5.5.7.1: Establishing connections between application servers and LDAP servers

  1. Disable WebSphere security before shutting down the administrative server and client. This is not strictly necessary, but it makes recovery easier if something goes wrong.
  2. Create your own keyring. To use SSL between WebSphere Application Server and the LDAP server, you have to create your own keyring. The DummyKeyring file that comes with WebSphere is not sufficient because it does not contain the necessary information about the servers involved. See the articles under section 5.5.6, Tools for managing certificates and keys, for instructions on how to create keyrings with the WebSphere Application Server key tools.
  3. Place your keyring class in the appropriate directory. Because you are replacing the default keyring class with your own, make sure that WebSphere Application Server is able to find the new class file. The keyring class is a Java class, so the CLASSPATH variable is used to find it. For example, if you give the file a class name like com.mycompany.test.keyring, you need to add the search path com/mycompany/test to the CLASSPATH.

    If your chosen search path is not on WebSphere's default CLASSPATH, then you have to update the following files:
    • admin.config: Add the search path to the com.ibm.ejs.sm.adminserver.classpath property.
    • adminserver.bat and adminclient.bat: Add the search path to the WAS_CP variable. Insert a line like this:
      set WAS_CP=%WAS_CP%;search-path
  4. Update the property files.
    • WebSphere determines the keyring file to use and its password by examining properties in the files sas.server.props and sas.client.props. The following properties determine the keyring to use:
      • com.ibm.CORBA.SSLKeyRing
      • com.ibm.CORBA.SSLClientKeyRing
      • com.ibm.CORBA.SSLServerKeyRing
      Set these properties to the name of your keyring class, for example, com.ibm.websphere.TestKeyring.
    • When you create a file for a keyring class, you specify a password for the file. This password protects the file from unrestricted use. The following properties are used to specify the password for an application that needs to use the keyring:
      • com.ibm.CORBA.SSLKeyRingPassword
      • com.ibm.CORBA.SSLClientKeyRingPassword
      • com.ibm.CORBA.SSLServerKeyRingPassword
      These properties default to the value "WebAS", so if you used a different password when you created the keyring file, change the value of these properties accordingly.
    After you modify the properties files, you need to delete the file sas.server.props.future, or your changes to the other properties files will not take effect when you restart the administrative server.
  5. Restart the administrative server and client and configure LDAP.
    1. Set the Challenge Type to Basic (under Security --> Specify Global Settings --> Application Defaults)
    2. Set the Authentication Mechanism to LDAP (under Security --> Specify Global Settings --> Authentication Mechanism)
    3. Set up your LDAP registry (under Security --> Specify Global Settings --> User Registry)
      1. Set the port to 389 (the standard non-SSL LDAP port).
      2. Do not check the box that says "Use SSL to connect to directory" yet.
    4. Click Finish. The application server now communicates with the LDAP server. You can verify the communication with your LDAP server by monitoring its connections.
  6. Stop and restart the administrative server and client. You will now be prompted to authenticate against the LDAP registry.

At this point, you know that WebSphere Application Server can communicate with the LDAP server successfully.
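An added example, not from this InfoCenter article or from IBM's tooling: a small Python audit that parses a sas.server.props-style file and reports the step 4 settings a practitioner most often gets wrong, a keyring password property still at the documented default "WebAS" (including when the property is simply absent, since the default then applies), keyring class properties that do not all name the same class, and keyring class properties left unset. The property names and the default value are the ones listed in step 4; the file contents are a constructed sample, and com.mycompany.test.keyring is the hypothetical class name from step 3.

```python
# Added example (not IBM code): audit the keyring properties that step 4 describes.
import re

KEYRING_PROPS = ("com.ibm.CORBA.SSLKeyRing", "com.ibm.CORBA.SSLClientKeyRing",
                 "com.ibm.CORBA.SSLServerKeyRing")
PASSWORD_PROPS = tuple(p + "Password" for p in KEYRING_PROPS)
DEFAULT_PASSWORD = "WebAS"  # documented default; an absent property means this value

def parse_properties(text):
    """Minimal Java .properties parser: key=value / key:value / key value, '#' or '!' comments, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation: glue the next line on
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_keyring_config(text):
    """Return a list of findings (strings); an empty list means the file passes."""
    props = parse_properties(text)
    findings = []
    classes = {p: props.get(p, "") for p in KEYRING_PROPS}
    for prop, cls in classes.items():
        if not cls:
            findings.append(f"{prop} is unset")
    if len({c for c in classes.values() if c}) > 1:
        findings.append("keyring class properties do not all name the same class")
    for prop in PASSWORD_PROPS:
        # .get() with the default mirrors WebSphere's own fallback to "WebAS"
        if props.get(prop, DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
            findings.append(f"{prop} still uses the default password")
    return findings

# Constructed sample: class set consistently, but one password left at the default.
SAMPLE = """\
com.ibm.CORBA.SSLKeyRing=com.mycompany.test.keyring
com.ibm.CORBA.SSLClientKeyRing=com.mycompany.test.keyring
com.ibm.CORBA.SSLServerKeyRing=com.mycompany.test.keyring
com.ibm.CORBA.SSLKeyRingPassword=changed-secret
com.ibm.CORBA.SSLClientKeyRingPassword=changed-secret
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
"""
```

Run it against both sas.server.props and sas.client.props, since the page has you set the same properties in each.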

Go to previous article: SSL-LDAP setup Go to next article: Enabling SSL connections between WebSphere and LDAP