This is to record the steps i used to switch LDAP repository in Websphere Application Server 7 and enabled LDAP over SSL.
Lets Start
Point your browser to the WAS console and login using admin account.
Add in the new LDAP server configurations
As i use a few repositories in my environment, i would be updating the repositories in the "Federated repositories" section.
Click on left column's link: Security -> Global Security -> Configure (the drop down box is pointed to "Federated repositories"
The page refreshed, look for "Manage repositories" -> Add
Fill the following.
- Repository identifier
- Directory type (here, i used IBM TDS)
- Primary hostname (put in IP, if you have the entry in /etc/hosts, can use hostname)
- Port (389 for a start. Later will be updated to 636)
- Bind DN (The account to connect to LDAP server)
Click Apply when you are done. Then Click Save. Wait for sync to finish and click OK.
If there is something wrong, WAS will complain.
i.e.
cannot reach the LDAP server. (ACL/firewall??)
wrong port
Bind DN is wrong
etc
Import LDAP server SSL
Store the SSL certificate as a flat file in the WAS server. You may need to convert the SSL certificate to "der" format and deposit the certificate to the deployment manager directory.
Create WAS Truststore
We will create the key store in WAS to store keys and certificate for LDAP. Idea is to separate key store for different functions.
By java definition, keystore is an object that holds personal certificate. truststore is a Java object that holds signer certificates. I gather we will only create the truststore since WAS security guide listed this step.
Click Security -> SSL Certificate and key management -> keystores and certificates
Then click New
Fill up the following
- Name (i used LDAPTruststore)
- Management scope (IBM security guide recommended cell level)
- Path (Where you want to store this key store)
- Password
Import the LDAP SSL certiticate into LDAPTruststore
From the breadcrumb of the previous step, Click on "LDAPTruststore" and Signer certificates.
Click Add
Fill up the following
- Alias (i used ldapcert)
- File Name (the path to the LDAP ssl certificate you put in previous step.)
Click Apply when you are done. Then Click Save. Wait for sync to finish and click OK
Creating SSL alias link to the Trust store
We will create Click Security -> SSL certificate and key management -> SSL configuration.
Click New
Fill up the following
- Name (I used LDAPSSLSettings)
- Trust store name (its LDAPTruststore)
- Key store name (its LDAPTruststore)
- Management Scope (Its Cell Level)
Click OK then Save then OK.
We are now ready to enable LDAP over SSL communication to LDAP server
Go back to the repository.
Click Security -> Global Security -> Configure (drop down bar should point to "Federated repositories")
When the page refreshed, Click "Manage repositories"
Fill up the following
- Port (change to 636)
Check the "Require SSL communication"
Choose the radio button "use specific SSL alias" and select LDAPSSLSettings from the drop down menu.
Click Apply when you are done. Then Click Save. Wait for sync to finish and click OK
Add the Base DN
Here, we need to configure from where in LDAP server we should make the queries.
Click Security -> Global Security -> Configure (drop down bar should point to "Federated repositories")
Click the "Add base entry to realm" button
Fill up the following
- Repository (Put in the name you used for "Repository identifier")
- OU (Put in the Base DN here)
Click Apply when you are done. Then Click Save. Wait for sync to finish and click OK
A little housekeeping
Removethe base DN for the old LDAP server.
Click on the base DN -> remove
Then Click Save. Wait for sync to finish and click OK
Click on Manage repositories
Check the old repository -> delete
Then Click Save. Wait for sync to finish and click OK
Restart AppSvr, NodeMgr and Dmgr
To be safe, i would prefer to restart everything and make sure i still can log in as administrator and the application would have no problem working with the new LDAP server.
Check the Dmgr logs, AppSvr logs for signs of errors.
A small test
Click on "users and groups" -> manage users
Search for some valid users and verify that they come from the new LDAP server.
Get the software team to verify too in case the problem is subtle enough not to be caught in the application logs.