LDAP directory servers, mainly used as an authentication repository, are often used to store sensitive information like passwords and other account details. If your ELM environment uses an external LDAP-based user repository, such as IBM Tivoli Directory Server or Microsoft Active Directory, you can configure it to communicate over a secure SSL channel.
This article assumes that you already have a working connection to an LDAP server.
Your LDAP server must be configured to accept SSL connections and be listening on the secure port (636). Refer to your LDAP server documentation if you need to create a signer certificate; as part of this task, that signer certificate must be exported from your LDAP server and imported into the trust store of the application server.
This article provides step-by-step instructions on configuring ELM with secure LDAP (LDAPS).
Liberty Server
*NOTE: Ensure you have a working LDAP configuration with CLM before enabling LDAP SSL.*
Reference: ConfigureLDAPforLibertyProfile
Configure secure LDAP in Liberty
- Enable Require SSL and update the LDAP port to the secure port in the ldapUserRegistry.xml file located in \server\liberty\servers\clm\conf\
NOTE: If you change any of the group or LDAP properties, the same changes must also be made in the application.xml file located in \server\liberty\servers\clm\conf\
Ensure that the features shown below are included in ldapUserRegistry.xml
Edit the LDAP configuration of the Liberty server in the ldapUserRegistry.xml file
Proceed with the next section to add the LDAP SSL certificate
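As an added example (not part of the original article or of IBM's product files), the following Python script checks a Liberty ldapUserRegistry.xml for the settings this section asks for: the ldapRegistry and ssl features, sslEnabled="true", port 636, and an sslRef that resolves to a real <ssl> element. The two embedded XML documents are constructed samples showing a plain-LDAP registry beside the same registry after enabling LDAPS; the host, realm, DNs and trust-store path are placeholders, and the "{xor}placeholder" passwords stand in for Liberty-encoded values. Point check_ldaps at the text of your own ldapUserRegistry.xml to run it against a real configuration.

```python
"""Check a Liberty ldapUserRegistry.xml for LDAPS-readiness (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: a plain-LDAP registry as it typically looks before
# this procedure. Not taken from any real deployment.
INSECURE_XML = """<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>
  <ldapRegistry id="ldap" realm="ELMRealm" host="ldap.example.test" port="389"
                ldapType="IBM Tivoli Directory Server"
                baseDN="ou=people,dc=example,dc=test"
                bindDN="cn=elmbind,dc=example,dc=test"
                bindPassword="{xor}placeholder"
                sslEnabled="false"/>
</server>"""

# Constructed sample: the same registry after enabling LDAPS. The ssl feature
# is added, the port moves to 636, and sslRef points at an <ssl> element whose
# trust store holds the LDAP server's signer certificate.
SECURE_XML = """<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
  <ldapRegistry id="ldap" realm="ELMRealm" host="ldap.example.test" port="636"
                ldapType="IBM Tivoli Directory Server"
                baseDN="ou=people,dc=example,dc=test"
                bindDN="cn=elmbind,dc=example,dc=test"
                bindPassword="{xor}placeholder"
                sslEnabled="true" sslRef="LDAPSSLSettings"/>
  <ssl id="LDAPSSLSettings" trustStoreRef="LDAPTrustStore"/>
  <keyStore id="LDAPTrustStore"
            location="${server.config.dir}/resources/security/ldap-trust.p12"
            type="PKCS12" password="{xor}placeholder"/>
</server>"""


def check_ldaps(xml_text):
    """Return a list of findings; an empty list means the registry is LDAPS-ready."""
    root = ET.fromstring(xml_text)
    findings = []

    # Both the ldapRegistry and ssl features must be enabled in featureManager.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if not any(f.startswith("ldapRegistry-") for f in features):
        findings.append("ldapRegistry feature missing from featureManager")
    if not any(f.startswith("ssl-") for f in features):
        findings.append("ssl feature missing from featureManager")

    # Collect the ids of <ssl> elements so dangling sslRef values can be reported.
    ssl_ids = {e.get("id") for e in root.iter("ssl")}

    registries = list(root.iter("ldapRegistry"))
    if not registries:
        findings.append("no ldapRegistry element found")
    for reg in registries:
        rid = reg.get("id", "?")
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(f"ldapRegistry {rid}: sslEnabled is not true")
        if reg.get("port") != "636":
            findings.append(f"ldapRegistry {rid}: port is {reg.get('port')} not 636")
        ssl_ref = reg.get("sslRef")
        if ssl_ref and ssl_ref not in ssl_ids:
            findings.append(f"ldapRegistry {rid}: sslRef {ssl_ref} has no matching ssl element")
    return findings


if __name__ == "__main__":
    for name, doc in (("insecure", INSECURE_XML), ("secure", SECURE_XML)):
        print(name, check_ldaps(doc) or "OK")
```

The check only reports configuration; it does not prove the trust store actually contains the LDAP server's signer certificate, which is what the next section adds. If sslRef is omitted, Liberty falls back to its default SSL configuration, so the script flags only an sslRef that points at nothing.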
Add LDAP SSL certificate
To configure secure LDAP, obtain the SSL signer certificate from the LDAP server
From the file explorer, navigate to \server\jre\bin and double-click ikeyman.exe
To open an existing keystore file, click on
Choose the Key database type from the drop-down and click Browse to select the key database file (.kdb). Enter the password and click OK to open the file
After the kdb is open, click on the drop-down and choose Signer Certificate
Click Add, browse to the signer certificate file (.arm) obtained from the LDAP server, then click OK to add the certificate
Proceed with the next section to configure secure LDAP in the JTS server
Alternatively, you can add the signer certificate from the command line: ikeycmd -cert -add -db <dbname.kdb> -type cms -pw <password> -label <label> -file <certfile.arm>
Configuring secure LDAP in the JTS server
NOTE: If you change any of the group or LDAP properties, the same changes must also be made here
Log in to https://clmexample.com:9443/jts/setup and proceed to the User Registry section
In the User Registry section, edit the LDAP host configuration to update the LDAP port to the secure port
Perform a test connection and ensure the LDAP configuration succeeds
Restart the Liberty server
WebSphere Application Server
NOTE: Ensure you have a working LDAP configuration with CLM before enabling LDAP SSL.
Configure secure LDAP in WAS
Enable Require SSL
Change the LDAP port to the secure port
Add LDAP SSL certificate
Log in to the WebSphere Application Server Administration Console and navigate to Security > SSL certificate and key management
Click on Key stores and certificates
Click on NodeDefaultTrustStore
Click on Signer certificates
Click Retrieve from port to retrieve the LDAP SSL certificate from the LDAP server
Enter the LDAPS server details and click on Retrieve signer information
Confirm the SSL certificate for LDAPS Server is retrieved and then click OK
Click on Save
Proceed with the next section to configure secure LDAP in the JTS server
Configuring secure LDAP in the JTS server
NOTE: If you change any of the group or LDAP properties, the same changes must also be made here
Log in to https://clmexample.com:9443/jts/setup and proceed to the User Registry section
In the User Registry section, edit the LDAP host configuration to update the LDAP port to the secure port
Perform a test connection and ensure the LDAP configuration succeeds
Proceed with the next section to remap group mappings in WAS
Remap Security Group Mappings in WAS
Log in to the WAS Administration Console
Remove and re-add the user/group mappings under Security role to user/group mapping for each of the CLM/ELM applications (the WAR files)