Setting up LDAP over SSL
You can configure WebSphere Application Server and WebSphere Commerce to access your LDAP directory over SSL to ensure the confidentiality of the data, for example passwords, exchanged between WebSphere Application Server, the WebSphere Commerce Server, and your LDAP server. This is mandatory for some LDAP servers, for example Microsoft Active Directory and Novell eDirectory. Configuring LDAP over SSL is a separate operation from configuring the HTTP Server to accept incoming browser requests over HTTPS.
Before you begin
Before setting up LDAP over SSL ensure you have met the following prerequisite:
- Installed WebSphere Commerce
Procedure
- Generate or import certificates as necessary and activate SSL on the directory server. This step varies depending on the LDAP server you are using.
- IBM Directory Server: IBM Directory Server can use either self-signed certificates or signing certificates signed by a CA (Certificate Authority) to enable LDAP over SSL. IBM Directory Server includes a security key management utility, such as gsk6ikm, which can be used to generate a self-signed certificate or to import purchased certificates into the IBM Directory Server keystore. Consult the IBM Directory Server documentation for the details of how to import a CA certificate or create a self-signed certificate in a key database file and extract that certificate so that it can be moved to WebSphere Application Server and WebSphere Commerce. A brief overview of the steps to create a self-signed certificate is below:
- Activate the security key management utility. For example, gsk6ikm.
- Open an existing CMS Key Database file, if your directory server is already configured for SSL, or create a new CMS Key Database file. If you open an existing file, you must provide the password for that file. If you create a new file, you are asked to supply a password to secure access to that file. Remember this password.
- Within that CMS Key Database file, create a new self-signed certificate, using X.509 Version 3 format and 1024-bit key size. Give the certificate a label. Remember this label.
- Extract the new self-signed certificate as a certificate file using Base64-encoded ASCII data as the data type. This will save the certificate to a filename of your choice with an extension of .arm.
- If it is not already configured, set up IBM Directory Server for LDAP over SSL using the CMS Key Database file containing the self-signed certificate. For details on this step, see the IBM Directory Server documentation.
- Domino Directory: Domino Directory uses either self-signed certificates or signing certificates signed by a CA (Certificate Authority) to enable LDAP over SSL. IBM HTTP Server includes a security key management utility, such as IKeyMan, which can be used to generate a self-signed certificate or to import purchased certificates into the Domino Directory keystore. See the Domino Directory and IKeyMan documentation for the details of how to import a CA certificate or create a self-signed certificate in a key database file and extract that certificate so that it can be moved to WebSphere Application Server and WebSphere Commerce. A brief overview of the steps to create a self-signed certificate is below:
- Activate the security key management utility. For example, IKeyMan.
- Open an existing CMS Key Database file, or create a new CMS Key Database file. If you open an existing file, you must provide the password for that file. If you create a new file, you are asked to supply a password to secure access to that file. Remember this password.
- Within that CMS Key Database file, create a new self-signed certificate, using X.509 Version 3 format and 1024-bit key size. Give the certificate a label. Remember this label.
- Extract the new self-signed certificate as a certificate file using Base64-encoded ASCII data as the data type. This will save the certificate to a filename of your choice with an extension of .arm.
- If it is not already configured, set up Domino Directory for LDAP over SSL using the CMS Key Database file containing the self-signed certificate. For details on this step, see the Domino Directory documentation.
- Active Directory: Active Directory and Internet Information Services (IIS) should be installed and configured before you install WebSphere Commerce. Do the following:
- Export the root CA certificate:
- Open a Web browser and connect to http://localhost/certsrv.
- Select task Download a CA certificate, certificate chain, or CRL and click Next.
- Choose the certificate you created (current) and the format (either DER encoded or Base 64 encoded). This must match what is imported in Step 2e (below). Then click Download CA certificate.
- Save this certificate in a file. For example, call the certificate certnew.cer.
- Copy the certificate file to your WebSphere Commerce machine.
- Sun Java System Directory Server: The configuration of LDAP over SSL from WebSphere Application Server and WebSphere Commerce to Sun Java System Directory Server is nearly identical on the WebSphere Application Server and WebSphere Commerce side to configuration performed for IBM Directory Server. The Sun Java System Directory Server will not allow the use of self-signed certificates, so the Certificate Authority's (CA) signer chain must be imported to the WebSphere Application Server and Portal Server keystores.
- Novell eDirectory: You must export the trusted root certificate:
- Log on to Novell ConsoleOne.
- Double-click the base member.
- Right-click SSL Certificate DNS and select Properties.
- Select the Certificate tab and click Export.
- When asked if you want to export the private key with the certificate, select NO.
- In the certificate output format panel, select File in binary DER format and select any file name and location you want.
- Click Finish.
- Copy the downloaded certificate file to your WebSphere Commerce machine.
- On the WebSphere Commerce machine, import the certificate to WebSphere Application Server's default truststore file: DummyServerTrustFile.jks.
- Open a command window and change directory to WAS_installdir/bin.
- Launch the IKeyMan utility by typing ikeyman, ikeyman.exe, or ikeyman.sh, depending on your operating system.
- In IKeyMan, click Open, leave the Key database type as JKS and choose the DummyServerTrustFile.jks truststore under the WAS_profiledir/etc directory. The default password is WebAS.
- Select Signer Certificates. Click Add.
- Locate the certificate file (for example, certnew.cer for Active Directory, or the .arm file for other LDAP servers), then click Ok.
- Type a name for the certificate. Click Ok to finish.
- Restart your WebSphere Commerce Server.
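The following script is an added example and is not part of the IBM documentation or of any IBM tool. It walks the certificate side of the procedure above with openssl on a POSIX shell: it creates a self-signed signer certificate under a label (the role gsk6ikm or IKeyMan plays for IBM Directory Server and Domino), exports it both as Base64-encoded ASCII (.arm) and as binary DER (.cer, the Active Directory case), tells the two formats apart so the export format can be checked against what the import step expects, and verifies that a directory-server certificate actually chains to the exported signer before that signer is added to DummyServerTrustFile.jks. Everything it assumes is its own: openssl on the PATH, a scratch directory from mktemp, the hypothetical labels ldapca and unrelatedca, the hypothetical host name ldap.example.test, and 2048-bit RSA keys in place of the 1024-bit size the steps above mention. The IKeyMan import itself is not reproduced; the fingerprint printed here is what you compare against the signer entry once it is added.

```shell
#!/bin/sh
# Added example, not from the IBM page. Assumes `openssl` is on PATH.
# All file names below are constructed in a scratch directory.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a self-signed signer certificate under a label, the step the page performs
# with gsk6ikm (IBM Directory Server) or IKeyMan (Domino). Assumption: 2048-bit RSA
# instead of the page's 1024-bit, and the X.509 v3 profile openssl applies by default.
# Writes <label>.arm (Base64-encoded ASCII) and <label>.cer (binary DER), the two
# export formats the page mentions.
make_signer_cert() {
    label="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$label" \
        -keyout "$WORKDIR/$label.key" -out "$WORKDIR/$label.arm" >/dev/null 2>&1
    openssl x509 -in "$WORKDIR/$label.arm" -outform DER -out "$WORKDIR/$label.cer"
}

# Report whether an exported certificate file is Base64 (PEM) or DER, so the format
# chosen at export can be checked against what the import step expects.
detect_cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# Normalize either export format to PEM on stdout.
signer_as_pem() {
    case "$(detect_cert_format "$1")" in
        PEM) cat "$1" ;;
        DER) openssl x509 -inform DER -in "$1" -outform PEM ;;
        *)   return 1 ;;
    esac
}

# SHA-256 fingerprint of a signer regardless of its file format; compare it with the
# fingerprint IKeyMan shows for the signer entry after the import.
signer_fingerprint() {
    signer_as_pem "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Issue a directory-server certificate signed by the signer, standing in for the
# certificate the LDAP server presents once SSL is activated on it (constructed).
issue_server_cert() {
    signer="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORKDIR/$host.csr" -sha256 -days 365 \
        -CA "$WORKDIR/$signer.arm" -CAkey "$WORKDIR/$signer.key" -CAcreateserial \
        -out "$WORKDIR/$host.pem" >/dev/null 2>&1
}

# Check that a server certificate chains to the exported signer before that signer
# is imported into DummyServerTrustFile.jks. Returns non-zero on a mismatch.
verify_against_signer() {
    signer_as_pem "$1" > "$WORKDIR/signer_check.pem"
    openssl verify -CAfile "$WORKDIR/signer_check.pem" "$2" >/dev/null 2>&1
}

# Demonstration run: one signer for the directory, one unrelated signer.
make_signer_cert ldapca
issue_server_cert ldapca ldap.example.test
make_signer_cert unrelatedca
echo "ldapca.arm is $(detect_cert_format "$WORKDIR/ldapca.arm"), ldapca.cer is $(detect_cert_format "$WORKDIR/ldapca.cer")"
echo "signer fingerprint: $(signer_fingerprint "$WORKDIR/ldapca.cer")"
if verify_against_signer "$WORKDIR/ldapca.cer" "$WORKDIR/ldap.example.test.pem"; then
    echo "server certificate verifies against ldapca"
fi
if ! verify_against_signer "$WORKDIR/unrelatedca.arm" "$WORKDIR/ldap.example.test.pem"; then
    echo "server certificate does NOT verify against unrelatedca (expected)"
fi
```

Run it with `sh` in a scratch location; point `WORKDIR` at a directory you control if you want to keep the generated files. The mismatch branch at the end is the case worth rehearsing: a signer that does not validate the directory server's certificate will still import into the truststore without complaint, and the failure only surfaces later as a rejected LDAP bind from WebSphere Commerce.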