IBM Support

How to Configure TM1Web Application Server to Allow SSL LDAP when using KERBEROS Authentication

Troubleshooting


Problem

Following a recent update from Microsoft, customers have been enabling or enforcing SSL for LDAP connections to Active Directory. The enabling/enforcing of SSL is described in the following Microsoft document: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
This document outlines the steps required to allow your TM1Web Application Server to communicate with the Active Directory LDAP server using SSL.

Symptom

Incorrect configuration will often lead to the following error in the browser: Error 403: AuthenticationFailed

Resolving The Problem

How to Enable SSL LDAP Configuration in Server.XML
  1. Obtain the appropriate SSL certificate(s) from your Domain Administrator and copy the file to the \install_dir\bin64\ssl\ folder
    *You want a file that contains both the root and intermediate certificates (the entire chain of trust) in a single file
    **The example in this document uses a file named ca-chain.cert.pem (root and intermediate combined)
  2. Stop your IBM Planning Analytics / TM1Web Application Server
  3. Open/edit your \install_dir\wlp\usr\servers\tm1\server.xml file
  4. Ensure the featureManager tag includes the following features:
         <feature>ssl-1.0</feature>
         <feature>appSecurity-2.0</feature>
  5. Ensure the ldapRegistry entry has been updated to reflect the correct SSL port (636 by default), and add the following two attributes at the end of the ldapRegistry entry:
          sslEnabled="true"
          sslRef="LDAPSSLSettings"
     EXAMPLE:
          <ldapRegistry id="ldap" realm="PA.IBMSUPPORT.COM" host="PA.IBMSUPPORT.COM" port="636" ignoreCase="true"
                        baseDN="CN=Users,DC=pa,DC=ibmsupport,DC=com"
                        bindDN="CN=Fish SVCACCT,CN=Users,DC=pa,DC=ibmsupport,DC=com" bindPassword="PASupport!@"
                        ldapType="Microsoft Active Directory"
                        sslEnabled="true" sslRef="LDAPSSLSettings"/>
  6. At the bottom of the file, add the following just before the closing </server> tag (note that both keyStore entries point at the same tm1store file, which is the store the certificate chain is imported into in step 9):
    <sslDefault sslRef="LDAPSSLSettings" />
    <ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore" />
    <keyStore id="LDAPKeyStore" location="${wlp.user.dir}/../../bin64/ssl/tm1store" type="JKS" password="applix" />
    <keyStore id="LDAPTrustStore" location="${wlp.user.dir}/../../bin64/ssl/tm1store" type="JKS" password="applix" />
  7. Save the server.xml file
  8. In Command Prompt, as an Administrator, navigate to <install_dir>\tm1_64\jre\bin\
  9. Modify (as required) and execute the following command to import the Root Certificate Authority and Intermediate Certificate Authority (via the concatenated ca-chain.cert.pem file) into your tm1store:
          keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\ca-chain.cert.pem" -keystore "..\..\bin64\ssl\tm1store" -alias caChain -storepass applix
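Because a mismatch between the ldapRegistry, ssl and keyStore entries above is what typically produces the "Error 403: AuthenticationFailed" symptom, the following added check script (not part of the IBM document or the product) parses a server.xml and reports the wiring problems steps 4 to 6 are meant to rule out. The sample server.xml embedded in it is constructed for illustration; the realm, host and baseDN values are made up.

```python
import xml.etree.ElementTree as ET

REQUIRED_FEATURES = {"ssl-1.0", "appSecurity-2.0"}

# Constructed sample server.xml mirroring the layout of steps 4-6 (hostnames are made up).
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <ldapRegistry id="ldap" realm="EXAMPLE.LOCAL" host="dc01.example.local" port="636"
      baseDN="CN=Users,DC=example,DC=local" ldapType="Microsoft Active Directory"
      sslEnabled="true" sslRef="LDAPSSLSettings"/>
  <sslDefault sslRef="LDAPSSLSettings"/>
  <ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore"/>
  <keyStore id="LDAPKeyStore" location="${wlp.user.dir}/../../bin64/ssl/tm1store" type="JKS" password="applix"/>
  <keyStore id="LDAPTrustStore" location="${wlp.user.dir}/../../bin64/ssl/tm1store" type="JKS" password="applix"/>
</server>"""


def check_ldaps_config(server_xml: str) -> list:
    """Return a list of problems found; an empty list means the LDAPS wiring is consistent."""
    root = ET.fromstring(server_xml)
    problems = []
    # Step 4: both features must be enabled or the ldapRegistry/ssl elements are ignored.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for feat in sorted(REQUIRED_FEATURES - features):
        problems.append(f"featureManager is missing <feature>{feat}</feature>")
    ssl_configs = {e.get("id"): e for e in root.iter("ssl")}
    keystore_ids = {e.get("id") for e in root.iter("keyStore")}
    for reg in root.iter("ldapRegistry"):
        rid = reg.get("id", "?")
        # Step 5: SSL must be switched on, the port must be the LDAPS port, and sslRef must resolve.
        if reg.get("sslEnabled", "").lower() != "true":
            problems.append(f'ldapRegistry {rid}: sslEnabled is not "true"')
        if reg.get("port") != "636":
            problems.append(f"ldapRegistry {rid}: port is {reg.get('port')!r}, expected 636 for LDAPS")
        ssl_ref = reg.get("sslRef")
        if ssl_ref not in ssl_configs:
            problems.append(f"ldapRegistry {rid}: sslRef {ssl_ref!r} has no matching <ssl id=...>")
            continue
        # Step 6: the ssl element must point at keyStore elements that actually exist.
        for attr in ("keyStoreRef", "trustStoreRef"):
            if ssl_configs[ssl_ref].get(attr) not in keystore_ids:
                problems.append(f"ssl {ssl_ref}: {attr} {ssl_configs[ssl_ref].get(attr)!r} "
                                "has no matching <keyStore id=...>")
    return problems


print(check_ldaps_config(SAMPLE_SERVER_XML))  # → [] when everything is wired up
```

To check a real installation, read \install_dir\wlp\usr\servers\tm1\server.xml into a string and pass it to check_ldaps_config in place of the sample.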

Additional Considerations:

Document Location

Worldwide


Document Information

Modified date:
22 June 2020

UID

ibm16233992