Setting up LDAP over SSL

You can configure WebSphere Application Server and HCL Commerce to access your LDAP directory over SSL. Using SSL ensures the confidentiality of the data, for example passwords, that is exchanged between WebSphere Application Server, the HCL Commerce Server, and your LDAP server. Some LDAP servers, for example Microsoft Active Directory and NetIQ eDirectory, require it. Configuring LDAP over SSL is a separate operation from configuring the HTTP Server to accept incoming browser requests over HTTPS.

Procedure

Generate or import certificates as necessary and activate SSL on the directory server. This step varies depending on the LDAP server you are using.
IBM Directory Server
IBM Directory Server can use either self-signed certificates or certificates signed by a Certificate Authority (CA) to enable LDAP over SSL. IBM Directory Server includes a security key management utility, such as GSKCapicmd, which can be used to generate a self-signed certificate or to import purchased certificates into the IBM Directory Server keystore. Consult the IBM Directory Server documentation for the details of how to import a CA certificate. Alternatively, you can create a self-signed certificate in a key database file and extract that certificate so that it can be moved to WebSphere Application Server and HCL Commerce.

To create a self-signed certificate:

  1. Start the security key management utility (for example, GSKCapicmd).
  2. Open an existing CMS Key Database file, if your directory server is already configured for SSL, or create a new CMS Key Database file.

    If you open an existing file, you must provide the password for that file. If you create a new file, you are required to supply a password to secure access to that file. Remember this password.

  3. Within that CMS Key Database file, create a new self-signed certificate using the X.509 Version 3 format and a 1024-bit key size. Give the certificate a label. Remember this label.
  4. Extract the new self-signed certificate to a certificate file, using Base64-encoded ASCII data as the data type. This saves the certificate to a file name of your choice with the extension .arm.
  5. If it is not already configured, set up IBM Directory Server for LDAP over SSL using the CMS Key Database file containing the self-signed certificate and server authentication. For details on this step, see the IBM Directory Server documentation.
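The following script is an added example, not part of the HCL Commerce documentation: it runs steps 2 through 4 above with the GSKit 8 command-line utility gsk8capicmd_64 and then checks the extracted .arm file before it is copied to WebSphere Application Server. It assumes gsk8capicmd_64 is on the PATH; the key database name, password, label, subject DN and output file name are placeholders.

```shell
#!/bin/sh
# Added example (not from the HCL Commerce documentation): steps 2-4 of the
# self-signed certificate procedure as gsk8capicmd_64 commands, plus a check on
# the extracted .arm file. Assumed: gsk8capicmd_64 (GSKit 8) is on PATH; all
# names, the DN and the password below are placeholders.
set -eu

KDB=ldapkey.kdb                          # CMS key database (assumed name)
KDB_PW=change-me                         # step 2: remember this password
LABEL=ldapserver                         # step 3: remember this label
DN='CN=ldap.example.com,O=Example,C=US'  # constructed subject DN
ARM=ldapserver.arm                       # step 4: Base64 (.arm) output file

# Step 2: reuse an existing CMS key database or create one. -stash writes the
# password stash file the directory server needs to open the database unattended.
create_kdb() {
  [ -f "$KDB" ] && return 0
  gsk8capicmd_64 -keydb -create -db "$KDB" -pw "$KDB_PW" -type cms -stash
}

# Step 3: self-signed X.509 version 3 certificate under the chosen label.
# The procedure lists 1024 bits; GSKit also accepts 2048, which is what
# current deployments use.
create_cert() {
  gsk8capicmd_64 -cert -create -db "$KDB" -pw "$KDB_PW" -label "$LABEL" \
    -dn "$DN" -size 2048 -x509version 3 -expire 365
}

# Step 4: extract the public certificate as Base64-encoded ASCII into the .arm.
extract_cert() {
  gsk8capicmd_64 -cert -extract -db "$KDB" -pw "$KDB_PW" -label "$LABEL" \
    -target "$ARM" -format ascii
}

# Check before copying to WebSphere: a self-signed extract holds exactly one
# PEM certificate; anything else means the wrong label or file was used.
arm_is_single_pem() {
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
  [ "${begins:-0}" -eq 1 ] && [ "${ends:-0}" -eq 1 ]
}

# Run the GSKit steps only where the utility is installed.
if command -v gsk8capicmd_64 >/dev/null 2>&1; then
  create_kdb && create_cert && extract_cert
  arm_is_single_pem "$ARM" || { echo "unexpected content in $ARM" >&2; exit 1; }
  gsk8capicmd_64 -cert -details -db "$KDB" -pw "$KDB_PW" -label "$LABEL"
fi
```

Where OpenSSL is available, `openssl x509 -in ldapserver.arm -noout -subject -dates` confirms the subject and validity period of the certificate you are about to import into WebSphere Application Server.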