
5.5.7.1: Establishing connections between application servers and LDAP servers

  1. Disable WebSphere security before shutting down the administrative server and client. This is not strictly necessary, but it makes recovery easier if something goes wrong.
  2. To use SSL between WebSphere Application Server and the LDAP server, create your own key store and trust store files (if you have not done so already). Put the LDAP server's certificate in the trust store file, which holds the public keys and CA certificates that are trusted. The key store holds the server's private keys (or the client's, in the case of client authentication).

    The same trust store file can be used for LDAP as is used for the ORB and HTTPS. Add the LDAP server's public key or root CA certificate to the trust store specified in the Default SSL Configuration in the Security Center of the administrative console. See the articles under section 5.5.6, Tools for managing certificates and keys, for instructions on how to create key and trust stores with the WebSphere Application Server key tools.

    The key and trust store files you create are used to configure global security. They are also used to enable an SSL connection between WebSphere and the LDAP server.

  3. Place your server key and trust store files in the appropriate directories on the server machine. See Making client and server key store and trust store files accessible for details.
  4. WebSphere determines which key and trust store files to use and their passwords based on the settings in the Default SSL Configuration panel in the Security Center of the Administrative Console. You can also override the default settings by changing the LDAP SSL Settings in the Security Center.
  5. Restart the administrative server and client and configure WebSphere Security including LDAP.
    1. Enable Security (under the Security Center --> General).
    2. Set the Default SSL Configuration (under Security Center --> General --> Default SSL Configuration).
    3. Set the Authentication Mechanism to Lightweight Third-Party Authentication (LTPA) (under Security Center --> Authentication --> Authentication Mechanism).
    4. Set up your LDAP settings (under Security Center --> Authentication Tab --> LDAP Settings).
      • Choose a Security Server ID from your LDAP user registry. This ID must be a valid user from the registry. Do not use the LDAP administrative ID because this is not a searchable ID and validation failures will occur.
      • Set the Security Server Password associated with the Security Server ID.
      • Set the host name or IP address of the LDAP server.
      • Set the port to 389 (or whatever the TCP/IP listener port is for your LDAP server).
      • Set the Base Distinguished Name of your LDAP directory.
      • Optionally, set the Bind Distinguished Name and Bind Password of your LDAP server.
      • Optionally, modify the Advanced settings as necessary for your LDAP server's directory configuration.
      • Do not select the SSL button or check Enable SSL yet.
    5. Click Finish.

The application server now communicates with the LDAP server and authenticates the Security Server ID. If the Security Server ID is not valid, you receive an error message saying so. Check your LDAP server's configuration to resolve any problems with the WebSphere LDAP Settings. You can verify the communication with your LDAP server by monitoring its connections.
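As an added example that is not part of this InfoCenter article, the following Python script (standard library only) performs the check that step 4 and the paragraph above describe: a simple bind as the Security Server ID (or the Bind Distinguished Name) against the plain LDAP listener port, before SSL is enabled. The host, port, DN and password are placeholders to replace with your own values, message IDs are assumed to stay below 128, and SAMPLE_INVALID_CREDENTIALS is a constructed server reply used to exercise the decoder offline.

```python
import socket
LDAP_RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

def ber_len(n):
    # BER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    # one BER tag-length-value element
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(message_id, bind_dn, password):
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] } with simple auth; message_id assumed < 128
    op = tlv(0x60, tlv(0x02, b"\x03")              # LDAP version 3
             + tlv(0x04, bind_dn.encode())          # name: the DN being checked
             + tlv(0x80, password.encode()))        # authentication: simple [0]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + op)

def read_tlv(buf, pos):
    # decode one element at buf[pos]; returns (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg):
    # returns (messageID, resultCode, diagnosticMessage) from a BindResponse
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:                                 # BindResponse [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)                  # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def check_bind(host, port, bind_dn, password, timeout=5):
    # bind once over the plain listener port (SSL is not enabled yet at this step); reply fits one recv()
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(bind_request(1, bind_dn, password))
        _, code, diag = parse_bind_response(sock.recv(4096))
    return code, LDAP_RESULT.get(code, "other"), diag

# constructed sample of a server's reply to a bind with a wrong password (resultCode 49)
SAMPLE_INVALID_CREDENTIALS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, tlv(0x0A, b"\x31") + tlv(0x04, b"") + tlv(0x04, b"invalid credentials")))
```

A result code of 49 (invalidCredentials) or 32 (noSuchObject) points at the Security Server ID, DN or password; a connection error before any reply arrives points at the host name, port or listener settings instead.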
