Standalone LDAP over SSL
Configure IBM® WebSphere® Portal to use a standalone LDAP user registry over SSL to store all user account information for secure authorization.
In a single server environment the following task does not have a dependency on the server status; therefore, the WebSphere_Portal and server1 servers can be either stopped or started. In a clustered environment you must stop all application servers on the system including WebSphere_Portal and server1 and then start the nodeagent and deployment manager servers before starting the following task.
Perform the following steps to configure a standalone LDAP user registry over SSL:
Complete the following steps to add the SSL certificate for the LDAP server to the server trust store and the client trust store:
Choose one of the following to add the certificate to the server trust store:
The following table describes the options for adding the SSL certificate to the server trust store:
Option
Steps
Add the certificate to the server trust store
Log in to the WebSphere Application Server Administrative Console.
Navigate to Security -> SSL certificate and key management -> SSL configurations.
Click the appropriate SSL configuration from the list. For example,
Stand-alone environments:NodeDefaultSSLSettings Clustered environments: CellDefaultSSLSettings
Click Key stores and certificates.
Click the appropriate trust store from the list. For example,
Stand-alone environments: NodeDefaultTrustStore Clustered environments: CellDefaultTrustStore
Click Signer certificates, click Add, and then enter the following information:
Type the Alias the key store uses for the signer certificate. Type the File name where the signer certificate is located.
Click OK and then click Save to save the changes to the master configuration.
Retrieve the certificate from the port
Log in to the WebSphere Application Server Administrative Console.
Navigate to Security -> SSL certificate and key management -> SSL configurations.
Click the appropriate SSL configuration from the list. For example,
Stand-alone environments:NodeDefaultSSLSettings Clustered environments: CellDefaultSSLSettings
Click Key stores and certificates.
Click the appropriate trust store from the list. For example,
Stand-alone environments: NodeDefaultTrustStore Clustered environments: CellDefaultTrustStore
Click Signer certificates, click Retrieve from port, and then enter the following information:
Type the Host name used when attempting to retrieve the signer certificate from the SSL port. Type the SSL Port used when attempting to retrieve the signer certificate. Type the Alias the key store uses for the signer certificate. Clustered environments: Ensure the setting for SSL configuration for outbound connection matches your SSL settings.
Click Retrieve signer information to retrieve the certificate from the port.
Click OK and then click Save to save the changes to the master configuration.
Add the certificate to the client trust store:
See "Secure installation for client signer retrieval."
Run the retrieveSigners task from the wp_profile_root/bin directory; see retrieveSigners command for information. In a deployed environment, you will need to run the retrieveSigners task, for any federated node, against the Deployment Manager.
Note: This task might report an error, but it does successfully update the trust store. You can ignore the error message.Example task:
Stand-alone environments
retrieveSigners.sh NodeDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_number
Clustered environments
retrieveSigners.sh CellDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_number
When prompted, enter the following:
Realm/Cell Name: name
Username: user_ID
Password: password
The following message displays: CWPKI0308I: Adding signer alias “alias_name" to local keystore “ClientDefaultTrustStore" with the following SHA digest: ssl_certificate_fingerprint
Update the trust store properties file.
Clustered environments:
Perform the following steps on the primary node then resynchronize through the Deployment Manager to propagate the changes.
Check each node to ensure that ssl.client.props contains the same values as on the primary node. If the values in ssl.client.props are not identical for a particular node, restart that server to synchronize the changes.
Open ssl.client.props with any text editor in the following directory: wp_profile_root/properties
Change the com.ibm.ssl.trustStore parameter and the related trust store parameters to match the trust file specified in the SSL configuration. For example,
Stand-alone environments:
To use the default trust store, enter the following: com.ibm.ssl.trustStore=wp_profile_root\\config\\cells\\cell_name\\nodes\\node_name\\trust.p12
Clustered environments:
To use the default trust store, enter the following: com.ibm.ssl.trustStore=wp_profile_root/config/cells/cell_name/trust.p12
Save your changes.
Use a text editor to open the wkplc.properties file, located in the wp_profile_root/ConfigEngine/properties directory.
