Configuring a directory server with load balancer or multiple domain controllers

If your LDAP server uses a load balancer or multiple domain controllers that dynamically change the list of hosts, and the connection between the LDAP server and the BigFix Inventory server is secure, perform the advanced configuration of the BigFix Inventory server that is described here. The LDAP server can already be configured in BigFix Inventory.

About this task

The <install_dir> is the directory where the BigFix Inventory server is installed. By default, it is one of the following paths.
  • Linux: /opt/ibm/BFI
  • Windows: C:\Program Files\ibm\BFI
Substitute <install_dir> in the procedure with the directory where the BigFix Inventory server is installed in your environment.

Procedure

  • For application update 9.2.9 or higher, perform the following steps to permanently configure the directory server.
    1. Contact your LDAP server administrator to obtain a public certificate from the certificate authority (CA) that issues server certificates for LDAP. The certificate file should be in the PEM format, and should contain one or more certificates (full chain of trust).
      For example:
      -----BEGIN CERTIFICATE-----
      MIIHZjCCBk6gAwIBAgISKESJLWXAAAACTANBgkqhkiG9w0BAQUFADBNMRMwEQYK
      CRWmyVBwPWQBBUNdilPKJRQwpeYKCZImiZPyLGQBGRYEQ354jTEgGG7GA1UEAiU5
      .
      .
      .
      MTAzMzQxWjBZMRMwEQYKCZImiZPJVGQBGRYDbmV0MRkwFwYKCZImiZPyLGQBGRYJ
      bnNyb290ZGV2MScwJQYDVQQDEx5DaXRXAEludGVybmFsIERldmljZSBDQSAwMyBM
      -----END CERTIFICATE-----
      
    2. To create a custom truststore and import the public certificate for the LDAP server to that truststore, run the following command.
      <install_dir>/jre/jre/bin/keytool -import -file <path_to_certificate> -alias ldapCA 
      -keystore <install_dir>/wlp/usr/servers/server1/resources/security/ldap_truststore 
      -storepass <password>
      Where:
      -file
      Is the path to the public certificate of the LDAP server.
      -storepass
      Is the password that you want to set for the truststore.
    3. When the command prompts you to trust the certificate, confirm by typing yes in the following line.
      Trust this certificate? [no]: yes
    4. To encode the truststore password, perform the following steps.
      1. Set the JAVA_HOME variable.
        • Linux export JAVA_HOME=<install_dir>/jre/jre
        • Windows set JAVA_HOME=<install_dir>/jre/jre
      2. Run the following command.
        <install_dir>/wlp/bin/securityUtility encode --encoding=aes
      3. When prompted, enter and re-enter the password that you specified in step 2.
      4. Save the encoded password. You will need it to complete this procedure.
    5. Back up the server.xml file before you make any changes. Then, provide information about the location of the truststore and its password in the server.xml file.
      1. Open the server.xml file that is in the <install_dir>/wlp/usr/servers/server1 directory.
      2. Locate the keyStore entry that has the defaultKeyStore identifier.
        <keyStore id='defaultKeyStore'>
      3. Paste the following lines after that entry. In the password parameter, provide the encoded password from step 3.
        <keyStore id='ldapCustom' 
        location='<install_dir>/wlp/usr/servers/server1/resources/security/ldap_truststore' 
        password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxx'/>
        
  • For versions older than application update 9.2.9, perform the following steps to configure the directory server. This solution must be applied after each application upgrade, as the certificates that you add according to this procedure are not preserved.
    Note: Before you begin, contact IBM Support for the password that is required during configuration.
    1. Contact your LDAP server administrator, and obtain the public certificate from the certificate authority (CA) that issues the server certificates for LDAP. The certificate file should be in the PEM format, and should contain one or more certificates.
      For example:
      -----BEGIN CERTIFICATE-----
      MIIHZjCCBk6gAwIBAgISKESJLWXAAAACTANBgkqhkiG9w0BAQUFADBNMRMwEQYK
      CRWmyVBwPWQBBUNdilPKJRQwpeYKCZImiZPyLGQBGRYEQ354jTEgGG7GA1UEAiU5
      .
      .
      .
      MTAzMzQxWjBZMRMwEQYKCZImiZPJVGQBGRYDbmV0MRkwFwYKCZImiZPyLGQBGRYJ
      bnNyb290ZGV2MScwJQYDVQQDEx5DaXRXAEludGVybmFsIERldmljZSBDQSAwMyBM
      -----END CERTIFICATE-----
    2. Copy the certificate file to the following directory: <install_dir>/jre/jre/lib/security/.
    3. Run the following command:
      <install_dir>/jre/jre/bin/keytool -import -trustcacerts -file <certificate_file_name> 
      -alias certAliasName -keystore cacerts -storepass <password> 
      Where <password> is the password that was provided by BigFix Support.
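Step 1 of both procedures requires a PEM file that holds one or more intact certificates, and step 5 of the 9.2.9 procedure requires an {aes}-encoded password in the server.xml entry. The following script is an added example written for this page, not code shipped with BigFix Inventory: it uses only the Python standard library to check every certificate block in a PEM file (valid base64, a complete outer DER SEQUENCE whose declared length matches the decoded bytes, which catches a paste that kept the "." placeholder lines or was cut short) and to build the keyStore element from an install directory and an encoded password. The sample PEM it constructs contains minimal DER SEQUENCE placeholders, not real certificates; the install path is the page's Linux default.

```python
import base64
import binascii
import re

# Matches one PEM certificate block; group 1 is the base64 body with line breaks.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.S,
)


def der_outer_length(der):
    """Return the total length declared by the outer DER SEQUENCE header,
    or None if the bytes do not start with a well-formed SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 is the SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_chain(text):
    """Report, for every certificate block in the file, whether it decodes to a
    complete DER SEQUENCE. Returns a list of dicts in file order."""
    results = []
    for index, match in enumerate(PEM_BLOCK.finditer(text), 1):
        b64 = "".join(match.group(1).split())    # drop line breaks before decoding
        try:
            der = base64.b64decode(b64, validate=True)   # reject non-base64 characters
        except binascii.Error:
            results.append({"index": index, "ok": False,
                            "reason": "body is not valid base64 (edited or truncated paste?)"})
            continue
        declared = der_outer_length(der)
        if declared is None:
            reason = "body is not a DER SEQUENCE (wrong file content?)"
        elif declared != len(der):
            reason = f"DER length mismatch: header declares {declared} bytes, body has {len(der)}"
        else:
            results.append({"index": index, "ok": True, "der_bytes": len(der)})
            continue
        results.append({"index": index, "ok": False, "reason": reason})
    return results


def chain_is_usable(text):
    """True when the file holds at least one block and every block is intact."""
    results = check_pem_chain(text)
    return bool(results) and all(r["ok"] for r in results)


def is_encoded_password(value):
    """securityUtility encode --encoding=aes yields a value that starts with {aes}."""
    return value.startswith("{aes}") and len(value) > len("{aes}")


def keystore_element(install_dir, encoded_password):
    """Build the keyStore element for server.xml (step 5 of the 9.2.9 procedure)."""
    if not is_encoded_password(encoded_password):
        raise ValueError("password must be the {aes} value produced by securityUtility encode")
    location = f"{install_dir}/wlp/usr/servers/server1/resources/security/ldap_truststore"
    return f"<keyStore id='ldapCustom' location='{location}' password='{encoded_password}'/>"


# --- constructed sample input: DER placeholders, not real certificates ---------
def der_sequence(body):
    """Wrap body in a DER SEQUENCE using short- or long-form length as needed."""
    n = len(body)
    if n < 0x80:
        return b"\x30" + bytes([n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + body


def pem_block(der):
    """Render DER bytes as one PEM certificate block (base64 wrapped at 76 columns)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_PEM = (
    pem_block(der_sequence(b"\x02\x01\x01"))                 # intact, short-form length
    + pem_block(der_sequence(b"\x04\x7e" + b"A" * 126))      # intact, long-form length (0x81 0x80)
    + "-----BEGIN CERTIFICATE-----\nMIIHZjCC\n.\n.\n.\n-----END CERTIFICATE-----\n"  # "." lines pasted literally
    + pem_block(b"\x30\x05\x02\x01\x01")                     # header declares 5 body bytes, only 3 present
)

if __name__ == "__main__":
    for result in check_pem_chain(SAMPLE_PEM):
        print(result)
    print("usable:", chain_is_usable(SAMPLE_PEM))
    print(keystore_element("/opt/ibm/BFI", "{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxx"))
```

Run check_pem_chain on the file obtained from the LDAP administrator before importing it with keytool; a file whose blocks all report ok, with as many blocks as the CA chain has certificates, is what step 1 asks for. The DER check only validates framing, not the certificate contents, so keytool's own parsing and the "Trust this certificate?" prompt remain the final confirmation.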