5.5.7.2: Enabling SSL connections between WebSphere Application Server and an LDAP Server
- Configure SSL in the LDAP server.
  The procedure varies with the LDAP server being used. Consult the
  documentation for your server for details. For example, with the
  SecureWay LDAP server, the following must be done:
  - Set the SSL status to SSL ON.
  - Set the Authentication Method to Server Authentication.
    The SSL protocol requires the server to be authenticated. In this
    case, the LDAP server is the server and WebSphere Application
    Server is the client. If you need mutual authentication, choose
    Server and Client Authentication.
  - Make sure that the secure port is set to 636. (You can optionally
    choose a different port, but you must set this port correctly when
    configuring LDAP SSL in WebSphere Application Server.)
  - Point the Key Database path and filename to the LDAP server's
    keyfile.
    In SSL, certificates are used for authentication. Therefore, the
    LDAP server requires a certificate, which must be included in its
    keyfile.
  - Set the Key Label to the label used for the LDAP server's certificate.
- Update your WebSphere keyring class. The keyring class is the
  repository for the WebSphere server's trust base. Because it needs to
  authenticate the LDAP server during SSL initialization, the keyring
  class must provide information about the LDAP server.
  In order to validate the LDAP server's certificate, your server needs
  the public key of the CA that issued the LDAP server's certificate.
  This key is found in that CA's certificate, so you need to add the
  certificate of the CA that issued the LDAP server's certificate to
  your keyring. (For more information on authentication by certificate,
  see 5.5: Certificate-based authentication.)
  To add the additional certificate to the keyring class, you must:
  - Add the certificate to the keyring class. For example, you can use
    the VaultTool add public cert command:
    % java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt add public cert LDAPCA 00-hex myLDAPCA.cert
  - Create a new file for the keyring class, including the new
    certificate. For example, you can use the VaultTool container
    command:
    % java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt container -p "ringpwd" com.ibm.websphere.TestKeyring myTestServer myTestCA LDAPCA
- Enable the SSL connection in WebSphere.
  - Modify your LDAP configuration (under Security --> Specify Global
    Settings --> User Registry).
    - Set the port to 636.
    - Check the box labelled Use SSL to connect to directory.
    - Click Finish.
  - Stop and restart the administrative server and client. After they
    restart, you are prompted to log in to the LDAP registry.
Tips
- If your SSL connection does not work, try the following:
  - Verify that your LDAP server is listening on port 636.
  - Verify that the LDAP server's certificate is still valid.
- If you need to export the certificate for the LDAP server's CA from a
  keyring or other type of file, look for an option that lets you export
  the certificate in DER binary format. The tools available vary with
  the LDAP server.
- If you transfer a certificate file from a remote host by using FTP, be
  sure to set the transfer mode to binary.
- Make sure that you place your updated keyring class in the correct
  location.
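As an added check for the tips above (this script is not part of the original InfoCenter page or of WebSphere), the following Python code classifies the CA certificate file you are about to import as PEM, intact DER, or DER damaged by a text-mode FTP transfer, and probes the LDAP server's secure port using only that CA as the trust anchor. The host name, the sample certificate bytes and the text-mode transfer simulation are constructed assumptions; port 636 is the page's default.

```python
import socket
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def der_declared_length(data: bytes):
    """Total length the outer DER SEQUENCE header (tag 0x30) claims, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                 # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_cert_file(data: bytes) -> str:
    """Return 'pem', 'der' or 'corrupt-der' for a certificate file's bytes.
    A DER file whose size disagrees with its header length is the usual
    symptom of an ASCII-mode FTP transfer rewriting LF bytes inside it."""
    if data.lstrip().startswith(PEM_HEADER):
        return "pem"
    declared = der_declared_length(data)
    return "der" if declared == len(data) else "corrupt-der"


def ascii_mode_transfer(data: bytes) -> bytes:
    """Constructed simulation of a text-mode FTP transfer (LF -> CRLF)."""
    return data.replace(b"\n", b"\r\n")


def probe_ldaps(host: str, ca_der: bytes, port: int = 636, timeout: float = 5.0) -> dict:
    """Connect to the LDAP server's secure port and verify its certificate
    chain against the CA certificate WebSphere trusts (DER bytes only; no
    system CAs). Expiry, chain and hostname failures raise ssl.SSLError;
    a closed port raises OSError. Assumes the port speaks TLS directly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cadata=ca_der)        # DER bytes are accepted here
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"subject": cert.get("subject"), "issuer": cert.get("issuer"),
                    "notAfter": cert.get("notAfter"), "protocol": tls.version()}
```

Run classify_cert_file on the exported CA file before adding it to the keyring, and probe_ldaps against the LDAP host once the server side is configured; a DER file that classifies as corrupt-der should be re-transferred in binary mode rather than imported.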