APAR status: Closed as documentation error.

Error description
SSL connection configuration between WAS 3.5.3 and Netscape
LDAP Server 4.13 fails on Solaris 2.6 when using a 3rd party cert.
The configuration works when the customer uses a self-signed cert.
Tried simulating the problem in the lab. Verified that it fails.
I could connect to the LDAP making an SSL call
via Netscape Communicator/Address Book.
.
Defect # PMR758327TD000
.
It was determined by L3 that it's not a code defect but a
documentation defect. So a Document Defect 100755 was created.
Please associate this APAR with Defect 100755.

Local fix
Defined the steps to configure an SSL connection between WAS and LDAP
using a 3rd party cert.

Problem summary
The customer is asking for a keyring file which has a CA
certificate which can communicate with the Netscape LDAP
server over SSL. The following are the steps to do this.
The configuration uses two keyring files: a server keyring
and a client keyring. The server keyring stores the
private key from the certificate request, the public key
(the CA-issued certificate), and the CA's root certificate.
The client keyring stores the public key, the CA's root
certificate and the Netscape LDAP server's public key
(all as signer certs).
.
STEPS
.
Save External Public Certificates (LDAP and CA Root)
1. Export the public key from the LDAP server to a file
called "LDAP.arm".
2. Download the CA's root certificate to a file called
"CARoot.arm".
.
Generate the Server Keyring File from IKeyMan:
3. Create a new keyring class file called ServerKeyring.class.
4. Generate a certificate request and save it as "certreq.arm".
5. Go to the CA's Web Site to request the cert. Get the cert
and save it as "newcert.arm".
6. Go to the Personal Certificates section of IKeyMan and
select "Receive". Enter the filename "newcert.arm".
7. Select "Extract Certificate" and save it as "websphere.arm".
8. Go to the Signer Certificates section of IKeyMan and select
"Add". Enter the filename "CARoot.arm".
.
Generate the Client Keyring File from IKeyMan:
9. Create a new keyring class file called ClientKeyring.class.
10. Go to the Signer Certificates section of IKeyMan and select
"Add". Enter the filename "LDAP.arm".
11. Go to the Signer Certificates section of IKeyMan and select
"Add". Enter the filename "CARoot.arm".
12. Go to the Signer Certificates section of IKeyMan and select
"Add". Enter the filename "websphere.arm".
.
You are now ready to install these in WebSphere:
13. Edit the SAS.SERVER.PROPS file. Both the ServerKeyring and
ClientKeyring files need to be on the server. Modify the
following lines:
com.ibm.CORBA.KeyRingFile=ServerKeyring
com.ibm.CORBA.KeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRing=ClientKeyring
14. Edit the SAS.CLIENT.PROPS file. Only the ClientKeyring
file needs to be on the client. Modify the following lines:
com.ibm.CORBA.SSLKeyRing=ClientKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLServerKeyRing=ClientKeyring
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
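The two property edits in steps 13 and 14 are easy to get subtly wrong: a key left out, the "WebAS" password literal from the steps kept in production, or the client pointed at the server keyring (the one that carries the private key from the certificate request). The following lint is an added example, not IBM code and not part of the APAR; it assumes only that SAS.SERVER.PROPS and SAS.CLIENT.PROPS use ordinary Java .properties syntax. The function names (parse_properties, lint_sas_props) and the sample fragments are constructed for the example; the "REPLACE_WITH_REAL_SECRET" value is a placeholder, not a recommended password.

```python
import re

# Keys step 13 of the procedure sets in SAS.SERVER.PROPS (server holds both keyrings).
SERVER_REQUIRED = (
    "com.ibm.CORBA.KeyRingFile",
    "com.ibm.CORBA.KeyRingPassword",
    "com.ibm.CORBA.SSLClientKeyRing",
    "com.ibm.CORBA.SSLClientKeyRingPassword",
)
# Keys step 14 sets in SAS.CLIENT.PROPS (client holds only the client keyring).
CLIENT_REQUIRED = (
    "com.ibm.CORBA.SSLKeyRing",
    "com.ibm.CORBA.SSLKeyRingPassword",
    "com.ibm.CORBA.SSLServerKeyRing",
    "com.ibm.CORBA.SSLServerKeyRingPassword",
)
# The password literal shown in the procedure; a deployment should not keep it.
DOC_EXAMPLE_PASSWORD = "WebAS"


def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comment lines, key=value / key:value /
    key value pairs, and backslash line continuations. Later keys override earlier."""
    props = {}
    pending = ""

    def store(line):
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()

    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # logical line continues on the next physical line
            continue
        store(line)
    if pending:  # trailing continuation at end of file
        store(pending)
    return props


def lint_sas_props(server_text, client_text):
    """Return a list of findings; empty when the pair of files passes every check."""
    server = parse_properties(server_text)
    client = parse_properties(client_text)
    findings = []

    for name, props, required in (("SAS.SERVER.PROPS", server, SERVER_REQUIRED),
                                  ("SAS.CLIENT.PROPS", client, CLIENT_REQUIRED)):
        for key in required:
            if not props.get(key):
                findings.append(f"{name}: {key} is missing or empty")
        for key, value in props.items():
            if key.endswith("Password") and value == DOC_EXAMPLE_PASSWORD:
                findings.append(f"{name}: {key} still uses the documented example password")

    # The server keyring is the only one holding the private key from the certificate
    # request; a client configured to load it would need that file shipped to it.
    server_ring = server.get("com.ibm.CORBA.KeyRingFile")
    if server_ring:
        for key in ("com.ibm.CORBA.SSLKeyRing", "com.ibm.CORBA.SSLServerKeyRing"):
            if client.get(key) == server_ring:
                findings.append(f"SAS.CLIENT.PROPS: {key} points at the server keyring "
                                f"'{server_ring}', which carries the private key")
    return findings


# Constructed fragments using exactly the values the procedure shows.
DOC_SERVER_PROPS = """\
# SAS.SERVER.PROPS fragment (constructed for this example)
com.ibm.CORBA.KeyRingFile=ServerKeyring
com.ibm.CORBA.KeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
com.ibm.CORBA.SSLClientKeyRing=ClientKeyring
"""
DOC_CLIENT_PROPS = """\
# SAS.CLIENT.PROPS fragment (constructed for this example)
com.ibm.CORBA.SSLKeyRing=ClientKeyring
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.SSLServerKeyRing=ClientKeyring
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
"""
# Same layout with the example password replaced by a placeholder (constructed).
HARDENED_SERVER_PROPS = DOC_SERVER_PROPS.replace("WebAS", "REPLACE_WITH_REAL_SECRET")
HARDENED_CLIENT_PROPS = DOC_CLIENT_PROPS.replace("WebAS", "REPLACE_WITH_REAL_SECRET")

if __name__ == "__main__":
    for label, s, c in (("as documented", DOC_SERVER_PROPS, DOC_CLIENT_PROPS),
                        ("hardened", HARDENED_SERVER_PROPS, HARDENED_CLIENT_PROPS)):
        print(f"{label}: {lint_sas_props(s, c) or ['no findings']}")
```

Run against the fragments exactly as the procedure prints them, the lint reports four password findings (two per file) and nothing else; with the password literal replaced it reports none. Pointing either client keyring property at ServerKeyring produces the private-key finding, which is the case worth catching before a ClientKeyring-only host is provisioned.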
APAR information
APAR number: PQ48611
Reported component name: WAS ADVANCED SU
Reported component ID: 5648C8402
Reported release: 350
Status: CLOSED DOC
PE: NoPE
HIPER: NoHIPER
Submitted date: 2001-05-09
Closed date: 2001-05-10
Last modified date: 2001-05-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Applicable component levels