SSL on ISC, Part 2: Configuring and enabling SSL on the Integrated Solutions Console 5.1/6.0.1

Document options Document options requiring JavaScript are not displayed Discuss Rate this page Help us improve this content

Level: Introductory

Bimal Shah (bimal@us.ibm.com), Advisory Software Engineer, IBM
Aya Zaghloul (ayazag@us.ibm.com), Software Engineer, IBM

01 May 2007

Achieve data security over open communications channels with Secure Sockets Layer (SSL), which provides encryption, certificate-based authentication, and security negotiations. In part one of this three-part series, you learned what SSL is and why you should implement it on your Integrated Solutions Console. In this article, learn step-by-step how to implement SSL on version 5.1 and 6.0.1 of the Integrated Solutions Console.

Data security over open communication networks such as the Internet will always be a strong concern for developers and customers. Therefore, it is extremely important for any product you use to be able to achieve a secure environment.

Secure Sockets Layer (SSL), developed jointly by Netscape Communications and RSA Data Security, can accomplish this security in an efficient manner. SSL provides encryption, certificate-based authentication, and security negotiations over an established network connection, and many companies and products have adopted SSL as their communication protocol of choice.

In this series, we concentrate on two main topics:

1. Detailed information of how SSL works
2. How versions 5.1 and 6.0.1 of the Integrated Solutions Console enable SSL in its environment

In this article, we explore the implementation issues when deploying SSL on your Integrated Solutions Console version 5.1 and 6.0.1 environments.

Recapping the types of certificates

SSL uses certificates to verify the connection. These SSL certificates sit on a secure server and are used to encrypt the data and to identify the Web site. The SSL certificate helps to prove the site belongs to who it says it belongs to and contains information about the certificate holder, the domain that the certificate was issued to, and the name of the Certificate Authority who issued the certificate.

There are three ways of obtaining an SSL certificate:

1. Use a dummy certificate
2. Use a self-signed certificate
3. Use a Certificate Authority (CA) certificate

Use a Dummy Certificate

No, this isn't a less-intelligent version. Generally, dummy certificates contain "dummy" information that serves as placeholders to be temporarily used to set up SSL and test its functions in a specific environment. The Integrated Solutions Console provides a dummy certificate along with server and client trust and key files.

See how to enable for version 5.1/version 6.0.1.

Use a self-signed certificate

A self-signed certificate is a certificate that is created by the user himself. When using a self-signed certificate, the issuer of the certificate is the same as the subject. The beauty of this solution is that it takes less time to create a self-signed server certificate than it does to obtain a CA-signed server certificate. However, the self-signed certificate requires that any client that connects to the server that installs this certificate over an SSL connection be configured to trust the signer of this certificate. Because the certificate has been self-signed, the signature is not likely to be in the client's trust file and so must be added. If it is impractical to access to every client's trust file, do not use this configuration; obtain a CA-signed certificate instead. Self-signed certificates are only useful when each client interacting with the server can be configured to trust the certificate.

See how to enable for version 5.1/version 6.0.1.

Use a Certificate Authority (CA) certificate

Certificate Authorities are organizations that are trusted by the industry as a whole and whose business is the issuing of Internet certificates. An example as to where this can be obtained is from VeriSign. To obtain a CA-signed certificate, you must provide enough information to the CA so that the CA can validate your identity. The CA creates a new certificate, digitally signs it, and then delivers it to you. Popular Web browsers are pre-configured to trust certificates that are signed by certain CAs; no further client configuration is necessary in order for a client to connect, through SSL, to the server to which the certificate has been issued.

See how to enable for version 5.1/version 6.0.1.

Back to top

Enabling 5.1 with a dummy certificate

Following is an overview of how to enable SSL for Integrated Solutions Console 5.1 using dummy certificates.

The dummy certificates that the Integrated Solutions Console ships with are located in the <isc_root>/AppServer/etc directory. The key/trust files are called:

• DummyClientKeyFile.jks
• DummyClientTrustFile.jks
• DummyServerKeyFile.jks
• DummyServerTrustFile.jks

To enable SSL:

1. Edit the virtualhosts.xml file with a host alias port.
2. Edit the ConfigService.properties file with True values for the redirect login/logout parameters.
3. Edit the web.xml with a security constraint set to None.
4. Update the wpconfig.properties with relevant passwords.
5. Run the WPSconfig command.
6. Remove the passwords from wpconfig.properties.
7. Restart the ISC_Portal.

The following sections describe each of the steps above in greater detail.

