5.5.7.1: Establishing connections between application servers and LDAP servers
- Disable WebSphere security before shutting down the administrative
  server and client. This is not strictly necessary, but it makes
  recovery easier if something goes wrong.
- Create your own keyring. To use SSL between WebSphere Application
  Server and the LDAP server, you have to create your own keyring. The
  DummyKeyring file that comes with WebSphere is not sufficient because
  it does not contain the necessary information about the servers
  involved. See the articles under section 5.5.6, Tools for managing
  certificates and keys, for instructions on how to create keyrings
  with the WebSphere Application Server key tools.
- Place your keyring class in the appropriate directory. Because you
  are replacing the default keyring class with your own, make sure
  that WebSphere Application Server is able to find the new class
  file. The keyring class is a Java class, so the CLASSPATH variable
  is used to find it. For example, if you give the file a class name
  like com.mycompany.test.keyring, you need to add the search path
  com/mycompany/test to the CLASSPATH.
  If your chosen search path is not on WebSphere's default CLASSPATH,
  then you have to update the following files:
  - admin.config: Add the search path to the
    com.ibm.ejs.sm.adminserver.classpath property.
  - adminserver.bat and adminclient.bat: Add the search path to the
    WAS_CP variable. Insert a line like this:
      set WAS_CP=%WAS_CP%;search-path
- Update the property files.
  - WebSphere determines the keyring file to use and its password by
    examining properties in the files sas.server.props and
    sas.client.props. The following properties determine the keyring
    to use:
    - com.ibm.CORBA.SSLKeyRing
    - com.ibm.CORBA.SSLClientKeyRing
    - com.ibm.CORBA.SSLServerKeyRing
    Set these properties to the name of your keyring class, for
    example, com.ibm.websphere.TestKeyring.
  - When you create a file for a keyring class, you specify a password
    for the file. This password protects the file from unrestricted
    use. The following properties are used to specify the password
    for an application that needs to use the keyring:
    - com.ibm.CORBA.SSLKeyRingPassword
    - com.ibm.CORBA.SSLClientKeyRingPassword
    - com.ibm.CORBA.SSLServerKeyRingPassword
    These properties default to the value "WebAS", so if you used a
    different password when you created the keyring file, change the
    value of these properties accordingly.
  After you modify the properties files, you need to delete the file
  sas.server.props.future, or your changes to the other properties
  files will not take effect when you restart the administrative
  server.
- Restart the administrative server and client and configure LDAP.
  - Set the Challenge Type to Basic (under Security --> Specify Global
    Settings --> Application Defaults).
  - Set the Authentication Mechanism to LDAP (under Security -->
    Specify Global Settings --> Authentication Mechanism).
  - Set up your LDAP registry (under Security --> Specify Global
    Settings --> User Registry):
    - Set the port to 389.
    - Do not check the box that says "Use SSL to connect to directory"
      yet.
  - Click Finish. The application server now communicates with the
    LDAP server. You can verify the communication with your LDAP
    server by monitoring its connections.
  - Stop and restart the administrative server and client. You will
    now be prompted to authenticate against the LDAP registry.

At this point, you know that WebSphere Application Server can
communicate with the LDAP server successfully.
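The property-file step above is easy to get only half right: all three keyring properties must name the new class, and a password property that is left unset still means "WebAS". The following check is an added example, not code from the InfoCenter page or from WebSphere; it reads sas.server.props text and reports any keyring property that does not name the expected class and any password property still at the default. The file contents and the dummy class name com.example.DummyKeyring are constructed.

```python
import re

# Property names from the procedure above (sas.server.props / sas.client.props).
KEYRING_PROPS = (
    "com.ibm.CORBA.SSLKeyRing",
    "com.ibm.CORBA.SSLClientKeyRing",
    "com.ibm.CORBA.SSLServerKeyRing",
)
PASSWORD_PROPS = tuple(p + "Password" for p in KEYRING_PROPS)
DEFAULT_PASSWORD = "WebAS"  # documented default; an unset property means this

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_keyring_config(props, expected_class):
    """Return a list of findings; an empty list means the file looks right."""
    findings = []
    for p in KEYRING_PROPS:
        value = props.get(p)
        if value != expected_class:
            findings.append(f"{p} is {value!r}, expected {expected_class!r}")
    for p in PASSWORD_PROPS:
        # A missing property falls back to the default, so treat it the same.
        if props.get(p, DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
            findings.append(f"{p} still uses the default password")
    return findings

# Constructed sample: the server keyring still names a stand-in dummy class
# (hypothetical name) and its password was left at the default.
SAMPLE_SAS_SERVER_PROPS = """\
# sas.server.props (constructed sample)
com.ibm.CORBA.SSLKeyRing=com.mycompany.test.keyring
com.ibm.CORBA.SSLClientKeyRing=com.mycompany.test.keyring
com.ibm.CORBA.SSLServerKeyRing=com.example.DummyKeyring
com.ibm.CORBA.SSLKeyRingPassword=example-not-the-default
com.ibm.CORBA.SSLClientKeyRingPassword=example-not-the-default
com.ibm.CORBA.SSLServerKeyRingPassword=WebAS
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_SAS_SERVER_PROPS)
    for finding in check_keyring_config(props, "com.mycompany.test.keyring"):
        print("WARNING:", finding)
```

Run the same check against sas.client.props as well, since the procedure edits both files.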