r9 - 2020-03-17 - 12:11:10 - BharathRao

Configure Secure LDAP with Liberty and WebSphere for ELM Applications

Authors: BharathRao, ShradhaSrivastav
Build basis: 6.0.1 to 6.0.6.1

LDAP directory servers are commonly used as an authentication repository and often store sensitive information such as passwords and other account details. They are used mostly by medium-to-large organizations. Because ELM/CLM supports LDAP, you can reuse an existing LDAP directory server to authenticate and authorize users who access data in the applications.
From an IT security perspective, connectivity between the ELM applications and the LDAP server can be made reliable and secure by using SSL. This article provides a step-by-step guide to configuring ELM with secure LDAP (LDAPS).


Liberty Server

NOTE: Ensure you have a working LDAP configuration with CLM before enabling LDAP SSL.

Configure LDAPS in Liberty

- Enable Require SSL and change the LDAP port to the secure port in the ldapUserRegistry.xml file located in \server\liberty\servers\clm\conf\

NOTE: If any group or LDAP properties are changed, the same changes must also be made in the application.xml file located in \server\liberty\servers\clm\conf\

  1. Ensure that the features shown below are included in ldapUserRegistry.xml

    (screenshot: Picture15.png)

  2. Edit the LDAP configuration of the Liberty server in the ldapUserRegistry.xml file

    (screenshot: Picture16.png)

  3. Proceed with the next section to add LDAP SSL certificate
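The following ldapUserRegistry.xml fragment is an added example of the two edits described above (Require SSL and the secure port), shown as the clear-text configuration beside the secured one; it is not the page's or the product's own file. The host, DNs, realm, LDAP type, trust store path, passwords and the defaultKeyStore id are assumed placeholders.

```xml
<!-- ldapUserRegistry.xml: added example. All host names, DNs, paths and
     passwords below are placeholders, not values from the deployment. -->
<server>
    <!-- Both features are needed: ldapRegistry for the registry itself,
         ssl for the sslRef used by the secured registry. -->
    <featureManager>
        <feature>ldapRegistry-3.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- Trust store that holds the LDAP server's signer certificate
         (the .arm file imported in the next section). Location, type and
         password are assumptions for this example. -->
    <keyStore id="LDAPTrustStore"
              location="${server.config.dir}/resources/security/ldap-trust.jks"
              type="JKS" password="changeit" />

    <!-- keyStoreRef assumes the server's default key store id; the trust
         store is what actually validates the LDAP server certificate. -->
    <ssl id="LDAPSSLSettings"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="LDAPTrustStore" />

    <!-- BEFORE: clear-text LDAP on port 389. Credentials and directory
         queries cross the network unencrypted. Kept here commented out. -->
    <!--
    <ldapRegistry id="ldap" realm="defaultRealm"
                  host="ldap.example.com" port="389"
                  ldapType="IBM Tivoli Directory Server"
                  baseDN="dc=example,dc=com"
                  bindDN="cn=binduser,dc=example,dc=com"
                  bindPassword="secret" />
    -->

    <!-- AFTER: Require SSL enabled (sslEnabled="true", pointing at the
         SSL configuration above) and the port changed to the secure
         port 636. Encode bindPassword with securityUtility encode
         rather than leaving it in clear text. -->
    <ldapRegistry id="ldap" realm="defaultRealm"
                  host="ldap.example.com" port="636"
                  ldapType="IBM Tivoli Directory Server"
                  baseDN="dc=example,dc=com"
                  bindDN="cn=binduser,dc=example,dc=com"
                  bindPassword="secret"
                  sslEnabled="true" sslRef="LDAPSSLSettings" />
</server>
```

If the signer certificate is missing from the referenced trust store, the registry fails to connect at startup, which is the handshake failure the test connection in the JTS setup section is meant to surface.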

Add LDAP SSL certificate

  1. To configure LDAPS, obtain the SSL signer certificate from the LDAP server

  2. In the file explorer, navigate to \server\jre\bin and double-click ikeyman.exe

  3. To open an existing keystore file, click on:
    (screenshot: Picture10.png)

  4. Choose the key database type from the drop-down list and click Browse to select the key database file (.kdb). Enter the password and click OK to open the file
    (screenshot: Picture11.png)

  5. After the .kdb file is open, click the drop-down list and choose Signer Certificates
    (screenshot: Picture12.png)

  6. Click Add, browse to the signer certificate file (.arm) obtained from the LDAP server, and click OK to add the certificate
    (screenshot: Picture13.png)

  7. Proceed with the next section to configure secure LDAP in JTS server

Configuring LDAPS In JTS server

NOTE: If any group or LDAP properties were changed, the same changes must also be made here

  1. Log in to https://clmexample.com:9443/jts/setup and proceed to the User Registry section

  2. In the User Registry section, edit the LDAP host configuration to change the LDAP port to the secure port
    (screenshot: Picture14.png)

  3. Perform a test connection and ensure the LDAP configuration succeeds

  4. Restart the Liberty server


WebSphere Application Server

NOTE: Ensure you have a working LDAP configuration with CLM before enabling LDAP SSL.

Configure LDAPS in WAS

  1. Enable Require SSL

  2. Change the LDAP port to the secure port
    (screenshot: Picture1.png)

Add LDAP SSL certificate

  1. Log in to the WebSphere Application Server Administration Console and navigate to Security > SSL certificate and key management
    (screenshot: Picture2.png)

  2. Click Key stores and certificates
    (screenshot: Picture3.png)

  3. Click NodeDefaultTrustStore
    (screenshot: Picture4.png)

  4. Click Signer certificates
    (screenshot: Picture5.png)

  5. Click Retrieve from port to retrieve the LDAP SSL certificate from the LDAP server
    (screenshot: Picture6.png)

  6. Enter the LDAPS server details and click Retrieve signer information
    (screenshot: Picture7.png)

  7. Click OK
    (screenshot: Picture8.png)

  8. Click Save
    (screenshot: Picture9.png)

  9. Proceed with the next section to configure secure LDAP in JTS Server

Configuring LDAPS In JTS server

NOTE: If any group or LDAP properties were changed, the same changes must also be made here

  1. Log in to https://clmexample.com:9443/jts/setup and proceed to the User Registry section

  2. In the User Registry section, edit the LDAP host configuration to change the LDAP port to the secure port
    (screenshot: Picture14.png)

  3. Perform a test connection and ensure the LDAP configuration succeeds

  4. Proceed with the next section to remap group mappings in WAS

Remap Security Group Mappings in WAS

  1. Log in to the WAS Administration Console

  2. Under Security role to user/group mapping, remove and re-add the user/group mappings for each of the CLM/ELM application WAR files

  3. Restart WAS

Related topics: Configure LDAP for Liberty Profile, Deployment web home
