5.5.7.1: Establishing connections between application servers and LDAP servers
- Disable WebSphere security before shutting down the administrative
server and client. This is not strictly necessary, but it makes
recovery easier if something goes wrong.
- To use SSL between WebSphere Application Server and the LDAP
server, create your own key and trust store files (if you
have not done so already). Put the LDAP server's certificate in
the trust store file: the trust store holds the public keys and
certificates that are trusted, while the key store holds the
server's (or, for client authentication, the client's) private keys.
The same trust store file can be used for LDAP as is used for the
ORB and HTTPS. Add the LDAP server's public key or root CA
certificate to the trust store specified in the Default SSL
Configuration in the Security Center of the administrative console.
See the articles under section 5.5.6, Tools for
managing certificates and keys, for instructions on how to create
key and trust stores with the WebSphere Application Server key tools.
The key and trust store files you create are used to configure
global security. They are also used to enable the SSL connection
between WebSphere and the LDAP server.
- Place your server key and trust store files in the appropriate
directories on the server machine. See Making client and server key store and trust
store files accessible for details.
- WebSphere determines which key and trust store files to use and
their passwords based on the settings in the Default SSL Configuration
panel in the Security Center of the Administrative Console. You can
also override the default settings by changing the LDAP SSL Settings
in the Security Center.
- Restart the administrative server and client and configure WebSphere Security including LDAP.
- Enable Security (under the Security Center --> General).
- Set the Default SSL Configuration (under Security Center
--> General --> Default SSL Configuration).
- Set the Authentication Mechanism to Lightweight Third-Party
Authentication (LTPA) (under Security Center --> Authentication
--> Authentication Mechanism).
- Set up your LDAP settings (under Security Center -->
Authentication Tab --> LDAP Settings).
- Choose a Security Server ID from your LDAP user
registry. This ID must be a valid user from the registry.
Do not use the LDAP administrative ID because this is not a
searchable ID and validation failures will occur.
- Set the Security Server Password associated with the
Security Server ID.
- Set the host name or IP address of the LDAP server.
- Set the port to 389 (or whatever the TCP/IP listener
port is for your LDAP server).
- Set the Base Distinguished Name of your LDAP directory.
- Optionally, set the Bind Distinguished Name and Bind
Password of your LDAP server.
- Optionally, modify the Advanced settings as necessary
for your LDAP server's directory configuration.
- Do not select the SSL button or enable SSL yet; SSL is
turned on in a later step, after the plain connection is verified.
- Click Finish.
The application server now contacts the LDAP server and
authenticates the Security Server ID. If the Security Server ID is
not valid, you receive an error message saying so. Check your LDAP
server's configuration to resolve any problems with the WebSphere
LDAP Settings. You can verify that the application server is
reaching the LDAP server by monitoring the LDAP server's connections.
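To check the Security Server ID independently of the console, first over the plain port 389 connection configured above and again over SSL once the trust store holds the LDAP server's CA certificate, the following added example (not from the WebSphere documentation) performs an LDAP v3 simple bind with the protocol encoded by hand and reports the server's result code. The host name, DN, password and the PEM CA file are constructed placeholders.

```python
import socket
import ssl

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))  # msg_id assumed < 128

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage). resultCode 0 is success;
    49 (invalidCredentials) is what a wrong Security Server ID or password yields."""
    tag, msg, _ = read_tlv(data, 0)
    _, msg_id, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if tag != 0x30 or op_tag != 0x61:  # 0x61 = BindResponse [APPLICATION 1]
        raise ValueError("not an LDAP BindResponse")
    _, code, pos = read_tlv(op, 0)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def check_bind(host, port, dn, password, ca_file=None):
    """Bind as dn. With ca_file (a PEM export of the CA certificate placed in the
    trust store) the socket is wrapped in TLS and chain and host name are verified."""
    sock = socket.create_connection((host, port), timeout=10)
    if ca_file:
        ctx = ssl.create_default_context(cafile=ca_file)  # verifies chain and host name
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, dn, password))
        return parse_bind_response(sock.recv(4096))  # a BindResponse fits in one read

if __name__ == "__main__":
    # Constructed placeholders: use your LDAP host and the Security Server ID's DN.
    print(check_bind("ldap.example.com", 389, "cn=wasadmin,o=example", "secret"))
```

Pass the CA file and the LDAP server's SSL port (commonly 636) to repeat the check after SSL is enabled; a certificate that is not in the trust store fails the handshake before any bind is attempted.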