Running the LDAP configuration scripts

Run the LDAP configuration scripts to easily integrate IBM Security Key Lifecycle Manager with LDAP for configuring IBM Security Key Lifecycle Manager users in any of the LDAP repositories, such as IBM Security Directory Server or Microsoft Active Directory.

Procedure

  1. In the config.py properties file, update the ip, port, LDAP_server_type, and other properties for your environment.
    For the description of properties in the config.py file, see LDAP integration by using configuration scripts.
    Windows
    SKLM_INSTALL_HOME\bin\LDAPIntegration\config.py
    C:\Program Files\IBM\SKLMV301\bin\LDAPIntegration\config.py
    Linux
    SKLM_INSTALL_HOME/bin/LDAPIntegration/config.py
    /opt/IBM/SKLMV301/bin/LDAPIntegration/config.py
    Note: To run the scripts with default configuration, you just need to set the ip and port properties.
  2. Create the database for LDAP configuration.
    1. Open the DB2 command window.
    2. Run the following command to create the database.
      db2 create database USERDB31 using codeset UTF-8 territory US
  3. Update the data source from the WebSphere Integrated Solutions Console with jndi name jdbc/wimXADS. For the instructions, see Updating a data source from WebSphere Integrated Solutions Console.
  4. Create database-based repository to hold all the IBM Security Key Lifecycle Manager application groups.
    1. Go to the <WAS_HOME>\bin folder.
      Windows
      C:\Program Files\IBM\WebSphere\AppServer\bin
      Linux
      /opt/IBM/WebSphere/AppServer/bin
    2. Open a command prompt and run the following commands.
      wsadmin.bat -user <wasadmin user> -password <wasadmin passwd> -lang jython -f <SKLM_INSTALL_HOME>\bin\LDAPIntegration\createDBRepos.py <WAS_HOME> <LDAP_DBNAME> <SKLM_DBUSER> <SKLM_DBUSERPASSWD> <SKLM_DBPORT#>
      Notes: On Linux platforms, use wsadmin.sh instead of wsadmin.bat.
      During IBM Security Key Lifecycle Manager installation, if you use the defaults,
      LDAP_DBNAME = USERDB31
      SKLM_DBUSER = sklmdb31
      SKLM_DBPORT# = 50050
      SKLM_DBUSERPASSWD is the IBM Security Key Lifecycle Manager database password that you specified during the installation.
  5. Run the configuration scripts sklmLDAPConfigure and addLDAPUserToGroup.
    Windows
    Go to the SKLM_INSTALL_HOME\bin\LDAPIntegration directory and run the following scripts:
    • Run sklmLDAPConfigure.bat by using the following command:
      sklmLDAPConfigure.bat WAS_HOME SKLM_INSTALL_HOME WAS_ADMIN WASAdmin_PASSWORD SKLM_ADMIN SKLM_ADMIN_PASS DB2_install_directory

      For example:

      sklmLDAPConfigure.bat "c:\Program Files\IBM\WebSphere\AppServer" "c:\Program Files\IBM\SKLMV31" wasadmin WAS@admin123 sklmadmin SKLM@admin123 "c:\Program Files\IBM\DB2SKLMV31"
    • Run addLDAPUserToGroup.py by using the following command:
      wsadmin.bat -user WAS_ADMIN -password WASAdmin_PASSWORD -lang jython -f addLDAPUserToGroup.py USER_UNIQUE_NAME GROUP_NAME

      For an LDAP user who needs IBM Security Guardium Key Lifecycle Manager admin access, the user must be added to the klmGUICLIAccessGroup and klmSecurityOfficerGroup.

      To add an LDAP user to the klmGUICLIAccessGroup, run the following command:

      wsadmin.bat -username wasadmin -password WAS@admin123 -lang jython -f addLDAPUserToGroup.py "CN=I743703,OU='Org-Sales',OU='Org-Finance',DC=NAEAST,DC=AD,DC=abc,DC=com" klmGUICLIAccessGroup

