This topic describes how to establish a Secure Sockets Layer (SSL)
connection between WebSphere Application Server and a Lightweight Directory
Access Protocol (LDAP) server.
About this task
This page provides an overview. Refer to the linked pages for more
details.
To understand SSL concepts, refer to Secure Sockets Layer.
Setting
up an SSL connection between WebSphere Application Server and an LDAP server
requires the following steps:
Procedure
- Set up an LDAP server with users. The
server that is configured in this example is IBM Directory Server.
Other servers are configured differently. Refer to the documentation of the
directory server that you are using for details on SSL enablement. For a product-supported
LDAP directory server, see Using specific directory servers as the LDAP server.
- Configure certificates for the LDAP server
using the key management utility (ikeyman.bat)
that is located in the install_dir/bin directory.
- Click .
- Choose CMS as Key database type and
type LDAPkey.kdb as the file name and a proper path and click OK.
- Specify a password, confirm the password, and
click OK.
- Under Key database content, select Personal
Certificates.
- Click New Self-signed. The
Create New Self-Signed Certificate panel is displayed. Type the following
required information in the fields and click OK:
- Key Label
- LDAP_Cert
- Version
- Select the version of the X.509 certificate. Version 3 is the current version and the one that supports certificate extensions.
- Key size
- Select either a 512 or a 1024-bit size for your key. A 512-bit RSA key can be factored with modest resources and 1024 bits is no longer considered adequate, so choose 1024 here rather than 512, and prefer 2048 bits or more wherever the utility and the LDAP server support it.
- Common Name
- droplet.austin.ibm.com
This common name must be the fully qualified host name of the LDAP server as WebSphere Application Server will address it (the value you enter in the Host field of the LDAP user registry panel later in this procedure). Clients that check host names reject a certificate whose common name does not match the host they connected to.
- Organization
- ibm
- Country
- US
- Validity period
- Specify the number of days in which your certificate is valid.
- Return to the Personal Certificates panel and
click Extract Certificate.
- Select Base64-encoded ASCII data as the data type.
Type LDAP_cert.arm as the file name and a proper path. Click OK.
- Enable SSL on the LDAP server:
- Copy the LDAPkey.kdb, LDAPkey.sth, LDAPkey.rdb,
and LDAPkey.crl files that were created previously to the
LDAP server system, for example, the /Program Files/IBM/LDAP/ssl/ directory.
- Open the LDAP Web administrator from a browser (http://secnt3.austin.ibm.com/ldap for
example). IBM HTTP Server is running on secnt3.
- Click SSL properties to open the SSL Settings window.
- Click SSL On > Server Authentication and type
an SSL port (636, for example) and a full path to the LDAPkey.kdb file.
- Click Apply, and restart the LDAP server.
- Manage certificates for WebSphere Application
Server using the default SSL key files.
- Open the install_root/profiles/default/etc/DummyServerTrustFile.jks file
using the key management utility that shipped with WebSphere Application Server.
The password is WebAS.
Attention: It is recommended
that you create your own trustfile.jks file rather than modifying
the DummyServerTrustFile.jks file. The dummy key and trust files and their
password (WebAS) are identical in every WebSphere Application Server installation,
so they are effectively public and provide no real authentication; they are suitable
for testing only. If you use the DummyServerTrustFile.jks file, there is also a risk
that your changed settings might be overwritten if you update
the product with iFixes.
- Click Signer certificate
> Add. The Add CA's Certificate from a File window is displayed.
Specify LDAP_cert.arm for the file name. Complete this step for all
the servers and the deployment manager.
- Establish a connection between WebSphere Application
Server and the LDAP server using the WebSphere Application Server administrative
console.
- Click Security > Global security.
- Under User registries, click LDAP.
- Enter the Server ID, Server Password, Type, Host, Port,
and Base Distinguished Name fields.
- Select the SSL Enabled option. The port is
the same port number that the LDAP server is using for SSL (636, for example).
- Click Apply.
- Return to the Global security panel and click Authentication
Mechanisms > LTPA.
- Under Additional properties, click Single signon (SSO).
- Type in a domain name (austin.ibm.com, for example).
- Click Apply.
- Enable global security.
- Click Security > Global Security.
- Select the Enable global security option.
- Select the Lightweight Third Party Authentication (LTPA) option
as the active authentication mechanism and the Lightweight Directory Access
Protocol (LDAP) user registry option as the active user registry.
- Verify that the security level for the LDAP server is set to
HIGH, which is the default.
- Click Apply and Save.
- Verify that the ibm-slapdSSLCipherSpecs parameter in the LDAP_install_root/etc/slapd32.conf file
has the value 15360 instead of 12288.
- Restart the servers.
Restarting the servers ensures that the security
settings are synchronized between the deployment manager and the application
servers.
Results
You can test the configuration by accessing https://fully_qualified_host_name:9443/snoop.
You are presented with a login challenge; a successful login shows that the server
authenticated you against the LDAP registry over the SSL port. Sensitive information
flows between WebSphere Application Server and the LDAP server, including the
Server Password used to bind as the Server ID and the passwords of the users being
authenticated. Using SSL to encrypt the data protects this sensitive information
from being read in transit.
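The following Python script is an added example and is not part of this page or of WebSphere Application Server. It is a pre-flight check to run before you enable global security (a trust problem found afterwards can lock you out of the administrative console): it opens the LDAP SSL port trusting only the LDAP_cert.arm signer extracted above, verifies the host name against the certificate, and performs the same LDAP v3 simple bind that the user registry performs. It also encodes the bind request by hand so you can see that a simple bind carries the password as cleartext bytes, which is why the connection must be protected by SSL. The host name, port, bind DN and password in the main block are placeholders, not values from the page.

```python
"""LDAPS pre-flight check (added example; host, DN and password are placeholders)."""
import socket
import ssl
import sys


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(value):
    """BER INTEGER for a non-negative value (leading 0x00 keeps the sign bit clear)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def _read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_simple_bind(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.

    The password is a plain OCTET STRING: without SSL anyone on the path between
    WebSphere Application Server and the LDAP server can read it.
    """
    bind_request = _tlv(0x60, _ber_int(3)
                        + _tlv(0x04, bind_dn.encode("utf-8"))
                        + _tlv(0x80, password.encode("utf-8")))
    return _tlv(0x30, _ber_int(message_id) + bind_request)


def decode_simple_bind(pdu):
    """Inverse of encode_simple_bind; shows what a captured cleartext bind reveals."""
    tag, msg, _ = _read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(bind)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, cred, _ = _read_tlv(bind, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(version, "big"),
            "dn": name.decode("utf-8"),
            "password": cred.decode("utf-8") if auth_tag == 0x80 else None}


def decode_bind_response(pdu):
    """(resultCode, diagnosticMessage) from BindResponse [APPLICATION 1]; 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _read_tlv(pdu)
    _, _, pos = _read_tlv(msg)             # messageID
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp)         # ENUMERATED resultCode
    _, _, pos = _read_tlv(resp, pos)       # matchedDN
    _, diag, _ = _read_tlv(resp, pos)      # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def ldaps_preflight(host, port, cafile, bind_dn, password):
    """Connect trusting only `cafile`, verify the host name, then bind as the Server ID."""
    ctx = ssl.create_default_context(cafile=cafile)  # with cafile set, no system CAs are loaded
    ctx.check_hostname = True                         # certificate CN/SAN must match `host`
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            tls.sendall(encode_simple_bind(1, bind_dn, password))
            code, diag = decode_bind_response(tls.recv(4096))  # a BindResponse fits one read
            return {"subject": dict(rdn[0] for rdn in cert["subject"]),
                    "not_after": cert["notAfter"],
                    "cipher": tls.cipher()[0],
                    "bind_result": code,
                    "diagnostic": diag}


if __name__ == "__main__":
    # Placeholders (assumption): use the Host, Port and Server ID from the LDAP registry panel.
    pw = sys.argv[1] if len(sys.argv) > 1 else "changeit"
    print(ldaps_preflight("secnt3.austin.ibm.com", 636, "LDAP_cert.arm", "cn=root", pw))
```

A handshake failure here means the trust store does not contain the LDAP server's signer or the certificate's common name does not match the host; a bind_result of 49 means the Server ID or Server Password is wrong. Fix either before selecting Enable global security.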
What to do next
- If you are enabling security, make sure that you
complete the remaining steps. As the final step, validate this configuration
by clicking OK or Apply in the Global Security panel. Refer
to the Enabling security for all application servers article
for detailed steps on enabling global security.
- For changes in this panel to become effective, save, stop, and start all
WebSphere Application Servers (cells, nodes, and all the application servers).
- After the server starts up, go through all the security-related tasks
(getting users, getting groups, and so on) to make sure that the changes to
the filters are functioning.