LDAP and SSL configuration example
Use this end-to-end example to configure Lightweight Directory Access Protocol (LDAP) and Secure Sockets Layer (SSL) for Log Analysis.
The steps here are illustrative and are meant to help you understand how to set up LDAP authentication with SSL. The exact steps that your own implementation requires will differ.
Prerequisites
Ensure that the JAVA_HOME variable is set to /opt/IBM/SCALA/LogAnalysis/ibm-java/jre. For example, to set this variable, enter the following command (no space after the equals sign, otherwise the shell sets an empty variable and tries to run the path as a command):
export JAVA_HOME=/opt/IBM/SCALA/LogAnalysis/ibm-java/jre
Configure the LDAP registry helper properties
Configure the properties of the LDAP registry helper script:
- Edit the <HOME>/IBM/LogAnalysis/utilities/ldapRegistryHelper.properties file.
- Ensure that you do not change the default LDAP type property:
  ldap_type_property=IBM Tivoli Directory Server
- Specify the mandatory connection information:
  ldap_hostname_property=123.example.com
  ldap_port_property=636
  ldap_baseDN_property=o=example.com
- Specify the optional connection properties for the target LDAP server. The following properties are optional. The ldap_bindPassword_property value is later encrypted by the ldapRegistryHelper_config.xml script and the encrypted version is written to the ldapRegistry.xml file. The password is removed automatically from the ldapRegistryHelper.properties file after the ldapRegistryHelper_config.xml script runs. The following example includes some default values:
  ldap_bindDN_property=
  ldap_bindPassword_property=
  ldap_realm_property=LdapRegistryRealm
  ldap_id_property=example
  ldap_ignoreCase_property=true
- Specify the default LDAP filters for each vendor. These filter properties are used by the ldapRegistryHelper_config.xml script. Which set of properties applies is determined by the LDAP type that is specified in the ldap_type_property parameter in step 1. The filters must not contain spaces between their components:
  # IBM Tivoli Directory Server
  ldap_TDS_userFilter_property=(&(emailAddress=%v)(objectclass=person))
  ldap_TDS_groupFilter_property=(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
  ldap_TDS_userIdMap_property=*:emailAddress
  ldap_TDS_groupIdMap_property=*:cn
  ldap_TDS_groupMemberIdMap_property=ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember
Run the LDAP registry helper script
To run the LDAP registry helper script, enter the following command:
<HOME>/IBM/LogAnalysis/utilities/ldapRegistryHelper.sh config
The script generates the ldapRegistry.xml file based on the properties that are specified in the <HOME>/IBM/LogAnalysis/utilities/ldapRegistryHelper.properties file.
Edit the ldapRegistry.xml file
Next, you need to edit the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/ldapRegistry.xml file.
- Edit the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/ldapRegistry.xml file.
- Add the following properties to the ldapRegistry element, so that the registry uses the SSL settings that you define in the server.xml file:
  sslEnabled="true" sslRef="LDAPSSLSettings"
  For example (the & in each filter must be written as &amp; inside an XML attribute value, otherwise the file is not well-formed and the server cannot parse it):
  <server>
    <ldapRegistry host="123.example.com" port="636" baseDN="o=example.com" realm="LdapRegistryRealm" id="example" ignoreCase="true" ldapType="IBM Tivoli Directory Server" sslEnabled="true" sslRef="LDAPSSLSettings">
      <idsFilters userFilter="(&amp;(emailAddress=%v)(objectclass=person))" groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))" userIdMap="*:emailAddress" groupIdMap="*:cn" groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"/>
    </ldapRegistry>
  </server>
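To show how the helper script's property-to-attribute mapping and the hand-added sslEnabled/sslRef attributes fit together, here is an added Python example (not IBM's ldapRegistryHelper script) that generates the ldapRegistry.xml content from the properties shown above. The sample values are constructed from this page, bindDN/bindPassword are left out because the real script writes the password encrypted, and the XML library escapes the & in the filters, which a hand-edited file must also do.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ldapRegistryHelper.properties values shown on this page.
SAMPLE_PROPS = {
    "ldap_type_property": "IBM Tivoli Directory Server",
    "ldap_hostname_property": "123.example.com",
    "ldap_port_property": "636",
    "ldap_baseDN_property": "o=example.com",
    "ldap_realm_property": "LdapRegistryRealm",
    "ldap_id_property": "example",
    "ldap_ignoreCase_property": "true",
    "ldap_TDS_userFilter_property": "(&(emailAddress=%v)(objectclass=person))",
    "ldap_TDS_groupFilter_property": "(&(cn=%v)(|(objectclass=groupOfNames)"
                                     "(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))",
    "ldap_TDS_userIdMap_property": "*:emailAddress",
    "ldap_TDS_groupIdMap_property": "*:cn",
    "ldap_TDS_groupMemberIdMap_property": "ibm-allGroups:member;ibm-allGroups:uniqueMember;"
                                          "groupOfNames:member;groupOfUniqueNames:uniqueMember",
}
# Vendor prefix used in the filter property keys; only the type this page uses is listed.
FILTER_PREFIX = {"IBM Tivoli Directory Server": "TDS"}
FILTER_ATTRS = ("userFilter", "groupFilter", "userIdMap", "groupIdMap", "groupMemberIdMap")


def build_ldap_registry(props, ssl_ref="LDAPSSLSettings"):
    """Serialize the <server> document for ldapRegistry.xml from the properties."""
    # bindDN/bindPassword are omitted: the real helper writes the password encrypted.
    ldap_type = props["ldap_type_property"]
    prefix = FILTER_PREFIX[ldap_type]  # KeyError for an LDAP type not listed above
    server = ET.Element("server")
    registry = ET.SubElement(server, "ldapRegistry", {
        "host": props["ldap_hostname_property"],
        "port": props["ldap_port_property"],
        "baseDN": props["ldap_baseDN_property"],
        "realm": props["ldap_realm_property"],
        "id": props["ldap_id_property"],
        "ignoreCase": props["ldap_ignoreCase_property"],
        "ldapType": ldap_type,
        "sslEnabled": "true",  # the two attributes the page adds by hand
        "sslRef": ssl_ref,
    })
    ET.SubElement(registry, "idsFilters",
                  {attr: props[f"ldap_{prefix}_{attr}_property"] for attr in FILTER_ATTRS})
    return ET.tostring(server, encoding="unicode")  # '&' comes out as '&amp;'


def registry_attributes(xml_text):
    """Parse the document back (fails if not well-formed) and return ldapRegistry's attributes."""
    return dict(ET.fromstring(xml_text).find("ldapRegistry").attrib)
```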
Edit the unityConfig.xml file
Next, you need to add the Log Analysis user information to the LDAP configuration in Log Analysis, by mapping the Log Analysis security roles to the LDAP groups:
- Edit the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/unityConfig.xml file.
- Specify the following attributes:
  <server>
    <application type="war" id="Unity" name="Unity" location="${server.config.dir}/apps/Unity.war">
      <application-bnd>
        <security-role name="UnityUser">
          <group name="UnityUsers" />
          <group name="UnityAdmins" />
          <group name="IGA_SCALA_ADMIN" />
          <group name="IGA_SCALA_USER" />
        </security-role>
        <security-role name="UnityAdmin">
          <group name="UnityAdmins" />
          <group name="IGA_SCALA_ADMIN" />
        </security-role>
      </application-bnd>
    </application>
    <oauth-roles>
      <authenticated>
        <group name="UnityUsers" />
      </authenticated>
    </oauth-roles>
  </server>
Create the JKS keystore
To create the JKS keystore file:
- Go to the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.
- Run the keytool. For example:
  [scala@c25x0012 bin]$ /opt/IBM/SCALA/LogAnalysis/ibm-java/jre/bin/keytool -genkeypair -alias scala -keyalg RSA -keystore LdapSSLKeyStore.jks -keysize 2048 -validity 7300
  Enter keystore password:
  Keystore password is too short - must be at least 6 characters
  Enter keystore password:
  Keystore password is too short - must be at least 6 characters
  Enter keystore password:
  Re-enter new password:
  What is your first and last name?
    [Unknown]:  <SCALA_SERVER_FQDN>
  What is the name of your organizational unit?
    [Unknown]:  IGA
  What is the name of your organization?
    [Unknown]:  IGA
  What is the name of your City or Locality?
    [Unknown]:  US
  What is the name of your State or Province?
    [Unknown]:  US
  What is the two-letter country code for this unit?
    [Unknown]:  US
  Is CN=IGA, OU=IGA, O=IGA, L=US, ST=US, C=US correct? (type "yes" or "no")
    [no]:  yes
  Enter key password for <scala>
    (RETURN if same as keystore password):
Create the JKS truststore
To create the JKS truststore:
- Go to the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.
- Run the keytool. For example:
  [scala@c25x0012 ~]$ /opt/IBM/SCALA/LogAnalysis/ibm-java/jre/bin/keytool -genkeypair -alias scala -keyalg RSA -keystore LdapSSLTrustStore.jks -keysize 2048 -validity 7300
  Enter keystore password:
  Re-enter new password:
  What is your first and last name?
    [Unknown]:  <SCALA_SERVER_FQDN>
  What is the name of your organizational unit?
    [Unknown]:  IGA
  What is the name of your organization?
    [Unknown]:  IGA
  What is the name of your City or Locality?
    [Unknown]:  US
  What is the name of your State or Province?
    [Unknown]:  US
  What is the two-letter country code for this unit?
    [Unknown]:  US
  Is CN=IGA, OU=IGA, O=IGA, L=US, ST=US, C=US correct? (type "yes" or "no")
    [no]:  yes
  Enter key password for <scala>
    (RETURN if same as keystore password):
Add the related LDAP root certificate to the truststore
To add the root certificate to the truststore, run the keytool:
[scala@c25x0012 Unity]$ /opt/IBM/SCALA/LogAnalysis/ibm-java/jre/bin/keytool -import -trustcacerts -alias root -file bluepages.crt -keystore LdapSSLTrustStore.jks
Enter keystore password:
Certificate already exists in system-wide CA keystore
under alias <equifaxsecureca>
Do you still want to add it to your own keystore?
[no]: yes
Certificate was added to keystore
Encode the trust and keystore passwords
- Go to the <HOME>/IBM/LogAnalysis/wlp/bin/ directory.
- Run the security utility tool. For example, the password that is used here, t1v0l1, is the same as the one that was used to create the truststore and keystore in the previous steps:
  [scala@c25x0012 bin]$ ./securityUtility encode t1v0l1
  {xor}K24pbzNu
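As an added illustration (not IBM's securityUtility), the following Python reproduces the {xor} encoding that securityUtility encode prints, so the value above can be checked offline: every byte of the password is XORed with the constant character '_' and the result is base64 encoded. This is obfuscation rather than encryption, which is why the server.xml file that carries the encoded passwords needs the same file permissions as any file holding a plaintext secret.

```python
# Reimplementation of the Liberty {xor} password encoding, added here as an
# example; it is not IBM code.  The scheme: XOR each byte with '_' (0x5F),
# then base64 encode, prefixed with "{xor}".  There is no key, so anyone who
# can read server.xml can recover the password with xor_decode().
import base64

XOR_KEY = 0x5F           # ASCII '_', the constant byte Liberty XORs with
PREFIX = "{xor}"


def xor_encode(plaintext: str) -> str:
    """Return the {xor}... form that `securityUtility encode` prints."""
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return PREFIX + base64.b64encode(raw).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse xor_encode; raise ValueError for values that are not {xor} encoded."""
    if not encoded.startswith(PREFIX):
        raise ValueError("not a {xor} encoded value: " + encoded)
    raw = base64.b64decode(encoded[len(PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def is_reversible_encoding(value: str) -> bool:
    """True when a password attribute uses the keyless {xor} form and so is recoverable."""
    return value.startswith(PREFIX)


if __name__ == "__main__":
    # The value from the securityUtility run in the documentation.
    print(xor_decode("{xor}K24pbzNu"))   # t1v0l1
    print(xor_encode("t1v0l1"))          # {xor}K24pbzNu
```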
Edit the server.xml file
To add the truststore and keystore details to the server.xml file:
- Go to the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.
- Edit the server.xml file.
- Add the security settings before the defaultKeyStore tag, using the encoded password from the previous step. For example:
  <sslDefault sslRef="LDAPSSLSettings" />
  <ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore" />
  <keyStore id="LDAPKeyStore" location="${server.config.dir}/LdapSSLKeyStore.jks" type="JKS" password="{xor}K24pbzNu" />
  <keyStore id="LDAPTrustStore" location="${server.config.dir}/LdapSSLTrustStore.jks" type="JKS" password="{xor}K24pbzNu" />
  <!-- default keystore for certificates. located in <install home>/wlp/usr/servers/Unity/resources/security -->
  <!-- file name is key.jks . If it does not exist at startup it will be automatically created. -->
  <keyStore id="defaultKeyStore" password="{xor}MzA4PjE+MyYrNjws" />
Configure the example data collector application ID
- Go to the <HOME>/IBM/LogAnalysis/UnityEIFReceiver/config/ directory.
- Edit the unity.conf file. Specify the data collector ID and password. For example:
  unity.data.collector.userid=LVH8JF631@nomail.relay.example.com
  unity.data.collector.password=pkhb67dg
  where LVH8JF631@nomail.relay.example.com is the application ID that your manager requested in the DRMS application.
- Go to the <HOME>/IBM/LogAnalysis/utilities/datacollector-client directory.
- Edit the javaDatacollector.properties file, specifying the data collector user ID and password:
  #The user ID to use to access the unity rest service
  userid=LVH8JF631@nomail.relay.example.com
  #The password to use to access the unity rest service
  password=pkhb67dg
Enable the LDAP configuration
To enable the LDAP configuration, go to the <HOME>/IBM/LogAnalysis/utilities directory and run the following command:
ldapRegistryHelper.sh enable
Import certificates from the LDAP keystore in Log Analysis
Finally, you need to import certificates from the LDAP keystore in Log Analysis:
- Export the certificate from LdapSSLKeyStore.jks:
  <HOME>/IBM/LogAnalysis/ibm-java/bin/keytool -exportcert -keystore <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/LdapSSLKeyStore.jks -alias scala -file <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/ldap-clientcert.crt
- Import the ldap-clientcert.crt certificate file into the JRE cacerts truststore. The relative path ../jre/lib/security/cacerts assumes that the command is run from the <HOME>/IBM/LogAnalysis/ibm-java/bin directory:
  <HOME>/IBM/LogAnalysis/ibm-java/bin/keytool -import -file <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/ldap-clientcert.crt -keystore ../jre/lib/security/cacerts -alias scala