Session 7 Lab
WebSphere Security
Table of Contents
1. Security configuration Tivoli Directory Server 6.1 with WebSphere 6.1
1.1 Configure Federated Repository in WebSphere Network Deployment Manager
1.2 Create definition for the LDAP Repository
1.3 Adding Repository to Realm
1.4 Assign Administrative role
1.5 Restart the server
1.6 Test the Configuration
2. Sample LDIF file
3. SSL digital certificates and WebSphere Application Server
3.1 Browser <-> Web Server
3.2 WebSphere <-> WebSphere [between Nodes]
3.3 Web Server <-> WebSphere [through Plug-in]
By
Ayyanar Jeyakrishnan
1.1 Configure Federated Repository in WebSphere Network Deployment Manager
2. In the configuration window click the Manage repositories link. This page lists the repositories already configured for the cell and has options for adding and deleting repositories. For this lab we need to add a repository for the existing LDAP directory (TDS).
3. Click Add. Enter the following details (highlighted in the image below):
a. Repository identifier: any unique identifier for the repository, say TDS6.
b. Directory type: the LDAP server product in use. Here it is IBM Tivoli Directory Server Version 6.
c. Primary host name: the LDAP server host name (an IP address also works).
d. Bind distinguished name: the DN used to bind to the LDAP server, say cn=root.
e. Bind password: the password for that bind DN.
f. Login properties: the LDAP attribute users type as their user name when logging in to Process Server. Here the value is uid.
Note:
I. In the screen shot below the bind DN is the LDAP administrator, cn=root. It must be given as a full DN, not a short name; WebSphere uses it to bind to the LDAP server for every lookup. Outside a lab, prefer a dedicated read-only bind account over the directory administrator and protect its password.
II. Login properties is set to uid, meaning users in the LDAP registry are identified by that attribute when they log in. The administrator can list one or more properties; whatever is chosen must identify a single entry in the realm, because a login ID that matches more than one entry (in this or another repository of the realm) cannot be logged in.
III. The remaining fields are left at their defaults.
4. Click Apply. This returns to Manage repositories; verify that the entry you just created is listed, then save the changes to the master configuration.
1.3 Adding Repository to Realm
2. Choose the repository (TDS6) you want to add to the realm. The list shows the repository identifiers.
3. Enter the distinguished name of the base entry, dc=ibm,dc=com.
Note: the base entry is the subtree of the LDAP directory from which WebSphere retrieves user and group details; entries outside that subtree are not visible to the realm.
4. Click Apply and save the changes to the master configuration. Verify that the entry appears under Configuration in the Federated repositories section.
5. Enter the Realm name. This can be any name that represents the security realm.
6. Enter the Primary administrative user name. This is the administrative user for WAS and must exist in one of the repositories of the realm.
7. Click Apply and save the changes to the master configuration. This returns to the main Secure administration, applications, and infrastructure page.
8. Make sure Federated repositories is selected under Available realm definitions, then click Set as current.
We have now completed the task of adding the LDAP registry to the federated repository configuration for WAS security.
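Before the LDAP subtree is put into the realm it is worth checking the two things that the login property and base entry steps above depend on: every user under the base entry carries the login property, and no login value is shared by two entries or by an LDAP entry and a user already in the file-based repository. The following script is an added example written for this lab, not part of the original document or of IBM's tooling; it parses an LDIF export of the subtree and reports those problems. The LDIF text, the base entry dc=ibm,dc=com, the login property uid and the file-based user list are all constructed for the example.

```python
"""Pre-flight check of the LDAP data a federated repository will expose.

Added example for this lab (not IBM code). It parses an LDIF export of the
subtree that becomes the realm base entry and checks:
  1. every user entry carries the login property (uid), and
  2. no login-property value is shared by two entries, or by an LDAP entry
     and a user in the file-based repository already in the realm.
The LDIF, base DN and file-based user list below are constructed inputs.
"""
import base64

LOGIN_PROPERTY = "uid"
BASE_ENTRY = "dc=ibm,dc=com"

# Constructed sample: what an export of the lab subtree might look like.
SAMPLE_LDIF = """\
dn: dc=ibm,dc=com
objectClass: top
objectClass: domain
dc: ibm

dn: cn=users,dc=ibm,dc=com
objectClass: container
cn: users

dn: uid=wpsadmin,cn=users,dc=ibm,dc=com
objectClass: inetOrgPerson
uid: wpsadmin
cn: wpsadmin
sn: admin
userPassword:: d3BzYWRtaW4=

dn: uid=jdoe,cn=users,dc=ibm,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe

dn: cn=nouid,cn=users,dc=ibm,dc=com
objectClass: inetOrgPerson
cn: nouid
sn: Missing

dn: uid=jdoe,ou=contractors,dc=ibm,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
"""

# Constructed: users that already exist in the built-in file-based repository.
FILE_REPO_USERS = ["wasadmin", "jdoe"]


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) from LDIF text.

    Handles '::' base64 values and continuation lines (leading space);
    comments are skipped, change records are out of scope for this check.
    """
    lines = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(value)
    return entries


def under_base(dn, base):
    """True if dn is the base entry or lies below it (case-insensitive)."""
    dn, base = dn.lower().replace(", ", ","), base.lower().replace(", ", ",")
    return dn == base or dn.endswith("," + base)


def check_login_property(ldif_text, base=BASE_ENTRY, prop=LOGIN_PROPERTY,
                         file_repo_users=FILE_REPO_USERS):
    """Return a dict describing the login problems a realm with this subtree would have."""
    entries = [e for e in parse_ldif(ldif_text) if under_base(e[0], base)]
    users = [e for e in entries
             if "inetorgperson" in (v.lower() for v in e[1].get("objectclass", []))]
    missing = [dn for dn, attrs in users if prop not in attrs]
    seen = {}
    for dn, attrs in users:
        for value in attrs.get(prop, []):
            seen.setdefault(value.lower(), []).append(dn)
    duplicates = {v: dns for v, dns in seen.items() if len(dns) > 1}
    # A value that also names a file-based user is ambiguous across repositories.
    cross_repo = sorted(v for v in seen if v in (u.lower() for u in file_repo_users))
    return {
        "base_entry_present": any(e[0].lower() == base.lower() for e in entries),
        "users": len(users),
        "missing_login_property": missing,
        "duplicate_login_values": duplicates,
        "cross_repository_clashes": cross_repo,
    }


if __name__ == "__main__":
    for key, value in check_login_property(SAMPLE_LDIF).items():
        print("%-26s %s" % (key, value))
```

On the constructed sample the check reports one user without a uid, the value jdoe held by two LDAP entries, and jdoe also clashing with the file-based repository; any of these would make that ID unusable for login once the repository is in the realm, so they are best fixed in the directory before step 8.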
1.4 Assign Administrative role
[Step 3 of this section is a screenshot that is not reproduced here.]
1.5 Restart the server
[Step 1 of this section is a screenshot that is not reproduced here.]
2. After the server restarts, you should be able to log in to the admin console as the wpsadmin user (password: wpsadmin).
1.6 Test the Configuration
2. To verify the groups, click Manage groups and then click Search. Groups from the file-based repository as well as from the LDAP repository are listed in the results.
3. To verify the users in a group, click the group name link in the image above and then click Members.
3.2 WebSphere <-> WebSphere [between Nodes]
A. Cell Certificates
Go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates and click Create a self-signed certificate. Enter the required attributes.
Go to SSL certificate and key management > Key stores and certificates. Select CellDefaultKeyStore and CellDefaultTrustStore and click Exchange signers. This copies the signer of the new personal certificate into the trust store so the other members of the cell can trust it; the old signer stays in the trust store until you delete it later.
B. Node Certificates
Go to Security > SSL certificate and key management > Manage endpoint security configurations.
Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null).
Go to Security > SSL certificate and key management > Manage endpoint security configurations.
Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null), and select Key stores and certificates.
Select NodeDefaultKeyStore and CellDefaultTrustStore and then click Exchange signers.
Go to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
Select all of the old signer certificates and click Delete. If you are not sure which are old, compare the fingerprint and/or the expiration date of each signer with the personal certificate in the corresponding key store: a signer whose fingerprint matches none of the newly created personal certificates is stale. Do not delete the new signers, or the nodes will stop trusting each other after the restart.
Select one of the new certificates and click Extract. Enter a file name that corresponds to the certificate, for example node1.arm, and click OK.
Repeat this for each of the new certificates, making sure you have done it for the cell signer and all of the node signers. The files are saved to the profile_root/Dmgr/etc directory.
Note: If you have multiple nodes, repeat the Node Certificates section for each node.
Now restart the DMGR and sync the nodes with the syncNode command (run it on each node while that node's node agent is stopped; syncNode cannot run against a running node agent). Then start the node agents and the application servers.
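Telling the old signers from the new ones by fingerprint, as the deletion step above suggests, is easier when the comparison is scripted. The script below is an added example for this lab, not IBM code: the console shows each certificate's SHA-1 fingerprint, which WebSphere computes over the certificate's DER encoding, so the same value can be derived from an extracted .arm file (Base64 by default, or binary DER if that data type was chosen on extract) and matched against the trust-store listing. The listing and the two "certificates" below are constructed placeholders, not real X.509 data.

```python
"""Work out which CellDefaultTrustStore signers are stale before deleting them.

Added example for this lab, not IBM code. WebSphere shows the SHA-1 digest of
the DER-encoded certificate; the same digest is computed here from each .arm
file extracted from the new personal certificates, and any signer alias whose
fingerprint matches none of them is reported for deletion. The trust-store
listing and certificate bytes below are constructed, not real certificates.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def arm_to_der(data):
    """Return the DER bytes from .arm content, whether Base64 PEM or raw DER."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data  # binary .arm: already DER


def fingerprint(der):
    """SHA-1 fingerprint in the colon-separated upper-case form the console displays."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def stale_signers(trust_store_listing, new_arm_files):
    """Aliases whose fingerprint matches no newly created personal certificate.

    trust_store_listing: {alias: fingerprint} as shown under Signer certificates
                         (case and spacing are normalized before comparing).
    new_arm_files: {file name: bytes} for each .arm extracted from the new certificates.
    """
    current = {fingerprint(arm_to_der(d)) for d in new_arm_files.values()}
    normalized = {a: fp.upper().replace(" ", "") for a, fp in trust_store_listing.items()}
    return sorted(alias for alias, fp in normalized.items() if fp not in current)


def to_arm(der):
    """Encode DER as the Base64 .arm format (64-column PEM); used to build the sample input."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body).encode()


# Constructed stand-ins: not real certificates, just distinct byte strings.
NEW_CELL_DER = b"cell-signer-2008"
NEW_NODE1_DER = b"node1-signer-2008"
OLD_NODE1_DER = b"node1-signer-2006"

# One file extracted as Base64, one as binary DER, to show both forms decode alike.
NEW_ARMS = {"cell.arm": to_arm(NEW_CELL_DER), "node1.arm": NEW_NODE1_DER}

# Constructed trust-store listing: alias -> fingerprint as the console would print it.
TRUST_STORE = {
    "default_signer": fingerprint(NEW_CELL_DER),
    "node1_signer_new": fingerprint(NEW_NODE1_DER),
    "node1_signer_old": fingerprint(OLD_NODE1_DER),
}

if __name__ == "__main__":
    print("delete these signers:", stale_signers(TRUST_STORE, NEW_ARMS))
```

The script deliberately reports only signers that match no current personal certificate; anything it leaves in place is trusted by the cell after the restart, so run it before deleting rather than after, and re-run the comparison against the plug-in key database once the signers have been added there in the next section.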
3.3 Web Server <-> WebSphere [through Plug-in]
Click Manage keys and certificates under Additional Properties, click Signer certificates and then click Add. Enter a unique alias name and specify the file name of the certificate you exported as an .arm file.
Repeat this for each of the new certificates, making sure you have done it for the cell signer and all of the node signers.
Manually copy plugin-key.kdb from the local configuration to the Web server. Default locations:
profile_root\Dmgr\config\cells\cell-name\nodes\node-name\servers\web-server-name\plugin-key.kdb to Web-server-root\Plugins\config\web-server-name\plugin-key.kdb
Copy the matching plugin-key.sth stash file from the same directory alongside it: the plug-in cannot open the key database without the stash file, and because the stash file holds the key database password in only obfuscated form, restrict both files to the user the Web server runs as.
Start the Web server.