Step 1. Edit the virtualhosts.xml file

Open the virtualhosts.xml file located in the <isc_root>/AppServer/config/cells/DefaultNode directory and add the following element before the ending element </host:Virtualhost> for the virtual host named default_host. Add the element to the list of aliases:

<aliases xmi:id= " HostAlias_x" hostname="*" port="alias_port"/>

In this case, x is the next number in the HostAlias sequence and alias_port is the value specified by the -W generalConfig.httpsPort="port" during the Integrated Solutions Console installation. (By default, it is 8422.)

Save the file.

Step 2. Edit the ConfigService.properties file

Open the ConfigService.properties file located in the <isc_root>/PortalServer/shared/app/config/services directory and set the following parameters to true:

redirect.login.ssl=true
redirect.logout.ssl=true

Make sure your https port is set correctly:

host.port.https=alias_port (where alias_port is the port number used for the virtual host alias.

Save the file.

Step 3. Edit the web.xml file

Open the web.xml file located in the <isc_root>/AppServer/config/cells/DefaultNode/applications/wps.ear/deployment/wps/wps.war/WEB-INF directory.

Find the <security-constraint> element and replace

<transport-guarantee>NONE</transport-guarantee>

with

<transport-guarantee>CONFIDENTIAL</transport-guarantee>.

Save the file.

Step 4. Edit the wpconfig.properties file

Open the wpconfig.properties located in the <isc_root>/PortalServer/config directory and update the following parameters with the appropriate passwords:

• WasPassword
• PortalAdminPwd
• DbPassword (db2admin is the default)
• WmmDbPassword (db2admin is the default)
• LTPAPassword (Set this if you are using dbonly security)
• LDAPAdminPwd (Set this if you are using LDAP)
• LDAPBindPassword (Set this if you are using LDAP)
• WmmSystemIdPassword (Set this if you are using WMM)

Save the file.

Step 5. Run the WPSconfig command

Run the WPSconfig.bat script located in the <isc_root>/PortalServer/config directory.

WPSconfig.bat/.sh init action-deploy-setupisc-ssl

Note: This command replaces the current version of the login portlet with a secure version of the login portlet.

Step 6. Remove the passwords

Remove the passwords that you added to the wpconfig.properties file during Step 4 (this is for security purposes) and save the file.

Step 7. Restart ISC_Portal

If the Integrated Solutions Console server is running, stop the server by typing:

<isc_root>/PortalServer/bin/stopISC.bat|.sh ISC_Portal <userid> <password>

After the Integrated Solutions Console server has been stopped successfully, start the ISC_Portal:

<isc_root>/PortalServer/bin/startISC.bat|.sh ISC_Portal

Back to top

Enabling 5.1 with a self-signed certificate

This section provides a brief overview of the steps needed to enable SSL for the Integrated Solutions Console using self-signed certificates. You simply:

1. Create the four SSL key/trust files using self-signed certificates.
2. Create the JACL script in the <isc root>\AppServer\bin directory.
3. Modify the wsadmin.properties file to reflect the correct SOAP port.
4. Run wsadmin on the JACL script.
5. Modify the ConfigService.properties and virtualhosts.xml files.
6. Modify the web.xml file.
7. Stop the ISC_Portal.
8. Modify the the soap.client.props file.
9. Start the ISC_Portal.
10. Test your changes.

The following sections cover each of these steps in full detail.

Step 1. Create the four SSL key files using self-signed certificates

The four key files are:

• Server key file
• Client key file
• Server trust file
• Client trust file

Creating the server key file
The server key file is created using the Ikeyman utility. Ikeyman can be found in the <isc_root>/AppServer /bin directory. On Windows® systems, the file is called ikeyman.bat and on UNIX®/Linux® systems, the file is called ikeyman.sh.

1. Create a new jks file by selecting Key Database File > New....
2. Enter the following information to create the key file and click OK:
   File Name: ISCServerKeyFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password -- you will need it in the future to access the files.
4. Select Create > New Self-Signed Certificate....
5. Enter the following information to create the certificate and click OK:
   Key Label: ISCIntSec
Common Name: ISCsrv01
Organization: ISC
6. Select Extract Certificate....
7. Enter the following information to extract the public certificate and click OK:
   Certificate File Name: ISCServerKeyFile.arm
Location: <isc root>\AppServer\etc
8. Select Key Database File > Close.

Creating the client key file
The client key file is also created using the Ikeyman utility:

1. Create a new jks file by selecting Key Database File > New....
2. Enter the following information to create the key file and click OK:
   File Name: ISCClientKeyFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password as you will need it in the future to access the files.
4. Select Create > New Self-Signed Certificate....
5. Enter the following information to create the certificate and click OK:
   Key Label: ISCIntSecClientKey
Common Name: ISCsrv01
Organization: ISC
6. Select Extract Certificate....
7. Enter the following information to extract the public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
8. Select Key Database File > Close.

