LDAP repository in Websphere Application Server 7

his is to record the steps i used to switch LDAP repository in Websphere Application Server 7 and enabled LDAP over SSL.

Lets Start

Point your browser to the WAS console and login using admin account.

Add in the new LDAP server configurations

As i use a few repositories in my environment, i would be updating the repositories in the “Federated repositories” section.

Click on left column’s link: Security -> Global Security -> Configure (the drop down box is pointed to “Federated repositories”

The page refreshed, look for “Manage repositories” -> Add

Fill the following.
– Repository identifier
– Directory type (here, i used IBM TDS)
– Primary hostname (put in IP, if you have the entry in /etc/hosts, can use hostname)
– Port (389 for a start. Later will be updated to 636)
– Bind DN (The account to connect to LDAP server)

Click Apply when you are done. Then Click Save. Wait for sync to finish and click OK.

If there is something wrong, WAS will complain.

i.e.
cannot reach the LDAP server. (ACL/firewall??)
wrong port
Bind DN is wrong
etc

Import LDAP server SSL

Store the SSL certificate as a flat file in the WAS server. You may need to convert the SSL certificate to “der” format and deposit the certificate to the deployment manager directory.

Create WAS Truststore

We will create the key store in WAS to store keys and certificate for LDAP. Idea is to separate key store for different functions.

By java definition, keystore is an object that holds personal certificate. truststore is a Java object that holds signer certificates. I gather we will only create the truststore since WAS security guide listed this step.

Click Security -> SSL Certificate and key management -> keystores and certificates

Then click New

Fill up the following
– Name (i used LDAPTruststore)
– Management scope (IBM security guide recommended cell level)
– Path (Where you want to store this key store)
– Password

Import the LDAP SSL certiticate into LDAPTruststore

From the breadcrumb of the previous step, Click on “LDAPTruststore” and Signer certificates.

Click Add

Fill up the following
– Alias (i used ldapcert)
– File Name (the path to the LDAP ssl certificate you put in previous step.)

Click Apply when you are done. Then Click Save. Wait for sync to finish and click OK

Creating SSL alias link to the Trust store

We will create Click Security -> SSL certificate and key management -> SSL configuration.

Click New

Fill up the following
– Name (I used LDAPSSLSettings)
– Trust store name (its LDAPTruststore)
– Key store name (its LDAPTruststore)
– Management Scope (Its Cell Level)

Click OK then Save then OK.

We are now ready to enable LDAP over SSL communication to LDAP server

Go back to the repository.

Click Security -> Global Security -> Configure (drop down bar should point to “Federated repositories”)

When the page refreshed, Click “Manage repositories”

Fill up the following
– Port (change to 636)

Check the “Require SSL communication”

Choose the radio button “use specific SSL alias” and select LDAPSSLSettings from the drop down menu.

Click Apply when you are done. Then Click Save. Wait for sync to finish and click OK

Add the Base DN

Here, we need to configure from where in LDAP server we should make the queries.

Click Security -> Global Security -> Configure (drop down bar should point to “Federated repositories”)

Click the “Add base entry to realm” button

Fill up the following
– Repository (Put in the name you used for “Repository identifier”)
– OU (Put in the Base DN here)

Click Apply when you are done. Then Click Save. Wait for sync to finish and click OK

A little housekeeping

Removethe base DN for the old LDAP server.

Click on the base DN -> remove
Then Click Save. Wait for sync to finish and click OK

Click on Manage repositories
Check the old repository -> delete
Then Click Save. Wait for sync to finish and click OK

Restart AppSvr, NodeMgr and Dmgr

To be safe, i would prefer to restart everything and make sure i still can log in as administrator and the application would have no problem working with the new LDAP server.

Check the Dmgr logs, AppSvr logs for signs of errors.

A small test

Click on “users and groups” -> manage users
Search for some valid users and verify that they come from the new LDAP server.
Get the software team to verify too in case the problem is subtle enough not to be caught in the application logs.