Troubleshooting IBM WebSphere LDAP Security

Created:
Last Update:
Author: Christoph Stoettner
Read in about 2 min · 406 words
websphere security ldap sdi ad ldaps hcl hclcnx

Smartphone being diagnosed with a stethoscope.

Photo by Bermix Studio | Unsplash

Most of the LDAP connections from IBM WebSphere Application Server are configured with TLS. So you need to have the root certificate in the WebSphere truststore to connect.

In the past I had several issues where MS Active Directory certificates for LDAPS are only valid for one year. They were automatically recreated on the AD side, and the certificate is not using the domain root certificate but a self-signed one.

Like https://help.claritysecurity.com/docs/enable-ldaps-on-an-ad-domain-controller , the instructions create a certificate template.

I couldn’t reproduce in my demo servers the issue that some customers have with only self-signed certificates for AD LDAPS which are only valid for one year, but I tested certificates with and without templates.

So the certificate which is used for LDAPS after just installing the Certificate Authority looks like this:

20250409-212138.png

The certificate created with the described LDAPS Template (inherited from Kerberos):

20250409-212041.png

From my point of view, the certificate with the template has no server name in the certificate, while the one without touching templates looks promising and works as expected.

You need to reimport the certificate every 11-12 months to have a trusted connection.

There is one setting in WebSphere which can help you, ensuring that the filebased user (for example wasadmin) is always able to login.

Allow operations if some of the repositories are down

This option is disabled by default and you can enable it in ISC (https://websphere-fqdn:9043/ibm/console) or wsadmin.sh.

  • ISC

    • Open Security > Global Security > Federated Repositories (Configure)
    • Enable Allow operations if some of the repositories are down

      20250409-174040.png

  • wsadmin.sh

cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
./wsadmin.sh -lang jython
AdminTask.updateIdMgrRealm('[-name defaultWIMFileBasedRealm -allowOperationIfReposDown true]')
AdminConfig.save()

To activate the setting you need to restart the Deployment Manager.

Now at least the file-based WebSphere admin user (e.g. wasadmin) can always login, even when the LDAP connection is down or fails because of missing certificates.

Disable Security to update truststore

If it is already too late to set this option, you can disable the WebSphere security with wsadmin:

cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
./wsadmin.sh -lang jython -conntype NONE

securityoff()
AdminConfig.save()

Restart the Deployment Manager and open the login page on https://dmgr-fqdn:9043/ibm/console - it will just ask for a username.

20250409-175218.png

Login with any username.

Now you can change any setting.

To finish the thoughts from above, import the new LDAP certificate for example.

SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port

20250409-213704.png

In the end, enable application security again:

20250409-175422.png

and restart the Deployment Manager.

Comments
Error
There was an error sending your comment, please try again.
Thank you!
Your comment has been submitted and will be published once it has been approved.
Success!
Your comment has been posted successfully.

Comments

Loading comments...

Leave a Comment

Your email address will not be published. Required fields are marked with *

Suggested Reading
Card image cap

Security Directory Integrator connecting to Active Directory LDAPS

I had one Connections’ environment that I wanted to switch from OpenLDAP to Active Directory LDAP. The old OpenLDAP environment used LDAPS to connect, and so I assumed that the change was done quickly.

The first step was to make a copy of the tdisol folder I used for OpenLDAP and start changing the configuration files for the new LDAP server.

Created: Read in about 4 min
Card image cap

CVE-2024-23557 - HCL Connections Security Update for User Enumeration Vulnerability

Some time back, I stumbled upon a flaw in HCL Connections 7 and 8 that allowed for user enumeration. This flaw could be exploited by anonymous users.

Created: Read in about 2 min
Card image cap

Better Navigation in Connections Scripts

I haven’t touched the Connections scripts for a long time, but I recently made some minor updates to fix compatibility issues with newer versions and added small scripts to speed up configuration. I also got the documentation script running from the menu.

Created:
Last Update: Read in about 2 min