Creating the server trust file
The server trust file is also created using the Ikeyman utility (do you sense a pattern?):

1. Create a new jks file by selecting Key Database File > New.
2. Enter the following information to create the key file and click OK:
   File Name: ISCServerTrustFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password as you will need it in the future to access the files.
4. Select Add....
5. Enter the following information to add the client's public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
6. Enter a label for the client key public certificate and click OK. Enter a label for the certificate: ISCIntSecClientKey CA .
7. Select Add....
8. Enter the following information to add the server's public certificate and click OK:
   Certificate File Name: ISCServerKeyFile.arm
Location: <isc root>\AppServer\etc
9. Enter a label for the server key public certificate and click OK. Enter a label for the certificate: ISCIntSec CA .
10. Select Key Database File > Close.

Creating the client trust file
The client trust file is also created using the Ikeyman utility:

1. Create a new jks file by selecting Key Database File > New."
2. Enter the following information to create the key file and click OK:
   File Name: ISCClientTrustFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password as you will need it in the future to access the files.
4. Select Add....
5. Enter the following information to add the client's public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
6. Enter a label for the client key public certificate and click OK. Enter a label for the certificate: ISCIntSecClientKey CA .
7. Select Add....
8. Enter the following information to add the server's public certificate and click OK:
   Certificate File Name: ISCServerKeyFile.arm
Location: <isc root>\AppServer\etc
9. Enter a label for the server key public certificate and click OK. Enter a label for the certificate: ISCIntSec CA .
10. Select Key Database File > Close.

Step 2. Create the JACL script

Create an addSSLentry.jacl script in the <isc_root>/AppServer/bin directory to run using the wsadmin command to enable the Integrated Solutions Console to use the keys from the previous step. The sample script shown in Listing 1 creates a new SSL entry. Note that the file names and passwords are hard coded in the file; you must modify the values in bold to reflect your environment. Copy the following lines into your newly created addSSLentry.jacl script and save it. (Pay special attention to the four comments that note which lines MUST be in a single line.)

                
# new SSL entry in the SSL repertoire
# setting the security object
set security_root [$AdminConfig list Security]
# setting the variables for the entry
set ssl_alias "DefaultNode/DefaultSSLSettings"
set ssl_clientAuthentication [list clientAuthentication false]

# this next line should be on ONE line
set ssl_enableCryptoHardwareSupport [list enableCryptoHardwareSupport false]

set ssl_keyFileFormat [list keyFileFormat "JKS"]

# this next code section should be on ONE line
set ssl_keyFileName [list keyFileName 
    "<isc_root>/AppServer/etc/ISCServerKeyFile.jks"]

set ssl_keyFilePassword [list keyFilePassword "<isc_password>"]
set ssl_securityLevel [list securityLevel "HIGH"]
set ssl_trustFileFormat [list trustFileFormat "JKS"]

# this next code section should be on ONE line
set ssl_trustFileName [list trustFileName 
    "<isc_root>/AppServer/etc/ISCServerTrustFile.jks"]

set ssl_trustFilePassword [list trustFilePassword "<isc_password>"]

# this next code section (set ssl def) should be on ONE line
set ssl_def [list $ssl_clientAuthentication $ssl_enableCryptoHardwareSupport 
    $ssl_keyFileFormat $ssl_keyFileName $ssl_keyFilePassword $ssl_securityLevel 
    $ssl_trustFileFormat $ssl_trustFileName $ssl_trustFilePassword]

# defining the whole SSL object
set ssl_entry [list [list alias $ssl_alias] [list setting $ssl_def] ]
# remove existing dummy SSL entry
set sslList [$AdminConfig list SSLConfig]
$AdminConfig remove [lindex $sslList 0]
# creating the new entry
$AdminConfig create SSLConfig $security_root $ssl_entry repertoire
# setting variables using the new entry
set sslList [$AdminConfig list SSLConfig]
set default_ssl [list [list defaultSSLSettings [lindex $sslList 0]]]
# modifying the security object to use new entry
$AdminConfig modify $security_root $default_ssl
# saving the configuration
$AdminConfig save

Step 3. Modify wsadmin.properties to reflect the correct SOAP port

First you must retrieve the correct port being used for SOAP. To do this, open the serverindex.xml file in the <isc root>/AppServer/config/cells/DefaultNode/nodes/DefaultNode directory.

