Implementing LDAP-based JNDI binding

About LDAP-based JNDI binding

Installing LDAP

Installing WebSphere MQ 5.3 (Windows example)

Managing the WebSphere LDAP link

About LDAP-based JNDI binding

LDAP-based JNDI binding is an alternative to file-based binding when configuring WebSphere connectivity with an Integrator Server.

For the file-based binding configuration, refer to the Integrator / WebSphere deployment example.

Installing LDAP

1. Unzip to a selected folder the file: ldap.zip
2. Execute the command: install-openldap-windows.exe
3. Unselect the option Pre-configure TLS/SSL automatically.
4. Enter values for the following parameters:
   • Open Ldap Server Configuration:
   • ldap server bind URL: ldaps://hostname:389 (Where hostname = name of the host where the LDAP directory is installed)

   • ldap Server Suffix: dc=Test
   • Unselect the option Install as a system service
   • Directory Manager configuration:
     • Directory Manager DN: cn=Manager, dc=test
     • password: secret (or any suitable password)
5. Check that the file slapd.arg exists and that it contains the line:
6. C:\Program Files\OpenLDAP\slapd.exe -h ldap://hostname:389
7. If the file does not exist, you must create it.
6. Modify the file OpenLdap\slapd.conf.
7. Activate the line indicated in underlined characters in the following table:

# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # #ucdata-path "C:/Program Files/OpenLDAP/ucdata" include "C:/Program Files/OpenLDAP/schema/core.schema" include "C:/Program Files/OpenLDAP/schema/cosine.schema" include "C:/Program Files/OpenLDAP/schema/inetorgperson.schema" #include "C:/Program Files/OpenLDAP/schema/nis.schema" #include "C:/Program Files/OpenLDAP/schema/corba.schema" include "C:/Program Files/OpenLDAP/schema/java.schema" #include "C:/Program Files/OpenLDAP/schema/krb5-kdc.schema" #include "C:/Program Files/OpenLDAP/schema/openldap.schema" # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile "C:/Program Files/OpenLDAP/slapd.pid" argsfile "C:/Program Files/OpenLDAP/slapd.args" sasl-secprops none # Load dynamic backend modules: # modulepath %MODULEDIR% # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la # Enable TLS if port is defined for ldaps #TLSVerifyClient never #TLSCertificateFile "C:/Program Files/OpenLDAP/server.pem" #TLSCertificateKeyFile "C:/Program Files/OpenLDAP/serverkey.pem" #TLSCACertificateFile "C:/Program Files/OpenLDAP/CA.pem" # # Sample access control policy: # Allow read access of root DSE # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # #access to dn="" by * read #access to * # by self write # by users read # by anonymous auth # Directives needed to implement policy: #access to dn="" by dn="uid=update,ou=people,dc=ilex-si,dc=com" write #access to * by * none # # if no access controls are present, the default policy is: # Allow read by all # # rootdn can always write! ######################################################### # database backend definitions ######################################################### database ldbm suffix "dc=test" rootdn cn=Manager,dc=test # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}/T5iznDzIWQKwpgf75iBAqZXg8kW+EqH # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd/tools. Mode 700 recommended. directory "C:/Program Files/OpenLDAP/data" # Indices to maintain index default pres,eq index uid,cn,sn index objectClass eq

Installing WebSphere MQ 5.3 (Windows example)

To install an instance of WebSphere MQ 5.3 in a Windows environment for interoperation with Integrator:

1. Select:
2. Custom installation > Installing the JAVA libraries > Installing the JAVA Message Service
2. Enter values in the fields:
   • Queue manager name: MQ
   • Network controllers: No
   • Error queue: MQERROR
   • Transmission queue: (nothing)
   • Max identifiers: 256
   • Start interval
   • Max invalid messages: 1000
   • Port number: 1414 (default value for the MQ listener port)
3. Create a Server connection channel:
   • Go to Start > Programs > IBM Websphere MQ > Websphere MQ Explorer
   • In the Queue Manager folder, navigate to Advanced\ channels\ new \ Server connection channel
   • In the General section enter:
     • Name: LDAP_CANAL1
     • Protocol: TCP
   • In the Advanced section, enter:
     • Max length: Default values
4. Modify the JMSAdmin.conf file.
5. This file is located at xxx\WebSphere MQ\Java\bin
5. Modify the content fo this file so that it corresponds to the LDAP dictionary characteristics. In the following example file, the lines in bold text are the lines that should be active and should contain a correct value.

