Configuring a directory server with load balancer or multiple domain controllers

If your LDAP server uses a load balancer or multiple domain controllers that dynamically change the list of hosts, and the connection between LDAP and the License Metric Tool server is secure, perform the advanced configuration of the License Metric Tool server that is described here. The LDAP server can already be configured in License Metric Tool.

Before you begin

Starting from application update 9.2.32, this procedure is performed automatically and no manual steps are required.

Procedure

  • For application update 9.2.9 or higher, perform the following steps to permanently configure the directory server.
    1. Contact your LDAP server administrator to obtain the public certificate of the certificate authority (CA) that issues the server certificates for LDAP. The certificate file must be in the PEM format and must contain one or more certificates (the full chain of trust).
      For example:
      -----BEGIN CERTIFICATE-----
      MIIHZjCCBk6gAwIBAgISKESJLWXAAAACTANBgkqhkiG9w0BAQUFADBNMRMwEQYK
      CRWmyVBwPWQBBUNdilPKJRQwpeYKCZImiZPyLGQBGRYEQ354jTEgGG7GA1UEAiU5
      .
      .
      .
      MTAzMzQxWjBZMRMwEQYKCZImiZPJVGQBGRYDbmV0MRkwFwYKCZImiZPyLGQBGRYJ
      bnNyb290ZGV2MScwJQYDVQQDEx5DaXRXAEludGVybmFsIERldmljZSBDQSAwMyBM
      -----END CERTIFICATE-----
      
    2. To create a custom truststore and import the public certificate for the LDAP server to that truststore, run the following command.
      <install_dir>/jre/jre/bin/keytool -import -file <path_to_certificate> -alias ldapCA 
      -keystore <install_dir>/wlp/usr/servers/server1/resources/security/<keystore> 
      -storepass <password> -storetype <type>
      Where:
      <path_to_certificate>
      Is the path to the public certificate of the LDAP server.
      <keystore>
      For application updates up to 9.2.25, the name of the LDAP keystore is ldap_truststore. Starting from application update 9.2.26, it is ldap_truststore.p12.
      <password>
      Is the password that you want to set for the truststore.
      <type>
      For application updates from 9.2.9 to 9.2.25, the type is JKS. Starting from application update 9.2.26, the type is PKCS12.
    3. After you run the command, confirm it by typing yes in the following line.
      Trust this certificate? [no]: yes
    4. To encode the truststore password, perform the following steps.
      1. Set the JAVA_HOME variable.
        • Linux: export JAVA_HOME=<install_dir>/jre/jre
        • Windows: set JAVA_HOME=<install_dir>/jre/jre
      2. Run the following command.
        <install_dir>/wlp/bin/securityUtility encode --encoding=aes
      3. When prompted, enter and re-enter the password that you specified in step 2.
      4. Save the encoded password. You will need it to complete this procedure.
    5. Back up the server.xml file before you make any changes. Then, provide information about the location of the truststore and its password in the server.xml file.
      1. Open the server.xml file that is in the <install_dir>/wlp/usr/servers/server1 directory.
      2. Locate the keyStore entry that has the defaultKeyStore identifier.
        <keyStore id='defaultKeyStore'>
      3. Paste the following lines after that entry. In the password parameter, provide the encoded password from step 3.
        <keyStore id='ldapCustom' location='<install_dir>/wlp/usr/servers/server1/resources/security/<keystore>' password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxx' type='<type>'/>
        Where:
        <type>
        For application updates from 9.2.9 to 9.2.25, the type is JKS. Starting from application update 9.2.26, the type is PKCS12.
        <keystore>
        For application updates up to 9.2.25, the name of the LDAP keystore is ldap_truststore. Starting from application update 9.2.26, it is ldap_truststore.p12.
  • For versions older than application update 9.2.9, perform the following steps to configure the directory server. Repeat this procedure after each application upgrade, because the certificates that you add to the cacerts keystore are not preserved during the upgrade.
    Note: Before you begin, contact IBM Support for the password that is required during the configuration.
    1. Contact your LDAP server administrator and obtain the public certificate of the certificate authority (CA) that issues the server certificates for LDAP. The certificate file must be in the PEM format and must contain one or more certificates.
      For example:
      -----BEGIN CERTIFICATE-----
      MIIHZjCCBk6gAwIBAgISKESJLWXAAAACTANBgkqhkiG9w0BAQUFADBNMRMwEQYK
      CRWmyVBwPWQBBUNdilPKJRQwpeYKCZImiZPyLGQBGRYEQ354jTEgGG7GA1UEAiU5
      .
      .
      .
      MTAzMzQxWjBZMRMwEQYKCZImiZPJVGQBGRYDbmV0MRkwFwYKCZImiZPyLGQBGRYJ
      bnNyb290ZGV2MScwJQYDVQQDEx5DaXRXAEludGVybmFsIERldmljZSBDQSAwMyBM
      -----END CERTIFICATE-----
    2. Copy the certificate file to the directory from which you run the keytool command (current directory).
    3. Run the following command.
      <install_dir>/jre/jre/bin/keytool -import -trustcacerts -file <certificate_file_name> 
      -alias certAliasName -keystore cacerts -storepass <password>
      Where:
      <password>
      Is the password that was provided by IBM Support.
      <certificate_file_name>
      Is the file name of the certificate copied in step 2.
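Two checks that are worth scripting around this procedure, written here as an added Python example that is not part of the License Metric Tool documentation or product: before the keytool import in step 1 of either variant, confirm that the CA file really is a PEM bundle with one or more certificates; after step 5 of the 9.2.9 or higher variant, insert the ldapCustom keyStore entry into server.xml with a type that matches the truststore (PKCS12 for ldap_truststore.p12, JKS for ldap_truststore) and a password that is the {aes} value produced by securityUtility encode. The function names, the /opt/ibm/LMT install path, the sample server.xml and the sample PEM payloads are constructed for the example; the payloads are minimal DER SEQUENCEs, not real certificates, and the type-from-file-name rule assumes the keystore names given in the procedure.

```python
"""Pre-flight checks for the LDAP truststore procedure.

Added example, not code from the License Metric Tool documentation or product; it
uses only the Python standard library and runs offline on constructed sample data.
- check_pem_bundle(): confirms the CA file is PEM with one or more CERTIFICATE blocks
  whose base64 payload decodes to a DER SEQUENCE (the outer tag of an X.509 certificate).
- add_ldap_keystore(): inserts the ldapCustom <keyStore> element after the
  defaultKeyStore entry of server.xml, choosing the type from the file name
  (ldap_truststore.p12 -> PKCS12, ldap_truststore -> JKS, an assumption based on the
  names in the procedure) and refusing a password that is not {aes}-encoded.
"""
import base64
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _der_length(der):
    """Decode the DER length that follows the tag byte; return (length, header_size)."""
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return first, 2
    count = first & 0x7F                  # long form: the next `count` bytes hold the length
    return int.from_bytes(der[2:2 + count], "big"), 2 + count


def check_pem_bundle(pem_text):
    """Return the number of certificates in the bundle; raise ValueError on a defect."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found; the file is not a PEM bundle")
    for n, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:         # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate {n}: payload is not valid base64") from exc
        if len(der) < 2 or der[0] != 0x30:
            raise ValueError(f"certificate {n}: decoded data is not a DER SEQUENCE")
        length, header = _der_length(der)
        if header + length != len(der):
            raise ValueError(f"certificate {n}: DER length field does not match payload")
    return len(blocks)


def pem_bundle_report(pem_text):
    """Human-readable result of check_pem_bundle(), for scripting and logging."""
    try:
        return f"ok: {check_pem_bundle(pem_text)} certificate(s)"
    except ValueError as exc:
        return f"error: {exc}"


def keystore_entries(server_xml):
    """List the top-level <keyStore> elements of server.xml as attribute dicts, in order."""
    return [dict(el.attrib) for el in ET.fromstring(server_xml) if el.tag == "keyStore"]


def add_ldap_keystore(server_xml, install_dir, keystore_name, encoded_password):
    """Return server.xml text with the ldapCustom keyStore inserted after defaultKeyStore.

    ElementTree drops XML comments and the declaration, so keep the backup the
    procedure asks for and diff the result before replacing the live file.
    """
    if not encoded_password.startswith("{aes}"):
        raise ValueError("password must be the {aes}... output of securityUtility encode")
    ks_type = "PKCS12" if keystore_name.endswith(".p12") else "JKS"
    root = ET.fromstring(server_xml)
    children = list(root)
    defaults = [c for c in children if c.tag == "keyStore" and c.get("id") == "defaultKeyStore"]
    if len(defaults) != 1:
        raise ValueError("expected exactly one keyStore with id='defaultKeyStore'")
    if any(c.tag == "keyStore" and c.get("id") == "ldapCustom" for c in children):
        raise ValueError("ldapCustom keyStore already present; edit it instead of adding another")
    location = f"{install_dir}/wlp/usr/servers/server1/resources/security/{keystore_name}"
    entry = ET.Element("keyStore", {"id": "ldapCustom", "location": location,
                                    "password": encoded_password, "type": ks_type})
    root.insert(children.index(defaults[0]) + 1, entry)
    return ET.tostring(root, encoding="unicode")


# Constructed sample data (minimal DER SEQUENCEs, not real certificates; not a real server.xml).
def _pem(der_hex):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(bytes.fromhex(der_hex)).decode() + "\n"
            + "-----END CERTIFICATE-----\n")

SAMPLE_CHAIN = _pem("3006020101020102") + _pem("3003020101")   # two well-formed SEQUENCEs
BAD_BUNDLE = _pem("414243")                                      # "ABC": not a SEQUENCE
SAMPLE_SERVER_XML = """<server description="constructed sample">
  <featureManager><feature>ssl-1.0</feature></featureManager>
  <keyStore id='defaultKeyStore' password='{aes}constructedValue'/>
  <ssl id='defaultSSLConfig' keyStoreRef='defaultKeyStore'/>
</server>"""

if __name__ == "__main__":
    print(pem_bundle_report(SAMPLE_CHAIN))   # ok: 2 certificate(s)
    print(pem_bundle_report(BAD_BUNDLE))     # error: certificate 1: decoded data is not a DER SEQUENCE
    print(add_ldap_keystore(SAMPLE_SERVER_XML, "/opt/ibm/LMT",
                            "ldap_truststore.p12", "{aes}constructedLdapValue"))
```

The script does not replace keytool or securityUtility; it only validates their input and output. The PEM check catches the common mistakes of handing keytool a DER file, a truncated download or a file with Windows line endings, while the server.xml step guards against a plain-text password or a JKS/PKCS12 mismatch, both of which otherwise surface only as an SSL handshake failure in the server logs.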