Solved

SSL Configuration on IBM Websphere 6.1.0.23

Posted on 2011-02-28
Last Modified: 2013-12-11
I want to install a trusted 3rd party certificate for my app running on IBM Websphere 6.1.0.23. Can anyone please tell me the detailed steps for this?
Question by:supreeths84
13 Comments
 
LVL 9

Expert Comment

by:shalabhsharma
ID: 35003801
0
 
LVL 9

Expert Comment

by:jeremycrussell
ID: 35009076
Are you using a webserver with the WAS plugin to "front-end" the application server, and if so, do you require SSL communication all the way from the client to the WAS server, or can you terminate SSL traffic at the Web Server? Further, do you plan to provide another layer of load balancing or caching devices?
0
 

Author Comment

by:supreeths84
ID: 35009991
@Jeremycrussell: I am not using the WAS plugin to front-end the app server. My WAS is running securely on port 443 on a Windows Server 2003 machine. My app is a very small one and I don't need to do any load balancing. I want SSL communication all the way from the client to the WAS server. I used the iKeyman utility to generate a CSR and obtained a .pem file from DigiCert. I want to know where I need to install this on WAS to run my app securely.
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 35010143
It sounds like you've gotten a certificate for your web server, which is great. That means that your web server certificate keystore should be updated using iKeyman. Is this what you have done?

  It is highly unlikely that you would actually need to purchase a certificate for the WebSphere Application Server.  When you created the application server profile, a "self-signed" certificate was created for this Application Server.

  You can then use the iKeyman utility to copy the public portion of the certificate out of the WebSphere Application Server keystore, and then import it into the IHS keystore.  This way IHS will be able to authenticate the AppServer.  You will also need to copy the public portion of the web server certificate out of the IHS keystore, and import it into the AppServer keystore.  This will allow the AppServer to authenticate the web server.

  Since ONLY the web server (IHS) will have the AppServer public key, and the AppServer will ONLY have the web server key, they will be able to mutually authenticate for the SSL connection to be established.

  Does this make sense?
0
 
LVL 9

Expert Comment

by:jeremycrussell
ID: 35010163
Did you generate the CSR through WAS? I.e., WAS Console > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > New
0
 

Author Comment

by:supreeths84
ID: 35010221
I used the iKeyMan utility to generate CSR for WAS...The steps are given here...
http://www.digicert.com/csr-creation-ibm-websphere.htm

After I generated the CSR and obtained the .pem from them, I followed
http://www.digicert.com/ssl-certificate-installation-ibm-websphere.htm

The only thing that is left is to configure my app to use the trusted certificate I obtained from digicert. Can anyone please help me with this?
0
 
LVL 9

Expert Comment

by:jeremycrussell
ID: 35010380
Ok, assuming you've imported the cert back into the keystore, you can do one of two things.

You can add the keystore you've created with iKeyMan to WAS and use it to provide the cert, or import the new cert/key pair into the WAS default keystores.

To add your newly created keystore, go to "SSL certificate and key management > Key stores and certificates" in WAS console and click "New", enter the appropriate information.

Next, create a new SSL config to use your new keystore (or change an existing SSL config to use the new keystore). Go to SSL certificate and key management > SSL configurations, then click New. Enter a Name for it, then change the Keystore Name to the keystore you just added. Change the Default Server certificate alias to the new cert you had signed by Digicert. Click OK and save.

Next go to SSL certificate and key management > Manage endpoint security configurations and navigate to WC_defaulthost_secure under your application server.  Under "Specific SSL configuration for this endpoint" select your newly created SSL configuration, Click Ok and Save.

You'll probably have to restart WAS for the changes to take effect, and you may have to import the Digicert Signer Cert into the CellDefaultTrustStore (SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates). I would test before assuming this is required.

Look through the documentation shalabhsharma posted above, it will possibly help explain what you are doing as you go through this process.
0
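A way to test the result of the console steps above from a client machine, as an added example that is not part of the original thread: it performs a fully verified TLS handshake against the secure endpoint and maps the OpenSSL verify error to the step worth revisiting. The function names, the remediation wording and the sample certificate data are assumptions of this example.

```python
import socket
import ssl

# OpenSSL verify codes -> the step of the console procedure to revisit.
# The remediation wording is this example's interpretation, not IBM's.
DIAGNOSIS = {
    10: "certificate has expired",
    18: "self-signed leaf: the endpoint still serves a self-signed certificate; "
        "check the SSL configuration selected for WC_defaulthost_secure and restart WAS",
    19: "self-signed root in the served chain is not trusted by this client",
    20: "issuer not found: the CA's intermediate certificate is missing from the chain",
    21: "issuer not found: the CA's intermediate certificate is missing from the chain",
    62: "hostname mismatch: the certificate was issued for a different name",
}

def diagnose(verify_code):
    """Translate an OpenSSL verify error code into a next step."""
    return DIAGNOSIS.get(verify_code, "unclassified verify error %d" % verify_code)

def issuer_org(cert):
    """Pull the issuer organization out of a getpeercert()-style dict."""
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    return issuer.get("organizationName", "unknown")

def check_endpoint(host, port=443, timeout=5.0):
    """Handshake with full chain and hostname verification; return (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, "verified; issuer=%s; expires=%s" % (
                    issuer_org(cert), cert["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return False, diagnose(exc.verify_code)
    except OSError as exc:  # refused connection, timeout, protocol mismatch
        return False, "connection or handshake failed: %s" % exc

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "was.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA Inc"),)),
    "notAfter": "Feb 28 12:00:00 2012 GMT",
}

if __name__ == "__main__":
    print(issuer_org(SAMPLE_CERT))  # offline, constructed data
    print(diagnose(18))             # call check_endpoint("your.host") for a live test
```

Run `check_endpoint` with the host name the certificate was issued for, after the restart; a handshake failure that is not a verification error points at connectivity or protocol settings rather than the certificate.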
 

Author Comment

by:supreeths84
ID: 35022425
The description is very vague. I wasn't able to access my app when I followed the above steps. The files I got from digicert include 3 files: DigiCert.crt, my domain name.crt and trustedroot.crt. Can you please tell me what I need to do using these 3 files to configure my app on WAS. If you can use the file name and be more descriptive, it would help.
0
 

Accepted Solution

by:
supreeths84 earned 0 total points
ID: 35023372
I solved it with the help of a DigiCert employee. I had to use the .jks file to create a new key. This was the missing piece.
0
 

Author Closing Comment

by:supreeths84
ID: 36202694
A DigiCert employee helped me with the detailed configuration.
0
 

Author Comment

by:supreeths84
ID: 36176925
A DigiCert employee helped me with this.
0
