Revision 14 - 2022-05-09 - 07:41:48 - KrzysztofKazmierczyk
---+!! Configure Secure LDAP with Liberty and !WebSphere for ELM Applications
Authors: Main.BharathRao, Main.ShradhaSrivastav
Build basis: 6.0.1 and above

LDAP directory servers, mainly used as an authentication repository, often store sensitive information such as passwords and other account details. If your ELM environment uses an external LDAP-based user repository, such as IBM Tivoli Directory Server or Microsoft Active Directory, you can configure it to communicate over a secure SSL channel. This article assumes that you already have a working connection to an LDAP server. Your LDAP server must be configured to accept SSL connections and be listening on the secured port (636). Refer to your LDAP server documentation if you need to create a signer certificate; as part of this task, that certificate must be exported from your LDAP server and imported into the trust store of the application server.

This article provides step-by-step instructions for configuring ELM with secure LDAP (LDAPS).

---++ !Liberty Server

*NOTE: Ensure you have a working LDAP configuration with CLM before enabling LDAP SSL.*

Reference: ConfigureLDAPforLibertyProfile

---+++ Configure secure LDAP in Liberty

Enable *Require SSL* and update the *LDAP Port* to the secure port in the ldapUserRegistry.xml file located in <JazzTeamServer>\server\liberty\servers\clm\conf\

*NOTE: Any changes made to the group / LDAP properties must also be corrected in the application.xml file located in <JazzTeamServer>\server\liberty\servers\clm\conf\*

   a. Ensure that the features shown below are included in ldapUserRegistry.xml
   <img src="%ATTACHURLPATH%/Picture15.png" alt="Picture15.png" width="939" height="72" />
   a. Edit the LDAP configuration of the Liberty server in the ldapUserRegistry.xml file
   <img src="%ATTACHURLPATH%/Picture16.png" alt="Picture16.png" width="939" height="230" />
   a. Proceed with the next section to add the LDAP SSL certificate

---+++ Add LDAP SSL certificate

   a. To configure secure LDAP, obtain the SSL signer certificate from the LDAP server
   a. In the file explorer, navigate to <JazzTeamServer>\server\jre\bin and double-click ikeyman.exe
   a. To open an existing keystore file, click on
   <img src="%ATTACHURLPATH%/Picture10.png" alt="Picture10.png" width="400" height="100" />
   a. Choose the key database type from the drop-down and click Browse to select the key database file (kdb). Enter the password and click OK to open the file
   <img src="%ATTACHURLPATH%/Picture11.png" alt="Picture11.png" width="450" height="130" />
   a. After the kdb is open, click on the drop-down and choose Signer Certificates
   <img src="%ATTACHURLPATH%/Picture12.png" alt="Picture12.png" width="600" height="200" />
   a. Click Add and browse to the signer certificate file (.arm) obtained from the LDAP server, then click OK to add the certificate
   <img src="%ATTACHURLPATH%/Picture13.png" alt="Picture13.png" width="600" height="200" />
   a. Proceed with the next section to configure secure LDAP in the JTS server

Alternatively, you can add the signer certificate to the key database from the command line (replace the bracketed names with your own files):

=ikeycmd -cert -add -db <dbname.kdb> -type kdb -file <certfile.arm>=

---+++ Configuring secure LDAP in the JTS server

*NOTE: Any changes made to the group / LDAP properties must also be corrected here*

   a. Log in to !https://clmexample.com:9443/jts/setup and proceed to the User Registry section
   a. In the User Registry section, edit the LDAP host configuration to update the LDAP port to the secure port
   <img src="%ATTACHURLPATH%/Picture14.png" alt="Picture14.png" width="681" height="203" />
   a. Perform a test connection and ensure that the LDAP configuration succeeds
   a. Restart the Liberty server

---++ !WebSphere Application Server

*NOTE: Ensure you have a working LDAP configuration with CLM before enabling LDAP SSL.*

---+++ Configure secure LDAP in WAS

   a. Enable Require SSL
   a. Change the LDAP port to the secure port
   <img src="%ATTACHURLPATH%/Picture1.png" alt="Picture1.png" width="732" height="496" />

---+++ Add LDAP SSL certificate

   a. Log in to the !WebSphere Application Server administrative console and navigate to Security > SSL certificate and key management
   <img src="%ATTACHURLPATH%/Picture2.png" alt="Picture2.png" width="375" height="130" />
   a. Click Key stores and certificates
   <img src="%ATTACHURLPATH%/Picture3.png" alt="Picture3.png" width="735" height="260" />
   a. Click !NodeDefaultTrustStore
   <img src="%ATTACHURLPATH%/Picture4.png" alt="Picture4.png" width="535" height="388" />
   a. Click Signer certificates
   <img src="%ATTACHURLPATH%/Picture5.png" alt="Picture5.png" width="735" height="180" />
   a. Click Retrieve from port to retrieve the LDAP SSL certificate from the LDAP server
   <img src="%ATTACHURLPATH%/Picture6.png" alt="Picture6.png" width="802" height="145" />
   a. Enter the LDAPS server details and click Retrieve signer information
   <img src="%ATTACHURLPATH%/Picture7.png" alt="Picture7.png" width="735" height="337" />
   a. Confirm that the SSL certificate of the LDAPS server has been retrieved, then click OK
   a. Click Save
   <img src="%ATTACHURLPATH%/Picture9.png" alt="Picture9.png" width="681" height="203" />
   a. Proceed with the next section to configure secure LDAP in the JTS server

---+++ Configuring secure LDAP in the JTS server

*NOTE: Any changes made to the group / LDAP properties must also be corrected here*

   a. Log in to !https://clmexample.com:9443/jts/setup and proceed to the User Registry section
   a. In the User Registry section, edit the LDAP host configuration to update the LDAP port to the secure port
   <img src="%ATTACHURLPATH%/Picture14.png" alt="Picture14.png" width="681" height="203" />
   a. Perform a test connection and ensure that the LDAP configuration succeeds
   a. Proceed with the next section to remap the group mappings in WAS

---+++ Remap Security Group Mappings in WAS

   a. Log in to the WAS administrative console
   a. Remove and re-add the user/group mappings under Security role to user/group mapping for each of the CLM/ELM applications: [[https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.rational.pe.install.doc%2Ftopics%2Ft_auth_ldap_MS_ADS.html][Remap war files]]
   a. Restart WAS

---+++++!! Related topics: [[ConfigureLDAPforLibertyProfile][Configure LDAP for Liberty Profile]], [[DeploymentWebHome][Deployment web home]]

---+++++!! External links:
   * [[https://www.ibm.com][IBM]]
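The Liberty steps above change two things in ldapUserRegistry.xml (Require SSL and the secure port) and rely on the SSL feature being loaded. The following pre-flight check is an added example, not code from this wiki page or from IBM: it parses the registry file and reports anything still left at the insecure values before you restart the server. The ldapRegistry attribute names (sslEnabled, port, sslRef) and the ldapRegistry-3.0 / ssl-1.0 feature names are Liberty's; the two sample configurations are constructed here.

```python
# Added example: pre-flight check of a Liberty ldapUserRegistry.xml for the
# settings the article changes. Sample configs below are constructed, not
# taken from any real deployment.
import xml.etree.ElementTree as ET

LDAPS_PORT = 636
REQUIRED_FEATURES = {"ldapRegistry-3.0", "ssl-1.0"}   # assumed Liberty features for LDAP over SSL

def check_ldap_registry(xml_text: str) -> list:
    """Return a list of findings; an empty list means the file is LDAPS-ready."""
    root = ET.fromstring(xml_text)
    findings = []
    # Features are declared as <feature>name</feature> under <featureManager>.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for missing in sorted(REQUIRED_FEATURES - features):
        findings.append(f"feature {missing} not enabled")
    registries = list(root.iter("ldapRegistry"))
    if not registries:
        return findings + ["no <ldapRegistry> element found"]
    for reg in registries:
        ident = reg.get("id", "?")
        ssl_on = reg.get("sslEnabled", "false").lower() == "true"
        if not ssl_on:
            findings.append(f"{ident}: sslEnabled is not true (Require SSL is off)")
        port = reg.get("port", "389")          # Liberty defaults to the plain LDAP port
        if port != str(LDAPS_PORT):
            findings.append(f"{ident}: port {port} is not the secure port {LDAPS_PORT}")
        if ssl_on and not reg.get("sslRef"):
            # Without sslRef the default SSL configuration (and its trust store) is used,
            # so the signer certificate must have been imported into that trust store.
            findings.append(f"{ident}: sslEnabled without sslRef, default SSL config will be used")
    return findings

# Constructed "before" (plain LDAP on 389) and "after" (LDAPS on 636) configurations.
INSECURE_CFG = """<server>
  <featureManager><feature>ldapRegistry-3.0</feature></featureManager>
  <ldapRegistry id="ldap" host="ldap.example.com" port="389" sslEnabled="false"
      baseDN="dc=example,dc=com"/>
</server>"""

SECURE_CFG = """<server>
  <featureManager><feature>ldapRegistry-3.0</feature><feature>ssl-1.0</feature></featureManager>
  <ldapRegistry id="ldap" host="ldap.example.com" port="636" sslEnabled="true"
      sslRef="defaultSSLConfig" baseDN="dc=example,dc=com"/>
</server>"""

if __name__ == "__main__":
    for name, cfg in (("before", INSECURE_CFG), ("after", SECURE_CFG)):
        print(name, check_ldap_registry(cfg) or ["OK"])
```

Run it against the real <JazzTeamServer>\server\liberty\servers\clm\conf\ldapUserRegistry.xml by reading the file into a string and passing it to check_ldap_registry.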