------------------------------------------------------------ # IBM Websphere MQ Support for Java Message Service # This is the default configuration file for the Websphere MQ Classes for # Java Message Service Administration Tool. # # Licensed Materials - Property of IBM # # 5648-C60 5724-B4 5655-F10 # # (c) Copyright IBM Corp. 2002. All Rights Reserved. # # US Government Users Restricted Rights - Use, duplication or # disclosure restricted by GSA ADP Schedule Contract with IBM Corp. # ----------------------------------------------------------- # # The following line specifies which JNDI service provider is in use. # It currently indicates an LDAP service provider. If a different # service provider is used, this line should be commented out and the # appropriate one should be uncommented. # INITIAL_CONTEXT_FACTORY=com.sun.jndi.ldap.LdapCtxFactory #INITIAL_CONTEXT_FACTORY=com.sun.jndi.fscontext.RefFSContextFactory #INITIAL_CONTEXT FACTORY=com.ibm.ejs.ns.jndi.CNInitialContextFactory #INITIAL_CONTEXT_FACTORY=com.ibm.websphere.naming.WsnInitialContextFactory # # The following line specifies the URL of the service provider's initial # context. It currently refers to an LDAP root context. Examples of a # file system URL and WebSphere's JNDI namespace are also shown, commented # out. # PROVIDER_URL=ldap://hostname:389/dc=test #PROVIDER_URL=file:/C:/JNDI-Directory #PROVIDER_URL=iiop://localhost/ # # The following line specifies the security authentication model in use, # and may be 'none' (for anonymous authentication), 'simple', or 'CRAM_MD5'. # SECURITY_AUTHENTICATION=simple # # If you don't have SECURITY_AUTHENTICATION=none, then JMSAdmin will # prompt you for the User DN and password. If you want to bypass these # prompts then you can specify one or both of the values here. Since # the password here is in cleartext this is not normally recommended # except for testing. You should replace these values with your own. # PROVIDER_USERDN=cn=Manager,dc=test PROVIDER_PASSWORD=secret # # # The following line determines whether to use an InitialDirContext, or an # InitialContext. Takes value of TRUE or FALSE. USE_INITIAL_DIR_CONTEXT=TRUE # # The following line specifies a prefix to add to names when carrying out operations # such as lookup/bind. NAME_PREFIX=cn= # # The following line specifies a marker at which names will be truncated when viewing # the contents of the Context. #NAME_READABILITY_MARKER=.. # # The three standard types of InitialContextFactory have the following defaults; # Note that these defaults will be set automatically if the flags are not present, # but will be overrided by including the flags. # # LDAP FSCONTEXT WEBSPHERE # ------------------------------------------------------------- # USE_INITIAL_DIR_CONTEXT TRUE FALSE FALSE # NAME_PREFIX cn= omitted omitted # NAME_READABILITY_MARKER omitted omitted .. #

Managing the WebSphere LDAP link

Windows

To update the LDAP directory with the correct definitions, from the Windows desktop:

1. Open the LDAP directory. Select Start \ Programs \ OpenLDAPs \ Launch OpenLDAP in application mode
2. Execute the file C:\Program Files\IBM\WebSphere MQ\Java\bin\JMSAdmin.bat
3. To display the content of InitCtx, enter: dis ctx
4. Enter values for the following attributes:
• DEFINE QCF(QueueConnectionFactory) QMANAGER(MQ) PORT(1414) HOSTNAME(hostname) CHANNEL(LDAP_CANAL1) TRANSPORT(CLIENT)
• Where:
  • QueueConnectionFactory: Same value as is used in Designer
  • MQ: Name of the MQ queue manager
  • 1414: Queue manager port
  • hostname: Queue Manager address
  • LDAP_CANAL1: Name of the Server connection channel
• DEFINE Q(Integrator_Queue1) QUEUE(Integrator_Queue1)

UNIX

To update the LDAP directory with the correct definitions in UNIX:

1. Select Start \ Programs \ OpenLDAPs\ Launch OpenLDAP in application mode, to open the LDAP directory;
2. Execute the file UNIX:/opt/mqm/java/bin/JMSAdmin
3. Enter the values for the following attributes:
   • DEFINE QCF(QueueConnectionFactory) QMANAGER(MQ2) PORT(1425) HOSTNAME(unix.unixhost) CHANNEL(LDAP_CANAL2) TRANSPORT(CLIENT)
   • Where:
     • QueueConnectionFactory = Same value as is used in Designer
     • MQ2 = Name of the MQ Queue Manager
     • 1425 = Queue manager port
     • unix.unixhost = Queue Manager address
     • LDAP_CANAL2 = Name of the Server connection channel
   • DEFINE Q(Integrator_Queue1) QUEUE(Integrator_Queue1)

Set the environment variables:

• PATH: /usr/j2sdk1.4.2/bin
• CLASSPATH: /opt/mqm/java/lib/com.ibm.mqjms.jar:.:/opt/mqm/java/lib/com.ibm.mq.jar:/was5/WebSphere/AppServer/lib/j2ee.jar:
• /opt/mqm/java/lib/jndi.jar

If you have problems with the JMSAdmin.config file:

1. Make a backup copy of the file.
2. Test the modifications in the backup file.
3. Test the modifications via the command /opt/mqm/java/bin/JMSAdmin –CFG <Configuration_file_name>