You may want to configure WebSphere Application Server and WebSphere Commerce Server to access your LDAP directory over SSL, to ensure the confidentiality of the data exchanged between WebSphere Application Server, WebSphere Commerce Server, and the LDAP server.
For example, user passwords travel over the network between the LDAP directory and WebSphere Commerce. They are sent whenever the WebSphere Commerce administration tools are used to create users or change passwords, and whenever WebSphere Application Server authenticates a username and password pair through an LDAP BIND operation; a simple BIND carries the password in cleartext, so without SSL anyone capturing packets on that path can read it. Configuring LDAP over SSL is therefore important to protect sensitive data. It also keeps user attributes retrieved from the directory from being read on the wire, which matters when those attributes include sensitive information or when privacy is a concern.
To keep all of this information private, you must configure both WebSphere Application Server and WebSphere Commerce Server to use LDAP over SSL to the LDAP directory. Configuring LDAP over SSL for WebSphere Application Server and WebSphere Commerce Server is a separate operation from configuring the HTTP Server to accept incoming browser requests over HTTPS, and from configuring HTTPS between the HTTP Server and WebSphere Application Server in a distributed setup; each of these protects a different hop, and securing one does not secure the others.
Consult your LDAP server documentation for instructions on configuring the directory to accept SSL traffic. For WebSphere Application Server, the redbook IBM WebSphere V5.0 Security, SG24-6573-00, is available; Appendix B contains instructions for configuring WebSphere Application Server for LDAP over SSL. You may also consult the WebSphere Application Server product documentation.
Keys and Certificates
To set up WebSphere Application Server and WebSphere Commerce Server to use LDAP over SSL to the LDAP directory, you must import the signing certificate for the LDAP server into the key storage files that WebSphere Application Server and WebSphere Commerce Server use. Every certificate needed to build the full signing trust chain, from the LDAP server certificate up to the trusted root, must be made available to WebSphere Application Server and WebSphere Commerce Server; a missing intermediate causes the SSL handshake to fail even though the server certificate itself is valid.
For a self-signed certificate, the trust chain consists of the single self-signed LDAP server certificate. For a certificate signed by a CA, the chain that confirms the identity and validity of the signing CA (the CA certificate and any intermediate certificates) must be included. You may use either a purchased certificate or a certificate issued by a CA you generate yourself.
You must also change some configuration settings to tell WebSphere Application Server and WebSphere Commerce Server that LDAP over SSL should be used. Usually it is only necessary to bring a signing certificate from the LDAP server to WebSphere Application Server and WebSphere Commerce Server. This step lets the clients authenticate the server side of the SSL connection: a connection to a host presenting a certificate that does not chain to that signer is rejected.
WebSphere Application Server and WebSphere Commerce Server are LDAP clients of the LDAP directory server. The client side is authenticated by performing an LDAP BIND inside the SSL connection. The identity used by WebSphere Application Server for this BIND is the Bind DN configured on the WebSphere Application Server Security Console. The identity used by WebSphere Commerce for this BIND is the adminId configured in wc_root/shared/app/wmm/wmm.xml. Both identities and their passwords are stored in configuration, so protect those files and grant the accounts only the directory rights they need.
If the LDAP directory is configured to require mutually authenticated SSL, meaning that it requests a client certificate during the handshake, then WebSphere Application Server and WebSphere Commerce Server must each present a client certificate, and the certificates that signed those client certificates must be added to the LDAP server's key storage so that it can validate them. Even in this case, WebSphere Application Server and WebSphere Commerce Server still perform LDAP BINDs using the configured IDs and passwords: the mutual SSL authentication establishes the connection, and the BIND establishes the LDAP identity used for directory operations.
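As an added illustration (not code from the original page or from IBM), the following Python shows what the simple BIND described above looks like on the wire, and how an LDAP client verifies the server certificate against the same signer certificate that would be imported into the WebSphere key storage. The host name, port, Bind DN, password and signer file name are assumed placeholders, and the BER encoder/decoder is a minimal one written for this example rather than a production LDAP library.

```python
"""LDAP v3 simple BIND framing (RFC 4511, BER) plus an LDAPS client that trusts only
a pinned signer certificate. Added illustration; not WebSphere or IBM code."""
import socket
import ssl
from typing import Tuple


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    message_id is assumed to be below 128 so it fits in one INTEGER content byte."""
    bind = tlv(0x60, tlv(0x02, b"\x03")              # version 3
                     + tlv(0x04, bind_dn.encode())   # name: the Bind DN / adminId
                     + tlv(0x80, password.encode())) # simple auth: the password, verbatim
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        pos += 2 + count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> Tuple[int, int, str, str]:
    """Decode LDAPMessage { messageID, bindResponse [APPLICATION 1] { resultCode, matchedDN,
    diagnosticMessage } } into (message_id, result_code, matched_dn, diagnostic).
    Result code 0 is success; 49 is invalidCredentials."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), matched.decode(), diag.decode()


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        data += chunk
    return data


def _recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage (short and long length forms)."""
    head = _recv_exact(sock, 2)
    if head[1] < 0x80:
        length = head[1]
    else:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + _recv_exact(sock, length)


def ldaps_simple_bind(host: str, port: int, bind_dn: str, password: str, signer_pem: str) -> Tuple[int, str]:
    """Open an SSL connection that trusts only signer_pem (the LDAP server's signing certificate or
    full chain, the same material imported into the WebSphere key storage), then BIND inside it.
    Returns (result_code, diagnostic). Not exercised offline; every parameter is a placeholder."""
    ctx = ssl.create_default_context(cafile=signer_pem)  # pinned signer only, no system CA bundle
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True                            # the certificate must name the LDAP host
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            _, code, _, diag = parse_bind_response(_recv_message(tls))
            return code, diag


if __name__ == "__main__":
    # Constructed request: the password appears as-is, which is exactly what a packet
    # capture of a non-SSL LDAP BIND shows.
    req = bind_request(1, "cn=wcadmin,o=ibm", "secret")
    print(req.hex(), b"secret" in req)
```

Because `create_default_context` is given a `cafile`, only that signer is trusted; a self-signed LDAP server certificate works as its own signer, and a CA-issued certificate needs the CA (and any intermediates) in the file. For the mutually authenticated case above, the client would additionally call `ctx.load_cert_chain(certfile, keyfile)` to present its own certificate, whose signer must be in the LDAP server's key storage; the BIND inside the connection is unchanged.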
Note: It is recommended that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL.