
Lab Websphere Application Server Session 8

WebSphere Security

Table of Contents
1. Security configuration: Tivoli Directory Server 6.1 with WebSphere 6.1
   1.1 Configure Federated Repository in WebSphere Network Deployment Manager
   1.2 Create definition for the LDAP Repository
   1.3 Adding Repository to Realm
   1.4 Assign Administrative role
   1.5 Restart the server
   1.6 Test the Configuration
2. Sample LDIF file
3. SSL digital certificates and WebSphere Application Server
   3.1 Browser to Web Server
   3.2 WebSphere to WebSphere [between Nodes]
   3.3 Web Server to WebSphere [through Plug-in]

By
Ayyanar Jeyakrishnan


1. Security configuration: Tivoli Directory Server 6.1 with WebSphere 6.1

Security configuration in WebSphere Application Server


WebSphere 6.1 supports federated repositories, in which several user repositories are configured
under a single security realm. The default file-based repository can also be one of the repositories
in the list. In this sample we configure the federated repository in WebSphere to include an
additional LDAP (TDS) registry in addition to the default file-based registry.

1.1 Configure Federated Repository in WebSphere Network Deployment Manager

1. Start the WebSphere Network Deployment manager if it is not already running.
2. Log in to the WebSphere admin console as a user with administrative privileges. The lab
installation of WAS created the default user name admin with password admin; treat this as a
lab-only value.
3. From the admin console navigate to Security > Secure administration, applications, and
infrastructure.

1.2 Create definition for the LDAP Repository


This task shows how to create and configure a repository that links to the LDAP registry.
1. Under User account repository, select Federated repositories and click Configure.


2. In the configuration window click the Manage repositories link. It lists the repositories already
configured for this cell and offers options to create and delete repositories. For this lab we create
a repository for the existing LDAP registry (TDS).

3. Click Add. Enter the following details:
a. Repository identifier: any unique identifier used to identify the repository, say TDS6.
b. Directory type: the LDAP server product in use. In our case it is IBM Tivoli Directory Server
Version 6.
c. Primary host name: the LDAP server host name or IP address.
d. Bind distinguished name: the DN used to bind to the LDAP server, say cn=root.
e. Bind password: the password of the bind DN.
f. Login properties: the attribute that users type to log in to the server. In this case the value is
uid.
Note:
I. The bind name used here is the LDAP administrator account. It must be given as a full DN (for
example cn=root); WebSphere uses it to connect (bind) to the LDAP server. The bind password is
stored in the WebSphere configuration (wimconfig.xml) in reversible XOR-encoded form, so protect
the profile directory. Outside a lab, prefer a dedicated bind account with read-only access to the
user subtree over the directory administrator: unless you intend to create or modify LDAP users
from the WebSphere console, WebSphere only needs to search and read users and groups.
II. Login properties is uid, which means that users in the LDAP registry are identified by this
attribute when they log in to the server. Entries without a uid cannot log in. The administrator
can configure one or more properties.
III. Leave the remaining fields at their defaults.


4. Click Apply. This returns you to the Manage repositories page; verify that the entry you just
created is listed, then save the changes to the master configuration.

1.3 Adding Repository to Realm


This task adds the repository created in the previous task to the realm. The page lists all the
registry entries created in the previous task.
1. Go back to the Federated repositories page if it is not already open (use the crumb-line link on
the Manage repositories page). Click the Add Base entry to Realm button.


2. Choose the repository (TDS6) you want to add to the realm; the list shows the repository
identifiers.
3. Enter the distinguished name of the base entry as dc=ibm,dc=com.
Note: this is the subtree of the LDAP directory from which WebSphere reads users and/or groups.
Users and groups outside it are invisible to WebSphere, so keep it as narrow as the user population
allows.

4. Click Apply and save the changes to the master configuration. Verify that the entry appears in
the configuration list of the Federated repositories section.


5. Enter the realm name. This can be any name that represents the security realm.
6. Enter the primary administrative user name. This is the WAS administrative user. It must exist
in one of the repositories of the realm (for example wpsadmin, defined in the LDIF of section 2),
and the user ID must be unique across all repositories in the realm: a login ID that is found in
more than one repository is rejected at login.
7. Click Apply and save the changes to the master configuration. This returns you to the main
page, Secure administration, applications, and infrastructure.
8. Make sure that Federated repositories is selected under Available realm definitions and then
click Set as current.
We have now completed the task of adding the LDAP registry to the federated repository
configuration for WAS security.

1.4 Assign Administrative role


This task assigns the administrative role to user(s) from LDAP.
1. Make sure that Administrative security is enabled.
2. Click Administrative user roles. This page is used to assign administrative privileges to users.

3. Enter an existing user name and assign the appropriate role.

4. Click Apply and save the changes to the master configuration.
5. In this example we assigned one user, wpsadmin from LDAP, the Administrator role.


Note: the login status shows Not active because that user is not currently logged in.
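The console steps of sections 1.1 to 1.4 can also be scripted, which is how you would reproduce the configuration on a second cell without retyping the bind password into a browser. The following wsadmin Jython script is an added example, not part of the lab and not IBM sample code. It assumes the lab values above (repository identifier TDS6, base entry dc=ibm,dc=com, login property uid, primary administrator wpsadmin), plain LDAP on port 389, and the IdMgr AdminTask command names and parameters as documented for WAS 6.1 federated repositories (check them against your fix-pack level with AdminTask.help('createIdMgrLDAPRepository') and the other command names before running it). The LDAP host, the bind DN and the path of a file holding the bind password are passed as script arguments. It is written in the Python subset that wsadmin's Jython 2.1 accepts, and it only changes anything when run under wsadmin.

```python
# configure_tds.py: scripted form of lab sections 1.1 to 1.4 (added example, not lab code).
# Run on the deployment manager machine, with the dmgr started:
#   wsadmin.bat -lang jython -username admin -password admin -f configure_tds.py ldaphost.example.com cn=root C:\tmp\bind.pw
import sys

REPO_ID = "TDS6"                 # repository identifier, as in section 1.2
LDAP_PORT = 389                  # assumption: plain LDAP, as in the lab (no SSL)
BASE_ENTRY = "dc=ibm,dc=com"     # base entry added to the realm in section 1.3
LOGIN_PROPERTY = "uid"           # login property chosen in section 1.2
ADMIN_USER = "wpsadmin"          # LDAP user that becomes the primary administrator (1.3 / 1.4)


def ldap_repository_plan(repo_id, host, port, bind_dn, bind_pw, base_entry, realm):
    """AdminTask commands for sections 1.2 and 1.3, in order, as (command, parameter string).
    Building the plan separately from executing it lets you inspect it before anything changes."""
    return [
        # 1.2: the repository definition (directory type TDS 6 = IDS6, login property uid)
        ("createIdMgrLDAPRepository",
         "[-id %s -ldapServerType IDS6 -loginProperties %s -supportSorting false -supportPaging false]"
         % (repo_id, LOGIN_PROPERTY)),
        # 1.2: primary host name, bind DN and bind password (quoted in case they contain spaces)
        ("addIdMgrLDAPServer",
         '[-id %s -host %s -port %s -bindDN "%s" -bindPassword "%s" -sslEnabled false]'
         % (repo_id, host, port, bind_dn, bind_pw)),
        # 1.3: the subtree this repository serves ...
        ("addIdMgrRepositoryBaseEntry", "[-id %s -name %s]" % (repo_id, base_entry)),
        # 1.3: ... and the same base entry registered in the realm
        ("addIdMgrRealmBaseEntry", "[-name %s -baseEntry %s]" % (realm, base_entry)),
    ]


def read_secret(path):
    """Bind password from a file with restrictive permissions, so it does not show up in the
    process list or the shell history the way a command-line argument would."""
    f = open(path)
    try:
        return f.read().strip()
    finally:
        f.close()


def point_admin_registry_at_realm(config, realm, admin_user):
    """Section 1.3 steps 5 to 8: make the federated-repository realm the active registry and set
    the primary administrative user (the console writes the same attributes into security.xml)."""
    security = config.list("Security").splitlines()[0]       # cell-level Security object
    wim = config.list("WIMUserRegistry").splitlines()[0]     # federated repositories registry
    config.modify(wim, [["realm", realm], ["primaryAdminId", admin_user]])
    config.modify(security, [["activeUserRegistry", wim], ["enabled", "true"]])


def main(argv):
    try:
        task, config = AdminTask, AdminConfig    # injected by wsadmin; NameError anywhere else
    except NameError:
        print("run with: wsadmin -lang jython -f configure_tds.py <ldap-host> <bind-dn> <password-file>")
        return 2
    host, bind_dn, pw_file = argv[-3:]           # wsadmin puts only the script arguments in sys.argv
    bind_pw = read_secret(pw_file)
    realm = task.getIdMgrDefaultRealm()          # the realm the console shows as "Realm name"
    for name, params in ldap_repository_plan(REPO_ID, host, LDAP_PORT, bind_dn, bind_pw, BASE_ENTRY, realm):
        print("AdminTask.%s %s" % (name, params.replace(bind_pw, "********")))
        getattr(task, name)(params)
    point_admin_registry_at_realm(config, realm, ADMIN_USER)
    # section 1.4: the LDAP user gets the Administrator role
    task.mapUsersToAdminRole("[-roleName administrator -userids %s]" % ADMIN_USER)
    config.save()
    print("saved; now restart the deployment manager, node agents and cluster (section 1.5)")
    return 0


if __name__ in ("__main__", "main"):              # wsadmin reports __name__ as 'main'
    main(sys.argv)
```

The script saves the configuration but does not restart anything; the restart sequence of section 1.5 still applies, and section 1.6 is the check that the LDAP users are visible afterwards. The bind password file should be deleted after the run, and the same least-privilege advice as for the console applies to the bind DN.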

1.5 Restart the server


For the new security configuration to take effect, the deployment manager, the node agents and the
cluster members must be restarted. The steps below use the two-machine lab layout of the earlier
sessions: system A hosts the deployment manager profile Dmgr01 and the node profile AppSrv01,
system B hosts the node profile AppSrv02.

1. Log into the Administrative Console.
   a. Enter the following URL in a Web browser:
      http://localhost:9060/ibm/console/
      Enter admin for the user ID and admin for the password.

2. Stop the cluster MyCluster.
   a. Click Servers > Clusters.
   b. Check MyCluster, and then click Stop.
      Wait for the Status to change to solid red. Refresh the Status until MyCluster shows solid
      red, indicating Stopped.

3. Stop the deployment manager and the two node agents.
   a. Return to the DOS command shell on system B that you used to start and stop the Application
      Server (if you closed the shell, the directory is
      C:\IBM\WebSphere\AppServer\profiles\AppSrv02\bin).
   b. Enter the command
      stopNode.bat -username admin -password admin
      Make sure that the node agent has stopped.
   c. Return to the DOS command shell on system A that you used to start and stop the Application
      Server (if you closed the shell, the directory is
      C:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin).
   d. Enter the command
      stopNode.bat -username admin -password admin
      Make sure that the node agent has stopped.
   e. Return to the DOS command shell on system A that you used to start and stop the deployment
      manager (if you closed the shell, the directory is
      C:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin).
   f. Enter the command
      stopManager.bat -username admin -password admin
      Make sure that the deployment manager has stopped.

   Note: because administrative security is enabled, stopNode.bat and stopManager.bat need an
   administrative user ID and password; the lab passes them with -username and -password. A
   password on the command line is visible in the process list and the shell history, so outside
   the lab set com.ibm.SOAP.loginUserid and com.ibm.SOAP.loginPassword in
   profile_root\properties\soap.client.props (encoded with PropFilePasswordEncoder) instead.

4. Start the deployment manager and the two node agents.
   a. From a DOS command prompt on system A, execute the following:
      cd C:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin
      startManager.bat
      Wait until the deployment manager has started.
   b. Start the node agent on system A. From a DOS command prompt on system A, execute:
      cd C:\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
      startNode.bat
   c. Start the node agent on system B. From a DOS command prompt on system B, execute:
      cd C:\IBM\WebSphere\AppServer\profiles\AppSrv02\bin
      startNode.bat
   d. Start MyCluster again under Servers > Clusters (it was stopped in step 2).

After the restart you should be able to log in to the admin console with the wpsadmin user
(password: wpsadmin), the LDAP user that was mapped to the Administrator role in section 1.4. The
admin/admin user from the file-based repository remains valid as long as that repository is part
of the realm.


1.6 Test the Configuration


1. To verify the list of users from LDAP, click Users and Groups > Manage Users and click Search.
All users, including wpsadmin from the LDAP registry, are listed.

2. To verify the groups, click Manage Groups and click Search. Groups from the file-based
repository as well as from the LDAP repository are listed in the results.

3. To verify the users in a group, click the group name in the results and then click Members.


2. Sample LDIF file


Save the lines below in a file with the extension .ldif (for example wpsusers.ldif) so that it can be
imported into the TDS server (for example with ldif2db). Before you import the file, create the suffix
dc=ibm,dc=com in the LDAP server.
Notes on the content:
- Entries are separated by blank lines; the import requires them.
- The first entry, cn=crypto,cn=localhost, carries the TDS encryption synchronization values
(ibm-slapdCryptoSync, ibm-slapdCryptoSalt) with which the {AES256} userPassword values were
encrypted, so that another TDS instance can import them. Keep it as the first entry.
- cn=Samay, cn=Rohit and cn=Parul have neither a uid nor a userPassword, so with uid as the login
property (section 1.2) they exist only as group members and cannot log in.
- member: CN=NULL is a placeholder member, not a real entry.
- The passwords in this file (wpsadmin's is wpsadmin, see section 1.5) are lab values; never reuse
them.
version: 1

dn: cn=crypto,cn=localhost
cn: crypto
objectclass: ibm-cryptoConfig
objectclass: ibm-slapdConfigEntry
objectclass: top
ibm-slapdCryptoSync: 40FPUFV7gPGzp7Gy0A==
ibm-slapdCryptoSalt: AY`b%CV7K3|m
ibm-entryuuid: ced0a52c-6099-4525-b717-44ce4e6a695f

dn: dc=ibm,dc=com
dc: ibm
objectclass: domain
objectclass: top
ibm-entryuuid: d3ffabac-ac6a-4607-9340-31932f70a24d

dn: cn=John,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: Play
cn: John
uid: John
userpassword: {AES256}4hoJTpmQH+fbmDhHd/g5iQ==
ibm-entryuuid: 8b576a34-c5ae-4486-9a01-ecf81157ce40

dn: cn=VicePresident,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
member: CN=NULL
cn: VicePresident
ibm-entryuuid: f37f264f-ae1c-4005-add4-345d93d00523
member: cn=John,dc=ibm,dc=com

dn: cn=Ashish,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: V
cn: Ashish
userpassword: {AES256}vq6tY05iGvBLRjMEGsQUxA==
uid: Ashish
ibm-entryuuid: 1c8dfd61-1344-4378-9f82-e1370a06d739

dn: cn=Samay,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: K
cn: Samay
ibm-entryuuid: a8a4f0de-a8cf-4f2c-a474-f970ed681027

dn: cn=SeniorUnderwriters,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: SeniorUnderwriters
member: CN=NULL
ibm-entryuuid: 96bb8b07-4771-47a6-8fdd-a890ca4b080c
member: cn=Ashish,dc=ibm,dc=com
member: cn=Samay,dc=ibm,dc=com

dn: cn=Pawan,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: Negi
cn: Pawan
uid: Pawan
userpassword: {AES256}dQL3l3MjAV6kRZSG9rQQYQ==
ibm-entryuuid: 234be100-c742-44bb-9b1f-f8653a9becfb

dn: cn=Rohit,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: Garg
cn: Rohit
ibm-entryuuid: a7c853d0-100c-4327-ba6c-760e0cf41646

dn: cn=Astha,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: D
cn: Astha
uid: Astha
userpassword: {AES256}POGvGSQsIIHTs0bW3HY4Zw==
ibm-entryuuid: 43fac78c-d955-4350-a2bd-48e30604a04c

dn: cn=Parul,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
sn: Khanna
cn: Parul
ibm-entryuuid: 0ddf6489-edcc-47df-a375-8aebfadd355a

dn: cn=LoanOfficers,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: LoanOfficers
member: CN=NULL
ibm-entryuuid: 35e1a199-f66c-48ae-9c4c-e3b59ca75440
member: cn=Astha,dc=ibm,dc=com
member: cn=Rohit,dc=ibm,dc=com

dn: cn=Underwriters,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: Underwriters
member: CN=NULL
ibm-entryuuid: 090de758-84bb-4288-b59c-7c523955ec21
member: cn=Parul,dc=ibm,dc=com
member: cn=Pawan,dc=ibm,dc=com

dn: cn=wpsadmin,dc=ibm,dc=com
userpassword: {AES256}89TV2XdclcsTSCuMrel2ww==
objectclass: inetOrgPerson
objectclass: person
objectclass: top
objectclass: organizationalPerson
cn: wpsadmin
sn: wpsadmin
uid: wpsadmin
ibm-entryuuid: f65f4a22-cdca-44e5-a852-5de7a06cf530

dn: cn=ldapadmin,dc=ibm,dc=com
objectclass: inetOrgPerson
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: ldapadmin
sn: ldapadmin
uid: ldapadmin
userpassword: {AES256}X0orOJNGImBnCo+CxJFjmg==
ibm-entryuuid: b360af8e-7585-4e8e-b740-501f31309350

dn: cn=admingroup,dc=ibm,dc=com
objectclass: groupOfNames
objectclass: top
cn: admingroup
member: CN=NULL
ibm-entryuuid: 5f00140d-e6e7-4f10-9607-7dcbaef0dd43
member: cn=wpsadmin,dc=ibm,dc=com
member: cn=ldapadmin,dc=ibm,dc=com
member: cn=John,dc=ibm,dc=com
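Before importing an LDIF like the one above into the directory behind a federated repository, it is worth checking it against the realm configuration of section 1, because the LDAP import itself does not know that uid is the login property or that dc=ibm,dc=com is the base entry. The checker below is an added example, not part of the lab; it parses LDIF with a small parser of its own (no LDAP library needed) and its sample input is a constructed subset of the file above into which one broken member DN (dc=ibm,dc=ibm) was inserted deliberately. It reports users without the login property or a password, duplicate login IDs (a user ID found twice in the realm is rejected at login), group members that point at no entry in the file, and entries outside the base entry.

```python
"""check_ldif.py: sanity-check an LDIF export against a federated-repository realm
(added example, not lab code). Usage: python check_ldif.py wpsusers.ldif [login-property] [base-entry]"""
import base64
import sys

LOGIN_PROPERTY = "uid"          # login property configured in section 1.2
BASE_ENTRY = "dc=ibm,dc=com"    # base entry added to the realm in section 1.3

# Constructed subset of the lab LDIF; the last member line is deliberately broken
# (dc=ibm,dc=ibm) to show what a typo in a group looks like to the checker.
SAMPLE_LDIF = """version: 1

dn: dc=ibm,dc=com
dc: ibm
objectclass: domain
objectclass: top

dn: cn=John,dc=ibm,dc=com
objectclass: inetOrgPerson
sn: Play
cn: John
uid: John
userpassword: {AES256}4hoJTpmQH+fbmDhHd/g5iQ==

dn: cn=Samay,dc=ibm,dc=com
objectclass: inetOrgPerson
sn: K
cn: Samay

dn: cn=SeniorUnderwriters,dc=ibm,dc=com
objectclass: groupOfNames
cn: SeniorUnderwriters
member: CN=NULL
member: cn=John,dc=ibm,dc=com
member: cn=Samay,dc=ibm,dc=ibm
"""


def parse_ldif(text):
    """Return [(dn, {attribute_lowercase: [values]})] in file order. Understands blank-line
    record separators, '#' comments, 'attr:: base64' values and leading-space continuation
    lines; attribute names are case-insensitive in LDAP, so they are folded to lower case."""
    entries, dn, attrs, last = [], None, {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs, last = None, {}, None
            continue
        if line.startswith(" ") and last is not None:      # continuation of the previous value
            if last == "dn":
                dn += line[1:]
            else:
                attrs[last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):                           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
        last = name
    return entries


def normalize_dn(dn):
    """Fold case and spacing so cn=John,dc=ibm,dc=com equals CN=john, DC=IBM, DC=COM."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_ldif(text, login_property=LOGIN_PROPERTY, base_entry=BASE_ENTRY):
    """Return a list of (dn, problem) findings for the realm described by the arguments."""
    entries = parse_ldif(text)
    known = set(normalize_dn(dn) for dn, _ in entries)
    base = normalize_dn(base_entry)
    seen_logins = {}
    findings = []
    for dn, attrs in entries:
        ndn = normalize_dn(dn)
        classes = set(v.lower() for v in attrs.get("objectclass", []))
        if ndn != base and not ndn.endswith("," + base):
            findings.append((dn, "outside base entry %s: not visible through the realm" % base_entry))
        if "inetorgperson" in classes:
            logins = attrs.get(login_property.lower(), [])
            if not logins:
                findings.append((dn, "no %s attribute (login property): user cannot log in" % login_property))
            for login in logins:
                first = seen_logins.setdefault(login.lower(), dn)
                if first != dn:
                    findings.append((dn, "duplicate %s=%s also on %s: login is ambiguous" % (login_property, login, first)))
            if not attrs.get("userpassword"):
                findings.append((dn, "no userPassword attribute: user cannot authenticate"))
        if "groupofnames" in classes:
            for member in attrs.get("member", []):
                if normalize_dn(member) not in known:
                    findings.append((dn, "member %s does not resolve to an entry in this file" % member))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
        login_property = argv[2] if len(argv) > 2 else LOGIN_PROPERTY
        base_entry = argv[3] if len(argv) > 3 else BASE_ENTRY
    else:
        text, login_property, base_entry = SAMPLE_LDIF, LOGIN_PROPERTY, BASE_ENTRY
    findings = check_ldif(text, login_property, base_entry)
    for dn, problem in findings:
        print("%s: %s" % (dn, problem))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the full file from this section, it reports the cn=crypto,cn=localhost entry as outside the base entry (expected, it is a server configuration entry), the CN=NULL placeholder in every group, and the three users without uid and userPassword. Whether those are acceptable is a decision for the lab; the point is that the realm configuration, not the directory, decides who can log in.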


3. SSL digital certificates and WebSphere Application Server

3.1 Browser to Web Server
Covered in the Session 4 lab.

3.2 WebSphere to WebSphere [between Nodes]


For WAS 6.x
Let us first look at v6.1 in this section. When you install WAS v6.1 and create a profile, default
certificates are created and you can use them. They can be found under Security > SSL certificate
and key management > Key stores and certificates. These certificates are used for communication
between nodes and between the deployment manager and the browser when HTTPS is used.
If you want to change or replace these certificates, follow the steps below. The steps use
self-signed certificates. If you want to use certificates from a Certificate Authority (CA), you
create a Certificate Signing Request (CSR), have it signed by the CA and then install the signed
certificate together with the CA's signer certificate.

A. Replacing the DMGR certificate

In the Administrative Console, go to Security > SSL certificate and key management > Key stores and
certificates > CellDefaultKeyStore > Personal certificates > Create a self-signed certificate. Enter
the required attributes (alias, common name of the deployment manager host, validity period).


Click OK and save the changes.


Go back to Security > SSL certificate and key management > Key stores and certificates >
CellDefaultKeyStore > Personal certificates.
Select the old DMGR certificate and click Replace.
On the next screen you choose which certificate replaces the old one. Select your new
certificate. Do not select Delete old certificate after replacement or Delete old signers. Accept
your new certificate and any browser prompts.
On the next screen, select the old certificate and click Delete. Click OK and save the changes.
The signers need to be exchanged before secure communication can be established, so add the new
DMGR certificate as a signer to CellDefaultTrustStore:

Go to SSL certificate and key management > Key stores and certificates.
Select CellDefaultKeyStore and CellDefaultTrustStore and click Exchange signers.


Select the certificate in the CellDefaultKeyStore personal certificates list that you created in the
previous step and click Add.

Click OK and save the changes.

B. Node certificates

Go to Security > SSL certificate and key management > Manage endpoint security configurations.
Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null).


Click the Manage certificates button.

Click Create a self-signed certificate and enter the required attributes.


Click OK and save the changes.
Go back to Security > SSL certificate and key management > Manage endpoint security
configurations, click node_name(NodeDefaultSSLSettings,null), then click Manage certificates.
Select the old certificate and click Replace.
On the next screen you choose which certificate replaces the old one. Select your new
certificate. Do not select Delete old certificate after replacement or Delete old signers.
On the next screen, select the old certificate and click Delete. Click OK and save the changes.
Now exchange the node's signer certificate with CellDefaultTrustStore, so that the deployment
manager and the other nodes trust the node's new certificate:

Go to Security > SSL certificate and key management > Manage endpoint security configurations.
Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null), and select
Key stores and certificates.
Select NodeDefaultKeyStore and CellDefaultTrustStore and then click Exchange signers.


Select the certificate in the NodeDefaultKeyStore personal certificates list that you created in the
previous step and click Add.

Click OK and save the changes.

Delete the old signer certificates and extract the new ones.

Go to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore >
Signer certificates.
Select all of the old signer certificates and click Delete. If you are not sure which ones are old,
compare the fingerprint and/or the expiration date with those of the personal certificates in the
key stores: a signer whose fingerprint matches none of the current personal certificates is stale.
Select one of the new certificates and click Extract.
Enter a file name that corresponds to the certificate, for example node1.arm, and click OK.

Repeat this for each of the new certificates, making sure you have done it for the cell signer and
all of the node signers. These files are saved to the profile_root\Dmgr\etc directory.

Manually copy the trust store to each of the etc directories:

Back up trust.p12 in profile_root\Dmgr\etc.
Copy profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Dmgr\etc.
Back up trust.p12 in the profile_root\AppSrv\etc directory of each node.
Copy profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\AppSrv\etc on each node.

Note: if you have multiple nodes, repeat the Node certificates section for every node.
Now restart the DMGR. With the node agents still stopped, synchronize each node with the syncNode
command (profile_root\AppSrv\bin\syncNode.bat dmgr_host dmgr_soap_port -username admin -password
admin; the default SOAP port of the deployment manager is 8879). Then start the node agents and the
application servers.
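After the restart, confirm that the endpoints really present the new certificates rather than trusting the console view: the fingerprint shown under Signer certificates must match what the deployment manager and the node agents send over the wire. The script below is an added example, not part of the lab. It computes the SHA-1 fingerprint in the colon-separated form the console displays, both for an extracted .arm file (base64 or DER) and for whatever certificate a live SSL port presents; the host names and ports in the usage line are assumptions (9043 is the default secure admin port of the deployment manager), and the certificate bytes used in its test are constructed, not a real certificate.

```python
"""cert_fingerprint.py: compare the SHA-1 fingerprint of an extracted .arm file with the
certificate a WebSphere SSL endpoint actually presents (added example, not lab code).
Usage: python cert_fingerprint.py node1.arm dmgrhost.example.com 9043"""
import base64
import hashlib
import socket
import ssl
import sys


def fingerprint(cert_bytes):
    """SHA-1 fingerprint in the console's AA:BB:CC:... form. Accepts a PEM/.arm file
    (base64 ASCII with BEGIN/END lines) or raw DER bytes."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        der = ssl.PEM_cert_to_DER_cert(cert_bytes.decode("ascii").strip())
    else:
        der = cert_bytes            # DER is binary; never strip it, trailing bytes are data
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_from_der(der):
    """Base64 (.arm) form of a DER certificate, 64 characters per line like the console's export."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def same_fingerprint(a, b):
    """Compare fingerprints as displayed; console output and tools differ in case and colons."""
    return a.replace(":", "").upper() == b.replace(":", "").upper()


def presented_certificate(host, port, timeout=5.0):
    """DER certificate sent by the server on an SSL port. Chain verification is off on purpose:
    the question is what is presented, not whether this client already trusts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def endpoint_matches(arm_path, host, port):
    """True if the endpoint presents the certificate stored in arm_path."""
    with open(arm_path, "rb") as fh:
        expected = fingerprint(fh.read())
    actual = fingerprint(presented_certificate(host, port))
    print("expected  %s\npresented %s" % (expected, actual))
    return same_fingerprint(expected, actual)


if __name__ == "__main__":
    arm, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    sys.exit(0 if endpoint_matches(arm, host, port) else 1)
```

Run it once against the deployment manager's secure port and once against each node agent's secure port, with the matching .arm file. A WAS 6.1 endpoint may offer only SSLv3 or TLS 1.0, which a current OpenSSL refuses at its default security level; for that case set ctx.minimum_version to ssl.TLSVersion.TLSv1 and lower the security level with ctx.set_ciphers("DEFAULT:@SECLEVEL=0") for the check only. The equivalent one-liner with OpenSSL is openssl s_client -connect host:port followed by openssl x509 -noout -fingerprint -sha1.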

3.3 Web Server to WebSphere [through Plug-in]


Go to Servers > Web servers. Click webserver_name, and then under Additional Properties click
Plug-in properties.

Click Manage keys and certificates under Additional Properties, click Signer certificates and then
click Add. Enter a unique alias name and then specify the file name of the .arm file that you
extracted.


Repeat this for each of the new certificates, making sure you have done it for the cell signer and
all of the node signers.
Manually copy plugin-key.kdb (together with its plugin-key.sth password stash file) from the local
configuration to the Web server. Default locations:
profile_root\Dmgr\config\cells\cell-name\nodes\node-name\servers\web-server-name\plugin-key.kdb to
Web-server-root\Plugins\config\web-server-name\plugin-key.kdb.
Start the Web server.