Required: Enter a value for the following required parameters in the wkplc.properties file under the VMM Stand-alone LDAP configuration heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.standalone.ldap.id standalone.ldap.host standalone.ldap.port standalone.ldap.bindDN standalone.ldap.bindPassword standalone.ldap.ldapServerType standalone.ldap.userIdMap standalone.ldap.groupIdMap standalone.ldap.groupMemberIdMap standalone.ldap.userFilter standalone.ldap.groupFilter standalone.ldap.serverId standalone.ldap.serverPassword standalone.ldap.realm standalone.ldap.primaryAdminId standalone.ldap.primaryAdminPassword standalone.ldap.primaryPortalAdminId standalone.ldap.primaryPortalAdminPassword standalone.ldap.primaryPortalAdminGroup standalone.ldap.baseDN
Required: Enter a value for the following required entity types parameters in the wkplc.properties file under the LDAP entity types heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.standalone.ldap.et.group.objectClasses standalone.ldap.et.group.objectClassesForCreate standalone.ldap.et.group.searchBases standalone.ldap.et.personaccount.objectClasses standalone.ldap.et.personaccount.objectClassesForCreate standalone.ldap.et.personaccount.searchBases
Required: Enter a value for the following required group member parameters in the wkplc.properties file under the Group member attributes heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.standalone.ldap.gm.groupMemberName standalone.ldap.gm.objectClass standalone.ldap.gm.scope standalone.ldap.gm.dummyMember
Required: Enter a value for the following required relative distinguished name (RDN®) parameters in the wkplc.properties file under the Default parent, RDN attribute heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.standalone.ldap.personAccountParent standalone.ldap.groupParent standalone.ldap.personAccountRdnProperties standalone.ldap.groupRdnProperties
Enter a value for the following parameters to enable Secure Socket Layers (SSL):
Note: See the properties file for specific information about the required parameters and for advanced parameters.Required parameters:
standalone.ldap.sslEnabled standalone.ldap.sslConfiguration
Optional parameters:
standalone.ldap.certificateMapMode standalone.ldap.certificateFilter
Save your changes to the wkplc.properties file.
Run the ConfigEngine.sh validate-standalone-ldap -DWasPassword=password task to validate your LDAP server settings.
Attention: If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in your LDAP user registry.Note: During the validation task, you may receive the following prompt: Add signer to the trust store now?. Press y and then Enter.Run the ConfigEngine.sh wp-modify-ldap-security -DWasPassword=password task, from thewp_profile_root/ConfigEngine directory, to set the standalone LDAP user registry.
Stop and restart the appropriate servers to propagate the changes. For specific instructions, see the following link under Related tasks:
Starting and stopping servers, deployment managers, and node agents.
Run the ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=password task, from thewp_profile_root/ConfigEngine directory, to check that all defined attributes are available in the configured LDAP user registry.
Important: When you finish configuring your LDAP user registry, see "Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.
After installing IBM® WebSphere® Portal and configuring your LDAP user registries, you can query the defined attributes to see what attributes are flagged as unsupported or if the attribute is mapped to a different LDAP attribute.
Run the ConfigEngine.sh wp-query-attribute-config -DWasPassword=password task, from thewp_profile_root/ConfigEngine directory, any time during the configuration process or at runtime to query an overview of the currently defined attributes. This task creates the availableAttributes.html report, located in the wp_profile_root/ConfigEngine/logdirectory. The report contains one table that lists the available attributes for Users (PersonAccount) and one table that lists the available attributes for Groups. For each configured repository there is a column that indicates if the attribute is flagged as unsupported or if the attribute is mapped to a different LDAP attribute.
The VMM is configured with a default attribute schema that might not be compatible with your LDAP server. If this is the case, extend the VMM attribute schema by adding new attributes that you can map between IBM® WebSphere® Portal and your user registry.
Perform the following steps to add new attributes to your user registry:
Install the required Enterprise Archive (.ear) file on WebSphere Application Server.
Open a command prompt.
Navigate to the wp_profile_root/ConfigEngine directory.
Run the ConfigEngine.sh wp-la-install-ear -DWasPassword=password task.
Stop and restart the appropriate servers to propagate the changes. For specific instructions, see the following link under Related tasks: Starting and stopping servers, deployment managers, and node agents.
Use a text editor to open the wkplc.properties file, located in the wp_profile_root/ConfigEngine/properties directory.
Enter a value for the following required parameters in the wkplc.properties file under the VMM Property Extension Properties heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.la.providerURL la.propertyName la.entityTypes la.dataType la.multiValued
Save your changes to the wkplc.properties file.
Run the ConfigEngine.sh wp-add-property -DWasPassword=password task to add the attribute to the user registry.
Note:This task performs an EJB call to WebSphere Application Server, which must authenticate against WebSphere Application Server. Depending on the configuration in the sas.client.props file, you may receive a popup window or a command line prompt asking for user identity and password. Enter the WebSphere Application Server user ID and password.
Remember, if you have multiple properties to add, repeat all steps, except for the wp-la-install-ear task, until all new attributes are added.
Stop and restart the appropriate servers to propagate the changes.
After you install and configure your LDAP user registry and after you query the defined attributes, you can map the attributes so they match the configured LDAP servers and your business needs.
Perform the following steps to map attributes between WebSphere Portal and your LDAP server; if you have multiple LDAP servers, you will need to perform these steps for each LDAP server:
Use a text editor to open the wkplc.properties file, located in the wp_profile_root/ConfigEngine/properties directory.
Enter a value for one of the following sets of parameters in the wkplc.properties file to identify your LDAP server:
Note: Make sure you use the same values you used to configure your LDAP server.The following table contains information on how to identify your LDAP server in the wkplc.properties file:
Repository type
Parameters
Stand-alone
The following parameters are found under the LDAP attribute configuration heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.
standalone.ldap.id standalone.ldap.host standalone.ldap.port standalone.ldap.sslEnabled standalone.ldap.bindDN standalone.ldap.bindPassword standalone.ldap.baseDN
Run one of the following tasks to check that all defined attributes are available in the configured LDAP user registry.
The following table describes the task to check that all defined attributes are available in the configured LDAP user registry.
Repository type
Task
Stand-alone
ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=password task, from the wp_profile_root/ConfigEngine directory.
Open the ConfigTrace.log file, located in the wp_profile_root\\ConfigEngine\\log directory, to review the following output for the PersonAccount and Group entity type:
The following attributes are defined in WebSphere Portal but not in the LDAP server:
This list contains all attributes that are defined in WebSphere Portal but not available in the LDAP. Flag attributes that you do not plan to use in WebSphere Portal as unsupported. Map the attributes that you plan to use to the attributes that exist in the LDAP; you must also map the uid, cn, firstName, sn, preferredLanguage, and ibm-primaryEmail attributes if they are contained in the list.
The following attributes are flagged as required in the LDAP server but not in WebSphere Portal:
This list contains all attributes that are defined as “MUST" in the LDAP server but not as required in WebSphere Portal. You should flag these attributes as required within WebSphere Portal; see the step below about flagging an attribute as either unsupported or required.
The following attributes have a different type in WebSphere Portal and in the LDAP server:
This list contains all attributes that WebSphere Portal might ignore because the data type within WebSphere Portal and within the LDAP server do not match.
Use a text editor to open the wkplc.properties file, located in the wp_profile_root/ConfigEngine/properties directory.
Enter a value for one of the following sets of parameters in the wkplc.properties file to correct any issues found in the config trace file.
The following table describe the parameters that you can define in the wkplc.properties file to correct any issues found in the config trace file.
Repository type
Parameters
Stand-alone
The following parameters are found under the LDAP attribute configuration heading:
Note: See the properties file for specific information about the required parameters and for advanced parameters.
standalone.ldap.id standalone.ldap.attributes.nonSupported standalone.ldap.attributes.nonSupported.delete standalone.ldap.attributes.mapping.ldapName standalone.ldap.attributes.mapping.portalName standalone.ldap.attributes.mapping.entityTypes
For example, the following values will flag certificate and members as unsupported attributes and will map ibm-primaryEmail to mail and ibm-jobTitle to title for both the PersonAccount andGroup entityTypes:
standalone.ldap.attributes.nonSupported=certificate, members standalone.ldap.attributes.nonSupported.delete= standalone.ldap.attributes.mapping.ldapName=mail, title standalone.ldap.attributes.mapping.portalName=ibm-primaryEmail, ibm-jobTitle standalone.ldap.attributes.mapping.entityTypes=PersonAccount, Group
standalone.ldap.attributes.nonSupported=certificate, members
standalone.ldap.attributes.nonSupported.delete=
standalone.ldap.attributes.mapping.ldapName=mail, title
standalone.ldap.attributes.mapping.portalName=ibm-primaryEmail, ibm-jobTitle
standalone.ldap.attributes.mapping.entityTypes=PersonAccount, Group
Save your changes to the wkplc.properties file.
Run one of the following tasks to update the LDAP user registry configuration with the list of unsupported attributes and the proper mapping between WebSphere Portal and the LDAP user registry.
This table describes the task to update the LDAP user registry configuration with the list of unsupported attributes and the proper mapping between Portal and the LDAP user registry.