Look for the serverEntry with serverName = ISC_Portal. Under that serverEntry, find the port number specified under the endPointName="SOAP_CONNECTOR_ADDRESS". Make note of this port number.

Now, open the wsadmin.properties file in the <isc root>/AppServer/properties directory. Change the com.ibm.ws.scripting.port setting to the port number you just found.

Save the file.

Step 4. Run the wsadmin command on the JACL script

Open a command prompt and navigate to the <isc root>/AppServer/bin directory. Run the following command:

wsadmin.bat/sh -f addSSLentry.jacl -user <userid> -password <password>

Note: the userid and password are equivalent to the the userid and password of the Integrated Solutions Console Administrator.

Step 5. Modify the ConfigService.properties and virtualhosts.xml files

Open the ConfigService.properties file in the <isc root>/PortalServer/shared/app/config/services/ directory. Change the values for redirect.login.ssl and redirect.logout.ssl from false to true:

redirect.login.ssl = true 
redirect.logout.ssl = true

Save the file.

Open the virtualhosts.xml file located in the <isc_root>/AppServer/config/cells/DefaultNode directory by adding the following line:

<aliases xmi:id="HostAlias_x" hostname="*" port="8422"/>

Where x is the next number in the series (in most cases, 4).

Step 6. Modify the web.xml file

Open the web.xml file in the <isc_root>/AppServer/config/cells/DefaultNode/applications/wps.ear/deployments/wps/wps.war/WEB-INF/ directory.

Look for the <security-constraint> element. Change the following line:

<transport-guarantee>NONE</transport-guarantee>

to

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

Save the file.

Step 7. Stop the ISC_Portal

If the Integrated Solutions Console server is running at this time, stop the server by issuing the following command:

<isc root>/PortalServer/bin/stopISC.bat|sh ISC_Portal <userid> <password>

The userid and password are the Integrated Solution Console Administrator's userid and password.

Step 8. Modify the soap.client.props file

Open the soap.client.props file in the <isc root>/AppServer/properties directory. Change the following lines in the soap.client.props file to reflect the new SSL settings:

com.ibm.ssl.keyStore=<isc root>/AppServer/etc/ISCClientKeyFile.jks
com.ibm.ssl.keyStorePassword=<ClientKey.jks Password>
com.ibm.ssl.trustStore=<isc root>/AppServer/etc/ISCClientTrustFile.jks
com.ibm.ssl.trustStorePassword=<ClientTrust.jks Password>

Make sure your paths and passwords are updated to reflect your environment.

Save the file.

Step 9. Start the ISC_Portal

Start the Integrated Solutions Console for these changes to take effect by issuing the following command:

<isc root>/PortalServer/bin/startISC.bat/sh ISC_Portal

Step 10. Test your changes

Test your changes by launching the Integrated Solutions Console in a browser. Your session should be redirected to a secure connection and a browser security prompt appears with the certificate information. When redirected, the URL will be updated with the SSL port specified during the Integrated Solutions Console installation (default: 8422). You can also verify that SSL is enabled by confirming that there is a "lock" image in the lower left hand corner of an Internet Explorer browser (as seen in Figure 1).

Back to top

Enabling 5.1 with a CA Certificate

The following brief overview is of the steps to enable SSL for the Integrated Solutions Console using Official/Authorized Certificates (this section will be much like enabling with a self-signed certificate):

1. Create the SSL Server/Client key and trust files.
2. Create the JACL script in the <isc root>\AppServer\bin directory.
3. Modify the wsadmin.properties file to reflect the correct SOAP port.
4. Run wsadmin on the JACL script.
5. Modify the ConfigService.properties and virtualhosts.xml files.
6. Modify the web.xml file.
7. Stop the ISC_Portal.
8. Modify the soap.client.props file.
9. Start the ISC_Portal.
10. Test your changes.

The following sections cover each of these steps in full detail.

