Solved

SSL Configuration on IBM Websphere 6.1.0.23

Posted on 2011-02-28
Last Modified: 2013-12-11
I want to install a trusted 3rd party certificate for my app running on IBM Websphere 6.1.0.23. Can anyone please tell me the detailed steps for this?
0
Question by:supreeths84
13 Comments
 
LVL 9

Expert Comment

by:jeremycrussell
ID: 35009076
Are you using a webserver with the WAS plugin to "front-end" the application server, and if so, do you require SSL communication all the way from the client to the WAS server, or can you terminate SSL traffic at the Web Server? Further, do you plan to provide another layer of load balancing or caching devices?
0
 

Author Comment

by:supreeths84
ID: 35009991
@Jeremycrussell: I am not using the WAS plugin to front-end the app server. My WAS is running securely on port 443 on a Windows Server 2003 machine. My app is a very small one and I don't need to do any load balancing. I want SSL communication all the way from the client to the WAS Server. I used the iKeyman utility to generate a CSR and obtained a .pem file from digicert. I want to know where I need to install this on WAS to run my app securely.
0

 
LVL 41

Expert Comment

by:HonorGod
ID: 35010143
It sounds like you've gotten a certificate for your web server, which is great.  That means that your web server certificate keystore should be updated using iKeyman.  Is this what you have done?

  It is highly unlikely that you would actually need to purchase a certificate for the WebSphere Application Server.  When you created the application server profile, a "self-signed" certificate was created for this Application Server.

  You can then use the iKeyman utility to copy the public portion of the certificate out of the WebSphere Application Server keystore, and then import it into the IHS keystore.  This way IHS will be able to authenticate the AppServer.  You will also need to copy the public portion of the web server certificate out of the IHS keystore, and import it into the AppServer keystore.  This will allow the AppServer to authenticate the web server.

  Since ONLY the web server (IHS) will have the AppServer public key, and the AppServer will ONLY have the web server key, they will be able to mutually authenticate for the SSL connection to be established.

  Does this make sense?
0
 
LVL 9

Expert Comment

by:jeremycrussell
ID: 35010163
Did you generate the CSR through WAS? I.e., WAS Console > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > New
0
 

Author Comment

by:supreeths84
ID: 35010221
I used the iKeyMan utility to generate the CSR for WAS. The steps are given here:
http://www.digicert.com/csr-creation-ibm-websphere.htm

After I generated the CSR and obtained the .pem from them, I followed
http://www.digicert.com/ssl-certificate-installation-ibm-websphere.htm

The only thing that is left is to configure my app to use the trusted certificate I obtained from digicert. Can anyone please help me with this?
0
 
LVL 9

Expert Comment

by:jeremycrussell
ID: 35010380
Ok, assuming you've imported the cert back into the keystore, you can do one of two things.

You can add the keystore you've created with iKeyMan to WAS and use it to provide the cert, or import the new cert/key pair into the WAS default keystores.

To add your newly created keystore, go to "SSL certificate and key management > Key stores and certificates" in WAS console and click "New", enter the appropriate information.

Next, create a new SSL config to use your new keystore (or change an existing SSL config to use the new keystore). Go to SSL certificate and key management > SSL configurations, then click New. Enter a Name for it, then change the Keystore Name to the keystore you just added. Change the Default Server certificate alias to the new cert you had signed by Digicert. Click OK and save.

Next go to SSL certificate and key management > Manage endpoint security configurations and navigate to WC_defaulthost_secure under your application server.  Under "Specific SSL configuration for this endpoint" select your newly created SSL configuration, Click Ok and Save.

You'll probably have to restart WAS for the changes to take effect, and you may have to import the Digicert Signer Cert into the CellDefaultTrustStore (SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates). I would test before assuming this is required.

Look through the documentation shalabhsharma posted above, it will possibly help explain what you are doing as you go through this process.
0
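A pre-flight check for the step above where the iKeyman keystore is added to WAS and one of its aliases is chosen as the default server certificate, as an added example that is not part of the original thread: it parses `keytool -list -v` output and reports whether each alias holds a private key with a complete CA-issued chain. The listing, alias names and host names are constructed, and the output layout is assumed to follow the Sun/Oracle keytool; IBM's keytool may label entries differently.

```python
import re

# Constructed, abbreviated `keytool -list -v` output (not from the thread).
SAMPLE = """\
Alias name: mydomain
Entry type: keyEntry
Certificate[1]:
Owner: CN=www.example.com, O=Example Inc, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US

Alias name: default
Entry type: keyEntry
Certificate[1]:
Owner: CN=was-host.example.com, O=IBM, C=US
Issuer: CN=was-host.example.com, O=IBM, C=US

Alias name: reply-only
Entry type: trustedCertEntry
Owner: CN=www.example.com, O=Example Inc, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
"""

def audit_keystore(listing):
    """Map each alias in `keytool -list -v` text to a verdict string."""
    verdicts = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias = block.splitlines()[0].strip()
        etype = re.search(r"(?m)^Entry type: (\S+)", block)
        owners = [o.strip() for o in re.findall(r"(?m)^Owner: (.+)$", block)]
        issuers = [i.strip() for i in re.findall(r"(?m)^Issuer: (.+)$", block)]
        # Assumption: older JDKs print keyEntry, newer ones PrivateKeyEntry.
        has_key = bool(etype) and etype.group(1) in ("keyEntry", "PrivateKeyEntry")
        if not has_key or not owners or len(owners) != len(issuers):
            verdicts[alias] = "no usable private-key entry: cannot be the server certificate alias"
        elif owners[0] == issuers[0]:
            verdicts[alias] = "self-signed: clients will not trust it"
        elif issuers[:-1] != owners[1:] or owners[-1] != issuers[-1]:
            verdicts[alias] = "incomplete chain: import the missing CA certificate"
        else:
            verdicts[alias] = "ok: private key with a complete CA-issued chain"
    return verdicts

if __name__ == "__main__":
    print(audit_keystore(SAMPLE))
```

An alias reported as `no usable private-key entry` means the signed certificate was stored as a trusted certificate instead of being received into the key pair that produced the CSR.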
 

Author Comment

by:supreeths84
ID: 35022425
The description is very vague. I wasn't able to access my app when I followed the above steps. The files I got from digicert include 3 files: DigiCert.crt, my domain name.crt and trustedroot.crt. Can you please tell me what I need to do using these 3 files to configure my app on WAS. If you can use the file name and be more descriptive, it would help.
0
 

Accepted Solution

by:
supreeths84 earned 0 total points
ID: 35023372
I solved it with the help of a DigiCert employee. I had to use the .jks file to create a new key. This was the missing piece.
0
 

Author Closing Comment

by:supreeths84
ID: 36202694
A DigiCert employee helped me with the detailed configuration.
0
 

Author Comment

by:supreeths84
ID: 36176925
A DigiCert employee helped me with this.
0
