Securing communications between Process Federation Server and LDAP

Draft comment:
This topic only applies to BAW, and is located in the BAW repository. Last updated on 2025-03-13 12:15
Enable communication with an SSL-enabled Lightweight Directory Access Protocol (LDAP) server.

About this task

You can secure communications with an LDAP server by configuring the Secured Sockets Layer (SSL) protocol. The SSL signer certificate must be added to a truststore on Process Federation Server. You can use a dedicated truststore for the LDAP server, instead of reusing the Process Federation Server default truststore.

To manage the LDAP truststore, use your JVM’s keytool utility, or the IBM® HTTP Server IKEYMAN utility.

Procedure

  1. Create a new truststore or reuse the Process Federation Server default truststore and import the signer certificate for the LDAP server.
  2. Enable communication with an SSL-enabled LDAP server:
    1. Open the server.xml configuration file for editing.
      By default, the configuration file is in the pfs_install_root/usr/servers/server_name directory on Process Federation Server.
    2. Configure the keystore and ssl elements to refer to the truststore:
      <ssl id="LDAPSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="LDAPTrustStore" />
      
      ...
      <keyStore id="LDAPTrustStore" 
        location="pfs_install_root/usr/servers/server_name/LdapSSLKeyStore.jks"
                type="JKS" 
        password="password" />
      
    3. Enable SSL on the ldapRegistry element, and refer to the ssl configuration element:
      <ldapRegistry ...
                    ...
                    sslEnabled="true" 
                    sslRef="LDAPSSLSettings">
                    ... 
        <ldapRegistry/>