Secure integration of an LDAP user registry with WebSphere Lombardi Edition

This article shows how you can use an existing user registry, such as an enterprise user directory in LDAP, with WebSphere® Lombardi Edition. You'll learn how to register an LDAP provider with the Lombardi application server, manage access for the LDAP users and groups, and secure the LDAP connection using SSL.


Shili Yang (shiliy@ca.ibm.com), Advisory Software Developer, IBM

Shili Yang is a member of the IBM Software Services for WebSphere team working with customers on BPM and SOA solutions. Before joining IBM Software Services for WebSphere, she worked on the BPM SWAT team and the BPM Architecture and Development team.



29 June 2011

Introduction

IBM WebSphere Lombardi Edition (Lombardi) includes an internal security provider for user access management. However, you may need to leverage an existing user registry, such as an enterprise user directory in LDAP, instead of re-creating and maintaining the users and groups in the Lombardi internal user service. Furthermore, it's often desirable or even mandatory to secure the communication between Lombardi and the LDAP server to protect personal information such as user IDs and passwords, which are both sensitive and confidential. In this article, I will demonstrate how to:

  1. Register an LDAP provider with the embedded application server in Lombardi
  2. Manage access for the LDAP users and groups, and
  3. Secure the LDAP connection using Secure Sockets Layer (SSL) communication

The instructions and screen shots in this article were captured with Lombardi version 7.2 and the IBM employee directory known as IBM BluePages, which runs on a Tivoli Directory Server. They are not specific to the Tivoli implementation, however, and apply to other standard LDAP servers.


Securing communication between Lombardi and LDAP

IBM WebSphere Lombardi Edition (Lombardi) comes with an internal security provider for user access management and a set of default users and groups to run and administer Lombardi environments, so that you can get up and running quickly. You can create and maintain additional users and groups in the internal user system.

However, in some cases the internal user registry alone may not be sufficient. For example, you may need to leverage an existing user registry outside of Lombardi, such as an enterprise user directory in an LDAP server, to authenticate users and authorize access, rather than re-creating and maintaining the users and groups in the internal system. Because Lombardi is now hosted on WebSphere Application Server and configured with a single federated repository containing only the internal provider, you can add an LDAP directory to the federated repository to achieve this type of integration. The Installation and Configuration Guide in the product documentation contains detailed set-up information. For the sake of completeness and ease of use, this article repeats those step-by-step instructions and supplements them with screen captures.

What's not included in the product documentation, but is often desirable or even mandatory, especially in an enterprise or production environment, is information on how to secure the communication between Lombardi and the LDAP server to protect sensitive personal information such as user IDs and passwords. The Secure Sockets Layer (SSL) provides an industry standard protocol for transmitting data in a secure manner over an insecure network. SSL defines methods for authentication, data encryption, and message integrity on top of a reliable transport protocol. The focus of this article is how to set up a secure connection between Lombardi and an LDAP directory over SSL. Without this protection, the data exchanged between the servers is sent in clear text, which exposes the environment, the application and its users to significant risk of attack.


Register an LDAP user directory with WebSphere Application Server

Note: You need to make sure no duplicate users exist in the Lombardi internal security provider and the security provider that you add in this section. If duplicate users exist, you will get exceptions when you run WebSphere Lombardi Edition product components.

  1. Start the WebSphere administrative console for Lombardi from the Start menu, as shown in Figure 1.
    Figure 1. Start the administrative console
  2. Log on as tw_user. The default password for the tw_user account is tw_user.
  3. Select Security => Global security, as shown in Figure 2.
    Figure 2. Select Global security
  4. Under User account repository, click Configure next to the Federated repositories option, which is already set as the default for Lombardi.
  5. Under Related items, click Manage repositories, as shown in Figure 3.
    Figure 3. Manage repositories
  6. Click Add and enter parameters for the LDAP provider that you want to add, as shown in Figure 4.
    Figure 4. Add repositories

    For example, to add the IBM BluePages server, you would specify the following values:

    Figure 5. Sample configuration for IBM BluePages
  7. Click OK, then click Save.
  8. Click on the IBM BluePages repository you've just created. Under Additional Properties, click LDAP entity types, and then Group, as shown in Figure 6.
    Figure 6. Select LDAP entity types
  9. Specify the settings shown in Figure 7, then click OK and Save.
    Figure 7. Specify entity type properties
  10. Under LDAP entity types, click OrgContainer, and specify the settings, as shown in Figure 8, then click OK and Save:
    Figure 8. Specify properties for OrgContainer
  11. Still under LDAP entity types, click PersonAccount, and specify the settings, as shown in Figure 9, then click OK and Save:
    Figure 9. Specify properties for PersonAccount
  12. Go back to the Federated repositories page (Step 5), and click Add Base entry to Realm, as shown in Figure 10.
    Figure 10. Add base entry to realm
  13. Provide values for the LDAP server, as shown in Figure 11, then click OK and Save.
    Figure 11. Specify LDAP server properties
  14. Shut down and restart all Lombardi servers.

Grant access to LDAP Users and Groups

Once you've configured the LDAP directory, as well as the internal Lombardi security provider, the users and groups from both providers are available for selection throughout Lombardi. An LDAP user or group can be added to a default group in the exact same way as you would add a user or group that exists in the Lombardi internal user registry. Following is an example of how to do this.

  1. In the Add User and Groups dialog under User Management on the Lombardi Process Admin console, enter the name of the LDAP user or group, such as the AIM_BPM_SWAT group or shiliy@ca.ibm.com for an individual user that exists in the BluePages directory. Once the search results are returned, select the users or groups to add, as shown in Figures 12 and 13, then click Add Selected.
    Figure 12. Add groups
    Figure 13. Add users

Configure SSL connection to LDAP Server

The WebSphere Application Server embedded in Lombardi provides several methods to secure communication between a server and a client, including support for SSL. The two main steps required to enable SSL with an LDAP server are to add the digital certificate of the LDAP server to the trusted key store, and to switch to the secure port for encrypted data exchange.

Import the LDAP server certificate

To import the LDAP server certificate, do the following:

  1. Log on to the WebSphere administrative console as tw_user. The default password for the tw_user account is tw_user.
  2. Select Security => SSL certificate and key management, as shown in Figure 14.
    Figure 14. Select SSL certificate and key management
  3. Click Key stores and certificates, as shown in Figure 15.
    Figure 15. Select Key stores and certificates
  4. Click NodeDefaultTrustStore, as shown in Figure 16.
    Figure 16. Select NodeDefaultTrustStore
  5. Click Signer Certificates, as shown in Figure 17.
    Figure 17. Select Signer certificates
  6. Click Retrieve from port, as shown in Figure 18.
    Figure 18. Select Retrieve from port

    Note: Per APAR PM37795 (fix available in WebSphere Application Server V7.0.0.17), the Retrieve from port action only gets the server certificate, not the signing certificate. This causes a problem when the signing certificate expires, which happens within a year for the default self-signed certificate used in this example. Apply the fix before using this action.
  7. Specify the information for your LDAP server on the General Properties page. For instance, as shown in Figure 19, the information for the IBM BluePages server would be:
    • Host: bluepages.ibm.com
    • Port: 636, the default SSL port for LDAP servers
    • Alias: bluepages
    Figure 19. Sample BluePages server information
  8. Click Retrieve Signer information.
  9. The details of the signer certificate are retrieved and populated, as shown in Figure 20. Click OK and then Save.
    Figure 20. Signer certificate details

The LDAP server certificate is now successfully added to the trusted store, as shown in Figure 21.

Figure 21. LDAP server signer certificate listed
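The note on the Retrieve from port action above is the reason a practitioner usually wants to see the whole certificate chain the LDAP server presents before deciding what to put in NodeDefaultTrustStore: the signer (CA) certificate, not the server certificate that will be renewed. The following added example is not part of the original article; it parses the chain section of `openssl s_client -showcerts` output and picks the certificate to import as a signer. The sample output is constructed (the hostname comes from the article, the CA name and the PEM bodies are placeholders, not real certificates).

```python
import re

# Constructed sample (not real certificates) of the chain section printed by
#   openssl s_client -connect bluepages.ibm.com:636 -showcerts < /dev/null
# for a server certificate signed by a separate CA certificate.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = bluepages.ibm.com
   i:CN = Example LDAP Signing CA
-----BEGIN CERTIFICATE-----
LEAF-CERT-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example LDAP Signing CA
   i:CN = Example LDAP Signing CA
-----BEGIN CERTIFICATE-----
CA-CERT-PLACEHOLDER
-----END CERTIFICATE-----
---
"""

# One chain entry: index line with subject (s:), issuer line (i:), then the PEM block.
CHAIN_ENTRY = re.compile(
    r"^\s*\d+ s:(?P<subject>.*?)\n\s*i:(?P<issuer>.*?)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)",
    re.S | re.M)

def parse_chain(showcerts_output):
    """Return [(subject, issuer, pem)] in chain order; entry 0 is the server certificate."""
    return [(m.group("subject").strip(), m.group("issuer").strip(), m.group("pem"))
            for m in CHAIN_ENTRY.finditer(showcerts_output)]

def signer_to_import(chain):
    """Choose the certificate to add to NodeDefaultTrustStore as a signer.

    Retrieve from port (before the PM37795 fix) stores only chain[0], the server
    certificate, so trust breaks when that certificate is replaced. Trusting the
    certificate that signed it survives server certificate renewal.
    Returns (kind, subject, pem); pem is None when the signer is not in the chain.
    """
    if not chain:
        raise ValueError("no certificates found in s_client output")
    subject, issuer, pem = chain[0]
    if subject == issuer:                     # self-signed: the server cert is its own signer
        return ("self-signed", subject, pem)
    for s, i, p in chain[1:]:                 # look for the issuer higher up the chain
        if s == issuer:
            return ("signer", s, p)
    return ("signer-missing", issuer, None)   # CA certificate must be obtained out of band
```

When the result is `signer-missing`, the server did not send its CA certificate, and importing only the leaf would reproduce the expiry problem the APAR note describes.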

Switch to using the SSL connection to LDAP server

It's quite straightforward to switch to SSL once the certificate is added to the store. To do this, complete the following steps:

  1. Repeat steps 1 to 6 in Register an LDAP user directory with WebSphere Application Server.
  2. Instead of the non-secure port 389, enter the SSL port of the LDAP server (the default is 636), and check Require SSL communications, as shown in Figure 22.
    Figure 22. Specify LDAP configuration
  3. Click OK, then Save.
  4. Shut down and restart all Lombardi servers.

Users can access and work with Lombardi as usual once the servers are restarted. The data is now exchanged securely over the SSL connection behind the scenes, with no impact to user experience.
