Connecting to Netscape LDAP Server Over SSL, With WebSphere CA Certificate In Keyring

Technote (FAQ)
Problem
The following are the steps for creating a WebSphere keyring file that holds a CA certificate and can communicate with the Netscape LDAP server over SSL. The procedure uses two keyring files: a server keyring and a client keyring. The server keyring stores the private key from the certificate request, the public key, and the CA's root certificate. The client keyring stores the public key, the CA's root certificate, and the Netscape LDAP server's public key (all as signer certificates).
Solution
Perform the following steps:

Save External Public Certificates (LDAP and CA Root):
1. Export the public key from the LDAP server to a file called "ldap.arm".
2. Download the CA's root certificate to a file called "caroot.arm".
Generate the Server Keyring File from the WAS IKeyMan (see WAS 3.5 InfoCenter section 5.5.6.2):
3. Create a new keyring class file called ServerKeyring.class.
4. Generate a certificate request and save it as "certreq.arm".
5. Go to the CA's Web Site to request the cert. Get the cert and save it as "newcert.arm".
6. Go to the Personal Certificates section of IKeyMan and select "Receive". Enter the filename "newcert.arm".
7. Select "Extract Certificate" and save it as "websphere.arm".
8. Go to the Signer Certificates section of IKeyMan and select "Add". Enter the filename "caroot.arm".
Generate the Client Keyring File from the WAS IKeyMan:
9. Create a new keyring class file called ClientKeyring.class.
10. Go to the Signer Certificates section of IKeyMan and select "Add". Enter the filename "ldap.arm".
11. Go to the Signer Certificates section of IKeyMan and select "Add". Enter the filename "caroot.arm".
12. Go to the Signer Certificates section of IKeyMan and select "Add". Enter the filename "websphere.arm".
You are now ready to install these in WebSphere:
13. Edit the SAS.SERVER.PROPS file. For WAS AE 4.0.x, use the Security Center to set these. Both the ServerKeyring and ClientKeyring files need to be on the server. Modify the following lines:
    com.ibm.CORBA.KeyRingFile=ServerKeyring
    com.ibm.CORBA.KeyRingPassword=WebAS
    com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
    com.ibm.CORBA.SSLClientKeyRing=ClientKeyring
14. Edit the SAS.CLIENT.PROPS file. Only the ClientKeyring file needs to be on the client. Modify the following lines:
    com.ibm.CORBA.SSLKeyRing=ClientKeyring
    com.ibm.CORBA.SSLKeyRingPassword=WebAS
    com.ibm.CORBA.SSLServerKeyRing=ClientKeyring
    com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
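Before editing the SAS properties files (that is, after step 12), it is worth confirming that the three .arm files actually fit together: caroot.arm is self-signed, websphere.arm was issued by that CA, and ldap.arm is either self-signed or chains to the same CA. The following check is an added example and is not part of the technote or of IKeyMan; the .arm files are Base64 X.509 certificates, so the JDK's CertificateFactory reads them directly, and the class name CheckArmFiles is ours.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Usage (file names as in the technote): java CheckArmFiles caroot.arm websphere.arm ldap.arm
public class CheckArmFiles {

    // An .arm file is a Base64 (PEM) X.509 certificate; the JDK parses it as-is.
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    // True when 'cert' names 'issuer' as its issuer, carries a signature that
    // verifies under the issuer's public key, and is inside its validity period.
    static boolean issuedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            return false;
        }
        try {
            cert.verify(issuer.getPublicKey()); // signature check
            cert.checkValidity();               // notBefore / notAfter check
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate caRoot = load(args[0]);    // caroot.arm (step 2)
        X509Certificate webSphere = load(args[1]); // websphere.arm (step 7)
        X509Certificate ldap = load(args[2]);      // ldap.arm (step 1)

        // The CA root must be self-signed to serve as a trust anchor in the keyring.
        System.out.println("caroot.arm self-signed:     " + issuedBy(caRoot, caRoot));
        // If this is false, the certificate received in step 6 was not issued by this CA.
        System.out.println("websphere.arm signed by CA: " + issuedBy(webSphere, caRoot));
        // The LDAP certificate is trusted as a signer cert, so it may be self-signed
        // or it may chain to caroot.arm; report both so the administrator knows which.
        System.out.println("ldap.arm self-signed:       " + issuedBy(ldap, ldap));
        System.out.println("ldap.arm signed by CA:      " + issuedBy(ldap, caRoot));
        System.out.println("ldap.arm subject:           " + ldap.getSubjectX500Principal());
    }
}
```

A "false" for websphere.arm usually means a certificate from a different CA was received in step 6, and an expired ldap.arm will fail the SSL handshake even though IKeyMan accepted it as a signer certificate.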

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Security
Operating system(s): Multi-Platform
Software version: 3.5, 4.0
Software edition: All Editions
Reference #: 1045807
IBM Group: Software Group
Modified date: 2004-07-28