Configuring LDAP security option properties

If you installed Access Server in any LDAP mode or installed Management Console with the LDAP Embedded Access Server option, you must configure the ldap.properties file with your LDAP directory connection information as described in Configuring LDAP directory connection properties.

About this task

Some of these properties control the security configuration and must be compatible with the configuration of the LDAP directory. Several options are supported.

An SSL-enabled server often supports SSL in two ways. In the most basic way, the server supports SSL ports in addition to normal (unprotected) ports. The SSL parameter must be set to true or false accordingly: if an SSL port is used for the connection, set SSL=true; if an unprotected port is used, set SSL=false.

The other way in which a server supports SSL is via the Start TLS extension, which upgrades a connection on an unprotected port to an encrypted one. The configuration must also reflect whether the TLS extension is used by setting the useTLS parameter to the appropriate true or false value, for example useTLS=false.

One common practice is to use self-signed certificates. Doing so requires additional steps to register the self-signed certificate with the JRE that Access Server and/or Management Console use.
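The two properties above select one of the connection modes the directory supports, and a mismatch between them and the port in use is a common reason a bind fails, or silently runs unencrypted. The following added example (not part of the IBM documentation) reads the SSL and useTLS values from an ldap.properties file with a small java.util.Properties-style parser and reports which mode they select; the sample file contents are constructed, and the property names are the two named in this topic.

```python
"""Sanity-check the SSL / useTLS combination in an ldap.properties file.

Added example, not part of the IBM documentation. Reads the two security
properties described in this topic and reports which connection mode they
select, flagging the combination a directory will not accept (both set) and
the one that leaves bind credentials unprotected (neither set).
"""
import re

# Constructed sample, not a file taken from a real installation.
SAMPLE_PROPERTIES = """\
# LDAP directory connection (constructed example values)
SSL=true
useTLS=false
"""

# Simplified java.util.Properties line: key, optional '=' or ':' separator, value.
_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal .properties reader: skips blank lines and '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def as_bool(value):
    """The two properties accept only the literal strings true and false."""
    lowered = value.strip().lower()
    if lowered not in ("true", "false"):
        raise ValueError("expected true or false, got %r" % value)
    return lowered == "true"


def classify_security(props):
    """Return (mode, warnings) for the SSL/useTLS combination in props."""
    ssl = as_bool(props.get("SSL", "false"))
    use_tls = as_bool(props.get("useTLS", "false"))
    warnings = []
    if ssl and use_tls:
        # Start TLS upgrades a plaintext connection; on an SSL port there is
        # nothing to upgrade, so a directory rejects the extended operation.
        mode = "inconsistent"
        warnings.append("SSL=true with useTLS=true: choose either the SSL port "
                        "or Start TLS on the unprotected port, not both")
    elif ssl:
        mode = "ssl-port"
    elif use_tls:
        mode = "starttls"
    else:
        mode = "plaintext"
        warnings.append("SSL=false and useTLS=false: the bind password and "
                        "directory data travel unencrypted")
    return mode, warnings


def check_file(path):
    """Classify the security settings of an ldap.properties file on disk."""
    # java.util.Properties reads ISO-8859-1 by default.
    with open(path, encoding="latin-1") as handle:
        return classify_security(parse_properties(handle.read()))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        mode, warns = check_file(sys.argv[1])
    else:
        mode, warns = classify_security(parse_properties(SAMPLE_PROPERTIES))
    print("connection mode:", mode)
    for warning in warns:
        print("WARNING:", warning)
```

Run it with the path to the ldap.properties file from step 1 of the procedure; with no argument it checks the constructed sample. The check only inspects the two properties named in this topic, so a report of "ssl-port" still has to be matched against the port number actually configured for the directory.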

Procedure

  1. Locate the LDAP directory connection properties file.

    For Access Server, the ldap.properties file is located in the user data folder, for example:

    Windows
    drive:\Users\userName\AppData\Local\IBM\InfoSphere Data Replication\Access Server\11.4\ldap.properties
    Linux®
    /opt/IBM/InfoSphereDataReplication/AccessServer/ldap.properties

    For Management Console, the ldap.properties file is located in the installation folder. The Windows file path is drive:\Program Files (x86)\IBM\InfoSphere Data Replication\Management Console\ldap.properties.

  2. Update the ldap.properties security parameters that are required for your LDAP directory configuration.

    For example, a secure SSL connection with a signed certificate requires the following parameter values:

    SSL=true
    useTLS=false

    In another example configuration, a non-secure connection with a self-signed certificate requires the following parameter values:

    SSL=false
    useTLS=true

    If you use a self-signed certificate, follow the instructions in Step 3.
  3. To use a self-signed certificate, you must register the certificate with the JRE that is installed with Access Server and Management Console so that the Access Server and Management Console clients trust the LDAP server.
    1. Locate the certificate file.
      This file should be supplied by your directory administrator. You must have administrator privileges on the computer to modify the JRE.
    2. Navigate to the appropriate folder:
      Windows
      c:\Program Files (x86)\IBM\InfoSphere Data Replication\Access Server\jre32\jre\lib\security
      Linux
      /installdirectorypath/jre32/jre/lib/security
    3. Run the following command on Windows or Linux to add the certificate to the keystore:
      Note: The keytool command is located in the bin directory under jre, but to register the certificate in the proper store you must run the command from the lib/security directory shown in the previous step, as in the example below. keytool prompts for the keystore password, and you can add -alias to store the entry under a name of your choice; without it keytool uses the default alias mykey.
      ../../bin/keytool -import -file certificate-file -keystore cacerts
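Importing a certificate into cacerts makes every Java client of that JRE trust it, so the practical check before step 3 is to confirm that the file the directory administrator supplied is the one you are about to register. The following added example (not IBM's own tooling) computes the SHA-256 fingerprint of a PEM certificate, compares it with the fingerprint obtained from the administrator out of band, and only then builds and runs the keytool import; the PEM bytes embedded below are a constructed stand-in that merely exercises the hashing, the jre_home argument stands for the jre32/jre folder from the previous step, and the alias and password values are placeholders.

```python
"""Verify a directory certificate's fingerprint, then import it into cacerts.

Added example, not part of the IBM documentation. The expected fingerprint is
something you obtain from the directory administrator by a separate channel;
the constructed PEM below is not a real certificate and exists only so the
hashing can be exercised offline.
"""
import base64
import hashlib
import os
import subprocess

# Constructed placeholder: base64 of arbitrary bytes wrapped in PEM markers.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder, not a real DER certificate").decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text):
    """Strip the PEM armour and decode the base64 body into DER bytes."""
    body = [line.strip() for line in pem_text.splitlines()
            if line.strip() and not line.strip().startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def sha256_fingerprint(der_bytes):
    """Colon-separated upper-case SHA-256 fingerprint, the form keytool prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fingerprint):
    """Accept fingerprints with or without colons or spaces, any case."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(pem_text, expected_fingerprint):
    actual = normalize_fingerprint(sha256_fingerprint(pem_to_der(pem_text)))
    return actual == normalize_fingerprint(expected_fingerprint)


def keytool_import_argv(keytool, cert_file, keystore, alias, storepass=None):
    """Build the keytool command line; -importcert is the current spelling of -import.

    -noprompt suppresses the interactive "Trust this certificate?" question,
    which is acceptable only because the fingerprint was checked beforehand.
    When storepass is None the flag is omitted and keytool prompts for it,
    keeping the password out of the process list and shell history.
    """
    argv = [keytool, "-importcert", "-noprompt", "-alias", alias,
            "-file", cert_file, "-keystore", keystore]
    if storepass is not None:
        argv += ["-storepass", storepass]
    return argv


def register_certificate(cert_file, expected_fingerprint, jre_home,
                         alias="ldap-directory", storepass=None):
    """Refuse to import unless the file matches the out-of-band fingerprint."""
    with open(cert_file, encoding="ascii") as handle:
        pem = handle.read()
    if not fingerprint_matches(pem, expected_fingerprint):
        raise SystemExit("fingerprint mismatch: refusing to trust " + cert_file)
    keytool = os.path.join(jre_home, "bin", "keytool")  # bin directory under jre
    keystore = os.path.join(jre_home, "lib", "security", "cacerts")
    subprocess.run(keytool_import_argv(keytool, cert_file, keystore, alias, storepass),
                   check=True)
    # Confirm the entry landed in the store the JRE actually reads.
    list_argv = [keytool, "-list", "-keystore", keystore, "-alias", alias]
    if storepass is not None:
        list_argv += ["-storepass", storepass]
    subprocess.run(list_argv, check=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        print("usage: cert-file expected-sha256-fingerprint jre-home")
    else:
        register_certificate(sys.argv[1], sys.argv[2], sys.argv[3])
```

The alias matters for the same reason noted in step 3: a second import under keytool's default alias fails, so one distinct alias per directory server keeps later rotations of the certificate manageable, and keytool -list with that alias is the quickest way to confirm which store the JRE will consult.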