SSL Configuration on IBM WebSphere

Posted on 2011-02-28
Last Modified: 2013-12-11
I want to install a trusted 3rd party certificate for my app running on IBM WebSphere. Can anyone please tell me the detailed steps for this?
Question by: supreeths84
Expert Comment

ID: 35009076
Are you using a webserver with the WAS plugin to "front-end" the application server, and if so, do you require SSL communication all the way from the client to the WAS server, or can you terminate SSL traffic at the Web Server?  Further, do you plan to provide another layer of load balancing or caching devices?

Author Comment

ID: 35009991
@Jeremycrussell: I am not using the WAS plugin to front-end the app server. My WAS is running securely on port 443 on a Windows Server 2003 machine. My app is a very small one and I don't need to do any load balancing. I want SSL communication all the way from the client to the WAS Server. I used the iKeyman utility to generate the CSR and obtained a .pem file from DigiCert. I want to know where I need to install this on WAS to run my app securely.
Expert Comment

ID: 35010143
It sounds like you've gotten a certificate for your web server, which is great.  That means that your web server certificate keystore should be updated using iKeyman.  Is this what you have done?

It is highly unlikely that you would actually need to purchase a certificate for the WebSphere Application Server.  When you created the application server profile, a "self-signed" certificate was created for this Application Server.

You can then use the iKeyman utility to copy the public portion of the certificate out of the WebSphere Application Server keystore, and then import it into the IHS keystore.  This way IHS will be able to authenticate the AppServer.  You will also need to copy the public portion of the web server certificate out of the IHS keystore, and import it into the AppServer keystore.  This will allow the AppServer to authenticate the web server.

Since ONLY the web server (IHS) will have the AppServer public key, and the AppServer will ONLY have the web server key, they will be able to mutually authenticate for the SSL connection to be established.

Does this make sense?

Expert Comment

ID: 35010163
Did you generate the CSR through WAS? i.e. WAS Console > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > New

Author Comment

ID: 35010221
I used the iKeyMan utility to generate the CSR for WAS. The steps are given here...

After I generated the CSR and obtained the .pem from them, I followed

The only thing that is left is to configure my app to use the trusted certificate I obtained from DigiCert. Can anyone please help me with this?

Expert Comment

ID: 35010380
Ok, assuming you've imported the cert back into the keystore, you can do one of two things.

You can add the keystore you've created with iKeyMan to WAS and use it to provide the cert, or import the new cert/key pair into the WAS default keystores.

To add your newly created keystore, go to "SSL certificate and key management > Key stores and certificates" in WAS console and click "New", enter the appropriate information.

Next, create a new SSL config to use your new keystore (or change an existing SSL config to use the new keystore).   Go to SSL certificate and key management > SSL configurations, then click New.  Enter a Name for it, then change the Keystore Name to the keystore you just added.  Change the Default Server certificate alias to the new cert you had signed by DigiCert.  Click OK and save.

Next, go to SSL certificate and key management > Manage endpoint security configurations and navigate to WC_defaulthost_secure under your application server.  Under "Specific SSL configuration for this endpoint" select your newly created SSL configuration, click OK and Save.

You'll probably have to restart WAS for the changes to take effect, and you may have to import the DigiCert Signer Cert into the CellDefaultTrustStore (SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates).  I would test before assuming this is required.

Look through the documentation shalabhsharma posted above, it will possibly help explain what you are doing as you go through this process.
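A check worth running before pointing a WAS SSL configuration at a keystore built with iKeyman: confirm the private-key entry actually carries the complete chain (domain cert, DigiCert intermediate, trusted root), since an entry holding only the returned domain cert is the usual reason the endpoint stops answering after the switch. This is an added example, not code from the original posters; it parses `keytool -list -v` output (keytool ships with the JDK under WAS), and the two listings embedded below are constructed samples, not real DigiCert output.

```python
import re
import subprocess

# Constructed sample: key entry whose chain is complete
# (leaf -> intermediate -> self-signed root).
SAMPLE_COMPLETE = """\
Alias name: mycert
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""

# Constructed sample: only the signed domain cert was received back into
# the keystore, so the chain never reaches a self-signed root.
SAMPLE_LEAF_ONLY = """\
Alias name: mycert
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
"""

# keytool prints "Owner:" immediately followed by "Issuer:" for each cert.
_PAIR = re.compile(r"^Owner: (.*)\r?\nIssuer: (.*)$", re.M)

def key_chain(listing):
    """Owner/issuer pairs, leaf first, for the first PrivateKeyEntry; [] if none."""
    for block in listing.split("Alias name:")[1:]:
        if "Entry type: PrivateKeyEntry" in block:
            return [{"owner": o.strip(), "issuer": i.strip()} for o, i in _PAIR.findall(block)]
    return []

def chain_is_complete(chain):
    """True when each issuer is the next cert's owner and the last cert is self-signed."""
    if not chain:
        return False
    linked = all(a["issuer"] == b["owner"] for a, b in zip(chain, chain[1:]))
    return linked and chain[-1]["owner"] == chain[-1]["issuer"]

def check_jks(path, storepass, alias):
    """Run keytool against a real keystore (path/alias/password are the caller's)."""
    out = subprocess.run(["keytool", "-list", "-v", "-keystore", path, "-storepass",
                          storepass, "-alias", alias], capture_output=True, text=True,
                         check=True).stdout
    return chain_is_complete(key_chain(out))
```

If `check_jks` returns False, re-import the DigiCert intermediate and root as signers before the domain cert so the key entry's chain is rebuilt; the same parser can be pointed at the CellDefaultTrustStore listing to see whether the signer import from the post above is needed.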

Author Comment

ID: 35022425
The description is very vague. I wasn't able to access my app when I followed the above steps. The files I got from DigiCert include 3 files: DigiCert.crt, my domain name.crt and trustedroot.crt. Can you please tell me what I need to do using these 3 files to configure my app on WAS? If you can use the file names and be more descriptive, it would help.

Accepted Solution

supreeths84 earned 0 total points
ID: 35023372
I solved it with the help of a DigiCert employee. I had to use the .jks file to create a new key. This was the missing piece.

Author Closing Comment

ID: 36202694
A DigiCert employee helped me with the detailed configuration.

Author Comment

ID: 36176925
A DigiCert employee helped me with this.
