LDAP certificates expired on a WebSphere Application Server initially configured with LDAP over SSL

We are running WebSphere Application Server v8.5 on AIX 7, which we configured to use LDAP security. Everything was working fine, but the project was halted for some time and our WAS was down. Now we see that the LDAP certificates have expired, hence we are unable to connect to the dmgr and admin console. Can somebody help to resolve it?
We know how to configure LDAP on WAS, but don't know how to replace the expired LDAP certificate with the new certificates. (We received new, non-expiring certificates from the LDAP team but don't know how to configure them on WAS.)

You need to disable security, restart the dmgr, replace the certificates and re-enable security.
To disable security:
stop/kill the dmgr
run the following from the dmgr\bin folder:
wsadmin -conntype NONE
At the wsadmin prompt, type securityoff and then type exit.
Restart your dmgr.
UPDATE
Do you have federated or standalone LDAP configured? In the LDAP configuration you should have a link to the SSL configuration. There you will need to add your new certificate to the signers store (this is a very simplified description, as I'm not sure which repository you are using).

Related

Changed realm in Websphere Application Server now JVMs will not start

We're unable to start our JVMs after changing the LDAP server in the Security -> Global Security settings. We get "The user is from a foreign realm, XXXX:289, and this foreign realm is not trusted. Current realm is XXXX".
This error seems straightforward, yet we cannot find anything wrong with our settings. The "Trusted authentication realms - inbound" looks correct. The settings in Global Security look right. The users have been recreated.
The process we followed was to update the LDAP server, then remove and add back the admin group roles so they use the new LDAP server. Then we shut down all the WebSphere processes, ran the osgiCfgInit.sh and clearClassCache.sh scripts to clear the cache, and started the processes back up.
Is there a file or cache we need to modify for our admin user?

Is WebLogic Node Manager SSL setup required while implementing SSL for an application?

In WebLogic, I have more than one machine created using Node Manager. We have been told to set up SSL for our application, which is deployed across the created machines in a single WebLogic Admin Console.
So for the application we configured the certificate using a .jks file and configured the SSL listen port by enabling it.
However, we have been told to secure the Node Manager machines across which the application is deployed as well. While changing the Node Manager type to SSL instead of Plain I am getting an SSLException. In fact, we do not need to secure the machines created using Node Manager; securing the application only is sufficient. Am I right? Or is it required to secure Machines -> Node Manager as well?
When I turn on SSL in Machines -> Node Manager, what do I have to consider to avoid the SSLException? Is a WebLogic restart required if I configure this? For now I do not have UNIX access, hence I couldn't do that at this moment.
Without securing Machines -> Node Manager I am able to run the application, but not able to access it using HTTPS. Only HTTP for the application is working.
Please advise on the situation.
SSL for Node Manager is optional, as no application-related sensitive data flows in this layer.
You mention that even after configuring the JKS you can't get the server, and hence the application, listening on HTTPS. Could you elaborate on what steps you followed? Note this has nothing to do with Node Manager.

Configuring IBM P8 to use LDAP over SSL with Active Directory

I am hoping someone can help me out with a frustrating configuration problem I'm having with IBM FileNet Content Manager 5.2.1 (aka P8 5.2.1).
We have an existing system set up that uses Microsoft Active Directory as the LDAP directory service for P8, and that has worked fine to date. That said, we now want our .NET apps to talk to P8 (via the Content Platform Engine .NET API) using WCF instead of the legacy (and now deprecated) WSE, but we have run into a problem. WCF requires that all communication occur over SSL; on the surface, not a problem. If you want to talk to the IBM Content Platform Engine (CPE) over SSL, however, according to IBM's documentation you must also change the underlying default LDAP connection from unsecured to SSL (in the process changing LDAP to use port 636 instead of 389).
Following both Microsoft's and IBM's docs, I first enabled LDAP over SSL on Active Directory and tested accordingly. Using Microsoft's LDAP utility, ldp.exe, I can successfully connect and bind to Active Directory on port 636 over SSL.
The next step, however, is where I hit a wall: enabling SSL for the Content Platform Engine. I followed all the steps involving adding the Active Directory server's CA certificate to the CPE's application server keystore, no problem. The next step in the configuration instructions asks you to start the Administration Console for CPE (ACCE) and reconfigure the directory configuration properties, telling it to use SSL on port 636 and... KABOOM! When I attempt to save the configuration, the save fails, stating:
An unexpected exception occurred. Message was: Failed connecting to ldap://ad1.domain.com:636
Unfortunately, I can't find any additional info as to why it failed to connect. I assumed it was due to something minor, such as a port conflict. To test that theory, I installed Microsoft's LDAP test utility on the CPE server and attempted to connect to the Active Directory server over SSL on port 636. Much to my surprise, that worked just fine... grrrr.
I am now at something of a loss as to what to look at next. Anybody out there with experience configuring CPE to use SSL in an Active Directory environment?
Thanks in advance for any-and-all assistance.
WCF requires that all communication occur over SSL - on the surface, not a problem. If you want to talk to the IBM Content Platform Engine (CPE) over SSL however, according to IBM's documentation, you must also change the underlying default LDAP connection from unsecured to SSL as well
This is not true. FileNet can work with a non-secure LDAP while at the same time working with WCF.
Now, if you would like to solve why FileNet will not connect to a secure LDAP, then you should start with your WebSphere.
Check WebSphere's keystores to ensure that the AD's key is contained. Follow M.Tamboli's advice and restart WebSphere.
Also make sure that you check WebSphere's SystemOut.log, as you may find more info in there.
I'm not sure if it is necessary, but you may also want to add/change the LDAP configuration that is set up within WebSphere itself.

Glassfish access control

I have a web service deployed on my system under the GlassFish server. When I try to access it from another system using my IP and port number, it shows an access-control origin error.
I tried to solve this by putting an accesscrossdomain.xml file in my GlassFish docroot folder, but the error still continues.
What can be done to solve this issue?
You are likely running into the default configuration, which disables remote administration for security reasons. This means no SSL while logging into the administration console, no admin password, etc.
GlassFish Server has excellent documentation. For this particular issue, this section of the Security Guide should help. Basically, you'll want to run "asadmin enable-secure-admin". To learn more about secure admin, read this section of the Security Guide.

WAS 7.0 LDAP configuration

All,
I'm trying to configure LDAP with WebSphere. I'm doing the settings in the "Security" area; when I click on 'Test settings' I get a connection exception (SECJ7340E). The IP/host are all fine, but I'm not able to connect to the server. Have you come across such a situation? Do you know the solution to this?
I'm using WAS 7.0.
LDAP troubleshooting is not hard.
What LDAP server are you connecting to? Does it have any logging? Can you get an error message from the LDAP server admins? (I.e., if they see a bad bind DN, bad password error, etc., then you have a much easier troubleshooting job to do.)
I am sure you have the right IP. Now, what port should you be connecting to? Clear text is 389, LDAP over SSL is 636, but they might have changed those values for some reason.
Does your LDAP server allow clear text connections at all?
Do you have SSL configured correctly? Generally this means that whatever system you are using, its trusted root keystore should include the public key of the CA that signed the server cert used by the LDAP server (i.e., Verisign, Thawte). Possibly it is using a self-signed certificate, in which case you should get an export of the CA that minted its public key to import into your keystore.
WebSphere is Java based, so I imagine it is using the Java keystore facility. Use the keytool executable in the Java bin directory to add the trusted root to the keystore WebSphere is using. (That detail I leave to you.)
What Bind DN are you using? Is it a real correct LDAP DN to connect with?
Use an LDAP browser like ApacheDS and see what it takes to connect to the LDAP server to validate the settings.
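The expired-signer thread at the top of this page, the FileNet "Failed connecting to ldap://...:636" thread and the SECJ7340E thread just above all come down to the same check: what certificate the directory actually presents on port 636, whether it has already expired, and whether the signer you hold (the CA in the WebSphere trust store) accepts it for the hostname you dial. The probe below is an added example written for this page; it is not code from any of the posts, from IBM or from Oracle. It uses only the Go standard library and ships its own throwaway CA and loopback TLS listener so it can be run offline; the names CheckLDAPS, issueTestChain and serveTLS are my own, and the "ad1.domain.com:636" in the comments is simply the host from the FileNet question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// LDAPSCheck is what the probe learned about one LDAPS endpoint.
type LDAPSCheck struct {
	Subject  string    // certificate the directory presented
	Issuer   string    // its signer: the CA that has to be in the trust store
	NotAfter time.Time // when that certificate expires
	Expired  bool      // already past NotAfter at check time
	Trusted  bool      // chain and hostname verified against signers
	Reason   string    // verification error text, empty when Trusted
}

// CheckLDAPS connects to addr (e.g. "ad1.domain.com:636"), records the certificate the
// directory presents, then verifies it against signers (the CAs you hold) with hostname
// checking, as a JSSE client does before it will bind. Verification is done by hand so
// the certificate is still reported when it fails; only the handshake is sent.
func CheckLDAPS(addr string, signers *x509.CertPool, now time.Time) (*LDAPSCheck, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr,
		&tls.Config{InsecureSkipVerify: true}) // probe only: we verify explicitly below
	if err != nil {
		return nil, fmt.Errorf("handshake with %s failed: %w", addr, err)
	}
	defer conn.Close()
	chain := conn.ConnectionState().PeerCertificates
	if len(chain) == 0 {
		return nil, fmt.Errorf("%s presented no certificate", addr)
	}
	leaf, inter := chain[0], x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	res := &LDAPSCheck{Subject: leaf.Subject.String(), Issuer: leaf.Issuer.String(),
		NotAfter: leaf.NotAfter, Expired: now.After(leaf.NotAfter)}
	// Roots must be a real (possibly empty) pool: a nil pool would mean the system roots.
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: signers, Intermediates: inter, CurrentTime: now})
	if err != nil {
		res.Reason = err.Error()
	}
	res.Trusted = err == nil
	return res, nil
}

// issueTestChain mints a throwaway CA and a server certificate for host with the given
// validity window. It exists only so the probe can be exercised offline; a real
// directory's certificate comes from its own CA and this fixture is not needed.
func issueTestChain(host string, notBefore, notAfter time.Time) (*x509.Certificate, tls.Certificate, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the CSPRNG does
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test LDAP Signer CA"},
		NotBefore: notBefore.Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	ca, _ := x509.ParseCertificate(caDER) // bytes we just produced
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if ip := net.ParseIP(host); ip != nil { // the SAN has to match how the client dials
		srvTmpl.IPAddresses = []net.IP{ip}
	} else {
		srvTmpl.DNSNames = []string{host}
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey)
	return ca, tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}, err
}

// serveTLS stands in for the directory's port 636 on loopback: it completes a TLS
// handshake with cert on each connection and then closes it. Returns the address to dial.
func serveTLS(cert tls.Certificate) (addr string, stop func(), err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}
```

Against a real directory you would skip the fixture, build the pool with x509.NewCertPool() and AppendCertsFromPEM on the exported signer, and call CheckLDAPS("ad1.domain.com:636", pool, time.Now()). The two outcomes map onto the advice in the threads: Expired true is the situation in the first question (a new certificate has to come from the directory team, and because its signer may have changed too, re-run the probe afterwards), while Expired false with a Reason mentioning an unknown authority or a hostname mismatch is the FileNet case, and the Issuer printed is the signer that has to go into the cell trust store before WebSphere will bind.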