      To add an LDAP user to the klmSecurityOfficerGroup, run the following command:

      wsadmin.bat -username wasadmin -password WAS@admin123 -lang jython -f addLDAPUserToGroup.py "CN=I743703,OU='Org-Sales',OU='Org-Finance',DC=NAEAST,DC=AD,DC=abc,DC=com" klmSecurityOfficerGroup
    Note: In USER_UNIQUE_NAME, if the values for OU and DC contain a space or a hyphen, enclose them in single quotes. For example, "CN=I743703,OU='Sales & Marketing',OU='SUPPLY-CHAIN',DC=NAEAST,DC=AD,DC=abc,DC=com".
    Linux®
    Go to the SKLM_INSTALL_HOME/bin/LDAPIntegration directory and run the following scripts:
    • Run sklmLDAPConfigure.sh by using the following command:
      sklmLDAPConfigure.sh WAS_HOME SKLM_INSTALL_HOME WAS_ADMIN WASAdmin_PASSWORD SKLM_ADMIN SKLM_ADMIN_PASS DB2_install_directory
      For example:

      sklmLDAPConfigure.sh "/opt/IBM/WebSphere/AppServer" "/opt/IBM/SKLMV31" wasadmin WAS@admin123 sklmadmin SKLM@admin123 "/opt/IBM/DB2SKLMV41"
    • Run addLDAPUserToGroup.py by using the following command:
      wsadmin.sh -user WAS_ADMIN -password WASAdmin_PASSWORD -lang jython -f addLDAPUserToGroup.py USER_UNIQUE_NAME GROUP_NAME

      For an LDAP user who needs IBM Security Guardium Key Lifecycle Manager admin access, the user must be added to the klmGUICLIAccessGroup and klmSecurityOfficerGroup.

      To add an LDAP user to the klmGUICLIAccessGroup, run the following command:

      wsadmin.sh -username wasadmin -password WAS@admin123 -lang jython -f addLDAPUserToGroup.py "CN=I743703,OU='Org-Sales',OU='Org-Finance',DC=NAEAST,DC=AD,DC=abc,DC=com" klmGUICLIAccessGroup

      To add an LDAP user to the klmSecurityOfficerGroup, run the following command:

      wsadmin.sh -username wasadmin -password WAS@admin123 -lang jython -f addLDAPUserToGroup.py "CN=I743703,OU='Org-Sales',OU='Org-Finance',DC=NAEAST,DC=AD,DC=abc,DC=com" klmSecurityOfficerGroup
    Note: In USER_UNIQUE_NAME, if the values for OU and DC contain a space or a hyphen, enclose them in single quotes. For example, "CN=I743703,OU='Sales & Marketing',OU='SUPPLY-CHAIN',DC=NAEAST,DC=AD,DC=abc,DC=com".
    WAS_HOME
    The directory where WebSphere® Application Server for IBM Security Key Lifecycle Manager is installed.
    Windows
    drive:\Program Files\IBM\WebSphere\AppServer
    Linux
    path/IBM/WebSphere/AppServer
    SKLM_INSTALL_HOME
    The directory where IBM Security Key Lifecycle Manager is installed.
    Windows
    drive:\Program Files\IBM\SKLMV301
    Linux
    path/IBM/SKLMV301
    WAS_ADMIN
    User name of WebSphere Application Server for IBM Security Key Lifecycle Manager.
    WAS_PASS
    Password of WebSphere Application Server for IBM Security Key Lifecycle Manager.
    USER_UNIQUE_NAME
    The LDAP user for whom you want to assign IBM Security Key Lifecycle Manager administrator role.
    SKLM_ADMIN
    Administrator for IBM Security Key Lifecycle Manager.
    SKLM_ADMIN_PASS
    Password for IBM Security Key Lifecycle Manager administrator.
    DB2_install_directory
    The directory where DB2 is installed.
    Windows
    drive:\Program Files\IBM\DB2SKLMV301
    Linux
    path/IBM/DB2SKLMV301
    For a non-root installation on Linux, the path is: <non_root_user_home_directory>/sqllib

What to do next

After the LDAP configuration, you must run the subsequent tasks. For the details, see Post-LDAP configuration tasks to support LDAP integration.
Table 1. Topic change log
Date         Change description
30 Nov 2021  Added a sentence saying that the LDAP user needs to be added to the klmGUICLIAccessGroup and klmSecurityOfficerGroup for admin access.
09 Nov 2021  Corrected the commands for running the addLDAPUserToGroup script.
13 Dec 2018  Initial version.