

      1. See Secure installation for client signer retrieval.

      2. Run the retrieveSigners task.

        In a deployed environment, run the retrieveSigners task, for any federated node, against the Deployment Manager

          This task might report an error, but it does successfully update the trust store. You can ignore the error message.

          Example task:

          Stand-alone

            ./retrieveSigners.sh NodeDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_number

          Clustered

            ./retrieveSigners.sh CellDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_number

            When prompted...

              Realm/Cell Name: name
              Username: user_ID
              Password: password

            The following message displays: CWPKI0308I: Add signer alias "alias_name" to local keystore "ClientDefaultTrustStore" with the following SHA digest: ssl_certificate_fingerprint

      3. Update the trust store properties file.

          Clustered:

          • Perform the following steps on the primary node then resynchronize through the Dmgr to propagate the changes.

          • Check each node to ensure that ssl.client.props contains the same values as on the primary node. If the values are not identical to those on the primary node, restart that server to synchronize the changes.

          1. Edit...

              WP_PROFILE/properties/ssl.client.props

          2. Change the com.ibm.ssl.trustStore parameter and the related trust store parameters to match the trust file specified in the SSL configuration. For example,

              Stand-alone: To use the default trust store...

                  com.ibm.ssl.trustStore=WP_PROFILE/config/cells/cell_name/trust.p12

              Clustered: To use the default trust store...

                com.ibm.ssl.trustStore=WP_PROFILE/config/cells/cell_name/nodes/node_name/trust.p12

          3. Save changes.

  2. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties

  3. Required: Enter a value under the Stand-alone security heading:

        standalone.ldap.id
        standalone.ldap.host
        standalone.ldap.port
        standalone.ldap.bindDN
        standalone.ldap.bindPassword
        standalone.ldap.ldapServerType
        standalone.ldap.userIdMap
        standalone.ldap.groupIdMap
        standalone.ldap.groupMemberIdMap
        standalone.ldap.userFilter
        standalone.ldap.groupFilter
        standalone.ldap.serverId
        standalone.ldap.serverPassword
        standalone.ldap.realm
        standalone.ldap.primaryAdminId
        standalone.ldap.primaryAdminPassword
        standalone.ldap.primaryPortalAdminId
        standalone.ldap.primaryPortalAdminPassword
        standalone.ldap.primaryPortalAdminGroup
        standalone.ldap.baseDN

  4. Required: Enter a value under the LDAP entity types heading:

        standalone.ldap.et.group.objectClasses
        standalone.ldap.et.group.objectClassesForCreate
        standalone.ldap.et.group.searchBases
        standalone.ldap.et.personaccount.objectClasses
        standalone.ldap.et.personaccount.objectClassesForCreate
        standalone.ldap.et.personaccount.searchBases

  5. Required: Enter a value under the Group member attributes heading:

        standalone.ldap.gm.groupMemberName
        standalone.ldap.gm.objectClass
        standalone.ldap.gm.scope
        standalone.ldap.gm.dummyMember

  6. Required: Enter a value for the following required relative distinguished name (RDN®) parameters in wkplc.properties under the Default parent, RDN attribute heading:

        standalone.ldap.personAccountParent
        standalone.ldap.groupParent
        standalone.ldap.personAccountRdnProperties
        standalone.ldap.groupRdnProperties

  7. Enter a value for the following parameters to enable Secure Socket Layers (SSL):

      Required parameters:

        standalone.ldap.sslEnabled
        standalone.ldap.sslConfiguration
      Optional parameters:

        standalone.ldap.certificateMapMode
        standalone.ldap.certificateFilter

  8. Save changes to wkplc.properties.

  9. Validate LDAP server settings...

      ./ConfigEngine.sh validate-standalone-ldap -DWasPassword=foo

    If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in LDAP user registry. During the validation task, you may receive the following prompt: Add signer to the trust store now?. Press y then Enter.

  10. Set the stand-alone LDAP user registry...

      ./ConfigEngine.sh wp-modify-ldap.security -DWasPassword=foo

  11. Stop and restart the appropriate servers to propagate the changes.

  12. Check that all defined attributes are available in the configured LDAP user registry...

      ./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config

    See "Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.

If you created clustered environment then performed the steps in this task, now run the update-jcr-admin task on the secondary node. See Enable LDAP security after cluster creation for instructions.


Parent

Choose the stand-alone LDAP user registry on Solaris in a clustered environment


Related tasks


Start and stop servers, dmgrs, and node agents
Enable LDAP security after cluster creation

 


+

Search Tips   |   Advanced Search