5.5.7.2: Enabling SSL connections between WebSphere Application Server and an LDAP Server
- Configure SSL in the LDAP server.
  The procedure varies with the LDAP server being used. Consult
  the documentation for your server for details. For example,
  with the SecureWay LDAP server, the following must be done:
  - Set the SSL status to SSL ON.
  - Set the Authentication Method to Server Authentication.
    The SSL protocol requires the server to be authenticated. In this
    case, the LDAP server is the server and WebSphere Application
    Server is the client. If you need mutual authentication, choose
    Server and Client Authentication.
  - Make sure that the secure port is set to 636. (You can
    optionally choose a different port, but you must
    set this port correctly when configuring LDAP SSL in
    WebSphere Application Server.)
  - Point the Key Database path and filename to the LDAP
    server's keyfile.
    In SSL, certificates are used for authentication. Therefore, the
    LDAP server requires a certificate, which must be included in its
    keyfile.
  - Set the Key Label to the label used for the LDAP server's
    certificate.
- Update your WebSphere Application Server trust store file. The
  trust store file is the repository for the WebSphere server's
  trust base. Because the server needs to authenticate the LDAP server
  during SSL initialization, the trust store file must provide
  information about the LDAP server.
  In order to validate the LDAP server's certificate, your server
  needs the public key of the CA that issued the LDAP server's
  certificate. This key is found in that CA's certificate, so you
  need to add the certificate of the CA that issued the LDAP
  server's certificate to your trust store file on the
  server. (For more information on authentication by certificate,
  see 5.5: Certificate-based authentication.)
  To add the additional certificate to the trust store file,
  do the following:
  - Run IKeyMan, as described in 5.5.6.2: The IBM Key Management tool.
  - Add the new certificate to the server's trust store file.
- Enable the SSL connection in WebSphere.
  - Modify your LDAP configuration (under Security Center -->
    Authentication --> LDAP Settings).
  - Set the port to 636. (If you used a different
    port number, set the port to that number.)
  - Click SSL.
  - Click Enable SSL.
  - Select Use Global SSL default configuration, unless you want
    to use a different key and trust store file for LDAP.
  - Click OK.
- Stop and restart the administrative server and client. After they
  restart, you are prompted to log in to the LDAP registry.
Tips
- If your SSL connection does not work, try the following:
  - Verify that your LDAP server is listening on port 636 (or
    the other port specified in the settings).
  - Verify that the LDAP server's certificate is still valid.
- If you need to export the certificate for the LDAP server's CA
  from a keyring or other type of file, look for an option that lets
  you export the certificate in DER binary format or
  Base64-encoded ASCII. The tools available vary with the LDAP server.
- If you transfer a certificate file from a remote host by using FTP,
  be sure to set the transfer mode to binary.
- Make sure that you place your updated keyring class in the
  correct location.
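The following is an added example, not part of the InfoCenter page and not IBM's tooling; it covers the trust store update step (checking the CA certificate file you are about to import) and the Tips above (the listening port, the certificate's validity, DER versus Base64 format, and the damage an ASCII-mode FTP transfer does). It uses only the Python standard library. The hostname, port and the small DER blob are assumptions or constructed test data; the IKeyMan and keyring steps themselves are not reproduced.

```python
"""Pre-flight checks for an LDAP-over-SSL trust store update (added example)."""
import socket
import ssl
import time

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def der_outer_length(data: bytes):
    """Length in bytes that a DER SEQUENCE header claims for the whole object,
    or None if the data does not start with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:       # an X.509 Certificate is a SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                           # short form: one length byte
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_cert_format(data: bytes) -> str:
    """Classify a certificate file as 'PEM', 'DER', 'DER-damaged' or 'unknown'.

    'DER-damaged' is what an ASCII-mode FTP transfer or a truncated download
    produces: the header is still a SEQUENCE, but its declared length no
    longer matches the file size, so IKeyMan-style tools will reject it.
    """
    if data.lstrip().startswith(PEM_HEADER):
        return "PEM"
    claimed = der_outer_length(data)
    if claimed is None:
        return "unknown"
    return "DER" if claimed == len(data) else "DER-damaged"


def to_pem(data: bytes) -> str:
    """Return the certificate as Base64-encoded ASCII (PEM) whatever the input is."""
    if detect_cert_format(data) == "PEM":
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def to_der(data: bytes) -> bytes:
    """Return the certificate as DER binary whatever the input is."""
    if detect_cert_format(data) == "PEM":
        return ssl.PEM_cert_to_DER_cert(data.strip().decode("ascii"))
    return data


def simulate_ascii_ftp(data: bytes) -> bytes:
    """Model what an ASCII-mode FTP transfer does to a binary file: LF -> CR LF."""
    return data.replace(b"\n", b"\r\n")


def probe_ldaps(host: str, port: int = 636, cafile=None, timeout: float = 5.0) -> dict:
    """Connect to the LDAP server's secure port and validate its certificate
    against the CA certificate(s) in `cafile` (PEM), as the WebSphere client
    must during SSL initialization. Returns a dict with 'ok' and details."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": f"certificate not trusted or not valid: {exc.verify_message}"}
    except ssl.SSLError as exc:
        return {"ok": False, "error": f"TLS handshake failed (is SSL ON at the server?): {exc}"}
    except OSError as exc:
        return {"ok": False, "error": f"no SSL listener reachable on {host}:{port} ({exc})"}
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "ok": True,
        "subject": cert.get("subject"),
        "notAfter": cert["notAfter"],
        "days_left": int((not_after - time.time()) // 86400),
    }


# Constructed stand-in for a DER file: a SEQUENCE wrapping an INTEGER whose
# encoding contains the 0x0A byte that ASCII-mode FTP rewrites. It is not a
# real certificate; a real DER certificate is also an outer SEQUENCE, so the
# length check applies to it unchanged.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x0A, 0x02])

if __name__ == "__main__":
    print("original:      ", detect_cert_format(SAMPLE_DER))
    print("after ASCII FTP:", detect_cert_format(simulate_ascii_ftp(SAMPLE_DER)))
    print(to_pem(SAMPLE_DER))
    # Assumed host name; replace with your LDAP server and its CA file.
    print(probe_ldaps("ldap.example.test", 636, cafile="ldap-ca.pem"))
```

Run the format checks on the exported CA file before importing it with IKeyMan; a "DER-damaged" result after a file transfer is the binary-mode FTP problem from the Tips. `probe_ldaps` reports the three failure modes the Tips separate: nothing listening on the port, a handshake that fails because SSL is not enabled on the server, and a certificate that the CA file does not validate or that has expired.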