Configuring SSL between IBM security Identity manager and IBM TDS

There are 4 main concepts in doing this configuration.

Before doing this configuration first have the SSL configured on the IBM TDS LDAP instance…..if you refer my previous post of enabling ssl in IBM TDS LDAP instance you will be able to configure SSL on the TDS LDAP Instance.

First …..

Add the TDS certificate to Websphere CA Certs:

1. Start the ikeyman utility. The utility (ikeyman.bat or ikeyman.sh) is in the WAS_HOME\bin.
2. From the Key Database File menu, select Open.
3. In the key database type, select JKS.
4. In the File Name field, type cacerts.
5. In the Location field, type WAS_HOME\java\jre\lib\security\.
6. In the Password Prompt window, type the password for the keystore in the Password and Confirm Password window. The default password is changeit.
7. Click OK.
8. Add the certificate you created for the LDAP server into this certificate store.
1. In the main window, in the Key database content area, select Signer Certificates from the list.
2. Click Add.
3. In the Certificate file name field, browse and locate the server certificate file that was created for the LDAP server, which is in Binary Der data. Verify that the appropriate directory is displayed in the Location field.
4. Click OK.
5. In the prompt, type a label for this certificate. For example, type LDAPCA.
6. Click OK.

Secondly…..

Enabling ISIM to Communicate with LDAP using SSL Communication..

1. Edit the enRoleLDAPConnection.properties file. This file is in the ISIM_HOME\data directory.
1. Set the port value on the java.naming.provider.url property to the SSL port number configured on directory server [LDAP]. For example,

java.naming.provider.url=ldaps://localhost:636

2. Set the value of the java.naming.security.protocol property to ssl. This setting directs the IBM Security Identity Manager Server to use SSL to communicate to LDAP.Alternately you can change the protocol in java.naming.provider.url from ldap to ldaps. For example,

java.naming.security.protocol=ssl

2. Save the changes.

Thirdly……

Defining Custom JVM Properties in WebSphere

1. Select Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New.
2. Define the name of the javax properties that you changed by using the ikeyman key management tool. You can create your own certificate store location, for which you must define some additional properties.

javax.net.ssl.trustStore – WebSphere jre_install_dir\lib\security\cacerts

eg: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts

javax.net.ssl.trustStorePassword – changeit

javax.net.ssl.trustStoreType -- jks

Fourthly …..

Running LDAP Upgrade….

1. Before running the ldapUpgrade utility, verify that enRoleLDAPConnections.properties, has java.naming.security.protocol set to ssl.
2. Edit ISIM_HOME\bin\ldapUpgrade.lax file.

Add this property, which is one line:

lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=/opt/IBM/WebSphere/AppServer/java/jre/lib/ext:/opt/IBM/WebSphere/AppServer/plugins:/opt/IBM/WebSphere/AppServer/lib:/opt/IBM/WebSphere/AppServer/lib/ext

For example, on the Windows operating system:

lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs= C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\ext; C:\Progra~1\IBM\WebSphere\AppServer\plugins;
C:\Progra~1\IBM\WebSphere\AppServer\lib;
C:\Progra~1\IBM\WebSphere\AppServer\lib\ext

Note: On the UNIX systems, the delimiter for the list of directories in java.ext.dirs must be a colon. On the Windows systems, the delimiter for these directories must be a semi-colon. Also, on Windows systems, use 8.3 notation for the directory names as there can be no spaces in the list.

3. Test if this property is set correctly.
1. Copy the property into the ISIM_HOME\bin\ldapConfig.lax file.
2. Click Test on the ldapConfig screen. If the test returns a success message, the property is set correctly.

Note: Do not click Continue on the ldapConfig screen. Click Cancel to exit.

Now Restart the complete WebSphere including nodes, clusters and DMGR.
with this you configuration is complete….

SSL Configuration on IBM TDS LDAP server

Configuring SSL for IBM TDS Instance is it possible.....

Yes below are the steps to do it....

Steps to enable SSL communication using self-signed certificates.

1. Login to LDAP server
2. Take a backup of ibmslapd.conf  file.
3. Run the below command to create a key database (CMS) to contain the server certificates as well as the server’s private and public keys.gsk8capicmd_64.exe -keydb -create -db E:\serverkey -pw password -type cms –stash
4. On successful completion of the above command, four files will be created: serverkey.kdb, serverkey.rdb, serverkey.crl, serverkey.sth
5. Create a self-signed certificate using the below command:gsk8capicmd_64.exe -cert -create -db E:\serverkey.kdb -pw password -label label_name -dn "cn=ldapcert,dc=com" -default_cert yes -expire 999
6. Create an ldif file to configure TDS server to use this certificate.

   dn: cn=SSL,cn=Configuration

   changetype: modify

   replace: ibm-slapdSslAuth

   ibm-slapdSslAuth: serverAuth

   -

   replace: ibm-slapdSecurity

   ibm-slapdSecurity: SSL

   dn: cn=SSL,cn=Configuration

   changetype: modify

   replace: ibm-slapdSSLKeyDatabase

   ibm-slapdSSLKeyDatabase: E:\serverkey.kdb

   -

   replace:ibm-slapdSslCertificate

   ibm-slapdSslCertificate: label_name

   -

   replace: ibm-slapdSSLKeyDatabasePW

   ibm-slapdSSLKeyDatabasePW: password

7.       Run ldapmodify command to update TDS server with SSL configuration:

ldapmodify -D cn=root -w bind_pwd -p port -i “ldif_file”

8.       Restart LDAP instance and admin server.