Repository type
Task
Stand-alone
ConfigEngine.sh wp-update-standalone-ldap-attribute-config -DWasPassword=password task, from the wp_profile_root/ConfigEngine directory
Stop and restart the appropriate servers to propagate the changes. For specific instructions, see the following link under Related tasks: Starting and stopping servers, deployment managers, and node agents.
Optional: Perform the following steps to flag an attribute as either unsupported or required for the entire WebSphere Portal environment instead of just for the specified LDAP:
Enter a value for the following required parameters in the wkplc.properties file:
Note: See the properties file for specific information about the required parameters and for advanced parameters.user.attributes.required
user.attributes.nonsupported
Save your changes to the wkplc.properties file.
Run the ConfigEngine.sh wp-update-attribute-config -DWasPassword=password task, from thewp_profile_root/ConfigEngine directory.
Stop and restart all necessary servers to propagate your changes.
Due to a Virtual Member Manager (VMM) limitation, there is currently no task to update an attribute. Therefore, if you added an attribute to your property extension database or when adapting attributes to match your LDAP server that were spelled incorrectly or already added due to migration, you must remove the attribute from the database. Use caution when performing these steps.
Perform the following steps to remove an attribute from your database:
Open the tool you use to edit your database.
Verify that your attribute name is available in the LAPROP table.
Delete the required attributes from the LAPROP table.
Open the wimxmlextension.xml file, located in the wp_profile_root/config/cells/cellname/wim/model directory.
Locate and delete the propertySchema definition for the attributes that you deleted from the LAPROP table; for example:
<wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="String" multiValued="true" propertyName="attribute_name"> <wim:applicableEntityTypeNames>PersonAccount</wim:applicableEntityTypeNames> </wim:propertySchema>
Save your changes to the wimxmlextension.xml file.
Open the wimconfig.xml file, located in the wp_profile_root/config/cells/cellname/wim/config directory.
Locate and delete the propertiesNotSupported definitions for the attributes that you deleted from the LAPROP table; for example:
<config:propertiesNotSupported name="attribute_name">
Save your changes to the wimconfig.xml file.
Stop and restart the server1 and WebSphere_Portal servers from the wp_profile_root/bin directory.
By default, WebSphere Portal is enabled for static groups. However, the Virtual Member Manager (VMM) allows users to be members of either static or dynamic groups. Static groups are those where a persistent binding exists between a group and its members. Dynamic groups are those where a search query is defined to retrieve the members of a group. If you have your LDAP server configured to use dynamic groups, complete the steps in this task for WebSphere Portal to use dynamic group queries when you setup your LDAP server.
Perform the required tasks to configure either a stand-alone or federated LDAP server security.
The steps in this task use groupOfURLs as the object class for dynamic groups and memberURL as the dynamic membership attribute. The actual values for object classes and dynamic membership attributes can vary depending on your LDAP server. For this reason, you should export an LDIF file to verify the object classes and dynamic membership attributes. Either refer to your LDAP documentation or ask your LDAP administrator for instructions on exporting an LDIF file.
Clustered environments: Perform the following steps on the Deployment Manager then synchronize the nodes.
To configure WebSphere Portal to use dynamic groups, do the following:
Choose the appropriate set of steps, depending on your LDAP server environment:
This table describes the steps for enabling dynamic groups:
LDAP server environment
Steps to perform
Stand-alone LDAP server or federated LDAP server(s)
Navigate to the following directory: wp_profile_root/cells/cell_name/wim/config.
Locate and open wimconfig.xml with any text editor.
Add the following line to the <config:groupConfiguration>tag:
<config:dynamicMemberAttributes name="memberurl" objectClass="groupofurls"/>
Stop and restart the appropriate servers to propagate the changes.
Referrals redirect object requests from one LDAP server to another when objects do not exist or cannot be located in a particular directory tree. You should enable referrals if your environment has more than one user registry existing on multiple servers or domains.
To configure your portal to use LDAP referrals, do the following:
Use any text editor to open the wkplc.properties file in the following directory: wp_profile_root/ConfigEngine/properties.
Specify values for the following parameters:
et.ldap.id=ID_of_your_LDAP_server
et.ldap.host=hostname_of_your_LDAP_server
et.ldap.referral=follow
Save and close wkplc.properties.
Run the following task from the wp_profile_root/ConfigEngine directory to create an LDAP entity type:
UNIX: ./ConfigEngine.sh wp-update-et-ldap -DWasPassword=password Windows: ConfigEngine.bat wp-update-et-ldap -DWasPassword=password i: ConfigEngine.sh wp-update-et-ldap -DWasPassword=password
Stop and restart the appropriate servers to propagate the changes.