Step 1. Create the SSL server/client keys and trust files

Again, the four key files are:

• Server key file
• Client key file
• Server trust file
• Client trust file

Creating the server key file
First you need to create a new key and certificate request. You can start by launching ikeyman and following these steps:

1. Launch the ikeyman tool. It may be started from the command line in the bin directory as ikeyman.bat (on Windows platforms) or ikeyman.sh (on UNIX platforms).
2. From the menu bar, select Key Database File > New...."
3. Ensure that the key database type is set to "JKS." This section will use the following file names to represent the appropriate key stores.
4. Enter ISCServerKeyFile.jks as the file name.
5. Enter the directory that will hold the key file as the location. In this case: <isc_root>\AppServer\etc.
6. Click OK.
7. A password prompt appears. Enter a password and repeat to confirm. This password is required to read from or write to this file in the future, so don't forget it. The password strength is determined by the variety of the characters used in the password.
8. Click OK.
9. From the menu bar, select Create > New Certificate Request....
10. Enter a key label that will identify this key. It is recommended that you not use spaces. The value used in this section is ISCIntSec .
11. Select the appropriate key size. 1024 is an appropriate default value.
12. Enter a common name: ISCsrv01 .
13. Enter an Organization, for example: IBM .
14. The Organization Unit, Locality, and State/Province fields are optional, but it is recommended that values be provided, for example: ITSO , Raleigh , NC .
15. Select the appropriate country, in this case: US .
16. The file name in which the certificate request is to be stored should be entered in the last field. The value used in this section is <isc_root>\AppServer\etc\ISCServerKeyFile.arm .
17. Click OK. A message confirming the creation of the certificate request should be returned.

Note: Consult the documentation from your chosen CA prior to completing the certificate request fields. For example, VeriSign Server IDs stipulate that the Common Name (CN) must represent the fully qualified server name.

The contents of the certificate request file (ISCServerKeyFile.arm in this sample) show that a certificate has been generated.

                
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBmzCCAQQCAQAwXDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdo
MQwwCgYDVQQKEwNJQk0xDTALBgNVBAsTBElUU08xETAPBgNVBAMTCG1rYTJ2YWxvMIGeMA0GCSqG
SIb3DQEBAQUAA4GMADCBiAKBgHHsF7RWcLXGF6DPY3KnFJTHn0Nmf/Ni2lhURbJkgnSTl2x2vECe
rrQ5qhYI7mXX4v1zL4FSDM9TzMCz8V4P5FXAwjyJRlPODfSxMP9h/kIJWiAx2n1X2FnHiKcVAz17
EE27hVObMTfj47Ww4ydQ7JMQFy1C7pZnHuJL3Ga1qBZLAgMBAAGgADANBgkqhkiG9w0BAQQFAAOB
gQAmzZ+9bsrqLjCw8tsxkUJHG7SMCspv1UCmc447aRubkM717j6nnw0zr9QgCO8bxzvOD6C35Liv
MDPrc5ML+CT9KVHtXnV9mpOKx9+3d1A4YDAdEoQA0cPYXu9n6aDfG69ZIdwjBMlohsy7q8qPlnGd
yqfmhhEbFcn+PlW86bhnjg==
-----END NEW CERTIFICATE REQUEST-----

It is clear that the process of creating a certificate request actually creates the certificate. This means that the public/private key pair exists in the JKS file. The certificate request is actually requesting that this certificate be signed by the CA. This certificate request can be viewed in ikeyman by selecting Key database content > Personal Certificate Requests (Figure 3):

Note: Don't destroy this certificate request. It must be present in the key store in order for the certificate to be added after it has been signed by the CA.

Of course, the CA will need to validate the identity claimed by the certificate before signing it. The certificate request should be copied into the form provided by the CA, usually on their Web site, and submitted.

Another note: Be sure to submit the request in its original form. If the request is being pasted from a text editor, make sure that extra characters, such as spaces, have not been added to the end of the lines. If the request is not submitted correctly, the reply may not import correctly.

Some CAs offer a convenient service for generating test certificates (certificates that are valid for a short period of time like a month and are intended for testing purposes only). If the certificate request used in this section is submitted to Thawte, a well-known CA, the reply is in a Base64-encoded format.

                
-----BEGIN CERTIFICATE----- 
MIICgDCCAemgAwIBAgIDLqKsMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa 
...
..
.
XmYOnq8HX/fj0il6NQxW48bp3O8= 
-----END CERTIFICATE-----

This reply should be saved into a plain text file, then imported into the key store that created the original certificate request. (As with the request, ensure that the CA's reply is copied to a file correctly. Ensure there are no additional characters appended to the end of lines that would otherwise affect the import process.)

1. Ensure that ikeyman has the relevant key file open and select Key database content > Personal Certificates.
2. Click Receive.
3. Enter the file name of the reply from the CA.
4. The reply will probably be encoded with Base64, so ensure Base64-encoded ASCII data is selected from the datatype drop-down list.
5. Click OK.
6. Select Key Database File > Close.

