LDAP and SSL configuration example

Use this end-to-end example to configure Lightweight Directory Access Protocol (LDAP) authentication over Secure Sockets Layer (SSL) for Log Analysis.

The steps here are an example to help you understand how to set up LDAP authentication with SSL. The exact steps for your own implementation will differ.

Prerequisites

Ensure that the JAVA_HOME variable points to the bundled JRE, /opt/IBM/SCALA/LogAnalysis/ibm-java/jre. For example, to set this variable, enter the following command (no space after the equals sign, otherwise the shell treats the path as a command to run):
export JAVA_HOME=/opt/IBM/SCALA/LogAnalysis/ibm-java/jre

Configure the LDAP registry helper properties

Configure the properties of the LDAP registry helper script:
  1. Edit the <HOME>/IBM/LogAnalysis/utilities/ldapRegistryHelper.properties file.
  2. Ensure that you do not change the default LDAP type property:
    ldap_type_property=IBM Tivoli Directory Server
  3. Specify the mandatory connection information:
    ldap_hostname_property=123.example.com
    ldap_port_property=636
    ldap_baseDN_property=o=example.com
  4. Specify the optional connection properties for the target LDAP server. The ldap_bindPassword_property value is later encrypted by the ldapRegistryHelper_config.xml script and the encrypted version is written to the ldapRegistry.xml file; the plain-text password is automatically removed from the ldapRegistryHelper.properties file after the script runs. The following example includes some default values:
    ldap_bindDN_property=
    ldap_bindPassword_property=
    ldap_realm_property=LdapRegistryRealm
    ldap_id_property=example
    ldap_ignoreCase_property=true
  5. Specify the default LDAP filters for each vendor. These filter properties are used by the ldapRegistryHelper_config.xml script; which set applies is determined by the LDAP type that you specified in the ldap_type_property parameter in step 2.
    # IBM Tivoli Directory Server
    ldap_TDS_userFilter_property=(&(emailAddress=%v)(objectclass=person))
    ldap_TDS_groupFilter_property=(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
    ldap_TDS_userIdMap_property=*:emailAddress
    ldap_TDS_groupIdMap_property=*:cn
    ldap_TDS_groupMemberIdMap_property=ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember

Run the LDAP registry helper script

To run the LDAP registry helper script, enter the following command:
<HOME>/IBM/LogAnalysis/utilities/ldapRegistryHelper.sh config
The script generates the ldapRegistry.xml file based on the properties that are specified in the <HOME>/IBM/LogAnalysis/utilities/ldapRegistryHelper.properties file.

Edit the ldapRegistry.xml file

Next, you need to edit the generated <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/ldapRegistry.xml file to enable SSL.
  1. Edit the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/ldapRegistry.xml file.
  2. Add the following attributes to the ldapRegistry element:
    sslEnabled="true"
    sslRef="LDAPSSLSettings"
    For example:
    <server>
    <ldapRegistry
    host="123.example.com"
    port="636"
    baseDN="o=example.com"
    realm="LdapRegistryRealm"
    id="example"
    ignoreCase="true"
    ldapType="IBM Tivoli Directory Server"
    sslEnabled="true"
    sslRef="LDAPSSLSettings">
    <idsFilters
    userFilter="(&amp;(emailAddress=%v)(objectclass=person))"
    groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
    userIdMap="*:emailAddress"
    groupIdMap="*:cn"
    groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"/>
    </ldapRegistry>
    </server>
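The properties-to-XML step above has one trap when the file is edited by hand: the filters are written with a raw & in ldapRegistryHelper.properties but must be &amp; in ldapRegistry.xml. The following added Python example (not the ldapRegistryHelper script itself; the sample property values are constructed from this page) renders the ldapRegistry element with correct escaping and the sslEnabled/sslRef attributes, and includes a parse check you can run against a hand-edited fragment.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample of this page's ldapRegistryHelper.properties (bind DN and password omitted).
SAMPLE_PROPERTIES = """\
ldap_type_property=IBM Tivoli Directory Server
ldap_hostname_property=123.example.com
ldap_port_property=636
ldap_baseDN_property=o=example.com
ldap_realm_property=LdapRegistryRealm
ldap_id_property=example
ldap_ignoreCase_property=true
ldap_TDS_userFilter_property=(&(emailAddress=%v)(objectclass=person))
ldap_TDS_groupFilter_property=(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
ldap_TDS_userIdMap_property=*:emailAddress
ldap_TDS_groupIdMap_property=*:cn
ldap_TDS_groupMemberIdMap_property=ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember
"""

def parse_properties(text):
    """key=value parser: '#' lines are comments; only the first '=' splits,
    so a value such as o=example.com keeps its own '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def build_ldap_registry(props, ssl_ref="LDAPSSLSettings"):
    """Render <ldapRegistry> with sslEnabled/sslRef added; quoteattr() turns the
    raw '&' of the filters into '&amp;', as in the ldapRegistry.xml above."""
    def p(name):
        return props["ldap_%s_property" % name]
    attrs = [("host", p("hostname")), ("port", p("port")), ("baseDN", p("baseDN")),
             ("realm", p("realm")), ("id", p("id")), ("ignoreCase", p("ignoreCase")),
             ("ldapType", p("type")), ("sslEnabled", "true"), ("sslRef", ssl_ref)]
    filters = [("userFilter", p("TDS_userFilter")), ("groupFilter", p("TDS_groupFilter")),
               ("userIdMap", p("TDS_userIdMap")), ("groupIdMap", p("TDS_groupIdMap")),
               ("groupMemberIdMap", p("TDS_groupMemberIdMap"))]
    def render(pairs):
        return "\n".join("    %s=%s" % (k, quoteattr(v)) for k, v in pairs)
    return "<ldapRegistry\n%s>\n  <idsFilters\n%s/>\n</ldapRegistry>" % (render(attrs), render(filters))

def is_well_formed(xml_text):
    """Parse check for a hand-edited fragment: an unescaped '&' fails here."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False
```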
    

Edit the unityConfig.xml file

Next, you need to add the Log Analysis user information to your LDAP configuration information in Log Analysis:
  1. Edit the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/unityConfig.xml.
  2. Specify the following attributes:
    <server>
    <application type="war" id="Unity" name="Unity"
    location="${server.config.dir}/apps/Unity.war">
    <application-bnd>
    <security-role name="UnityUser">
    <group name="UnityUsers" />
    <group name="UnityAdmins" />
    <group name="IGA_SCALA_ADMIN" />
    <group name="IGA_SCALA_USER" />
    </security-role>
    <security-role name="UnityAdmin">
    <group name="UnityAdmins" />
    <group name="IGA_SCALA_ADMIN" />
    </security-role>
    </application-bnd>
    </application>
    
    <oauth-roles>
    <authenticated>
    <group name="UnityUsers" />
    </authenticated>
    </oauth-roles>
    </server>

Create the JKS keystore

To create the JKS keystore file:
  1. Go to the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.
  2. Run the keytool. For example:
    [scala@c25x0012 bin]$ /opt/IBM/SCALA/LogAnalysis/ibm-java/jre/bin/keytool -genkeypair -alias scala -keyalg RSA -keystore LdapSSLKeyStore.jks -keysize 2048 -validity 7300
    Enter keystore password:
    Keystore password is too short - must be at least 6 characters
    Enter keystore password:
    Keystore password is too short - must be at least 6 characters
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
    [Unknown]: <SCALA_SERVER_FQDN>
    What is the name of your organizational unit?
    [Unknown]: IGA
    What is the name of your organization?
    [Unknown]: IGA
    What is the name of your City or Locality?
    [Unknown]: US
    What is the name of your State or Province?
    [Unknown]: US
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=IGA, OU=IGA, O=IGA, L=US, ST=US, C=US correct? (type "yes" or "no")
    [no]: yes
    
    Enter key password for <scala>:
    (RETURN if same as keystore password):
    
    [unity@nc9042037056 Unity]$ /home/unity/IBM/LogAnalysis/ibm-java/jre/bin/keytool -genkeypair -alias scala -keyalg RSA -keystore LdapSSLKeyStore.jks -keysize 2048 -validity 7300
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
    [Unknown]: nc9042037056.tivlab.raleigh.ibm.com
    What is the name of your organizational unit?
    [Unknown]: IGA
    What is the name of your organization?
    [Unknown]: IGA
    What is the name of your City or Locality?
    [Unknown]: US
    What is the name of your State or Province?
    [Unknown]: US
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=nc9042037056.tivlab.raleigh.ibm.com, OU=IGA, O=IGA, L=US, ST=US, C=US correct? (type "yes" or "no")
    [no]:

Create the JKS truststore

To create the JKS truststore:
  1. Go to the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.
  2. Run the keytool. For example:
    [scala@c25x0012 ~]$ /opt/IBM/SCALA/LogAnalysis/ibm-java/jre/bin/keytool -genkeypair -alias scala -keyalg RSA -keystore LdapSSLTrustStore.jks -keysize 2048 -validity 7300
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
    [Unknown]: <SCALA_SERVER_FQDN>
    What is the name of your organizational unit?
    [Unknown]: IGA
    What is the name of your organization?
    [Unknown]: IGA
    What is the name of your City or Locality?
    [Unknown]: US
    What is the name of your State or Province?
    [Unknown]: US
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=IGA, OU=IGA, O=IGA, L=US, ST=US, C=US correct? (type "yes" or "no")
    [no]: yes
    
    Enter key password for <scala>:
    (RETURN if same as keystore password):

Add the related LDAP root certificate to the truststore

To add the root certificate to the truststore, run keytool. For example:
[scala@c25x0012 Unity]$ /opt/IBM/SCALA/LogAnalysis/ibm-java/jre/bin/keytool -import -trustcacerts -alias root -file bluepages.crt -keystore LdapSSLTrustStore.jks
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <equifaxsecureca>
Do you still want to add it to your own keystore? 
[no]: yes
Certificate was added to keystore

Encode the trust and keystore passwords

  1. Go to the <HOME>/IBM/LogAnalysis/wlp/bin directory.
  2. Run the security utility tool. For example, the password that is encoded here, t1v0l1, is the same one that was used to create the truststore and keystore in the previous steps:
    [scala@c25x0012 bin]$ ./securityUtility encode t1v0l1
    {xor}K24pbzNu
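The {xor} form that securityUtility writes is obfuscation, not encryption: it is the base64 of each password byte XORed with 0x5F, so anyone who can read server.xml can recover the keystore passwords. The following added Python reimplementation (not IBM's tool) reproduces the value above so you can see why read access to server.xml and the keystore files must be restricted to the Log Analysis service account.

```python
import base64

XOR_KEY = 0x5F        # the fixed byte Liberty XORs every password byte with
PREFIX = "{xor}"


def xor_encode(password):
    """Reproduce 'securityUtility encode': XOR each byte with 0x5F, then base64."""
    masked = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return PREFIX + base64.b64encode(masked).decode("ascii")


def xor_decode(encoded):
    """Invert xor_encode: the value in server.xml is only masked, not protected."""
    if not encoded.startswith(PREFIX):
        raise ValueError("not a {xor}-encoded value")
    masked = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in masked).decode("utf-8")


def keystore_password_ok(password, minimum=6):
    """The rule keytool enforces in the transcript above: at least 6 characters."""
    return len(password) >= minimum


if __name__ == "__main__":
    print(xor_encode("t1v0l1"))  # prints the value shown on this page: {xor}K24pbzNu
```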

Edit the server.xml file

To add the trust and keystore details to the server.xml file:
  1. Go to the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.
  2. Edit the server.xml file.
  3. Add the security settings before the defaultKeyStore tag. For example:
    <sslDefault sslRef="LDAPSSLSettings" />

    <ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore" />

    <keyStore id="LDAPKeyStore" location="${server.config.dir}/LdapSSLKeyStore.jks" type="JKS" password="{xor}K24pbzNu" />
    <keyStore id="LDAPTrustStore" location="${server.config.dir}/LdapSSLTrustStore.jks" type="JKS" password="{xor}K24pbzNu" />

    <!-- default keystore for certificates. located in <install home>/wlp/usr/servers/Unity/resources/security -->
    <!-- file name is key.jks . If it does not exist at startup it will be automatically created. -->
    <keyStore id="defaultKeyStore" password="{xor}MzA4PjE+MyYrNjws" />

Configure the example data collector application ID

  1. Go to the <HOME>/IBM/LogAnalysis/UnityEIFReceiver/config/ directory.
  2. Edit the unity.conf file. Specify the data collector ID and password. For example:
    unity.data.collector.userid=LVH8JF631@nomail.relay.example.com
    unity.data.collector.password=pkhb67dg
    where LVH8JF631@nomail.relay.example.com is the application ID that your manager requested in the DRMS application.
  3. Go to the <HOME>/IBM/LogAnalysis/utilities/datacollector-client directory.
  4. Edit the javaDatacollector.properties file, specifying the data collector user ID and password:
    #The user ID to use to access the unity rest service
    userid=LVH8JF631@nomail.relay.example.com
    #The password to use to access the unity rest service
    password=pkhb67dg

Enable the LDAP configuration

To enable the LDAP configuration, go to the <HOME>/IBM/LogAnalysis/utilities directory and run the following command:
ldapRegistryHelper.sh enable

Import certificates from the LDAP keystore in Log Analysis

Finally, you need to import the certificate from the LDAP keystore into the Log Analysis JRE truststore.
  1. Export the certificate from LdapSSLKeyStore.jks:
    <HOME>/IBM/LogAnalysis/ibm-java/bin/keytool -exportcert -keystore <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/LdapSSLKeyStore.jks -alias scala -file <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/ldap-clientcert.crt
  2. Import the ldap-clientcert.crt certificate file into the JRE cacerts truststore:
    <HOME>/IBM/LogAnalysis/ibm-java/bin/keytool -import -file <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/ldap-clientcert.crt -keystore ../jre/lib/security/cacerts -alias scala