supreeths84

SSL Configuration on IBM Websphere 6.1.0.23

I want to install a trusted 3rd party certificate for my app running on IBM Websphere 6.1.0.23? Can anyone please tell me the detailed steps for this?
shalabhsharma

Are you using a webserver with the WAS plugin to "front-end" the application server, and if so, do you require SSL communication all the way from the client to the WAS server, or can you terminate SSL traffic at the Web Server?  Further, do you plan to provide another layer of load balancing or caching devices?
supreeths84

ASKER

@Jeremycrussell: I am not using the WAS plugin to front-end the app server. My WAS is running securely on port 443 on a Windows Server 2003 machine. My app is a very small one and I don't need to do any load balancing. I want SSL communication all the way from the client to the WAS Server. I used the iKeyman utility to generate the CSR and obtained a .pem file from DigiCert. I want to know where I need to install this on WAS to run my app securely.
HonorGod
It sounds like you've gotten a certificate for your web server, which is great.  That means that your web server certificate keystore should be updated using iKeyman.  Is this what you have done?

It is highly unlikely that you would actually need to purchase a certificate for the WebSphere Application Server.  When you created the application server profile, a "self-signed" certificate was created for this Application Server.

You can then use the iKeyman utility to copy the public portion of the certificate out of the WebSphere Application Server keystore, and then import it into the IHS keystore.  This way IHS will be able to authenticate the AppServer.  You will also need to copy the public portion of the web server certificate out of the IHS keystore, and import it into the AppServer keystore.  This will allow the AppServer to authenticate the web server.

Since ONLY the web server (IHS) will have the AppServer public key, and the AppServer will ONLY have the web server key, they will be able to mutually authenticate for the SSL connection to be established.

Does this make sense?
Did you generate the CSR through WAS?  i.e. WAS Console > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > New
I used the iKeyMan utility to generate the CSR for WAS. The steps are given here:
http://www.digicert.com/csr-creation-ibm-websphere.htm

After I generated the CSR and obtained the .pem from them, I followed
http://www.digicert.com/ssl-certificate-installation-ibm-websphere.htm

The only thing that is left is to configure my app to use the trusted certificate I obtained from digicert. Can anyone please help me with this?
Ok, assuming you've imported the cert back into the keystore, you can do one of two things.

You can add the keystore you've created with iKeyMan to WAS and use it to provide the cert, or import the new cert/key pair into the WAS default keystores.

To add your newly created keystore, go to "SSL certificate and key management > Key stores and certificates" in WAS console and click "New", enter the appropriate information.

Next, create a new SSL config to use your new keystore (or change an existing SSL config to use the new keystore).   Go to SSL certificate and key management > SSL configurations then click New.  Enter a Name for it, then change the Keystore Name to the keystore you just added.  Change the Default Server certificate alias to the new cert you had signed by Digicert.  Click OK and save.

Next go to SSL certificate and key management > Manage endpoint security configurations and navigate to WC_defaulthost_secure under your application server.  Under "Specific SSL configuration for this endpoint" select your newly created SSL configuration, click OK and Save.

You'll probably have to restart WAS for the changes to take effect, and you may have to import the Digicert Signer Cert into the CellDefaultTrustStore (SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates)  I would test before assuming this is required.

Look through the documentation shalabhsharma posted above, it will possibly help explain what you are doing as you go through this process.
The description is very vague. I wasn't able to access my app when I followed the above steps. The files I got from digicert include 3 files: DigiCert.crt, my domain name.crt and trustedroot.crt. Can you please tell me what I need to do using these 3 files to configure my app on WAS. If you can use the file name and be more descriptive, it would help.
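The three files named above are the usual shape of a commercial issuance: a root (trustedroot.crt), an intermediate signer (DigiCert.crt) and the server certificate (the "my domain name" .crt). The checks below, an added example that is not part of this thread and not IBM's or DigiCert's own tooling, build a constructed stand-in for that three-tier chain with openssl and then run the validations worth doing on the real files before importing anything into the WAS keystore: that each certificate was issued by the next one up, that the server certificate matches the private key the CSR was generated from, that the chain verifies when the intermediate is present, and that it fails with "unable to get local issuer certificate" when the intermediate is missing, which is the symptom of a signer certificate that was never added. It assumes the openssl CLI (1.1.1 or later); the file names, the DNs and app.example.test are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed three-tier PKI standing in
# for the three DigiCert files (trustedroot.crt, DigiCert.crt, mydomain.crt)
# plus the openssl checks to run on the real files before touching the keystore.
# Assumes the openssl CLI (1.1.1 or later); every certificate here is generated
# locally and is a stand-in, not a real DigiCert artefact.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Extensions for the intermediate (a CA) and for the server certificate (not a CA).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:app.example.test\n' > leaf.ext

# --- constructed chain: root -> intermediate -> server certificate
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config req.cnf \
  -subj "/CN=Example Test Root CA" -keyout root.key -out trustedroot.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
  -subj "/CN=Example Test Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA trustedroot.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out DigiCert.crt 2>/dev/null
# The server key and CSR are what iKeyman produces on the WAS box; openssl plays that role here.
openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
  -subj "/CN=app.example.test" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA DigiCert.crt -CAkey inter.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out mydomain.crt 2>/dev/null

# Check 1: a certificate's issuer DN must equal its signer's subject DN.
issuer_matches() {  # $1 = certificate, $2 = the certificate expected to have signed it
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$iss" = "$sub" ]
}

# Check 2: full chain validation with the intermediate supplied as -untrusted
# and the root as the only trust anchor. Succeeds only when the chain builds.
verify_chain() {  # $1 = server cert, $2 = intermediate, $3 = root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Check 3: the failure mode when the intermediate signer is not installed;
# openssl stops with "unable to get local issuer certificate".
verify_without_intermediate() {  # $1 = server cert, $2 = root
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 4: the returned certificate must carry the public key of the CSR's private key.
key_matches_cert() {  # $1 = certificate, $2 = private key
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

issuer_matches mydomain.crt DigiCert.crt    && echo "server cert is issued by the intermediate"
issuer_matches DigiCert.crt trustedroot.crt && echo "intermediate is issued by the root"
key_matches_cert mydomain.crt server.key    && echo "server cert matches the CSR's private key"
verify_chain mydomain.crt DigiCert.crt trustedroot.crt && echo "chain verifies with the intermediate"
if verify_without_intermediate mydomain.crt trustedroot.crt; then
  echo "unexpected: chain verified without the intermediate"
else
  echo "as expected: chain FAILS when the intermediate signer is missing"
fi
```

Run the same four checks against the real files, but identify each file by its subject and issuer (`openssl x509 -in FILE -noout -subject -issuer`) rather than by name, since a vendor bundle does not always put the intermediate in the file you expect. The chain relationship is also what fixes the import order in iKeyman: the root and the intermediate go in as signer certificates first, and only then can the server certificate be received into the personal certificate entry that holds the CSR's private key. After the SSL configuration is bound to WC_defaulthost_secure and WAS is restarted, `openssl s_client -connect host:443 -showcerts` from another machine shows exactly which certificates the server presents; if the intermediate is not among them, clients will hit the same "unable to get local issuer certificate" failure the last check reproduces.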
ASKER CERTIFIED SOLUTION
supreeths84

DigiCert employee helped me in the detailed configuration