Creating the client key file
The client key file is also created using the Ikeyman utility:

1. Create a new jks file by selecting Key Database File > New...."
2. Enter the following information to create the key file and click OK:
   File Name: ISCClientKeyFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password as you will need it in the future to access the files.
4. Select Create > New Self-Signed Certificate....
5. Enter the following information to create the certificate and click OK:
   Key Label: ISCIntSecClientKey
Common Name: ISCsrv01
Organization: ISC
6. Select Extract Certificate....
7. Enter the following information to extract the public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
8. Select Key Database File > Close.

Creating the server trust file
The server trust file is also created using the Ikeyman utility (do you sense a pattern?):

1. Create a new jks file by selecting Key Database File > New."
2. Enter the following information to create the key file and click OK:
   File Name: ISCServerTrustFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password as you will need it in the future to access the files.
4. Select Add....
5. Enter the following information to add the client's public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
6. Enter a label for the client key public certificate and click OK. Enter a label for the certificate: ISCIntSecClientKey CA .
7. Select Add....
8. Enter the following information to add the server's public certificate and click OK:
   Certificate File Name: ISCServerKeyFile.arm
Location: <isc root>\AppServer\etc
9. Enter a label for the server key public certificate and click OK. Enter a label for the certificate: ISCIntSec CA .
10. Select Key Database File > Close.

Creating the client trust file
The client trust file is created using the Ikeyman utility:

1. Create a new jks file by selecting Key Database File > New."
2. Enter the following information to create the key file and click OK:
   File Name: ISCClientTrustFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password as you will need it in the future to access the files.
4. Select Add....
5. Enter the following information to add the client's public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
6. Enter a label for the client key public certificate and click OK. Enter a label for the certificate: ISCIntSecClientKey CA .
7. Select Add....
8. Enter the following information to add the server's public certificate and click OK:
   Certificate File Name: ISCServerKeyFile.arm
Location: <isc root>\AppServer\etc
9. Enter a label for the server key public certificate and click OK. Enter a label for the certificate: ISCIntSec CA .
10. Select Key Database File > Close.

Step 2. Create the JACL script

Create an addSSLentry.jacl script in the <isc_root>/AppServer/bin directory to run using wsadmin to enable the Integrated Solutions Console to use the keys from the previous step. The following sample script creates a new SSL entry. Note that the file names and passwords are hard coded in the file; you have to modify the values in bold to reflect your environment. Copy the following lines into your newly created addSSLentry.jacl script and save it. (Pay special attention to the four comments that note which lines MUST be in a single line.)

The code is the same as that in Listing 1.

Step 3. Modify the wsadmin.properties file to reflect the correct SOAP port

First, you need to retrieve the correct port being used for SOAP. To do so, open the serverindex.xml file in the <isc root>/AppServer/config/cells/DefaultNode/nodes/DefaultNode directory.

Look for the serverEntry with serverName = ISC_Portal. Under that serverEntry, find the port number specified under the endPointName="SOAP_CONNECTOR_ADDRESS". Make note of this port number.

Now, open the wsadmin.properties file in the <isc root>/AppServer/properties directory. Change the com.ibm.ws.scripting.port setting to the port number you just found.

Save the file.

Step 4. Run wsadmin on the JACL script

Open a command prompt and navigate to the <isc root>/AppServer/bin directory. Run the following command:

wsadmin.bat/sh -f addSSLentry.jacl -user <userid> -password <password>

Note: userid and password are equivalent to the the userid and password of the Integrated Solutions Console Administrator.

Step 5. Modify the ConfigService.properties and virtualhosts.xml files

Open the ConfigService.properties file in the <isc root>/PortalServer/shared/app/config/services/ directory. Change the values for redirect.login.ssl and redirect.logout.ssl from false to true:

redirect.login.ssl = true 
redirect.logout.ssl = true

Save the file.

Open the virtualhosts.xml file located in the <isc_root>/AppServer/config/cells/DefaultNode directory by adding the following line:

<aliases xmi:id="HostAlias_x" hostname="*" port="8422"/>

where x is the next number in the series (in most cases, 4).

Step 6. Modify the web.xml file

Open the web.xml file in the <isc_root>/AppServer/config/cells/DefaultNode/applications/wps.ear/deployments/wps/wps.war/WEB-INF/ directory.

Look for the <security-constraint> element. Change the following line:

<transport-guarantee>NONE</transport-guarantee>

to

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

Save the file.

Step 7. Stop the ISC_Portal

If the Integrated Solutions Console server is running at this time, stop the server by issuing the following command:

Note: The userid and password are the Integrated Solutions Console Administrator's userid and password.

