The Metrics application is one of the new components in IBM® Connections 4.0, providing clear business value to users, executives, and administrators through simple charts. Metrics is supported by IBM Cognos® Business Intelligence, which is installed as part of a Connections deployment. So if you want to configure your Connections deployment to use Secure Sockets Layer (SSL), you must deal with the Cognos part as well.
This article shows you how to configure SSL for a Connections server with Metrics installed, focusing on the SSL configuration for Cognos. In general, the process consists of configuring:
(1) the LDAP server's SSL certificate in the IBM WebSphere® Application Server (WAS) Administrative Console
(2) LDAP via SSL for Cognos
(3) HTTP for SSL (if an HTTP server is deployed)
Configuring LDAP Server's SSL Certificate in WAS Administrative Console
First you must enable SSL communication between the LDAP server and WAS, which is hosting IBM Connections, by following these steps:
Figure 1. Manage endpoint security configurations window
1. Log in to the WAS administrative console.
2. Select Security --- SSL certificate and key management --- Manage endpoint security configurations.
3. A list of inbound and outbound endpoints is displayed; expand the Outbound cell and select (cellDefaultSSLSettings) as shown in figure 1.
4. Under "Related Items", select Key stores and certificates --- CellDefaultTrustStore.
5. Under "Additional Properties", select Signer certificates; all signer certificates are listed (see figure 2).
Figure 2. Signer certificates
6. Click the Retrieve from port button and enter the correct host name and port of your LDAP server (see figure 3).
7. Assign an alias (for example, idsldap) and then click the Retrieve signer information button.
Figure 3. Retrieve from port window
8. Save your configuration, and then select Security --- Global Security.
9. For User account repository, select Federated repositories, and click Configure.
10. Click “Manage Repositories” and open the repository you configured previously. Change the port number and select the "Require SSL communications" check box as shown in figure 4.
Figure 4. Manage repositories window
11. Save your changes and restart the server.
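Retrieve from port accepts whatever certificate the LDAP server presents at that moment, so confirm its fingerprint against a value supplied by the LDAP administrator before trusting it as a signer. The following Python is an added example, not part of the original article or of IBM's tooling; the function names, the default LDAPS port 636 and the sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
import ssl

# Constructed sample: placeholder bytes that only mimic a DER SEQUENCE header,
# not a real certificate. Replace with the file or server you are checking.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x04]) + b"demo"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def der_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of one DER certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def encoding_of(data: bytes) -> str:
    """Classify a certificate file as 'pem', 'der' or 'unknown'."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    if data[:1] == b"\x30":  # DER certificates start with an ASN.1 SEQUENCE
        return "der"
    return "unknown"


def pem_fingerprints(pem_text: str, algo: str = "sha256") -> list:
    """Fingerprint every certificate in a PEM file (server cert, chain, ...)."""
    ders = [base64.b64decode("".join(body.split()), validate=True)
            for body in _PEM_BLOCK.findall(pem_text)]
    return [der_fingerprint(d, algo) for d in ders]


def is_expected(pem_text: str, expected: str, algo: str = "sha256") -> bool:
    """True only if the file holds exactly one cert matching `expected`."""
    norm = re.sub(r"[^0-9A-Fa-f]", "", expected).upper()
    found = [f.replace(":", "") for f in pem_fingerprints(pem_text, algo)]
    return len(found) == 1 and found[0] == norm


def fetch_ldaps_cert(host: str, port: int = 636) -> str:
    """PEM certificate the server presents on its LDAPS port (not validated)."""
    return ssl.get_server_certificate((host, port))
```

Pass the output of `fetch_ldaps_cert` for your LDAP host, or the contents of an extracted certificate file, to `is_expected` together with the fingerprint you were given; `encoding_of` reports whether a file is Base-64 (PEM) or binary DER.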
Configuring LDAPS (LDAP via SSL) for Cognos
When configuring IBM Cognos to communicate with an LDAP server by LDAP via SSL (LDAPS) you must provide an SSL Certificate Database. This section describes how to get an SSL Certificate Database and then configure SSL in Cognos.
Obtain the Network Security Services (NSS) toolkit
First, we need to download the most recent version of NSS from the Mozilla Web site. Unfortunately Mozilla no longer provides binary releases, but we can use one of the most recent binaries that is known to work well (NSS 3.12.4).
Select the sub-folder representing your Operating System (msvc9 is suitable for all Microsoft® Windows® versions), choose the "OPT.OBJ" folder, and download the ZIP file.
NSS is used to generate the certificate database that Cognos uses later. The machine on which NSS is installed does not need to run the same OS as the Cognos server. For example, you can install NSS on a Windows machine, generate the database there, and then copy the generated certificate database to the Cognos server on Linux or Windows OS.
Here, we use a Windows machine to install NSS, downloading the Windows version of NSS 3.12.4 from the following site:
Install the certutil tool
To do this:
- Unzip the downloaded files into a single folder.
- Add the NSPR libs to the environment so that certutil can pick them up by adding NSPR-/lib to the library path for your system. For example, on Windows, it's SET PATH=%PATH%;/lib.
Create the keystore
Cognos Business Intelligence can establish trust with a presented server certificate for LDAPS connection based on either the server certificate imported as a valid signer certificate or on the root CA certificate that signed the server certificate.
If you choose to proceed with the server certificate, it is sufficient to import only the server certificate; you don't necessarily need to import the CA certificate as well. Here we show how to import the server certificate on a Windows machine. If you want to import the CA certificate, refer to the Cognos Support Technote #1344083, “Configuring LDAPS (LDAP via SSL) for CRN/Cognos 8”.
- Acquire the certificate(s) to use in Base-64 encoded X.509 (PEM) format. The most straightforward approach is to ask the LDAP server administrator for the certificate. If you cannot get it this way, you can use WAS to generate the certificate file instead:
a) Follow Steps 1--5 in Section 2, “Configuring LDAP SSL certificate in WAS Administrative Console” until you get to the Signer certificate window (see figure 5).
Figure 5. Signer certificate window
b) Select the check box of the certificate created in the last section (that is, idsldap), and click the Extract button.