The following are the steps to configure SSL security for IBM Directory Server and WebSphere Commerce.
- Choose the steps appropriate for your platform.
Setting up IBM Directory Server
To set up the IBM Directory Server:
- Install IBM Directory Server according to the IBM Directory Server product installation instructions. Ensure that you install the GSKit component.
- After the installation completes, start the IBM Key Manager by running the gsk5ikm executable.
- Create a new CMS key database file (for example, ldap_key.kdb). Make sure that "Stash the password to a file" is selected.
- Create a self-signed certificate using X.509 V3 and a 1024-bit key size. (You can assign a meaningful label to the certificate, for example, your name.) Note that 1024-bit RSA is the size this procedure specifies; it is considered weak by current standards, so use 2048 bits or larger if your version of the tooling allows it.
- Extract the certificate to a certificate file (for example, cert.arm) using the Base64-encoded ASCII data type.
- Open a browser to the following address: http://host_name/ldap where host_name is your LDAP server machine name.
- Click Security --> SSL --> Settings and make the following changes:
- SSL status: SSL on or SSL only
- Authentication method: Server Authentication
- Secure port: 636
- Key database path and file name: the full path to the CMS key database file you created (for example, ldap_key.kdb)
- Key label: your_label (The label of the certificate.)
- Key password: xxxxx (The password of the CMS key database file. If you chose "Stash the password to a file", you do not need to enter the password.)
- Click Update and restart IBM Directory Server.

Setting up IBM OS/400 Directory Services
To set up the IBM OS/400 Directory Services:
- Install IBM iSeries Access for Windows.
- Start the iSeries Navigator on a Windows machine by selecting Start --> Programs --> IBM iSeries Access for Windows --> iSeries Navigator.
- Create a connection to the target iSeries machine if no connection for the machine exists.
- Expand the target machine in the left panel, then expand Network --> Servers in the left panel.
- Click TCP/IP in the left panel.
- Right-click Directory in the right panel and select Properties from the popup menu.
- In the Directory Properties window, click the Network tab.
- Click Digital Certificate Manager to launch Digital Certificate Manager and assign a certificate to Application "Directory Services server".
- After assigning the certificate to the Directory Services server, click OK to close the Directory Properties window.
- Re-open the Directory Properties window. Secure Socket Layer (SSL) is now shown as enabled. You can accept the default settings:
- SSL status:
- Authentication Method: Server Authentication
- Secure port: 636
- Restart the Directory Services server.

Assigning and importing a self-signed certificate to WebSphere Application Server
If your SSL certificate was not issued by a Certificate Authority (CA) such as VeriSign or Thawte, export the local CA certificate from the iSeries machine and import it into the default trust keystore on the WebSphere Commerce machine. To enable SSL with an iSeries local certificate and export the local CA from an iSeries machine:
- Make sure the HTTP *Admin server is running. If it is not, run:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
- Open the iSeries Tasks page by pointing a browser at http://host_name:2001/, where host_name is the iSeries machine name.
- Select Digital Certificate Manager.
- Click on Select a Certificate Store.
- From the Certificate Store, select *System.
- If you do not see the Install Local CA Certificate on Your PC link, you need to create a local CA and a certificate signed by it:
- a. Click Create a Certificate Authority (CA).
- b. Restart the *Admin HTTP server on the iSeries machine.
- c. Create the new certificate as a Client or Server type.
- d. Select the newly created Local Certificate Authority as the signer.
- e. Assign this certificate to the Directory Services server.
- Click Install Local CA Certificate on your PC.
- Click Install Certificate. Then save the certificate (.cer file) in a temporary folder.
- Import the CA certificate (.cer file) into Microsoft Internet Explorer, then export it again to a .cer file using Base-64 encoding into a temporary directory.
- Import the Base-64 encoded CA certificate into the WebSphere Application Server trust keystore. For example:
keytool -import -alias nck -file /temp_dir/nck.cer -keystore /qibm/proddata/java400/jdk13/lib/security/cacerts
Adding the certificate to WebSphere Application Server
In WebSphere Application Server:
- Launch IKeyMan (IBM Key Manager), which is provided with WebSphere Application Server. (You can find it on the WebSphere Application Server menu, or type ikeyman in a command window.)
Note: This IBM Key Manager is different from the one provided by IBM Directory Server.
- Open the WebSphere Application Server cacerts keystore (for example, WAS_installdir\AppServer\java\jre\lib\security\cacerts on Windows). The default password is 'changeit'; change it if it is still the default, since anyone who knows it can add trusted signers to the store.
- Go to Signer Certificates, then click Add. Use the 'Base64-encoded ASCII data' data type and choose the certificate file you extracted in step 5 of the section Setting up IBM Directory Server (for example, cert.arm).
- Enter a name for the certificate.
- Close IKeyMan.
Configuring WebSphere Commerce to work with the Directory Server
To set up WebSphere Commerce to work with IBM Directory Server over SSL, modify the instance.xml file:
- Add a new JNDI environment variable:
java.naming.security.protocol = ssl
- Change LdapPort to 636, the secure port configured on the directory server:
LdapPort = 636
For example:
<MemberSubSystem name="Member SubSystem" AuthenticationMode="LDAP" ProfileDataStorage="LDAP">
  <Directory LdapAdminDN="cn=root"
             LdapAuthenticationMode="SIMPLE"
             LdapTimeOut="0"
             LdapVersion="3"
             EntryFileName="E:/WebSphere/WPS/xml/ldap/attributeMap.xml"
             LdapPort="636"
             LdapAdminPW="<adminpassword>"
             LdapHost="<hostname>"
             MigrateUsersFromWCSdb="OFF"
             JNDIEnvPropName1="java.naming.security.protocol"
             JNDIEnvPropValue1="ssl"
             display="false"
             LdapType="SECUREWAY"
             . . . . />
</MemberSubSystem>
Both changes are needed together: port 636 without the ssl JNDI property makes the client speak plain LDAP to the SSL port, and with LdapAuthenticationMode="SIMPLE" a plain-LDAP connection sends LdapAdminPW to the directory server in clear text.
- Restart the WebSphere Commerce Server.
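As an added example (not part of the IBM procedure), the following Python script applies the two instance.xml changes above and then checks that the result is consistent: LdapPort is 636 and the java.naming.security.protocol JNDI property is set to ssl, flagging a SIMPLE bind that would otherwise send LdapAdminPW in clear text. The XML fragments, host name, password value and function names are constructed for the example.

```python
"""Apply and verify the instance.xml LDAP-over-SSL settings for the WebSphere
Commerce Member SubSystem.

Added example, not part of the original IBM procedure. The XML fragments,
host name and password values below are constructed for the example.
"""
import xml.etree.ElementTree as ET

PROTO_PROP = "java.naming.security.protocol"
NAME_PREFIX = "JNDIEnvPropName"
VALUE_PREFIX = "JNDIEnvPropValue"

# Constructed sample: the Directory element as it looks after the procedure.
SAMPLE_SSL_XML = """<InstanceProperties>
  <MemberSubSystem name="Member SubSystem" AuthenticationMode="LDAP" ProfileDataStorage="LDAP">
    <Directory LdapAdminDN="cn=root" LdapAuthenticationMode="SIMPLE" LdapTimeOut="0"
      LdapVersion="3" LdapPort="636" LdapAdminPW="secret" LdapHost="ldap.example.com"
      MigrateUsersFromWCSdb="OFF" JNDIEnvPropName1="java.naming.security.protocol"
      JNDIEnvPropValue1="ssl" display="false" LdapType="SECUREWAY"/>
  </MemberSubSystem>
</InstanceProperties>"""

# Constructed sample: a plain-LDAP configuration before the procedure is applied.
SAMPLE_PLAIN_XML = """<InstanceProperties>
  <MemberSubSystem name="Member SubSystem" AuthenticationMode="LDAP" ProfileDataStorage="LDAP">
    <Directory LdapAdminDN="cn=root" LdapAuthenticationMode="SIMPLE" LdapTimeOut="0"
      LdapVersion="3" LdapPort="389" LdapAdminPW="secret" LdapHost="ldap.example.com"
      MigrateUsersFromWCSdb="OFF" display="false" LdapType="SECUREWAY"/>
  </MemberSubSystem>
</InstanceProperties>"""


def _directory(root):
    """Locate the Directory element under MemberSubSystem or raise."""
    directory = root.find(".//MemberSubSystem/Directory")
    if directory is None:
        raise ValueError("no MemberSubSystem/Directory element in instance.xml")
    return directory


def jndi_env_props(directory):
    """Map each JNDIEnvPropName<n> value to its JNDIEnvPropValue<n> counterpart."""
    props = {}
    for attr, prop_name in directory.attrib.items():
        if attr.startswith(NAME_PREFIX):
            props[prop_name] = directory.attrib.get(VALUE_PREFIX + attr[len(NAME_PREFIX):])
    return props


def check_ldap_ssl_config(xml_text):
    """Return a list of findings; an empty list means the SSL settings are consistent."""
    directory = _directory(ET.fromstring(xml_text))
    findings = []
    port = directory.attrib.get("LdapPort")
    protocol = jndi_env_props(directory).get(PROTO_PROP)
    if port != "636":
        findings.append(f"LdapPort is {port!r}; the secure port configured on the directory server is 636")
    if protocol != "ssl":
        findings.append(f"JNDI property {PROTO_PROP} is {protocol!r}, expected 'ssl'")
    if directory.attrib.get("LdapAuthenticationMode") == "SIMPLE" and protocol != "ssl":
        findings.append("SIMPLE bind without SSL sends LdapAdminPW to the directory server in clear text")
    return findings


def enable_ldap_ssl(xml_text):
    """Apply the two changes from the procedure and return the updated XML text."""
    root = ET.fromstring(xml_text)
    directory = _directory(root)
    directory.set("LdapPort", "636")
    # Reuse the existing JNDIEnvProp slot for the protocol property if present,
    # otherwise allocate the next free index.
    existing = [attr for attr, val in directory.attrib.items()
                if attr.startswith(NAME_PREFIX) and val == PROTO_PROP]
    if existing:
        index = existing[0][len(NAME_PREFIX):]
    else:
        used = [int(attr[len(NAME_PREFIX):]) for attr in directory.attrib
                if attr.startswith(NAME_PREFIX) and attr[len(NAME_PREFIX):].isdigit()]
        index = str(max(used, default=0) + 1)
        directory.set(NAME_PREFIX + index, PROTO_PROP)
    directory.set(VALUE_PREFIX + index, "ssl")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", check_ldap_ssl_config(SAMPLE_PLAIN_XML))
    fixed = enable_ldap_ssl(SAMPLE_PLAIN_XML)
    print("after:", check_ldap_ssl_config(fixed))
```

To use it against a real instance, read the file into xml_text, write the string returned by enable_ldap_ssl back to instance.xml, and then restart the WebSphere Commerce Server as the last step above says; the check function is useful on its own as a quick audit of an instance that was supposed to have been switched to SSL.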