Problem
Authentication errors appear in the console after clicking "Apply" to update the security configuration in the Security Center when WebSphere is changed to use the SSL port (usually 636).
Solution
There is a known Microsoft problem that prevents WebSphere from connecting to Active Directory over SSL when Active Directory is on a remote machine. Customers will need to obtain a fix from Microsoft; see Microsoft Article Q320711: Accessing Active Directory with LDAP by Using Sun JNDI Calls May Not Work.
Apply this fix, or any service pack containing the fix, to both the WebSphere machine and the Active Directory machine.
Preliminary Steps:
A. Follow the steps in Microsoft Article Q247078: How To: Enable Secure Socket Layer (SSL) Communication over LDAP for Windows 2000 Domain Controllers.
B. Make sure you can search Active Directory from the machine on which Active Directory is installed, using the "Find People" task in the Windows Address Book. You should be able to search successfully on either port 389 or port 636. If you cannot perform a successful search, see these Microsoft Articles:
Q238007: How to Configure Address Book to Query Users in Active Directory.
Q254610: System Event ID 36876 When Using LDAP SSL Query of the Active Directory.
WebSphere Steps:
1. Create a user in Active Directory called "AdminUser". This user is a member of the Administrative and Domain Administrator groups.
2. Shut down and log off the Active Directory machine. Restart and log in as "AdminUser".
3. On the Active Directory machine:
   Install DB2 7.2, Fixpack 5.
   Install WAS 4.01.
4. Export the certificate created for the domain controller with the Windows Export Wizard. Export in Binary-64 format.
5. Open the IKEYMAN utility from the WebSphere menu.
6. Open WebSphere's dummy trust file from /WebSphere/AppServer/etc. The password is WebAS.
7. Add the certificate to the signer certificates area.
8. Save and close the file.
9. Configure WebSphere to connect to Active Directory LDAP over port 389:
a. Set the LDAP server to listen on port 389 in Address Book.
b. Enable Security under the Security Center General tab.
c. Also under the Security Center General tab, click Default SSL Configuration. The security level should be "Medium".
d. Set the authentication mechanism to LTPA in the Authentication Mechanism tab.
e. Set up your LDAP settings. Use "AdminUser" as both the Security Center ID and the Bind Distinguished Name. For Active Directory, a Bind Distinguished Name is required.
f. Set the host name of the LDAP server.
g. Set the base distinguished name of the LDAP directory.
h. Do NOT select the SSL button yet.
i. Click Finish and make sure the settings are updated.
j. Test by stopping the console and the admin server. Make sure that when you restart the admin server and console you are prompted to log in, and that you can access the console with the "AdminUser" ID.
10. Configure WebSphere to connect to Active Directory LDAP over port 636:
a. Set the LDAP server to listen on port 636 in Address Book.
b. On the Authentication tab of the Security Center, set the port to 636.
c. Click SSL.
d. Click Enable SSL.
e. Select "Use Global SSL default configuration".
f. Click "Apply".
g. Test by restarting the admin server and console. You should be prompted to log in, and port 636 will show in the Realm field of the login prompt.
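The two binds in steps 9 and 10 can be exercised outside the Security Center with the same Sun JNDI LDAP calls WebSphere uses, against the same trust file, which isolates a certificate or port problem from a console problem. This is an added example, not code from the original technote; the trust file name, host, bind DN and bind password are assumptions to replace with your own values.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class AdLdapsCheck {
    // Assumed: the dummy trust file's name (the page gives only its directory and
    // password); host, bind DN and bind password are placeholders for your domain.
    static final String TRUST_FILE = "/WebSphere/AppServer/etc/DummyServerTrustFile.jks";
    static final String TRUST_PASS = "WebAS";
    static final String LDAP_HOST = "dc.example.com";
    static final String BIND_DN = "CN=AdminUser,CN=Users,DC=example,DC=com";
    static final String BIND_PASS = "change-me";
    // Print the signer certificates in the trust file, so the domain controller
    // certificate added in step 7 can be confirmed before SSL is switched on.
    static void listSigners() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUST_FILE)) {
            ks.load(in, TRUST_PASS.toCharArray());
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + " -> " + c.getSubjectX500Principal());
        }
    }
    // Simple bind on the given port; on 636 JNDI negotiates SSL and validates the
    // server certificate against javax.net.ssl.trustStore (set in main).
    static void bind(int port) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + LDAP_HOST + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASS);
        if (port == 636) env.put(Context.SECURITY_PROTOCOL, "ssl");
        DirContext ctx = new InitialDirContext(env); // throws on TLS or auth failure
        ctx.close();
    }
    public static void main(String[] args) throws Exception {
        System.setProperty("javax.net.ssl.trustStore", TRUST_FILE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUST_PASS);
        listSigners();
        bind(389); // step 9: plain LDAP must work first
        bind(636); // step 10: only then SSL with the imported signer
    }
}
```

If the port 389 bind succeeds but the port 636 bind fails with a certificate or handshake exception, the signer in the trust file does not match what the domain controller presents, which is the same condition that produces the console authentication errors after "Apply".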