Installing LDAP certificate in AD LDS instance

1. Identify the AD LDS service instance in Services
   • LSF
2. Launch MMC (Microsoft Management Console)
3. Choose File > Add/Remove Snap-In
4. Add the certificates Snap-In
5. Choose “Service” account and click “Next”
6. Choose “Local Computer” and click “Next”
7. Choose the Service Account for your AD LDS service and click “Finish”
   

   

8. Right-click on the service that was added and select “All Tasks > Import”
9. Click next and browse to the .pfx certificate file. Click “Next”
10. Enter the private key password
11. Place the certificate in the <AD LDS service>\Personal store
12. Click Next then Finish

Export the certificate for Java OS & Java WebSphere

13. Right click the certificate > All Tasks > Export and click Next
14. Do not export the private key
15. Choose Base-64 encoded X.509 (.cer) and click Next
16. Choose a location to save the file for later use
17. Click finish

Grant Permissions to Certificate Container

1. Run command “certutil -store MY’
2. Find the container with your AD LDS certificate using the thumbprint to identify it
3. Give NETWORK SERVICE read & execute permissions on the key container file AND the key container directory (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys)
4. Stop the AD LDS environment service
5. Restart the AD LDS service

Smoke Test

6. Open the ldp.exe tool
7. Type the server FQDN > SSL port and check the SSL box
8. Click “OK”
9. Successful connection to LDAPS
   

Update the LDAP Certificate in WebSphere

Cell Trust Store

1. Access the WAS Admin Console and navigate to: Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
2. Click the Retrieve from port button.
3. Host: <your AD LDS host>
4. Port: 636
5. Alias: give it a meaningful name
6. Click Retrieve signer information.
7. Click OK & save changes.

Node Trust Store

1. Access the WAS Admin Console and navigate to: Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore (for the LSF server) > Signer certificates
2. Click the Retrieve from port button.
3. Host: <your AD LDS host>
4. Port: 636
5. Alias: give it a meaningful name
6. Click Retrieve signer information.
7. Click OK & save changes.

Perform these same steps in the Landmark websphere instance.

Update LDAP Certificate in OS Java

Do this in both Lawson and Landmark

1. Open a command line and set environment variables
2. Run command “where java” to determine where LAW_JAVA_HOME is located
3. Back up <LAW_JAVA_HOME>/jre/lib/security/cacerts
4. Copy the cert that you exported from the LSF service from the Lawson server to the Landmark server
   • This is the cert you will be importing into cacerts
5. Run the ikeyman utility at WAS_HOME/bin
6. Open the LAW_JAVA_HOME/jre/lib/cacerts file and select the Key database type of JKS
   
7. Type password “changeit” (default)
   
8. Select “Signer Certificates”
9. Delete the existing certificate, then re-add it
   
10. Click “add” and navigate to the ldap certificate exported earlier
11. Give it a meaningful name
    

Update LDAP Certificate in WebSphere Java

1. WebSphere Java directory is WAS_HOME/Java
2. Back up files WAS_HOME/java/jre\security/cacerts
3. Peform the same steps as OS Java using iKeyman for both Java instances