IBM WebSphere Lombardi Edition (Lombardi) includes an internal security provider for user access management. However, you may need to leverage an existing user registry, such as an enterprise user directory in LDAP, instead of re-creating and maintaining the users and groups in the Lombardi internal user service. Furthermore, it's often desirable or even mandatory to secure the communication between Lombardi and the LDAP server to protect personal information such as user id and password that's both sensitive and confidential. In this article, I will demonstrate how to:
- Register an LDAP provider with the embedded application server in Lombardi
- Manage access for the LDAP users and groups, and
- Secure the LDAP connection using Secure Sockets Layer (SSL) communication
The instructions and screen shots in this article are captured with Lombardi version 7.2 and the IBM employee Directory known as IBM BluePages that runs on a Tivoli Directory Server. But they are not specific to the Tivoli implementation and apply to other standard LDAP servers.
Securing communication between Lombardi and LDAP
IBM WebSphere Lombardi Edition (Lombardi) comes with an internal security provider for user access management and a set of default users and groups to run and administer Lombardi environments and enable you to get up and running quickly. You can create and maintain additional users and groups in the internal user system.
However, in some cases the internal user registry alone may not be sufficient. For example, you may need to leverage an existing user registry outside of Lombardi, such as an enterprise user directory in an LDAP server, to authenticate users and authorize access, rather than re-creating and maintaining the users and groups in the internal system. Because Lombardi is now hosted on WebSphere Application Server and configured with a single federated repository containing only the internal provider, you can add an LDAP directory to the federated repository to achieve this type of integration. The Installation and Configuration Guide in the product documentation contains detailed set-up information. For the sake of completeness and ease of use, this article repeats those step-by-step instructions and supplements them with screen captures.
What's not included in the product documentation, but is often desirable or even mandatory, especially in an enterprise or production environment, is information on how to secure the communication between Lombardi and the LDAP server to protect sensitive personal information such as user IDs and passwords. The Secure Sockets Layer (SSL) provides an industry standard protocol for transmitting data in a secure manner over an insecure network. SSL defines methods for authentication, data encryption, and message integrity for a reliable transport protocol. The focus of this article is how to set up a secure connection between Lombardi and an LDAP directory over SSL. Without the protection, the data exchanged between the servers is sent in clear text, and thus exposes the environment, application and its users to significant risk of security attacks.
Register an LDAP user directory with WebSphere Application Server
Note: You need to make sure no duplicate users exist in the Lombardi internal security provider and the security provider that you add in this section. If duplicate users exist, you will get exceptions when you run WebSphere Lombardi Edition product components.
- Start the WebSphere administrative console for Lombardi from the Start menu, as shown in Figure 1.
Figure 1. Start the administrative console
- Log on as tw_user. The default password for the tw_user account is tw_user.
- Select Security => Global security, as shown in Figure 2.
Figure 2. Select Global Security
- Under User account repository, click Configure next to the Federated repositories option, which is already set as the default for Lombardi.
- Under Related items, click Manage repositories, as shown in Figure 3.
Figure 3. Manage repositories
- Click Add and enter parameters for the LDAP provider that you want to add, as shown in Figure 4.
Figure 4. Add repositories
For example, to add the IBM BluePages server, you would specify the following values:
Figure 5. Sample configuration for IBM Bluepages
- Click OK, then click Save.
- Click on the IBM BluePages repository you've just created. Under Additional Properties, click LDAP entity types, and then Group, as shown in Figure 6.
Figure 6. Select LDAP entity types
- Specify the following settings, then click OK and Save.
Figure 7. Specify entity type properties
- Under LDAP entity types, click OrgContainer, and specify the settings, as shown in Figure 8, then click OK and
Figure 8. Specify properties for OrgContainer
- Still under LDAP entity types, click PersonAccount, and specify the settings, as shown in Figure 9, then click OK and
Figure 9. Specify properties for PersonAccount
- Go back to the Federated repositories page (Step 5), and click Add Base entry to Realm, as shown in Figure 10.
Figure 10. Add base entry to realm
- Provide values for the LDAP server, as shown in Figure 11, then click OK and Save.
Figure 11. Specify LDAP server properties
- Shut down and restart all Lombardi servers.
Grant access to LDAP Users and Groups
Once you've configured the LDAP directory, as well as the internal Lombardi security provider, the users and groups from both providers are available for selection throughout Lombardi. An LDAP user or group can be added to a default group in the exact same way as you would add a user or group that exists in the Lombardi internal user registry. Following is an example of how to do this.
- In the Add User and Groups dialog under User Management on the Lombardi Process Admin console, enter the name of the LDAP user or group, such as the AIM_BPM_SWAT group or firstname.lastname@example.org for an individual user that exists in the BluePages directory. Once the search results are returned, select the users or groups to add, as shown in Figures 12 and 13, then click Add Selected.
Figure 12. Add groups
Figure 13. Add users
Configure SSL connection to LDAP Server
The WebSphere Application Server embedded in Lombardi provides several methods to secure communication between a server and a client, including support for SSL. The two main steps required to enable SSL with an LDAP server are to add the digital certificate of the LDAP server to the trusted key store, and to switch to the secure port for encrypted data exchange.
Import the LDAP server certificate
To import the LDAP server certificate, do the following:
- Log on to the WebSphere administrative console as tw_user. The default password for the tw_user account is tw_user.
- Select Security => SSL certificate and key management, as shown in Figure 14.
Figure 14. Select SSL certificate and key management
- Click Key stores and certificates, as shown in Figure 15.
Figure 15. Select key stores and certificates
- Click NodeDefaultTrustStore, as shown in Figure 16.
Figure 16. Select NodeDefaultTrustStore
- Click Signer Certificates, as shown in Figure 17.
Figure 17. Select Signer Certificates
- Click Retrieve from port, as shown in Figure 18.
Figure 18. Select Retrieve from port
Note: Per APAR PM37795 (fix available in WebSphere Application Server V220.127.116.11), the Retrieve from Port action only gets the server certificate, not the signing certificate, which will cause an issue when the signing certificate expires, which is within a year for the default self-signed certificate used in the example. Please apply the fix before using this action.
- Specify the information for your LDAP server on the General Properties page. For instance, as shown in Figure 19, the information for the IBM BluePages server would include port 636, which is the default SSL port for LDAP servers.
Figure 19. Sample BluePages server information
- Click Retrieve Signer information.
- The details of the signer certificate are retrieved and populated, as shown in Figure 20. Click OK and then Save.
Figure 20. Signer certificate details
The LDAP server certificate is now successfully added to the trusted store, as shown in Figure 21.
Figure 21. LDAP server signer certificate listed
Switch to using the SSL connection to LDAP server
It's quite straightforward to switch to use SSL once the certificate is added to the store. To do this, complete the following steps:
- Repeat steps 1 to 6 in Register an LDAP user directory with WebSphere Application Server.
- Instead of the non-secure port 389, enter the secure (SSL) port of the LDAP server (the default is 636), and check Require SSL Communications, as shown in Figure 22.
Figure 22. Specify LDAP configuration
- Click OK, then Save.
- Shut down and restart all Lombardi servers.
Users can access and work with Lombardi as usual once the servers are restarted. The data is now exchanged securely over the SSL connection behind the scenes, with no impact to user experience.
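As an added example that is not part of the original article, the following Python detector shows what the switch from port 389 to port 636 changes on the wire: a simple bind on 389 carries the user DN and password in cleartext inside the BER-encoded LDAP BindRequest (RFC 4511), whereas on 636 only opaque TLS records are visible. The DN, password and packet bytes are constructed samples, not values from the article.

```python
# Added example, not from the original article: detector for the cleartext exposure
# described above. It BER-decodes an LDAP BindRequest (RFC 4511) and flags a simple
# bind on port 389; traffic to the LDAPS port 636 is only seen as opaque TLS records.

def _tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _ber(tag, value):
    """Encode one tag-length-value (short-form length is enough for these sizes)."""
    return bytes([tag, len(value)]) + value

def encode_bind_request(dn, password, msg_id=1):
    """Build a simple BindRequest exactly as an LDAP client sends it on port 389."""
    op = _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, op))

def parse_bind_request(packet):
    """Return the fields of a BindRequest, or None if the packet is not one."""
    if len(packet) < 2 or packet[0] != 0x30:   # LDAPMessage is a SEQUENCE
        return None
    _, msg, _ = _tlv(packet, 0)
    _, _msg_id, pos = _tlv(msg, 0)           # messageID INTEGER, not needed here
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x60:                          # bindRequest is [APPLICATION 0]
        return None
    _, version, pos = _tlv(op, 0)
    _, name, pos = _tlv(op, pos)
    auth_tag, cred, _ = _tlv(op, pos)        # simple [0] => tag 0x80, password is cred
    return {"version": int.from_bytes(version, "big"), "dn": name.decode(),
            "auth": "simple" if auth_tag == 0x80 else "sasl",
            "credential_bytes": len(cred)}   # report only the length, never the value

def classify(dst_port, payload):
    """Label one client-to-LDAP payload for alerting."""
    if dst_port == 636 or payload[:1] == b"\x16":   # TLS record: nothing to read
        return "encrypted"
    bind = parse_bind_request(payload)
    if bind and bind["auth"] == "simple" and bind["credential_bytes"]:
        return "cleartext simple bind for " + bind["dn"]
    return "cleartext ldap, no credential seen"

SAMPLE_DN = "uid=jdoe,ou=bluepages,o=ibm.com"              # constructed, not a real entry
SAMPLE_PACKET = encode_bind_request(SAMPLE_DN, "Passw0rd!")  # constructed capture, port 389
SAMPLE_TLS = b"\x16\x03\x01\x00\x05hello"                    # constructed TLS record, port 636
```

Running classify(389, SAMPLE_PACKET) reports the bind and its DN because the password bytes sit verbatim in the packet; classify(636, SAMPLE_TLS) sees only the TLS record, which is the state the configuration above leaves you in.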
- IBM WebSphere Lombardi Edition 7.2 Information Center
- WebSphere Lombardi Edition 7.2.0 Authoring Environment Installation and Configuration Guide
- IBM WebSphere Lombardi Edition 7.2 Information Center: Managing Lombardi Users
- IBM WebSphere Lombardi Edition 7.2 Documentation Library
- IBM WebSphere Application Server V7 Information Center: Securing applications and their environment
- IBM WebSphere Developer Technical Journal: WebSphere Application Server V7 advanced security hardening, Part 1
- WebSphere Developer Technical Journal: WebSphere Application Server V7 advanced security hardening, Part 2
- developerWorks BPM zone: Get the latest technical resources on IBM BPM solutions, including downloads, demos, articles, tutorials, events, webcasts, and more.
- IBM BPM Journal: Get the latest articles and columns on BPM solutions in this quarterly journal, also available in both Kindle and PDF versions.