Enabling SSL Between Active Directory LDAP and WebSphere Fails
 Technote (FAQ)
 
Problem
Authentication errors appear in the console after hitting "Apply" to update security configurations in the security center when updating WebSphere to use the SSL port: usually 636.
 
 
Solution
There is a known Microsoft problem that prevents WebSphere from connecting over SSL with Active Directory when Active Directory is remote. Customers will need to get a fix from Microsoft. See Microsoft Article Q320711: Accessing Active Directory with LDAP by Using Sun JNDI Calls May Not Work.

Apply this fix or any service pack containing the fix to the WebSphere machine and the Active Directory machine.

Preliminary Steps:
A. Follow the steps in Microsoft Article Q247078: How To: Enable Secure Socket Layer (SSL) Communication over LDAP for Windows 2000 Domain Controllers.

B. Make sure you can search Active Directory from the same machine on which Active Directory is installed, using the "Find People" task in the Windows Address Book. You should be able to successfully search either on Port 389 or Port 636. If you cannot perform a successful search, see these Microsoft Articles:
Q238007: How to Configure Address Book to Query Users in Active Directory.
Q254610: System Event ID 36876 When Using LDAP SSL Query of the Active Directory.


WebSphere Steps:
1. Create a user in Active Directory called "AdminUser". This user is a member of Administrative and Domain Administrator groups.
2. Shut down and log off the Active Directory machine. Restart and log in as "AdminUser".
3. On the Active Directory machine:
   - Install DB2 7.2, Fixpack 5
   - Install WAS 4.01
4. Export the certificate created for the domain controller with the Windows Export Wizard. Export in Binary-64 format.
5. Open the IKEYMAN utility from the WebSphere menu.
6. Pull up WebSphere's dummy trust file from /WebSphere/AppServer/etc. The password is WebAS.
7. Add the certificate to the signer certificates area.
8. Save and close the file.
9. Configure WebSphere to connect to Active Directory LDAP over port 389:
a. Set the LDAP server to listen on Port 389 in Address Book.
b. Enable Security under the security center general tab.
c. Also under the security center general tab, click on default SSL configuration. Security level should be "Medium".
d. Set the Authentication mechanism to LTPA in the Authentication Mechanism tab.
e. Set up your LDAP settings. Use "AdminUser" as both Security Center ID and Bind Distinguished name. For Active Directory, a Bind Distinguished name is necessary.
f. Set the host name of the LDAP server.
g. Set the base distinguished name of the LDAP directory.
h. Do NOT select the SSL button yet.
i. Click Finish and make sure the settings are updated.
j. Test by stopping the console and the admin server. Make sure that when you restart the admin server and console, you are prompted and that you can access the console with the "AdminUser" id.
10. Configure WebSphere to connect to Active Directory LDAP over port 636:
a. Set the LDAP server to listen on Port 636 in Address Book.
b. On the Authentication tab of the security center, set the port to 636.
c. Click SSL.
d. Click Enable SSL
e. Select "Use Global SSL default configuration"
f. Click "Apply".
g. Test by restarting the admin server and console. You should be prompted, and the 636 port will show in the Realm field of the login prompt.
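Before switching the security center to port 636 (step 10), it helps to confirm from the WebSphere machine that a plain Sun JNDI client can bind and search Active Directory over SSL using the trust file that now holds the exported domain controller certificate. The following is an added example, not part of this technote or of WebSphere itself; the host name, base DN, bind DN and trust file name are assumptions to be replaced with your own values (the trust file password WebAS is the one the technote gives).

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Binds to Active Directory over LDAPS (port 636) and runs one search, so that a
 *  signer-certificate or SSL problem shows up here rather than in the security center. */
public class LdapsCheck {
    // Assumed values: replace with your domain controller, base DN and AdminUser DN.
    static final String HOST = "dc1.example.com";
    static final String BASE_DN = "DC=example,DC=com";
    static final String BIND_DN = "CN=AdminUser,CN=Users,DC=example,DC=com";

    public static void main(String[] args) throws NamingException {
        String password = args.length > 0 ? args[0] : "";
        // Trust file into which the domain controller certificate was added with IKEYMAN
        // (file name assumed; WebAS is the dummy trust file's password from the technote).
        System.setProperty("javax.net.ssl.trustStore", "/WebSphere/AppServer/etc/DummyServerTrustFile.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "WebAS");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + HOST + ":636/");
        env.put(Context.SECURITY_PROTOCOL, "ssl");    // SSL on 636, as WebSphere will use it
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);  // AD needs a bind DN, not an anonymous bind
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = new InitialDirContext(env);   // throws if the certificate is not trusted
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"sAMAccountName"});
            NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, "(sAMAccountName=AdminUser)", sc);
            while (results.hasMore()) {
                System.out.println("Found: " + results.next().getNameInNamespace());
            }
            System.out.println("LDAPS bind and search on port 636 succeeded");
        } finally {
            ctx.close();
        }
    }
}
```

If this fails with an SSL handshake or certificate exception, the domain controller certificate has not been added to the trust file correctly (steps 4 through 8); if it fails with an LDAP bind error, revisit the bind DN and the port 389 configuration from step 9 before enabling SSL.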
Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Windows
Software version: 4.0
Software edition:
Reference #: 1054139
IBM Group: Software Group
Modified date: Sep 6, 2004