Enabling SSL for a corporate LDAP directory server does not require that you enable SSL for communications with the Master Data Engine.
About this task
These instructions describe the configuration of one-way SSL between your corporate LDAP server and the Master Data Engine.
Enabling SSL communications for LDAP directory servers that support encryption requires that you configure values within the com.initiate.server.ldap.cfg and com.initiate.server.system.cfg files.
You can use these instructions to configure SSL for a corporate LDAP server regardless of whether SSL is configured for the Master Data Engine. If you enable SSL for the Master Data Engine after you have enabled SSL for your corporate LDAP directory server, you do not need to repeat the process of enabling SSL for the corporate LDAP directory server. Instead, add the corporate LDAP certificate to the truststore used by the Master Data Engine.
SSL communication also requires that you specify a truststore file. The Master Data Engine provides a default truststore (ibmcorporationtrust.jks), but you can generate your own with the Java™ keytool utility. When generating a new truststore, the certificate can be self-signed, though it is suggested that you use a certificate from a trusted certificate authority (CA). The certificate is used for the handshake between your corporate LDAP server and the Master Data Engine.
- If you have not already done so, set the external.ldap.ssl.enabled property to "true" within the com.initiate.server.ldap.cfg file.
- Also within the com.initiate.server.ldap.cfg file, change the value of external.ldap.port.1 from "389" to the port that your environment uses for encrypted LDAP. The default port for LDAP is 389; encrypted LDAP typically uses port 636.
- If you do not want to use the default ibmcorporationtrust.jks as the truststore, create a truststore file with keytool. Keytool is the Java key and certificate management utility. Use the -import command to add your corporate LDAP server's certificate to the truststore. For complete information about the keytool utility, see the documentation at http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html.
After you have generated the truststore file, copy it to the MAD_HOMEDIR\inst\mpinet_name\conf directory, where MAD_HOMEDIR is the full path to the directory created for the associated runtime instances (for example, prod or qa), and name is the engine instance name.
- Edit the com.initiate.server.system.cfg file within the MAD_HOMEDIR\inst\mpinet_name\conf directory and set the following properties:
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.trustStoreType
If you are using the default truststore, ibmcorporationtrust.jks,
set the values to:
javax.net.ssl.trustStore=${mad.root.dir}/conf/ibmcorporationtrust.jks
javax.net.ssl.trustStorePassword=rmi+ssl
javax.net.ssl.trustStoreType=JKS
If you are using a new truststore, set the properties to the values you provided to the keytool utility. In addition to the trustStore properties, the com.initiate.server.system.cfg file contains keyStore properties. Those properties are not required for this configuration.
- Restart the Master Data Engine server so that it reads the new values in the com.initiate.server.ldap.cfg and com.initiate.server.system.cfg files.
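The following script is an added example and is not part of the IBM documentation or the Master Data Engine product. It checks, before the restart in the last step, that the two .cfg files are consistent with the procedure above: SSL is enabled, no server slot still points at the plain LDAP port 389, the three javax.net.ssl.trustStore* properties are present, and the truststore path resolves to a file. The sample file contents, the mad_root_dir value /opt/mad/inst/mpinet_prod, and the assumption that ${mad.root.dir} resolves to MAD_HOMEDIR\inst\mpinet_name are constructed for the example.

```python
"""Consistency check for the LDAP-over-SSL settings configured in the steps above.

Added example (not from the IBM documentation): it parses the two .cfg files,
which use Java properties syntax, and reports settings that would leave the
LDAP bind unencrypted or make the TLS handshake fail at startup.
Assumption: ${mad.root.dir} resolves to MAD_HOMEDIR\\inst\\mpinet_name.
"""
import os
import re
from typing import Dict, List

# Constructed sample of com.initiate.server.ldap.cfg after the first two steps.
LDAP_CFG = """\
# com.initiate.server.ldap.cfg (constructed sample)
external.ldap.ssl.enabled=true
external.ldap.port.1=636
"""

# Constructed sample of com.initiate.server.system.cfg using the default truststore.
SYSTEM_CFG = """\
# com.initiate.server.system.cfg (constructed sample)
javax.net.ssl.trustStore=${mad.root.dir}/conf/ibmcorporationtrust.jks
javax.net.ssl.trustStorePassword=rmi+ssl
javax.net.ssl.trustStoreType=JKS
"""

_KEY_VALUE = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)$")
_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' and '!' comment lines and blank lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _KEY_VALUE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def expand(value: str, variables: Dict[str, str]) -> str:
    """Substitute ${name} references such as ${mad.root.dir}; unknown names are left as-is."""
    return _VARIABLE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)


def check_ldap_ssl(ldap: Dict[str, str], system: Dict[str, str],
                   mad_root_dir: str, check_files: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    findings: List[str] = []

    if ldap.get("external.ldap.ssl.enabled", "").strip().lower() != "true":
        findings.append("external.ldap.ssl.enabled is not true: LDAP traffic, "
                        "including bind credentials, is sent in clear text")

    # Every configured server slot (external.ldap.port.N) must use the encrypted port.
    for key in sorted(k for k in ldap if k.startswith("external.ldap.port.")):
        if ldap[key].strip() == "389":
            findings.append(f"{key}=389 is the plain LDAP port; encrypted LDAP typically uses 636")

    for key in ("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword",
                "javax.net.ssl.trustStoreType"):
        if not system.get(key):
            findings.append(f"{key} is missing or empty in com.initiate.server.system.cfg")

    # Resolve ${mad.root.dir} (assumed to be MAD_HOMEDIR\inst\mpinet_name) to a real path.
    store = expand(system.get("javax.net.ssl.trustStore", ""), {"mad.root.dir": mad_root_dir})
    if "${" in store:
        findings.append(f"unresolved variable in javax.net.ssl.trustStore: {store}")
    elif check_files and store and not os.path.isfile(store):
        findings.append(f"truststore not found at {store}; copy it to the conf directory")

    # A .jks file declared with another store type will fail to load at startup.
    store_type = system.get("javax.net.ssl.trustStoreType", "")
    if store.lower().endswith(".jks") and store_type and store_type.upper() != "JKS":
        findings.append(f"javax.net.ssl.trustStoreType={store_type} does not match the .jks truststore")

    return findings


def run_demo() -> List[str]:
    """Check the constructed samples; check_files=False so no real files are required."""
    return check_ldap_ssl(parse_properties(LDAP_CFG), parse_properties(SYSTEM_CFG),
                          mad_root_dir="/opt/mad/inst/mpinet_prod", check_files=False)


if __name__ == "__main__":
    for finding in run_demo() or ["OK: LDAP SSL settings are consistent"]:
        print(finding)
```

To check a live installation, read the two files from MAD_HOMEDIR\inst\mpinet_name\conf, pass their contents to parse_properties, and call check_ldap_ssl with check_files left at its default so the truststore path is verified on disk; the port check deliberately reports 389 for every external.ldap.port.N slot, since a second LDAP server left on the plain port would still bind in clear text.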