Thursday, June 27, 2019

How to configure secured external LDAP as directory service on MWS

Overview

In this article, I will show you how to set up a secured LDAP server, and how to configure it as a directory service on My webMethods Server.

Configure External LDAP

Prepare Apache Directory Service

Install and start Apache DS according to the online document https://directory.apache.org/apacheds/basic-ug/1.3-installing-and-starting.html. After you start Apache DS, it listens on port 10636 for secured (LDAPS) requests by default.

Prepare Apache Directory Studio

Install Apache Directory Studio according to the online document https://directory.apache.org/studio/downloads.html. After you start Apache Directory Studio, switch to the LDAP perspective and create a secured connection as shown below.


Remember to trust the certificate if a dialog asks you to.

Replace Apache DS Certificate

Because the default certificate can't be recognized correctly, we need to replace it with an external key store file, as described here: https://directory.apache.org/apacheds/basic-ug/3.3-enabling-ssl.html#in-case-you-want-to-use-an-external-keystore.

Prepare LDAP User

Save the content below as a file named xiaowei.ldif.

# File xiaowei.ldif

dn: cn=Xiaowei Wang,ou=users,ou=system
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: Xiaowei Wang
sn: Wang
uid: xiaowei
givenName: Xiaowei
mail: dingago@gmail.com
userpassword: xiaowei

Right-click the connection you just created and choose "Import" -> "LDIF Import" -> "Browse..." to select the file xiaowei.ldif, then click "Finish" to import it. You should now see a new entry under users.

Configure MWS

Prepare Certificates

We need to export the Apache DS certificate first. One easy way to do that is the command "openssl s_client -showcerts -connect hostname:port". Replace hostname with the host name or IP address of the server Apache DS is running on, and replace port with the port number on which the listener accepts secured requests (for example 10636).
This command prints the certificate chain, so you can copy everything between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" for each certificate and save it into an individual file. Remember to copy these two delimiter lines as well.

Import Certificates to Trust Store

Now we need to import these certificates into the MWS trust store if they're self-signed.
According to the document <Administering_My_webMethods_Server> (I'm looking at version 9.9), MWS uses the trust store file located at <SAG_Dir>/jvm/jvm/jre/lib/security/cacerts. But that's not true. What you need to look at is the MWS custom_wrapper.conf, which is located under <SAG_Dir>/profiles/MWS_default/configuration in my environment. It could be different depending on the version or the instance name.
Find the property "set.JAVA_TRUSTSTORE" in the custom_wrapper.conf file; this is the trust store MWS is actually using. You can either import the certificates into the current trust store, or create your own trust store file and change the property value to point to it.
To import into the current trust store: if the file is sagdemoca.jks, the password for importing the certificates is "manage".
To use your own trust store whose password is not "manage", you will also have to change the property "set.JAVA_TRUSTSTORE_PASSWORD". To generate the encrypted password, change directory to <SAG_Dir>/common/lib and run the command below: "java -cp wm-caf-common.jar;ext/log4j.jar com.webmethods.caf.common.CipherUtil your_password". (The ";" classpath separator is for Windows; on Linux or Unix use ":" instead.)
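The export-and-import steps above can be scripted. The following is an added example, not code from the original post or from Software AG: it splits the "openssl s_client -showcerts" output into one PEM file per certificate, reads the trust store path from custom_wrapper.conf (assuming the property is written as set.JAVA_TRUSTSTORE=path), and imports each file with keytool. The host, port, alias names and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for exporting the
# Apache DS certificate chain and importing it into the MWS trust store.

# fetch_chain HOST PORT -> prints the raw s_client output (needs network).
fetch_chain() {
  # </dev/null closes stdin so s_client exits right after the handshake.
  openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null
}

# split_chain OUTDIR  (reads s_client output on stdin)
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... each including the BEGIN/END
# delimiter lines, skips the "s:/i:" subject lines between certificates,
# and prints the number of certificates found.
split_chain() {
  mkdir -p "$1"
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1; out = dir "/cert-" n ".pem" }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  '
}

# show_truststore CUSTOM_WRAPPER_CONF -> prints the trust store MWS really uses
# (assumes the property line looks like set.JAVA_TRUSTSTORE=/path/to/store.jks).
show_truststore() {
  sed -n 's/^set\.JAVA_TRUSTSTORE=//p' "$1"
}

# import_chain OUTDIR TRUSTSTORE PASSWORD
# Imports every cert-N.pem as trusted under alias apacheds-cert-N. For the
# stock sagdemoca.jks the password is "manage" (from the post above).
import_chain() {
  for pem in "$1"/cert-*.pem; do
    alias_name="apacheds-$(basename "$pem" .pem)"
    keytool -importcert -noprompt -trustcacerts \
      -keystore "$2" -storepass "$3" -alias "$alias_name" -file "$pem"
  done
}

# Typical use (assumed host/port/paths):
#   fetch_chain ldap-host 10636 | split_chain ./apacheds-certs
#   ts=$(show_truststore /opt/sag/profiles/MWS_default/configuration/custom_wrapper.conf)
#   import_chain ./apacheds-certs "$ts" manage
```

Restart MWS after importing so the JVM reloads the trust store.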

Configure Directory Service

Now start your MWS, and once it's ready log in as Administrator, then navigate to "Administration" -> "My webMethods" -> "Directory Service". Click "Create New Directory Service", choose Directory Type "LDAP", then click "Next".
In my case, I have the Connection Information as below:

Provider URL : ldaps://localhost:10636
Base DN : ou=system
Security Principal : uid=admin,ou=system
Security Credentials : secret

And the User Attributes as below; you can see they match the attributes of the LDAP entry imported earlier.

Once this Directory Service is created, you should be able to search for the LDAP user on MWS.

