LDAP User Registry over SSL

Configure IBM® WebSphere® Portal to use a standalone LDAP user registry over SSL to store all user account information for secure authorization.

Perform the following steps to configure a standalone LDAP user registry over SSL:

Note: Use the wp_security_xxx.properties helper file, located in the wp_profile_root/ConfigEngine/config/helpers directory, when performing this task to ensure the correct properties are entered. In the instructions below, when a step refers to the wkplc.properties file, use your wp_security_xxx.properties helper file instead.
  1. Choose one of the following options to specify the LDAP server's SSL certificate in either the server trust store or the default client trust store:

    1. Choose one of the following to add the certificate to the server trust store:

      The following two options are available for adding the SSL certificate to the server trust store:

      Option: Add the certificate to the server trust store

      1. Log in to the WebSphere Application Server Administrative Console.

      2. Navigate to Security, SSL certificate and key management, SSL configurations.

      3. Click the appropriate SSL configuration from the list. For example,

        Stand-alone environments: NodeDefaultSSLSettings

        Clustered environments: CellDefaultSSLSettings

      4. Click Key stores and certificates.

      5. Click the appropriate trust store from the list. For example,

        Stand-alone environments: NodeDefaultTrustStore

        Clustered environments: CellDefaultTrustStore

      6. Click Signer certificates, click Add, and then enter the following information:

        Type the Alias the key store uses for the signer certificate.

        Type the File name where the signer certificate is located.

      7. Click OK and then click Save to save the changes to the master configuration.

      Option: Retrieve the certificate from the port

      1. Log in to the WebSphere Application Server Administrative Console.

      2. Navigate to Security, SSL certificate and key management, SSL configurations.

      3. Click the appropriate SSL configuration from the list. For example,

        Stand-alone environments: NodeDefaultSSLSettings

        Clustered environments: CellDefaultSSLSettings

      4. Click Key stores and certificates.

      5. Click the appropriate trust store from the list. For example,

        Stand-alone environments: NodeDefaultTrustStore

        Clustered environments: CellDefaultTrustStore

      6. Click Signer certificates, click Retrieve from port, and then enter the following information:

        Type the Host name used when attempting to retrieve the signer certificate from the SSL port.

        Type the SSL Port used when attempting to retrieve the signer certificate.

        Type the Alias the key store uses for the signer certificate.

        Clustered environments: Ensure the setting for SSL configuration for outbound connection matches your SSL settings.

      7. Click Retrieve signer information to retrieve the certificate from the port.

      8. Click OK and then click Save to save the changes to the master configuration.

    2. Add the certificate to the client trust store:

      • See Secure installation for client signer retrieval.

      • Run the retrieveSigners task from the wp_profile_root/bin directory; see retrieveSigners command for information. In a deployed environment, you will need to run the retrieveSigners task, for any federated node, against the Deployment Manager.

        Note: This task might report an error, but it does successfully update the trust store. You can ignore the error message.

        Example task:

        For stand-alone environments:

        retrieveSigners.bat NodeDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_number

        For clustered environments:

        retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype SOAP -port port_number

        When prompted, enter the following:

        Realm/Cell Name: name

        Username: user_ID

        Password: password

        The following message displays:

        CWPKI0308I: Adding signer alias "alias_name" to local keystore "ClientDefaultTrustStore" with the following SHA digest: ssl_certificate_fingerprint

      • Update the trust store properties file.

  2. Use a text editor to open the wkplc.properties file, located in the wp_profile_root\ConfigEngine\properties directory.

  3. Required: Enter a value for the following required parameters in the wkplc.properties file under the VMM Stand-alone LDAP configuration heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.

    standalone.ldap.id

    standalone.ldap.host

    standalone.ldap.port

    standalone.ldap.bindDN

    standalone.ldap.bindPassword

    standalone.ldap.ldapServerType

    standalone.ldap.userIdMap

    standalone.ldap.groupIdMap

    standalone.ldap.groupMemberIdMap

    standalone.ldap.userFilter

    standalone.ldap.groupFilter

    standalone.ldap.serverId

    standalone.ldap.serverPassword

    standalone.ldap.realm

    standalone.ldap.primaryAdminId

    standalone.ldap.primaryAdminPassword

    standalone.ldap.primaryPortalAdminId

    standalone.ldap.primaryPortalAdminPassword

    standalone.ldap.primaryPortalAdminGroup

    standalone.ldap.baseDN

  4. Required: Enter a value for the following required entity types parameters in the wkplc.properties file under the LDAP entity types heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.

    standalone.ldap.et.group.objectClasses

    standalone.ldap.et.group.objectClassesForCreate

    standalone.ldap.et.group.searchBases

    standalone.ldap.et.personaccount.objectClasses

    standalone.ldap.et.personaccount.objectClassesForCreate

    standalone.ldap.et.personaccount.searchBases

  5. Required: Enter a value for the following required group member parameters in the wkplc.properties file under the Group member attributes heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.

    standalone.ldap.gm.groupMemberName

    standalone.ldap.gm.objectClass

    standalone.ldap.gm.scope

    standalone.ldap.gm.dummyMember

  6. Required: Enter a value for the following required relative distinguished name (RDN) parameters in the wkplc.properties file under the Default parent, RDN attribute heading:

    Note: See the properties file for specific information about the required parameters and for advanced parameters.

    standalone.ldap.personAccountParent

    standalone.ldap.groupParent

    standalone.ldap.personAccountRdnProperties

    standalone.ldap.groupRdnProperties

  7. Enter a value for the following parameters to enable Secure Sockets Layer (SSL):

    Note: See the properties file for specific information about the required parameters and for advanced parameters.

    Required parameters:

    standalone.ldap.sslEnabled

    standalone.ldap.sslConfiguration

    Optional parameters:

    standalone.ldap.certificateMapMode

    standalone.ldap.certificateFilter

  8. Save your changes to the wkplc.properties file.

  9. Run the ./ConfigEngine.sh validate-standalone-ldap -DWasPassword=password task to validate your LDAP server settings.

    Attention: If you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in your LDAP user registry.

    Note: During the validation task, you may receive the following prompt: Add signer to the trust store now? Press y and then Enter.

  10. Run the ./ConfigEngine.sh wp-modify-ldap-security -DWasPassword=password task, from the wp_profile_root\ConfigEngine directory, to set the stand-alone LDAP user registry.

  11. Stop and restart the appropriate servers to propagate the changes. For specific instructions, see the following link under Related tasks: Starting and stopping servers, deployment managers, and node agents.

  12. Run the ./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=password task, from the wp_profile_root\ConfigEngine directory, to check that all defined attributes are available in the configured LDAP user registry.

    Important: When you finish configuring your LDAP user registry, see "Adapting the attribute configuration" for information about adding and mapping attributes to ensure proper communication between WebSphere Portal and the LDAP server.