Configuring a directory server with load balancer or multiple domain controllers
If your LDAP server uses a load balancer or multiple domain controllers that dynamically change the list of hosts, and the connection between LDAP and the License Metric Tool server is secure, perform the advanced configuration of the License Metric Tool server that is described in this procedure. The LDAP server can already be configured in License Metric Tool.
Procedure
- For application update 9.2.9 or higher, perform the following steps to permanently configure the directory server.
  1. Contact your LDAP server administrator to obtain a public certificate from the certificate authority (CA) that issues server certificates for LDAP. The certificate file should be in the PEM format and should contain one or more certificates (the full chain of trust). For example:

     -----BEGIN CERTIFICATE-----
     MIIHZjCCBk6gAwIBAgISKESJLWXAAAACTANBgkqhkiG9w0BAQUFADBNMRMwEQYK
     CRWmyVBwPWQBBUNdilPKJRQwpeYKCZImiZPyLGQBGRYEQ354jTEgGG7GA1UEAiU5
     . . .
     MTAzMzQxWjBZMRMwEQYKCZImiZPJVGQBGRYDbmV0MRkwFwYKCZImiZPyLGQBGRYJ
     bnNyb290ZGV2MScwJQYDVQQDEx5DaXRXAEludGVybmFsIERldmljZSBDQSAwMyBM
     -----END CERTIFICATE-----
  2. Create a custom truststore and import the public certificate of the LDAP server into that truststore by running the following command:

     <install_dir>/jre/jre/bin/keytool -import -file <path_to_certificate> -alias ldapCA -keystore <install_dir>/wlp/usr/servers/server1/resources/security/<keystore> -storepass <password> -storetype <type>

     Where:
     - <path_to_certificate> is the path to the public certificate of the LDAP server.
     - <keystore> is the name of the LDAP truststore: ldap_truststore for application updates up to 9.2.25, and ldap_truststore.p12 starting from application update 9.2.26.
     - <password> is the password that you want to set for the truststore.
     - <type> is the truststore type: JKS for application updates from 9.2.9 to 9.2.25, and PKCS12 starting from application update 9.2.26.
     After you run the command, confirm it by typing yes at the following prompt:

     Trust this certificate? [no]: yes
  3. Encode the truststore password:
     a. Set the JAVA_HOME variable.
        On Linux: export JAVA_HOME=<install_dir>/jre/jre
        On Windows: set JAVA_HOME=<install_dir>/jre/jre
     b. Run the following command:
        <install_dir>/wlp/bin/securityUtility encode --encoding=aes
     c. When prompted, enter and re-enter the password that you specified in step 2.
     d. Save the encoded password. You will need it to complete this procedure.
  4. Back up the server.xml file before you make any changes. Then, provide information about the location of the truststore and its password in the server.xml file:
     a. Open the server.xml file that is in the <install_dir>/wlp/usr/servers/server1 directory.
     b. Locate the keyStore entry that has the defaultKeyStore identifier:
        <keyStore id='defaultKeyStore'>
     c. Paste the following line after that entry. In the password parameter, provide the encoded password from step 3.

        <keyStore id='ldapCustom' location='<install_dir>/wlp/usr/servers/server1/resources/security/<keystore>' password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxx' type="<type>"/>

        Where:
        - <type> is the truststore type: JKS for application updates from 9.2.9 to 9.2.25, and PKCS12 starting from application update 9.2.26.
        - <keystore> is the name of the LDAP truststore: ldap_truststore for application updates up to 9.2.25, and ldap_truststore.p12 starting from application update 9.2.26.
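The following shell helpers are an added example and are not part of the IBM documentation: pem_cert_count checks that the CA file is a complete PEM chain before keytool imports it (this check applies equally to the cacerts procedure for older application updates below), and the other functions select the truststore name and type that the steps above give for an application update level and fill them into the keytool command and the server.xml entry. The install path, certificate path, update level and passwords are caller-supplied placeholders, and the 9.2.x numbering of application updates is assumed.

```shell
#!/bin/sh
# Added example (not from the IBM documentation). Helpers for the truststore
# steps above; paths, update levels and passwords are caller-supplied placeholders.

# Print the number of certificates in a PEM file. Fails if a block is not
# closed, a body line is not base64, or the file holds no certificate, so a
# truncated or mis-pasted chain is caught before it is imported. CRLF line
# endings (a file saved on Windows) are tolerated.
pem_cert_count() {
    [ -r "$1" ] || return 1
    awk '
        { sub(/\r$/, "") }
        /-----BEGIN CERTIFICATE-----/ { if (open) bad = 1; open = 1; next }
        /-----END CERTIFICATE-----/   { if (!open) bad = 1; open = 0; n++; next }
        open && !/^[A-Za-z0-9+\/=]+$/ { bad = 1 }
        END { if (bad || open || n == 0) exit 1; print n }
    ' "$1"
}

# Truststore file name and type for an application update level, as the page
# gives them: 9.2.9 to 9.2.25 -> ldap_truststore (JKS); 9.2.26 and later ->
# ldap_truststore.p12 (PKCS12). Assumes the 9.2.x numbering; older levels use
# the cacerts procedure instead, so the function fails for them.
truststore_for_update() {
    minor=${1##*.}                                   # "9.2.26" -> 26
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac   # not a 9.2.x level
    if [ "$minor" -ge 26 ]; then echo "ldap_truststore.p12 PKCS12"
    elif [ "$minor" -ge 9 ]; then echo "ldap_truststore JKS"
    else return 1
    fi
}

# keytool command from step 2 with the values filled in.
# Arguments: install_dir path_to_certificate update_level store_password
keytool_import_cmd() {
    store=$(truststore_for_update "$3") || return 1
    echo "$1/jre/jre/bin/keytool -import -file $2 -alias ldapCA" \
         "-keystore $1/wlp/usr/servers/server1/resources/security/${store% *}" \
         "-storepass $4 -storetype ${store#* }"
}

# server.xml keyStore entry from step 4; the password must already be the
# {aes} value produced by securityUtility encode in step 3.
# Arguments: install_dir update_level encoded_password
keystore_xml_entry() {
    store=$(truststore_for_update "$2") || return 1
    echo "<keyStore id='ldapCustom' location='$1/wlp/usr/servers/server1/resources/security/${store% *}' password='$3' type='${store#* }'/>"
}
```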
- For versions older than application update 9.2.9, perform the following steps to configure the directory server. This solution must be applied after each application upgrade, because the certificates that you add according to this procedure are not preserved.
  Note: Before you begin, contact IBM Support for the password that is required during configuration.
  1. Contact your LDAP server administrator and obtain the public certificate from the certificate authority (CA) that issues the server certificates for LDAP. The certificate file should be in the PEM format and should contain one or more certificates. For example:

     -----BEGIN CERTIFICATE-----
     MIIHZjCCBk6gAwIBAgISKESJLWXAAAACTANBgkqhkiG9w0BAQUFADBNMRMwEQYK
     CRWmyVBwPWQBBUNdilPKJRQwpeYKCZImiZPyLGQBGRYEQ354jTEgGG7GA1UEAiU5
     . . .
     MTAzMzQxWjBZMRMwEQYKCZImiZPJVGQBGRYDbmV0MRkwFwYKCZImiZPyLGQBGRYJ
     bnNyb290ZGV2MScwJQYDVQQDEx5DaXRXAEludGVybmFsIERldmljZSBDQSAwMyBM
     -----END CERTIFICATE-----
  2. Copy the certificate file to the directory from which you run the keytool command (the current directory).
  3. Run the following command:

     <install_dir>/jre/jre/bin/keytool -import -trustcacerts -file <certificate_file_name> -alias certAliasName -keystore cacerts -storepass <password>

     Where:
     - <password> is the password that was provided by IBM Support.
     - <certificate_file_name> is the file name of the certificate that you copied in step 2.