Solved

SSL Configuration on IBM Websphere 6.1.0.23

Posted on 2011-02-28
13
1,361 Views
Last Modified: 2013-12-11
I want to install a trusted 3rd party certificate for my app running on IBM Websphere 6.1.0.23. Can anyone please tell me the detailed steps for this?
0
Comment
Question by:supreeths84
13 Comments
 
LVL 9

Expert Comment

by:shalabhsharma
ID: 35003801
0
 
LVL 9

Expert Comment

by:jeremycrussell
ID: 35009076
Are you using a webserver with the WAS plugin to "front-end" the application server, and if so, do you require SSL communication all the way from the client to the WAS server, or can you terminate SSL traffic at the Web Server? Further, do you plan to provide another layer or load balancing or caching devices?
0
 

Author Comment

by:supreeths84
ID: 35009991
@Jeremycrussell: I am not using WAS plugin to front end app server. My WAS is running securely on port 443 on Windows Server 2003 machine. My app is a very small one and I don't need to do any load balancing. I want SSL communication all the way from the client to the WAS Server. I used the iKeyman utility to generate CSR and obtained a .pem file from digicert. I want to know where I need to install this on WAS to run my app securely.
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 35010143
  It sounds like you've gotten a certificate for your web server, which is great.  That means that your web server certificate keystore should be updated using iKeyman.  Is this what you have done?

  It is highly unlikely that you would actually need to purchase a certificate for the WebSphere Application Server.  When you created the application server profile, a "self-signed" certificate was created for this Application Server.

  You can then use the iKeyman utility to copy the public portion of the certificate out of the WebSphere Application Server keystore, and then import it into the IHS keystore.  This way IHS will be able to authenticate the AppServer.  You will also need to copy the public portion of the web server certificate out of the IHS keystore, and import it into the AppServer keystore.  This will allow the AppServer to authenticate the web server.

  Since ONLY the web server (IHS) will have the AppServer public key, and the AppServer will ONLY have the web server key, they will be able to mutually authenticate for the SSL connection to be established.

  Does this make sense?
0
 
LVL 9

Expert Comment

by:jeremycrussell
ID: 35010163
Did you generate the CSR through WAS? I.e. WAS Console > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > New
0
 

Author Comment

by:supreeths84
ID: 35010221
I used the iKeyMan utility to generate CSR for WAS. The steps are given here:
http://www.digicert.com/csr-creation-ibm-websphere.htm

After I generated the CSR and obtained the .pem from them, I followed
http://www.digicert.com/ssl-certificate-installation-ibm-websphere.htm

The only thing that is left is to configure my app to use the trusted certificate I obtained from digicert. Can anyone please help me with this?
0
 
LVL 9

Expert Comment

by:jeremycrussell
ID: 35010380
Ok, assuming you've imported the cert back into the keystore, you can do one of two things.

You can add the keystore you've created with iKeyMan to WAS and use it to provide the cert, or import the new cert/key pair into the WAS default keystores.

To add your newly created keystore, go to "SSL certificate and key management > Key stores and certificates" in WAS console and click "New", enter the appropriate information.

Next, create a new SSL config to use your new keystore (or change an existing SSL config to use the new keystore). Go to SSL certificate and key management > SSL configurations then click New. Enter a Name for it, then change the Keystore Name to the keystore you just added. Change the Default Server certificate alias to the new cert you had signed by Digicert. Click OK and save.

Next go to SSL certificate and key management > Manage endpoint security configurations and navigate to WC_defaulthost_secure under your application server.  Under "Specific SSL configuration for this endpoint" select your newly created SSL configuration, Click Ok and Save.

You'll probably have to restart WAS for the changes to take effect, and you may have to import the Digicert Signer Cert into the CellDefaultTrustStore (SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates). I would test before assuming this is required.

Look through the documentation shalabhsharma posted above, it will possibly help explain what you are doing as you go through this process.
0
 

Author Comment

by:supreeths84
ID: 35022425
The description is very vague. I wasn't able to access my app when I followed the above steps. The files I got from digicert include 3 files: DigiCert.crt, my domain name.crt and trustedroot.crt. Can you please tell me what I need to do using these 3 files to configure my app on WAS. If you can use the file name and be more descriptive, it would help.
0
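Added example, not part of any post in this thread: when a CA returns several .crt files, as in the question above, this script uses the `openssl` command line to tell which file is the root, which is an intermediate CA and which is the server certificate, and checks that they form one chain. CA certificates are the ones that belong under Signer certificates; the leaf is the one received against the key pair that produced the CSR. The file names `trustedroot.crt`, `issuingca.crt`, `server.crt` and all subjects are constructed test data, and the `issue` helper exists only to build that sample chain.

```shell
#!/bin/sh
# Added example. Every key, certificate and name created here is constructed
# test data; the three .crt files stand in for the ones a CA sends back.

# Print "root", "intermediate" or "leaf" for a PEM certificate file.
classify_cert() {
    if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
        echo root            # subject == issuer: self-issued trust anchor
    elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo intermediate    # CA certificate issued by another CA
    else
        echo leaf            # end-entity (server) certificate
    fi
}

# verify_chain ROOT INTERMEDIATE LEAF: succeed only if LEAF chains to ROOT.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# issue NAME CN EXTFILE [ISSUER]: write $d/NAME.key and $d/NAME.crt.
# Without ISSUER the certificate is self-signed. Assumes $d has no spaces.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    if [ -z "$4" ]; then signer="-signkey $d/$1.key"
    else signer="-CA $d/$4.crt -CAkey $d/$4.key -CAcreateserial"; fi
    openssl x509 -req -in "$d/$1.csr" $signer -days 2 -extfile "$3" \
        -out "$d/$1.crt" 2>/dev/null
}

# Build a constructed three-level chain in a scratch directory.
d=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
printf 'basicConstraints=CA:FALSE\n'         > "$d/leaf.ext"
issue trustedroot 'Constructed Root CA'    "$d/ca.ext"
issue issuingca   'Constructed Issuing CA' "$d/ca.ext"   trustedroot
issue server      'app.example.test'       "$d/leaf.ext" issuingca

for f in trustedroot issuingca server; do
    echo "$f.crt: $(classify_cert "$d/$f.crt")"
done
if verify_chain "$d/trustedroot.crt" "$d/issuingca.crt" "$d/server.crt"
then echo "chain OK"; else echo "chain broken"; fi
```

To check real files, call `classify_cert` on each one and pass them to `verify_chain` in root, intermediate, leaf order; a failure there means a certificate is missing from the set or does not belong to it.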
 

Accepted Solution

by:
supreeths84 earned 0 total points
ID: 35023372
I solved it with the help of a DigiCert employee. I had to use the .jks file to create a new key. This was the missing piece.
0
 

Author Closing Comment

by:supreeths84
ID: 36202694
A DigiCert employee helped me in the detailed configuration.
0
 

Author Comment

by:supreeths84
ID: 36176925
A DigiCert employee helped me with this.
0