Step 8. Modify the soap.client.props

Open the soap.client.props file in the <isc root>/AppServer/properties directory. Change the following lines in the soap.client.props file to reflect the new SSL settings:

com.ibm.ssl.keyStore=<isc root>/AppServer/etc/ISCClientKeyFile.jks
com.ibm.ssl.keyStorePassword=<ClientKey.jks Password>
com.ibm.ssl.trustStore=<isc root>/AppServer/etc/ISCClientTrustFile.jks
com.ibm.ssl.trustStorePassword=<ClientTrust.jks Password>

Make sure your paths and passwords are updated to reflect your environment.

Save the file.

Step 9. Start the ISC_Portal

Start the Integrated Solutions Console for these changes to take effect by issuing the following command: <isc root>/PortalServer/bin/startISC.bat/sh ISC_Portal.

Step 10. Test your changes

Test your changes by launching the Integrated Solutions Console in a browser. Your session should be redirected to a secure connection and a browser security prompt appears with the certificate information. When redirected, the URL will be updated with the SSL port specified during Integrated Solutions Console installation (default: 8422). You can also verify that SSL is enabled by confirming that there is a "lock" image in the lower left hand corner of an IE browser (see Figure 1).

Back to top

Enabling 6.0.1 with a dummy certificate

Here is a brief overview of the steps to be taken in order to enable SSL for ISC 6.0.1 using dummy certificates.

The dummy certificates that the Integrated Solutions Console ships are located in the <isc_root>/AppServer/profiles/Default/etc directory. The key/trust files are called:

• DummyClientKeyFile.jks
• DummyClientTrustFile.jks
• DummyServerKeyFile.jks
• DummyServerTrustFile.jks

The steps you follow:

1. Edit the virtualhosts.xml file with a host alias port.
2. Edit the ConfigService.properties file with

   True

   
   values for the redirect login/logout parameter.
3. Edit the web.xml file with the security constraint set to NONE.
4. Update the wpconfig.properties file with relevant passwords.
5. Run the WPSconfig command.
6. Remove the passwords from the wpconfig.properties file.
7. Restart the ISC_Portal.

In other words, the same process you followed to enable dummy certificates in version 5.1. The following sections cover each of the above steps in full detail.

Step 1. Edit the virtualhosts.xml file

Open the virtualhosts.xml file located in the <isc_root>/AppServer/config/cells/DefaultNode directory. Add the following element before the ending element </host:Virtualhost> for the virtual host named default_host. Add the element to the list of aliases:

<aliases xmi:id= " HostAlias_x" hostname="*" port="alias_port"/>

where x is the next number in the HostAlias sequence and alias_port is the value specified by the -W generalConfig.httpsPort="port" during the Integrated Solutions Console installation. (By default, it is 8422.)

Save the file.

Step 2. Edit the ConfigService.properties file

Open the ConfigService.properties file located in the <isc_root>/PortalServer/shared/app/config/services directory.

Set the following parameters to true:

redirect.login.ssl=true
redirect.logout.ssl=true

Make sure your https port is set correctly:

host.port.https=alias_port
            

where alias_port is the port number used for the virtual host alias.

Save the file.

Step 3. Edit the web.xml file

Open the web.xml file located in the <isc_root>/AppServer/profiles/default/config/cells/DefaultNode/applications/wps.ear/deployment/wps/wps.war/WEB-INF directory.

Find the <security-constraint> element.

Replace

<transport-guarantee>NONE</transport-guarantee>

with

<transport-guarantee>CONFIDENTIAL</transport-guarantee>.

Save the file.

Step 4. Edit the wpconfig.properties file

Open the wpconfig.properties file located in the <isc_root>/PortalServer/config directory.

Update the following parameters with the appropriate passwords:

• WasPassword
• PortalAdminPwd
• DbPassword (db2admin is default)
• WmmDbPassword (db2admin is default)
• LTPAPassword (Set this if you are using dbonly security)
• LDAPAdminPwd (Set this if you are using LDAP)
• LDAPBindPassword (Set this if you are using LDAP)
• WmmSystemIdPassword (Set this if you are using WMM)

Save the file.

Step 5. Run the WPSconfig command

Run the WPSconfig.bat script located in the <isc_root>/PortalServer/config directory:

WPSconfig.bat/.sh init action-deploy-setupisc-ssl

Note: This command replaces the current version of the login portlet with a secure version of the login portlet.

Step 6. Remove the passwords

Remove the passwords that you added to wpconfig.properties during Step 4 (this is for security purposes).

Save the file.

