{"id":3713,"date":"2014-11-06T08:26:27","date_gmt":"2014-11-06T00:26:27","guid":{"rendered":"http:\/\/rmohan.com\/?p=3713"},"modified":"2014-11-06T08:26:27","modified_gmt":"2014-11-06T00:26:27","slug":"ldap-repository-in-websphere-application-server-7","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=3713","title":{"rendered":"LDAP repository in Websphere Application Server 7"},"content":{"rendered":"<p>This is to record the steps I used to switch the LDAP repository in WebSphere Application Server 7 and enable LDAP over SSL.<\/p>\n<p>Let&#8217;s start<\/p>\n<p>Point your browser to the WAS administrative console and log in with an administrative account.<\/p>\n<p>Add the new LDAP server configuration<\/p>\n<p>As I use a few repositories in my environment, I will be updating the repositories in the &#8220;Federated repositories&#8221; section.<\/p>\n<p>Click the left column&#8217;s link: Security -> Global security -> Configure (the drop-down box should point to &#8220;Federated repositories&#8221;).<\/p>\n<p>When the page refreshes, look for &#8220;Manage repositories&#8221; -> Add.<\/p>\n<p>Fill in the following.<br \/>\n&#8211; Repository identifier<br \/>\n&#8211; Directory type (here, I used IBM TDS)<br \/>\n&#8211; Primary hostname (put in the IP; if you have the entry in \/etc\/hosts, you can use the hostname)<br \/>\n&#8211; Port (389 for a start, so the connection can be tested before the certificate work; later this will be updated to 636)<br \/>\n&#8211; Bind DN and bind password (the account WAS uses to connect to the LDAP server; give it read-only rights to the user and group subtrees and nothing more)<\/p>\n<p>Click Apply when you are done. Then click Save. Wait for the sync to finish and click OK.<\/p>\n<p>Note that until the port is switched to 636 and SSL is required, this bind DN and password are sent in cleartext on port 389, so finish the SSL steps below before pointing production traffic at the new server.<\/p>\n<p>If there is something wrong, WAS will complain, e.g.:<br \/>\ncannot reach the LDAP server (ACL\/firewall?)<br \/>\nwrong port<br \/>\nBind DN or password is wrong<br \/>\netc.<\/p>\n<p>Import the LDAP server SSL certificate<\/p>\n<p>Store the SSL certificate as a flat file on the WAS server. 
You may need to convert the SSL certificate to &#8220;der&#8221; format (WAS also accepts Base64-encoded ASCII, i.e. PEM) and place the file in a directory on the deployment manager, since that is the node the console reads it from. Where you can, import the signer (CA) certificate that issued the LDAP server&#8217;s certificate rather than the leaf certificate, so the trust survives a routine server certificate renewal, and confirm the certificate&#8217;s fingerprint with the LDAP administrator before trusting it.<\/p>\n<p>Create a WAS truststore<\/p>\n<p>We will create a separate keystore in WAS to hold the keys and certificates used for LDAP. The idea is to keep a separate keystore for each function, so that a certificate trusted for LDAP is not automatically trusted for every other outbound SSL connection the cell makes.<\/p>\n<p>In Java terms, a keystore holds personal certificates (your own keys), while a truststore holds signer certificates (the CAs you trust). Only the truststore is needed here, since in this setup WAS does not present a client certificate to the LDAP server; this is the step the WAS security guide lists.<\/p>\n<p>Click Security -> SSL certificate and key management -> Key stores and certificates.<\/p>\n<p>Then click New.<\/p>\n<p>Fill in the following<br \/>\n&#8211; Name (I used LDAPTruststore)<br \/>\n&#8211; Management scope (the IBM security guide recommends cell level)<br \/>\n&#8211; Path (where you want to store this keystore)<br \/>\n&#8211; Password<\/p>\n<p>Import the LDAP SSL certificate into LDAPTruststore<\/p>\n<p>From the breadcrumb of the previous step, click &#8220;LDAPTruststore&#8221; and then Signer certificates.<\/p>\n<p>Click Add.<\/p>\n<p>Fill in the following<br \/>\n&#8211; Alias (I used ldapcert)<br \/>\n&#8211; File name (the path to the LDAP SSL certificate you stored in the previous step)<\/p>\n<p>Click Apply when you are done. Then click Save. 
Wait for the sync to finish and click OK.<\/p>\n<p>Create an SSL configuration (alias) linked to the truststore<\/p>\n<p>Click Security -> SSL certificate and key management -> SSL configurations.<\/p>\n<p>Click New.<\/p>\n<p>Fill in the following<br \/>\n&#8211; Name (I used LDAPSSLSettings)<br \/>\n&#8211; Trust store name (LDAPTruststore)<br \/>\n&#8211; Key store name (also LDAPTruststore, since no client key is needed for this connection)<br \/>\n&#8211; Management scope (cell level)<\/p>\n<p>Click OK, then Save, then OK.<\/p>\n<p>We are now ready to enable SSL on the connection to the LDAP server.<\/p>\n<p>Go back to the repository.<\/p>\n<p>Click Security -> Global security -> Configure (the drop-down should point to &#8220;Federated repositories&#8221;).<\/p>\n<p>When the page refreshes, click &#8220;Manage repositories&#8221; and open the new repository.<\/p>\n<p>Fill in the following<br \/>\n&#8211; Port (change to 636)<\/p>\n<p>Check &#8220;Require SSL communication&#8221;. Changing the port alone does not turn on SSL; this checkbox does.<\/p>\n<p>Choose the radio button &#8220;Use specific SSL alias&#8221; and select LDAPSSLSettings from the drop-down menu. Using a dedicated alias keeps the LDAP signer out of the cell&#8217;s default truststore.<\/p>\n<p>Click Apply when you are done. Then click Save. Wait for the sync to finish and click OK.<\/p>\n<p>Add the base DN<\/p>\n<p>Here, we configure from where in the LDAP tree WAS should make its queries.<\/p>\n<p>Click Security -> Global security -> Configure (the drop-down should point to &#8220;Federated repositories&#8221;).<\/p>\n<p>Click the &#8220;Add base entry to realm&#8221; button.<\/p>\n<p>Fill in the following<br \/>\n&#8211; Repository (put in the name you used for &#8220;Repository identifier&#8221;)<br \/>\n&#8211; OU (put in the base DN here; keep it as narrow as the application needs, since everything under it becomes searchable through WAS)<\/p>\n<p>Click Apply when you are done. Then click Save. Wait for the sync to finish and click OK.<\/p>\n<p>A little housekeeping<\/p>\n<p>Remove the base DN for the old LDAP server.<\/p>\n<p>Click on the base DN -> Remove.<br \/>\nThen click Save. Wait for the sync to finish and click OK.<\/p>\n<p>Click Manage repositories.<br \/>\nCheck the old repository -> Delete.<br \/>\nThen click Save. 
Wait for the sync to finish and click OK.<\/p>\n<p>Restart the application servers, node agents and the deployment manager<\/p>\n<p>To be safe, I prefer to restart everything and make sure I can still log in as administrator and that the application works with the new LDAP server. Before restarting, make sure the administrative user ID resolves in the new repository (or is a file-based user in the federated realm): if the realm cannot find it after the restart, you are locked out of the console until security is disabled by hand in security.xml.<\/p>\n<p>Check the deployment manager and application server logs (SystemOut.log) for signs of errors, in particular SSL handshake or untrusted-signer failures, which mean the certificate in LDAPTruststore does not match what the LDAP server presents.<\/p>\n<p>A small test<\/p>\n<p>Click &#8220;Users and Groups&#8221; -> Manage Users.<br \/>\nSearch for some valid users and verify that they come from the new LDAP server.<br \/>\nGet the software team to verify too, in case a problem is subtle enough not to be caught in the application logs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is to record the steps I used to switch the LDAP repository in WebSphere Application Server 7 and enable LDAP over SSL.<\/p>\n<p>Let&#8217;s start<\/p>\n<p>Point your browser to the WAS administrative console and log in with an administrative account.<\/p>\n<p>Add the new LDAP server configuration<\/p>\n<p>As I use a few repositories in my environment, I will be 
[&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3713"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3713"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3713\/revisions"}],"predecessor-version":[{"id":3714,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3713\/revisions\/3714"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
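As an added example (not code from the original post), these are the shell commands I would run on the deployment manager to prepare the LDAP signer certificate for the "Import the LDAP server SSL certificate" step and, once the truststore is built, to confirm the bind over ldaps with the same bind DN that WAS will use. The host names, file names and bind DN are placeholders I assumed; `ldapsearch` and `LDAPTLS_CACERT` come from the OpenLDAP client tools, everything else is plain OpenSSL.

```shell
#!/bin/sh
# Added example, not part of the original post: prepare the LDAP server's
# signer certificate for the LDAPTruststore step and check the result.
# Host names, file names and the bind DN below are assumptions.

# Fetch the certificate chain the LDAP server presents on its SSL port.
# Needs network access to the server; writes every PEM block s_client prints.
fetch_ldap_chain() {
    host="$1"; port="${2:-636}"; out="$3"
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Keep only the last certificate of a PEM chain: the highest CA the server
# sent, which is what belongs in a truststore as a signer (not the leaf).
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { last = buf }
         END { printf "%s", last }' "$1"
}

# Convert PEM to DER, the format the post deposits on the deployment manager.
pem_to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# SHA-256 fingerprint of a PEM or DER certificate with the label stripped,
# so it can be compared with what the LDAP administrator reads out.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Subject, issuer and expiry: confirm it is the CA you expect and still valid.
cert_summary() {
    openssl x509 -in "$1" -inform "$2" -noout -subject -issuer -enddate
}

# End-to-end check with the OpenLDAP client once the truststore exists:
# a simple bind over ldaps using the bind DN WAS will use, trusting only the
# same signer file that was imported into LDAPTruststore.
verify_ldaps_bind() {
    host="$1"; bind_dn="$2"; base_dn="$3"; ca_pem="$4"
    LDAPTLS_CACERT="$ca_pem" ldapsearch -H "ldaps://$host:636" -x \
        -D "$bind_dn" -W -b "$base_dn" -s base '(objectClass=*)' dn
}

# Typical run (assumed names):
#   fetch_ldap_chain ldap.example.test 636 chain.pem
#   last_cert chain.pem > signer.pem
#   cert_summary signer.pem PEM
#   cert_fingerprint signer.pem PEM      # compare out of band before trusting
#   pem_to_der signer.pem signer.der     # the file to point the console at
#   verify_ldaps_bind ldap.example.test "cn=wasbind,ou=svc,dc=example,dc=test" \
#       "dc=example,dc=test" signer.pem
```

Compare the fingerprint printed by `cert_fingerprint` with the one the LDAP administrator reads from the server before clicking Add under Signer certificates; a certificate you cannot verify out of band is a certificate you are trusting on the word of whatever answered on port 636. If `verify_ldaps_bind` succeeds with `LDAPTLS_CACERT` pointing at the signer file but WAS still logs a handshake failure, the problem is in the WAS truststore or SSL alias, not in the LDAP server.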