friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6290434003
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/sec/secsslen.htm

86 lines
5.3 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure SSL connections between WebSphere Application Server - Express and an LDAP
server</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h4><a name="secsslen"></a>Configure SSL connections between WebSphere Application Server - Express and an LDAP server</h4>
<ol>
<li><p>Configure SSL in the LDAP server. The procedure varies with the LDAP server being used. Consult the documentation for your server for details. If you are using the i5/OS Directory Service, see the Directory Services documentation in the iSeries Information Center:</p>
<ul>
<li><a href="../../../icbase/rzahy/v5r2rzahyrzahywelpo.htm" target="_blank">For V5R2</a></li>
<li><a href="../../../icbase/rzahy/v5r3rzahyrzahywelpo.htm" target="_blank">For V5R3</a></li>
<li><a href="../../../rzahy/rzahyrzahywelpo.htm">For V5R4</a></li>
</ul>
</li>
<li><p>Update your WebSphere Application Server - Express trust store file. The trust store file is the repository for the WebSphere server's trust base. Because it needs to authenticate the LDAP server during SSL initialization, the trust store file must provide information about the LDAP server.</p>
<p>To validate the LDAP server's certificate, your server needs the public key of the CA that issued the LDAP server's certificate. This key is found in that CA's certificate, so you need to add the CA certificate
to your trust store file on the server.</p>
<p>To add the additional certificate to the trust store file, do the following:</p>
<ol type="a">
<li>Obtain the certificate of the CA that issued the LDAP server's certificate. For example, if your LDAP server's certificate was issued by the Local CA on your iSeries system, extract the Local CA's certificate by using the Digital Certificate Manager (DCM):
<ol>
<li><a href="secdcmstr.htm">Start the Digital Certificate Manager (DCM)</a>
<p><strong>Note</strong>: Procedures vary depending on the release of DCM you have installed on your iSeries system. The release of DCM that is used in this topic is V5R1M0.</p></li>
<li>In the left pane, click <strong>Install CA certificate on your PC</strong>.</li>
<li>In the right pane, click <strong>Copy and paste certificate</strong>.</li>
<li>Create a text file on your PC, then paste the CA certificate into <em>myLocalCA.txt</em> and save the file. Ensure that the copy of the CA certificate ends with the new line character.</li>
<li>Click the <strong>Done</strong> button.</li>
</ol><p></p></li>
<li>Add the CA certificate to the server's trust store file:
<ol>
<li><p>Start iKeyman on your workstation. For more information, see <a href="ikeyman.htm">The iKeyman utility</a>.</p></li>
<li>Click <strong>Key Database File</strong> and select <strong>Open</strong>.</li>
<li>Using the browser, navigate to the directory containing the trust store file for your WebSphere server instance, and open the file. For example: <em>USER_INSTALL_ROOT</em>/etc/DummyServerTrustFile.jks.</li>
<li>Click <strong>Personal Certificates</strong> and select <strong>Signer Certificates</strong>.</li>
<li>Click <strong>Add</strong>.</li>
<li>Specify settings:
<ul>
<li><strong>Data Type</strong>: Base64-encoded ASCII data</li>
<li><strong>Certificate file name</strong>: myLocalCA.txt</li>
<li><strong>Location</strong>: the path to the directory containing myLocalCA.txt</li>
</ul></li>
<li>Click <strong>OK</strong>.</li>
<li>Enter LocalCA for the label and click <strong>OK</strong>.</li>
<li>Click <strong>Key Database File</strong>.</li>
<li>Select <strong>Exit</strong>.</li>
</ol></li>
</ol><p></p></li>
<li>Enable the SSL connection in WebSphere. Use the WebSphere administrative console to modify your LDAP configuration (under <strong>Security --&gt; User Registries --&gt; LDAP</strong>):
<ul>
<li>Set the port to 636. (If you used a different port number, set the port to that number.)</li>
<li>Select <strong>SSL Enabled</strong>.</li>
<li>Select <strong>DefaultSSLSettings</strong>.</li>
</ul><p></p></li>
<li><p>Click <strong>OK</strong>.</p></li>
<li><p>Save your changes.</p></li>
<li><p>Stop and restart the application server, then start the administrative console. You are prompted to login to the LDAP registry.</p></li>
</ol>
<p><strong>Tips</strong></p>
<p>If your SSL connection does not work, try the following:</p>
<ul>
<li>Verify that your LDAP server is listening to port 636 (or the other port
specified in the settings).</li>
<li>Verify that the LDAP server's certificate is still valid.</li>
<li>If you need to export the certificate for the LDAP server's CA from keyring or other type of file, look for an option that lets you export the certificate in DER binary format or Base64-encoded ASCII. The tools you have can vary with the LDAP server.</li>
<li>If you transfer a certificate file from a remote host by using file transfer protocol (FTP), be sure to set the transfer mode to binary.</li>
</ul>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink