Topic
  • 1 reply
  • Latest Post - 2013-07-25T14:41:07Z by claudef
claudef

LDAP SSL Signer Info / How to Download and Install a Key under Liberty?

2013-07-24T18:13:24Z

Dear colleagues, 

Could you please clarify how to download and install the SSL certificate for LDAP servers, for example IBM Bluepages, using the WAS Liberty profile? This function was previously part of the wsadmin console and the command "retrieve signer information".

Is this task covered by a utility, or by a manual Java keytool command executed under the folder ./wlp/usr/servers/defaultServer?

Please explain how to configure the KeyStore and TrustStore.

Thanks for feedback.


  • claudef

    Re: LDAP SSL Signer Info / How to Download and Install a Key under Liberty?

    2013-07-25T14:41:07Z

    Below is my solution to define SSL security in WAS 8.5.5 Liberty (without using the WSADMIN tool wizards that were part of WAS 7). The section below shows the commands to create the key and trust stores to set up SSL security for LDAP authentication using imported certificates, without support of the WAS WSADMIN tools, using standard Java command line commands:

    To generate the XOR-protected keystore/truststore password:

    /opt/liberty/wlp/bin/securityUtility encrypt my_password

    At the WAS Liberty install directory, run the following commands to create the keystore and truststore (the keytool command is part of the Java JRE Version 6):

    cd /opt/liberty/wlp/usr/servers/defaultServer    (might be different according to the WAS product installation directory chosen at install)

    Commands to generate the key and trust store:

    The trust store is used to record the trusted partner servers (like LDAP); the key store is used for our own server identity.


    keytool -genkeypair -alias certificatekey -keyalg RSA -validity 7 -keystore LdapSSLKeyStore.jks

    keytool -list -v -keystore LdapSSLKeyStore.jks

    keytool -export -alias certificatekey -keystore LdapSSLKeyStore.jks -rfc -file selfsignedcert.cer

    keytool -import -alias certificatekey -file selfsignedcert.cer -keystore LdapSSLTrustStore.jks

    keytool -list -v -keystore LdapSSLTrustStore.jks

    (each command prompts: Enter keystore password:)

    Download a copy of the certificate from the LDAP server https://your_ldap_server/xxxxxx.com:xxx using the browser and save it as a file named trusted.cer:

    . click the "lock" icon in front of the browser's URL
    . more information
    . view certificate
    . details
    . export
    . save the certificate as an exported file named trusted.cer

    Import the "ldap_server" server's certificate into the TrustStore (external servers directory):

    keytool -import -alias ldap_server -file trusted.cer -keystore LdapSSLTrustStore.jks

    Now correct the server setup using the following configuration in the file server.xml:


    <server description="new server">

        <!-- Enable features -->
        <featureManager>
            <feature>jsp-2.2</feature>
            <feature>localConnector-1.0</feature>
            <feature>appSecurity-2.0</feature>
            <feature>ldapRegistry-3.0</feature>
            <feature>ssl-1.0</feature>
        </featureManager>

        <httpEndpoint host="*" httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint" />

        <!-- Key store for the HTTPS endpoint; superseded by sslDefault below -->
        <keyStore id="defaultKeyStore" password="{xor}xxxxxxxxxxxx" />

        <applicationMonitor updateTrigger="mbean"/>

        <application id="project_name"
                     location="project_name.war" name="project_name"
                     type="war">
            <application-bnd>
                <security-role name="AllAuthenticated" id="AllAuthenticated">
                    <special-subject type="ALL_AUTHENTICATED_USERS" />
                </security-role>
            </application-bnd>
        </application>

        <!-- LDAP user registry; sslRef points at the SSL configuration defined below -->
        <ldapRegistry id="ldap" realm="LDAPPages" ignoreCase="true"
                      host="ldap_server.xxxxxx.com" port="xxx"
                      baseDN="ou=ldapservice,o=xxxxxx.com"
                      ldapType="IBM Tivoli Directory Server"
                      sslEnabled="true" sslRef="LDAPSSLSettings">
            <idsFilters
                userFilter="(&amp;(emailAddress=%v)(objectclass=xxxxxxPerson))"
                groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
                userIdMap="*:emailAddress"
                groupIdMap="*:cn"
                groupMemberIdMap="mycompany-allGroups:member;mycompany-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"/>
        </ldapRegistry>

        <!-- sslDefault makes LDAPSSLSettings the server-wide SSL configuration, so the
             HTTPS endpoint also presents the key held in LDAPKeyStore -->
        <sslDefault sslRef="LDAPSSLSettings" />
        <ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore" />

        <!-- Key store: this server's own identity (alias certificatekey) -->
        <keyStore id="LDAPKeyStore" location="${server.config.dir}/LdapSSLKeyStore.jks"
                  type="JKS" password="{xor}xxxxxxxxxx" />

        <!-- Trust store: the imported LDAP server certificate (alias ldap_server) -->
        <keyStore id="LDAPTrustStore" location="${server.config.dir}/LdapSSLTrustStore.jks"
                  type="JKS" password="{xor}xxxxxxxxxx" />

    </server>
     

    Hope this is helpful for setup of a secure SSL based LDAP lookup and authentication process.

    According to the LDAP server's characteristics, some adjustment at the LDAP filter level is required.
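The browser steps in the post (lock icon, view certificate, export, save as trusted.cer) are the manual stand-in for what wsadmin's "retrieve signer information" did. The script below is an added example, not code from the forum post or from IBM's tooling: it connects to the LDAP server over TLS, prints the certificate's SHA-256 and SHA-1 fingerprints in the same colon-separated form that `keytool -list -v` prints so they can be confirmed with the LDAP administrator, saves the PEM as trusted.cer, and optionally runs the same `keytool -import` command as the post. It assumes the host and port are given on the command line, that the server speaks TLS from the first byte (LDAPS, typically port 636, not STARTTLS on 389), and that keytool is on the PATH when `--import` is used. `SAMPLE_DER` is a constructed byte string used only to exercise the PEM/DER helpers offline.

```python
"""Fetch the signer certificate an LDAP server presents over TLS, show its fingerprints,
save it as PEM for keytool, and optionally import it into the Liberty truststore.
Added example; assumes LDAPS (TLS from the first byte) and keytool on PATH for --import."""
import hashlib
import ssl
import subprocess
import sys

# Constructed sample: arbitrary DER-style bytes used only to test the PEM/DER helpers offline.
# It is not a real certificate.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])


def fetch_server_cert_pem(host: str, port: int) -> str:
    """Open a TLS connection and return the leaf certificate the server presents, PEM-encoded.

    No verification happens here because trust is being bootstrapped; the fingerprint must be
    confirmed out of band before the certificate goes into the truststore."""
    return ssl.get_server_certificate((host, port))


def der_to_pem(der: bytes) -> str:
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem: str) -> bytes:
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Digest of the DER bytes in keytool's colon-separated uppercase form
    (what `keytool -list -v` prints after SHA256: / SHA1:), so the two can be compared by eye."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def keytool_import_cmd(alias: str, cert_file: str, keystore: str) -> list:
    """argv for the import step from the post; keytool prompts for the keystore password and
    asks 'Trust this certificate?', which is the point where the fingerprint is checked."""
    return ["keytool", "-import", "-alias", alias, "-file", cert_file, "-keystore", keystore]


def save_pem(pem: str, path: str) -> None:
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem)


def main(argv: list) -> int:
    if len(argv) < 3:
        print("usage: fetch_signer.py HOST PORT [OUTFILE] [--import KEYSTORE]", file=sys.stderr)
        return 2
    host, port = argv[1], int(argv[2])
    outfile = argv[3] if len(argv) > 3 and not argv[3].startswith("--") else "trusted.cer"
    pem = fetch_server_cert_pem(host, port)
    der = pem_to_der(pem)
    print(f"Certificate from {host}:{port} ({len(der)} bytes DER)")
    print("SHA256:", fingerprint(der, "sha256"))
    print("SHA1:  ", fingerprint(der, "sha1"))
    save_pem(pem, outfile)
    print("saved to", outfile)
    if "--import" in argv:
        pos = argv.index("--import") + 1
        if pos >= len(argv):
            print("--import needs a keystore path", file=sys.stderr)
            return 2
        # Interactive: keytool asks for the password and for confirmation of the fingerprint.
        return subprocess.run(keytool_import_cmd("ldap_server", outfile, argv[pos])).returncode
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Typical use is `python fetch_signer.py ldap_server.xxxxxx.com 636 trusted.cer --import LdapSSLTrustStore.jks` from the defaultServer directory; the fingerprint printed before the import is the value to compare against what the LDAP administrator publishes, since the connection itself is unverified by design.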