Before setting up LDAP over SSL, ensure you have met the following prerequisites:
- Installed WebSphere Application Server and WebSphere Commerce. For more information, see the WebSphere Commerce Installation Guide.
- Installed your LDAP server and set it up with WebSphere Application Server and WebSphere Commerce. It is recommended that you first get LDAP (non-SSL) successfully working before setting up LDAP over SSL. This allows you to verify that the directory is responding to LDAP requests before setting it up for SSL.
To set up LDAP over SSL, do the following:
- Generate or import certificates as necessary and activate SSL on the directory. This step varies depending on the LDAP server you are using.
  - IBM Directory Server: IBM Directory Server may use either self-signed certificates or signing certificates signed by a CA (Certificate Authority) to enable LDAP over SSL. IBM Directory Server includes a security key management utility, such as gsk6ikm, which can be used to generate a self-signed certificate or to import purchased certificates into the IBM Directory Server keystore. You should consult the IBM Directory Server documentation for the details of how to import a CA certificate or create a self-signed certificate in a key database file and extract that certificate so that it can be moved to the WebSphere Application Server and WebSphere Commerce. A brief overview of the steps to create a self-signed certificate is below:
    - Activate the security key management utility. For example, gsk6ikm.
    - Open an existing CMS Key Database file, if your directory server is already configured for SSL, or create a new CMS Key Database file. If you open an existing file, you must provide the password for that file. If you create a new file, you are asked to supply a password to secure access to that file. Remember this password.
    - Within that CMS Key Database file, create a new self-signed certificate, using X.509 Version 3 format and 1024-bit key size. Give the certificate a label. Remember this label.
    - Extract the new self-signed certificate as a certificate file using Base64-encoded ASCII data as the data type. This will save the certificate to a filename of your choice with an extension of .arm.
    - If it is not already configured, set up IBM Directory Server for LDAP over SSL using the CMS Key Database file containing the self-signed certificate. For details on this step, see the IBM Directory Server documentation.
  - Domino Directory: Domino Directory uses either self-signed certificates or signing certificates signed by a CA (Certificate Authority) to enable LDAP over SSL. IBM HTTP Server includes a security key management utility, such as IKeyMan, which can be used to generate a self-signed certificate or to import purchased certificates into the Domino Directory keystore. See the Domino Directory and IKeyMan documentation for the details of how to import a CA certificate or create a self-signed certificate in a key database file and extract that certificate so that it can be moved to the WebSphere Application Server and WebSphere Commerce. A brief overview of the steps to create a self-signed certificate is below:
    - Activate the security key management utility. For example, IKeyMan.
    - Open an existing CMS Key Database file, or create a new CMS Key Database file. If you open an existing file, you must provide the password for that file. If you create a new file, you are asked to supply a password to secure access to that file. Remember this password.
    - Within that CMS Key Database file, create a new self-signed certificate, using X.509 Version 3 format and 1024-bit key size. Give the certificate a label. Remember this label.
    - Extract the new self-signed certificate as a certificate file using Base64-encoded ASCII data as the data type. This will save the certificate to a filename of your choice with an extension of .arm.
    - If it is not already configured, set up Domino Directory for LDAP over SSL using the CMS Key Database file containing the self-signed certificate. For details on this step, see the Domino Directory documentation.
  - Active Directory: Active Directory and Internet Information Services (IIS) should be installed and configured before you install WebSphere Commerce. Do the following:
    - Export the root CA certificate.
      - Open a Web browser and connect to http://localhost/certsrv.
      - Select the task Retrieve the CA certificate or certificate revocation list and click Next.
      - Choose the certificate you created (current) and the format (either DER encoded or Base 64 encoded). Then click Download CA certificate.
      - Save this certificate in a file. For example, call the certificate certnew.cer.
      - Copy it to your WebSphere Commerce machine.
  - Sun ONE: The configuration of LDAP over SSL from WebSphere Application Server and WebSphere Commerce to Sun ONE is nearly identical, on the WebSphere Application Server and WebSphere Commerce side, to the configuration performed for IBM Directory Server. The Sun ONE directory server will not allow the use of self-signed certificates, so the Certificate Authority's (CA) signer chain must be imported to the WebSphere Application Server and Portal Server keystores.
- On the WebSphere Commerce machine, import the certificate into the cacerts keystore file.
  - Open a command window and change directory to WAS_installdir/bin.
  - Launch the IKeyMan utility by typing ikeyman, ikeyman.exe or ikeyman.sh, depending on your operating system.
  - In IKeyMan, click Open, leave the Key database type as JKS and choose the cacerts key store under the WAS_installdir/java/jre/lib/security directory. The default password for the key store is changeit.
  - Select Signer Certificates. Click Add.
  - Select the data type that matches the certificate you created on your Active Directory server (either Binary DER data or Base64-encoded ASCII data).
  - Locate the certificate file (for example, certnew.cer), then click Ok.
  - Type a name for the certificate. Click Ok to finish.
- Import the certificate to the DummyServerTrustFile.jks.
  - In IKeyMan, click Open, leave the Key database type as JKS and choose DummyServerTrustFile.jks under the WAS_installdir\etc directory. The default password for the key store is WebAS.
  - Choose Signer Certificates. Click Add.
  - Select the data type that matches the certificate you created (either Binary DER data or Base64-encoded ASCII data).
  - Locate the certificate file certnew.cer, then click Ok.
  - Type a name for the certificate. Click Ok.
- Extract the certificate from the DummyServerKeyFile.jks using the IKeyMan tool. Then add the certificate to the cacerts file.
  - In IKeyMan, click Open, leave the Key database type as JKS and choose DummyServerKeyFile.jks under the WAS_installdir\etc directory. The default password for the key store is WebAS.
  - Click Extract Certificate, and save the certificate to a file, for example, cert.arm.
  - Click Open, leave the Key database type as JKS and choose the cacerts key store under the WAS_installdir/java/jre/lib/security directory. The default password for the key store is changeit.
  - Choose Signer Certificates and click Add.
  - Select the data type that matches the certificate you extracted above (either Binary DER data or Base64-encoded ASCII data).
  - Locate the certificate file cert.arm, then click Ok.
  - Type a name for the certificate and click Ok.
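The three keystore steps above (import the directory's signer certificate into cacerts and into DummyServerTrustFile.jks, then extract the certificate from DummyServerKeyFile.jks and add it to cacerts) are shown below as an added example, not IBM's code or part of this documentation. It uses the JDK keytool that ships with WebSphere's Java in place of the IKeyMan GUI, and adds the check a practitioner wants afterwards: an openssl s_client handshake against the directory's SSL port, verified with the same certificate file. Keystore paths and the default passwords changeit and WebAS are the ones the page states; the WAS_installdir default, the LDAP host name, the signer labels ldapsigner and wasdummy, and the alias of the personal certificate inside DummyServerKeyFile.jks are assumptions to adjust to your installation.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): the IKeyMan keystore steps
# done with the JDK's keytool, followed by an LDAPS handshake check.
set -eu

WAS_installdir="${WAS_installdir:-/opt/WebSphere/AppServer}"   # assumed; override via env
CACERTS="$WAS_installdir/java/jre/lib/security/cacerts"
CACERTS_PASS="changeit"                                       # default password per the doc
TRUSTFILE="$WAS_installdir/etc/DummyServerTrustFile.jks"
KEYFILE="$WAS_installdir/etc/DummyServerKeyFile.jks"
DUMMY_PASS="WebAS"                                            # default password per the doc
KEYFILE_ALIAS="${KEYFILE_ALIAS:-default}"                     # assumed; confirm with keytool -list

# Report whether a certificate file is Base64-encoded ASCII (PEM, what IKeyMan
# writes as .arm) or binary DER: the same choice the IKeyMan dialog asks for.
cert_format() {
  if head -c 27 "$1" | grep -q -e '^-----BEGIN CERTIFICATE-----'; then
    echo base64
  else
    echo der
  fi
}

# Add a signer certificate to a JKS keystore. keytool accepts both DER and
# Base64 input, so no data-type selection is needed. Skips labels already present.
import_signer() {
  keystore=$1 storepass=$2 label=$3 certfile=$4
  if keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$label" >/dev/null 2>&1; then
    echo "signer '$label' already present in $keystore"
    return 0
  fi
  keytool -importcert -noprompt -keystore "$keystore" -storepass "$storepass" \
          -alias "$label" -file "$certfile"
}

# Extract a certificate from a keystore as Base64 (.arm), like IKeyMan's "Extract Certificate".
extract_cert() {
  keystore=$1 storepass=$2 label=$3 outfile=$4
  keytool -exportcert -rfc -keystore "$keystore" -storepass "$storepass" \
          -alias "$label" -file "$outfile"
}

# Confirm the directory answers on its SSL port with a certificate that chains
# to the file we trusted. openssl wants PEM, so DER input is converted first.
verify_ldaps() {
  host=$1 port=$2 cafile=$3
  pem=$cafile
  if [ "$(cert_format "$cafile")" = der ]; then
    pem=$(mktemp)
    openssl x509 -inform DER -in "$cafile" -out "$pem"
  fi
  openssl s_client -connect "$host:$port" -CAfile "$pem" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

main() {
  certfile=$1 ldaphost=$2 ldapport=${3:-636}
  import_signer "$CACERTS" "$CACERTS_PASS" ldapsigner "$certfile"   # signer -> cacerts
  import_signer "$TRUSTFILE" "$DUMMY_PASS" ldapsigner "$certfile"   # signer -> DummyServerTrustFile.jks
  extract_cert "$KEYFILE" "$DUMMY_PASS" "$KEYFILE_ALIAS" cert.arm   # DummyServerKeyFile.jks -> cert.arm
  import_signer "$CACERTS" "$CACERTS_PASS" wasdummy cert.arm        # cert.arm -> cacerts
  if verify_ldaps "$ldaphost" "$ldapport" "$certfile"; then
    echo "LDAPS handshake to $ldaphost:$ldapport verified against $certfile"
  else
    echo "LDAPS verification to $ldaphost:$ldapport failed" >&2
    return 1
  fi
}

# Usage: sh ldaps_trust.sh certnew.cer ldap.example.com [636]
if [ $# -ge 2 ]; then
  main "$@"
fi
```

Run it as the user that owns the WebSphere installation so the keystores are writable, and restart WebSphere Application Server afterwards: the JVM reads cacerts and the dummy trust file at start-up, so an import alone does not change what the running server trusts. The final s_client check separates a keystore mistake from a directory-side SSL misconfiguration before you point WebSphere Commerce at port 636.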