IBM Tivoli Federated Identity Manager, Version 6.2.1

SSL configuration task for a Kerberos junctions deployment

For optimal security, configure SSL communication between the servers in a Kerberos junction deployment, so that the requests and credentials that WebSEAL forwards across the junction are not exchanged in clear text between components.

This topic provides an overview of the steps to configure a WebSphere® cluster environment to use SSL to communicate between WebSEAL, IBM® HTTP Server (IHS), WebSphere Application Server Plug-in, WebSphere Application Server and Tivoli® Federated Identity Manager. These steps do not address SSL communication between the client and WebSEAL or to the back-end Web server. No changes to these standard SSL configurations are necessary for Kerberos junction support.

Tip: Consider deploying a working configuration without SSL prior to adding SSL.

For each component, create a public/private key pair and extract its public key (the certificate, which the steps below refer to as the public key) to a known location, so that it can be copied to each peer that must trust the component.

On the WebSEAL server:

  1. Copy the IHS public key to the WebSEAL system.
  2. Use the ikeyman utility to add the IHS public key to the WebSEAL key database that the ssl-keyfile entry references. When there is more than one IHS proxy in the environment, complete this task for each IHS server.
  3. Configure appropriate values for the following [tfim-cluster:cluster] variables: server, ssl-keyfile, ssl-keyfile-stash. Optionally configure the ssl-valid-server-dn variable if applicable; it restricts the server certificates that WebSEAL accepts to the specified distinguished name, so that a certificate that happens to be trusted by the key database but was issued to a different server is rejected.

    For more information, see Planning WebSEAL Kerberos junction configuration.

  4. Restart WebSEAL to activate the changes made to the WebSEAL configuration file.

On the IBM HTTP Server:

  1. Copy the WebSEAL public key to the IHS system.
  2. Use the ikeyman utility on IHS to add the WebSEAL public key.
  3. Copy the WebSphere public key from the WebSphere Deployment Manager (dmgr) system to the IHS system.
  4. Use the ikeyman utility on IHS to add the WebSphere public key.
  5. Update the httpd.conf file to configure or add a virtual host to support SSL connections.
  6. Restart IHS to activate the changes.
  7. When your deployment includes multiple IHS proxies, repeat the above steps for each IHS proxy.

On the WebSphere plug-in located on the IHS server:

  1. Copy the WebSphere public key to the plug-in system.
  2. Use the ikeyman utility for the plug-in to add the WebSphere public key.
  3. Copy the WebSphere node public key from the WebSphere node to the plug-in server.
  4. Use the ikeyman utility for the plug-in to add the WebSphere node public key.
  5. When your deployment includes multiple plug-ins, repeat the above steps for each plug-in.

On the WebSphere Network Deployment Manager (dmgr):

  1. Ensure that the public key for the plug-in is located in a file path that can be accessed through the WebSphere administration console.
  2. Use the WebSphere console to add the public key for the plug-in to the CellDefaultTrustStore.
  3. When your deployment includes multiple plug-ins, repeat the above steps for each plug-in.
  4. Ensure that the public key for the node is located in a file path that can be accessed through the WebSphere administration console.
  5. Use the WebSphere console to add the public key for the node to the CellDefaultTrustStore.
  6. When your deployment includes multiple nodes, repeat the above steps for each node.
  7. Configure client authentication if appropriate for your deployment.

On the WebSphere Node:

  1. Ensure that the public key for the Deployment Manager (dmgr) is located in a file path that can be accessed through the WebSphere administration console.
  2. Use the WebSphere console to add the dmgr public key to the NodeDefaultTrustStore.
  3. When your deployment includes multiple nodes, repeat the above steps on each node.
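The trust exchange that the steps above repeat for each pair of components, shown as an added example that is not part of the IBM documentation: it uses openssl in place of ikeyman, so the key material lives in PEM files rather than in .kdb/.sth key databases, and the trust store is a plain certificate bundle. The hostnames, distinguished names and the WebSEAL-plus-two-proxies layout are constructed for the demonstration, and the check_server_dn function only models what ssl-valid-server-dn does in WebSEAL; the RFC 2253 DN form it compares against is an assumption, not the format WebSEAL documents.

```shell
#!/bin/sh
# Added example, not IBM code: the per-component key exchange from the
# procedure above, using openssl instead of ikeyman (PEM files rather
# than .kdb/.sth key databases). Hostnames, DNs and the two-proxy layout
# are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_identity NAME CN: create a key pair and self-signed certificate for
# one component. The .crt file is the "public key" to extract and copy.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# trust NAME PEER: add PEER's certificate to NAME's trust store, the
# equivalent of "use ikeyman to add the peer's public key".
trust() {
  cat "$WORK/$2.crt" >> "$WORK/$1.trust.pem"
}

# verify_trust NAME PEER: succeeds only if NAME's store accepts PEER's
# certificate. The output is checked rather than the exit code because
# old openssl releases exit 0 even when verification fails.
verify_trust() {
  openssl verify -CAfile "$WORK/$1.trust.pem" "$WORK/$2.crt" 2>/dev/null \
    | grep -q ': OK$'
}

# subject_dn NAME: the certificate's subject in RFC 2253 form, the value
# this demo pins the way ssl-valid-server-dn would (assumed format).
subject_dn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# check_server_dn NAME EXPECTED: model of ssl-valid-server-dn. A
# certificate can be accepted by the trust store and still be rejected
# because it was issued to a different server.
check_server_dn() {
  [ "$(subject_dn "$1")" = "$2" ]
}

# demo: WebSEAL in front of two IHS proxies, the multi-proxy case.
demo() {
  make_identity webseal webseal.example.com
  make_identity ihs1 ihs1.example.com
  make_identity ihs2 ihs2.example.com
  # WebSEAL must trust every proxy; every proxy must trust WebSEAL.
  trust webseal ihs1
  trust webseal ihs2
  trust ihs1 webseal
  trust ihs2 webseal
  verify_trust webseal ihs1 || return 1
  verify_trust webseal ihs2 || return 1
  verify_trust ihs1 webseal || return 1
  # Nobody imported ihs1 into ihs2, so that pair is (correctly) untrusted.
  if verify_trust ihs2 ihs1; then return 1; fi
  # Pinning the DN keeps a trusted-but-wrong certificate out.
  check_server_dn ihs1 "CN=ihs1.example.com,O=Example" || return 1
  if check_server_dn ihs2 "CN=ihs1.example.com,O=Example"; then return 1; fi
  echo "trust exchange verified; files in $WORK"
}

demo
```

Run it as a plain script; it leaves the generated files in the temporary directory it prints so that the trust bundles can be inspected. The negative checks are the ones worth carrying into a real deployment: after importing certificates with ikeyman, confirm not only that each intended pair connects but also that a component that should not be trusted is in fact refused, and that a pinned ssl-valid-server-dn rejects a certificate issued to another host.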

