Configuring IBM P8 to use LDAP over SSL with Active Directory

Question

I am hoping someone can help me out with a frustrating configuration problem I'm having with IBM FileNet Content Manager 5.2.1 (aka P8 5.2.1).

We have an existing system setup that uses Microsoft Active Directory as our LDAP directory service for P8 and that has worked fine to date. That said, we are now wanting our .NET apps to talk to P8 (via the Content Platform Engine .NET API) using WCF instead of legacy (and now deprecated) WSE but we have run into a problem. WCF requires that all communication occur over SSL - on the surface, not a problem. If you want to talk to the IBM Content Platform Engine (CPE) over SSL however, according to IBM's documentation, you must also change the underlying default LDAP connection from unsecured to SSL as well (in the process, changing LDAP to use port 636 instead of 389).

Following both Microsoft's and IBM's docs, I first enabled LDAP over SSL on Active Directory and tested accordingly. Using Microsoft's LDAP utility, ldp.exe , I can successfully connect and bind to Active Directory on port 636 over SSL.

The next step however is where I hit a wall - Enabling SSL for Content Platform Engine . I followed all the steps involving adding the Active Directory Server's CA certificate to the CPE's application server keystore - no problem. The next step in the configuration instructions however asks you to start the Administration Console for CPE (ACCE) and reconfigure the directory configuration properties - telling it to use SSL on port 636 and... KABOOM! When I attempt to save the configuration, the save fails , stating

An unexpected exception occurred. Message was: Failed connecting to ldap://ad1.domain.com:636

Unfortunately, I can't find any additional info as to why it failed to connect - I assumed it was due to something minor, such as a port conflict. To test that theory, I installed Microsoft's LDAP test utility on the CPE server and attempted to connect to the Active Directory Server over SSL on port 636. Much to my surprise, that worked just fine - grrrr...

I am now at something of a loss as to what to look at next. Anybody out there with experience configuring CPE to use SSL in an Active Directory environment?

Thanks in advance for any-and-all assistance.

Answer 1

WCF requires that all communication occur over SSL - on the surface, not a problem. If you want to talk to the IBM Content Platform Engine (CPE) over SSL however, according to IBM's documentation, you must also change the underlying default LDAP connection from unsecured to SSL as well

This is not true. FileNet can work with non-secure LDAP, while at the same time working with WCF.

Now, if you would like to solve why FileNet will not connect to a secure LDAP, then you should start with your WebSphere Check WebSphere's Keystore s to ensure that the AD's key is contained. Follow @M.Tamboli's advice and restart WebSphere. Also make sure that you check WebSphere's SystemOut.log logs, as you may find more info in there.

I'm not sure if it is necessary, but you may also want to add/change the LDAP config that is setup within WebSphere itself.