Thursday, 19 March 2015

Configuring SSL between IBM security Identity manager and IBM TDS


There are 4 main concepts in doing this configuration.
Before doing this configuration first have the SSL configured on the IBM TDS LDAP instance…..if you refer my previous post of enabling ssl in IBM TDS LDAP instance you will be able to configure SSL on the TDS LDAP Instance.

First …..
Add the TDS certificate to Websphere CA Certs:
  1. Start the ikeyman utility. The utility (ikeyman.bat or ikeyman.sh) is in the WAS_HOME\bin.
  2. From the Key Database File menu, select Open.
  3. In the key database type, select JKS.
  4. In the File Name field, type cacerts.
  5. In the Location field, type WAS_HOME\java\jre\lib\security\.
  6. In the Password Prompt window, type the password for the keystore in the Password and Confirm Password window. The default password is changeit.
  7. Click OK.
  8. Add the certificate you created for the LDAP server into this certificate store.
    1. In the main window, in the Key database content area, select Signer Certificates from the list.
    2. Click Add.
    3. In the Certificate file name field, browse and locate the server certificate file that was created for the LDAP server, which is in Binary Der data. Verify that the appropriate directory is displayed in the Location field.
    4. Click OK.
    5. In the prompt, type a label for this certificate. For example, type LDAPCA.
    6. Click OK.

Secondly…..
Enabling ISIM to Communicate with LDAP using SSL Communication..
  1. Edit the enRoleLDAPConnection.properties file. This file is in the ISIM_HOME\data directory.
    1. Set the port value on the java.naming.provider.url property to the SSL port number configured on directory server [LDAP]. For example,
java.naming.provider.url=ldaps://localhost:636
    1. Set the value of the java.naming.security.protocol property to ssl. This setting directs the IBM Security Identity Manager Server to use SSL to communicate to LDAP.Alternately you can change the protocol in java.naming.provider.url from ldap to ldaps. For example,
java.naming.security.protocol=ssl
  1. Save the changes.
Thirdly……
Defining Custom JVM Properties in WebSphere
  1. Select Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New.
  2. Define the name of the javax properties that you changed by using the ikeyman key management tool. You can create your own certificate store location, for which you must define some additional properties.
javax.net.ssl.trustStore – WebSphere jre_install_dir\lib\security\cacerts
eg: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts
javax.net.ssl.trustStorePassword – changeit
javax.net.ssl.trustStoreType -- jks

Fourthly …..
Running LDAP Upgrade….
  1. Before running the ldapUpgrade utility, verify that enRoleLDAPConnections.properties, has java.naming.security.protocol set to ssl.
  2. Edit ISIM_HOME\bin\ldapUpgrade.lax file.
Add this property, which is one line:
lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=/opt/IBM/WebSphere/AppServer/java/jre/lib/ext:/opt/IBM/WebSphere/AppServer/plugins:/opt/IBM/WebSphere/AppServer/lib:/opt/IBM/WebSphere/AppServer/lib/ext
For example, on the Windows operating system:
lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs= C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\ext; C:\Progra~1\IBM\WebSphere\AppServer\plugins;
C:\Progra~1\IBM\WebSphere\AppServer\lib;
C:\Progra~1\IBM\WebSphere\AppServer\lib\ext
Note: On the UNIX systems, the delimiter for the list of directories in java.ext.dirs must be a colon. On the Windows systems, the delimiter for these directories must be a semi-colon. Also, on Windows systems, use 8.3 notation for the directory names as there can be no spaces in the list.
  1. Test if this property is set correctly.
    1. Copy the property into the ISIM_HOME\bin\ldapConfig.lax file.
    2. Click Test on the ldapConfig screen. If the test returns a success message, the property is set correctly.
Note: Do not click Continue on the ldapConfig screen. Click Cancel to exit.

Now Restart the complete WebSphere including nodes, clusters and DMGR.
with this you configuration is complete….


No comments:

Post a Comment