Topic
  • 1 reply
  • Latest Post - 2014-08-28T14:44:56Z by FrankBrandt
AbhiSri

Pinned topic itim to ad integration over SSL issue

2014-08-26T12:27:52Z
Hi,
 
I am trying to integrate ITIM with AD in secure mode, i.e. over SSL. As per the IBM docs I have done the following configuration:
 
1. Changed the AD Adapter > DAML protocol > use_SSL value from FALSE to TRUE.
 
2. The port is still the same, i.e. 45580.
 
3. Currently using a self-signed certificate on both servers: I generated the self-signed certificate on the AD Domain Controller (the AD adapter is installed on the Domain Controller itself) and imported it into the ITIM server, then exported the certificate from the ITIM server (using the iKeyman utility), imported it into the Domain Controller and registered it using the certMgr utility.
 
4. Added the certificate to WAS_HOME\java\jre\lib\security\cacerts and set the following four properties in WAS: javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword, javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword, and then restarted WAS (non-clustered, i.e. a single server).
 
Now, when I try to create an AD service with the URL https://<AD DC>:45580 and pass the IP and password, it shows the error "unable to connect". Even telnet from the ITIM server and from the AD Domain Controller itself (i.e. localhost) is not able to connect when USE_SSL is TRUE.
 
When I change the USE_SSL parameter from TRUE to FALSE, i.e. non-SSL mode, the AD connection is successful with the URL http://<AD DC>:45580, and telnet is successful on the same port.
 
Please help me here. Have I done anything wrong in the configuration, or have I missed something?
 
Many thanks in advance...
 
  • FrankBrandt

    Re: itim to ad integration over SSL issue

    2014-08-28T14:44:56Z

    Hi,

    the certificate for the adapter does not use the Windows certificate store; the adapter brings its own tool, CertTool.exe, in the bin directory of the adapter. Check the adapter PDFs for how to use the tool. If you use Windows 2008+, make sure you start the cmd from which you call CertTool.exe as Administrator.

    The rest of your steps look OK, but at least with a properly signed certificate you don't need to set the javax.net.ssl.* settings. Adding the CA certificate, or in your case the self-signed certificate, to the WebSphere Java cacerts file is enough.

    Best Regards,

    Frank
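
The thread turns on telling three failures apart that the ITIM console reports identically as "unable to connect": the adapter's SSL listener never started (TCP refused, which matches the telnet symptom above and the CertTool.exe point in the reply), the port still answers plain HTTP because USE_SSL is effectively FALSE, and a TLS handshake that works but presents a certificate the truststore (the WebSphere cacerts file) does not trust. The following is an added example, not code from either poster or from the IBM adapter: a small Python probe that classifies an endpoint into those outcomes. The `<AD DC>` host and the `adapter-ca.pem` truststore path are placeholders; the two loopback listeners at the bottom are constructed stand-ins so the script runs offline.

```python
import socket
import ssl
import threading

# Outcomes worth distinguishing when the console only says "unable to connect".
REFUSED, TIMEOUT, NOT_TLS, UNTRUSTED, OK = "refused", "timeout", "not_tls", "untrusted", "ok"


def diagnose_tls_endpoint(host, port, cafile=None, timeout=5.0):
    """Classify how host:port answers a TLS client.

    REFUSED   - nothing is listening (e.g. the adapter's SSL listener never started)
    TIMEOUT   - no answer at all within `timeout` (firewall, or a listener that never replies)
    NOT_TLS   - something answers, but not with a TLS handshake (plain HTTP on the port)
    UNTRUSTED - the handshake completes, but the server certificate does not chain to
                `cafile` (or to the platform store when cafile is None)
    OK        - TLS established and the certificate is trusted
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return REFUSED
    except OSError:  # socket.timeout and unreachable-network errors land here
        return TIMEOUT

    ctx = ssl.create_default_context(cafile=cafile)
    # Self-signed adapter certificates rarely carry the host name, so only the
    # chain is verified here; hostname matching is a separate, stricter check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED

    try:
        # wrap_socket runs the handshake immediately because `raw` is already connected.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.getpeercert()  # handshake completed and the peer chain was accepted
            return OK
    except ssl.SSLCertVerificationError:  # must precede the generic SSLError clause
        return UNTRUSTED
    except ssl.SSLError:  # e.g. "wrong version number": the peer did not speak TLS
        return NOT_TLS
    except OSError:  # timeout or reset inside the handshake
        return TIMEOUT
    finally:
        raw.close()


def free_closed_port():
    """Constructed: a loopback port with nothing listening, to show the REFUSED outcome."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_plain_http_listener():
    """Constructed stand-in for an adapter still running with USE_SSL=FALSE: accepts one
    connection, reads the client's opening bytes and answers in plain HTTP."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5.0)
        try:
            conn.recv(4096)  # the TLS ClientHello, which a plain-HTTP server cannot parse
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            conn.recv(1)  # wait for the client to hang up so the close is graceful
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print("closed port   ->", diagnose_tls_endpoint("127.0.0.1", free_closed_port()))
    print("plain-HTTP    ->", diagnose_tls_endpoint("127.0.0.1", start_plain_http_listener()))
    # Against the real adapter, after exporting its certificate with CertTool and
    # saving it as PEM (both host and path are placeholders):
    # print(diagnose_tls_endpoint("<AD DC>", 45580, cafile="adapter-ca.pem"))
```

Run against the adapter host on port 45580: `refused` points at the listener itself (the certificate was never registered with CertTool, so the SSL listener did not come up), `not_tls` means the adapter is still serving plain DAML, and `untrusted` means the transport is fine and only the WebSphere cacerts import is missing. Only `ok` should be accepted as a working configuration; relaxing `verify_mode` to make the probe pass would hide exactly the trust failure the thread is about.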