
5.5.7.2: Enabling SSL connections between WebSphere Application Server and an LDAP Server

  1. Configure SSL in the LDAP server. The procedure varies with the LDAP server being used. Consult the documentation for your server for details. For example, with the SecureWay LDAP server, the following must be done:
    1. Set the SSL status to SSL ON.
    2. Set the Authentication Method to Server Authentication. The SSL protocol requires the server to be authenticated. In this case, the LDAP server is the server and WebSphere Application Server is the client. If you need mutual authentication, choose Server and Client Authentication.
    3. Make sure that the secure port is set to 636. (You can choose a different port, but then you must specify the same port when you configure LDAP SSL in WebSphere Application Server.)
    4. Point the Key Database path and filename to the LDAP server's keyfile. In SSL, certificates are used for authentication. Therefore, the LDAP server requires a certificate, which must be included in its keyfile.
    5. Set the Key Label to the label used for the LDAP server's certificate.
  2. Update your WebSphere keyring class. The keyring class is the repository for the WebSphere server's trust base, that is, the set of certificates the server accepts as trust anchors. Because WebSphere Application Server must authenticate the LDAP server during the SSL handshake, the keyring class must contain what is needed to validate the LDAP server's certificate.

    To validate the LDAP server's certificate, your server needs the public key of the CA that issued it. That key is carried in the CA's own certificate, so you must add the certificate of the CA that issued the LDAP server's certificate to your keyring. Note that trusting the CA certificate means that every server certificate issued by that CA will be accepted, not only the LDAP server's. (For more information on authentication by certificate, see 5.5: Certificate-based authentication.)

    To add the additional certificate to the keyring class, you must:
    1. Add the certificate to the keyring class. For example, you can use the VaultTool add public cert command:
       % java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt add public cert LDAPCA 00-hex myLDAPCA.cert

    2. Create a new file for the keyring class, including the new certificate. For example, you can use the VaultTool container command:
       % java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt container -p "ringpwd" com.ibm.websphere.TestKeyring myTestServer myTestCA LDAPCA

    Note that both commands take the vault and keyring passwords on the command line, where they are visible to other users of the same host in the process list and may be recorded in your shell history. Run them from an account and shell session where that is acceptable.
  3. Enable the SSL connection in WebSphere.
    1. Modify your LDAP configuration (under Security --> Specify Global Settings --> User Registry).
      1. Set the port to 636, or to the secure port you configured on the LDAP server.
      2. Check the box labelled Use SSL to connect to directory.
    2. Click Finish.
  4. Stop and restart the administrative server and client. After they restart, you are prompted to log in to the LDAP registry.

Tips

  • If your SSL connection does not work, try the following:
    1. Verify that your LDAP server is listening on port 636 (or on the secure port you configured).
    2. Verify that the LDAP server's certificate is still valid, and that it was issued by the CA whose certificate you added to the keyring.
  • If you need to export the certificate of the LDAP server's CA from a keyring or other type of file, look for an option that lets you export the certificate in DER binary format. The tools available vary with the LDAP server.
  • If you transfer a certificate file from a remote host by using FTP, be sure to set the transfer mode to binary. An ASCII-mode transfer rewrites line-ending bytes and corrupts a DER file.
  • Make sure that you place your updated keyring class in the correct location.
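The trust relationship that steps 1 and 2 establish, and the checks in the tips above, can be rehearsed with openssl before you touch the keyring. The following script is an added example and is not part of the WebSphere documentation or of VaultTool. It assumes openssl is on the PATH; in place of a real LDAP keyfile it builds a throwaway CA and an LDAP server certificate as constructed test data, exports the CA certificate in DER form, classifies a certificate file as PEM, DER or damaged, verifies that the server certificate chains to the CA, checks the certificate's remaining validity, and, against a real host (ldap.example.test is a hypothetical name), confirms that the secure port answers and presents a chain that verifies against the CA file.

```shell
#!/bin/sh
# Added example (not from the WebSphere documentation or VaultTool): openssl-based
# pre-flight checks for the LDAP-over-SSL trust setup. Assumes openssl on PATH.
# The CA and server certificate built here are constructed test data standing in
# for the real LDAP server's keyfile; ldap.example.test is a hypothetical host.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Build a throwaway CA and an LDAP server certificate it signs (constructed data).
# The CA certificate is what step 2 adds to the WebSphere keyring.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test LDAP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1 || return 1
  # 30-day leaf certificate so the validity check has something to measure
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/ldap.pem" >/dev/null 2>&1
}

# Export a PEM certificate as DER, the binary form the export tip says to look for.
export_ca_der() { # export_ca_der IN.pem OUT.der
  openssl x509 -in "$1" -outform DER -out "$2" 2>/dev/null
}

# Classify a certificate file by its first bytes: PEM starts with "-----", DER with
# an ASN.1 SEQUENCE tag (0x30) and must also parse. A DER file damaged in transfer
# (for example by an ASCII-mode FTP) no longer parses and is reported as UNKNOWN.
cert_format() { # cert_format FILE  -> prints PEM | DER | UNKNOWN
  first=$(od -A n -t x1 -N 5 "$1" 2>/dev/null | tr -d ' \n')
  case "$first" in
    2d2d2d2d2d) echo PEM; return 0 ;;
    30*) if openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
           echo DER; return 0
         fi ;;
  esac
  echo UNKNOWN; return 1
}

# Does the LDAP server's certificate chain to the CA certificate you are about to
# trust? Exit status 0 means a keyring holding that CA would accept the server.
verify_chain() { # verify_chain CA.pem SERVER.pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Is the server certificate still valid for at least N seconds (default one day)?
cert_valid_for() { # cert_valid_for SERVER.pem [SECONDS]
  openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null 2>&1
}

# Live check (not run offline): is the secure port answering, and does the chain it
# presents verify against the CA file? Covers both troubleshooting tips at once.
check_live_ldap() { # check_live_ldap HOST PORT CA.pem
  openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null \
    | grep -q "Verify return code: 0 (ok)"
}

# Offline rehearsal of the whole sequence; prints one line per check.
run_offline_checks() {
  make_test_pki || { echo "could not build test PKI"; return 1; }
  export_ca_der "$WORK/ca.pem" "$WORK/ca.der" || return 1
  echo "exported CA format: $(cert_format "$WORK/ca.der")"
  if verify_chain "$WORK/ca.pem" "$WORK/ldap.pem"; then echo "chain: OK"; else echo "chain: FAIL"; fi
  if cert_valid_for "$WORK/ldap.pem"; then echo "validity: OK"; else echo "validity: expiring or expired"; fi
}

if [ "${1:-}" = "--demo" ]; then
  run_offline_checks
elif [ "${1:-}" = "--live" ]; then
  # usage: sh check_ldap_ssl.sh --live HOST PORT CA.pem  (all three hypothetical)
  if check_live_ldap "${2:-ldap.example.test}" "${3:-636}" "${4:-$WORK/ca.pem}"; then
    echo "live: OK"
  else
    echo "live: FAIL (port closed, or chain does not verify against the CA file)"
  fi
fi
```

Run the script with --demo for the offline rehearsal, or with --live, the LDAP host, the secure port and the CA file exported from the LDAP server's key database to test the real server. The CA file given to verify_chain and check_live_ldap is the same one you add to the keyring with VaultTool, so a FAIL from either tells you the keyring would reject the server before you rebuild the keyring class and restart the administrative server.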
Go to previous article: Establishing connections between application servers and LDAP servers
Go to next article: Example: Generating and using a test keyring