Step 7. Restart ISC_Portal

If the Integrated Solutions Console server is running, stop the server:

<isc_root>/PortalServer/bin/stopISC.bat|.sh ISC_Portal <userid> <password>

After it's stopped successfully, start the ISC_Portal:

<isc_root>/PortalServer/bin/startISC.bat|.sh ISC_Portal

Back to top

Enabling 6.0.1 with a self-signed certificate

This section provides a brief overview of the steps to enable SSL for the Integrated Solutions Console using self-signed certificates. You simply:

1. Create the 4 SSL key/trust files using self-signed certificates.
2. Create the JACL script in <isc root>\AppServer\bin.
3. Modify the wsadmin.properties file to reflect the correct SOAP port.
4. Run wsadmin on the JACL script.
5. Modify the ConfigService.properties file.
6. Modify the web.xml file.
7. Stop the ISC_Portal.
8. Modify the soap.client.props file.
9. Start the ISC_Portal.
10. Test your changes.

The following sections will cover each of these steps in full detail.

Step 1. Create the 4 SSL key files using self-signed certificates

The four key files are:

• Server key file
• Client key file
• Server trust file
• Client trust file

Creating the server key file
The server key file is created using the Ikeyman utility. Ikeyman can be found in the <isc_root>/AppServer /bin directory. On Windows systems, the file is called ikeyman.bat and on UNIX/Linux systems, the file is called ikeyman.sh.

1. Create a new jks file by selecting Key Database File > New...."
2. Enter the following information to create the key file and click OK:
   File Name: ISCServerKeyFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password; you will need it in the future to access the files.
4. Select Create > New Self-Signed Certificate....
5. Enter the following information to create the certificate and click OK:
   Key Label: ISCIntSec
Common Name: ISCsrv01
Organization: ISC
6. Select Extract Certificate....
7. Enter the following information to extract the public certificate and click OK:
   Certificate File Name: ISCServerKeyFile.arm
Location: <isc root>\AppServer\etc
8. Select Key Database File > Close.

Creating the client key file
The client key file is also created using the Ikeyman utility:

1. Create a new jks file by selecting Key Database File > New...."
2. Enter the following information to create the key file and click OK:
   File Name: ISCClientKeyFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password; you will need it in the future to access the files.
4. Select Create > New Self-Signed Certificate....
5. Enter the following information to create the certificate and click OK:
   Key Label: ISCIntSecClientKey
Common Name: ISCsrv01
Organization: ISC
6. Select Extract Certificate....
7. Enter the following information to extract the public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
8. Select Key Database File > Close.

Creating the server trust file
The server trust file is also created using the Ikeyman utility (do you again sense a pattern?):

1. Create a new jks file by selecting Key Database File > New."
2. Enter the following information to create the key file and click OK:
   File Name: ISCServerTrustFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password; you will need it in the future to access the files.
4. Select Add....
5. Enter the following information to add the client's public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
6. Enter a label for the client key public certificate and click OK. Enter a label for the certificate: ISCIntSecClientKey CA .
7. Select Add....
8. Enter the following information to add the server's public certificate and click OK:
   Certificate File Name: ISCServerKeyFile.arm
Location: <isc root>\AppServer\etc
9. Enter a label for the server key public certificate and click OK. Enter a label for the certificate: ISCIntSec CA .
10. Select Key Database File > Close.

Creating the client trust file
The client trust file is also created using the Ikeyman utility:

1. Create a new jks file by selecting Key Database File > New."
2. Enter the following information to create the key file and click OK:
   File Name: ISCClientTrustFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password as you will need it in the future to access the files.
4. Select Add....
5. Enter the following information to add the client's public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
6. Enter a label for the client key public certificate and click OK. Enter a label for the certificate: ISCIntSecClientKey CA .
7. Select Add....
8. Enter the following information to add the server's public certificate and click OK:
   Certificate File Name: ISCServerKeyFile.arm
Location: <isc root>\AppServer\etc
9. Enter a label for the server key public certificate and click OK. Enter a label for the certificate: ISCIntSec CA .
10. Select Key Database File > Close.

Step 2. Create the JACL script

Create an addSSLentry.jacl script in the <isc_root>/AppServer/bin directory to run using wsadmin to enable the Integrated Solutions Console to use the keys from the previous step. The sample script in Listing 1 creates a new SSL entry. Note that the file names and passwords are hard coded in the file; you must modify the values in bold to reflect your environment. Copy the following lines into your newly created addSSLentry.jacl script and save it. (Pay special attention to the four comments that note which lines must be in a single line.)

Step 3. Modify the wsadmin.properties file to reflect the correct SOAP port

First you need to retrieve the correct port being used for SOAP. To do so, open the serverindex.xml file in the <isc root>/AppServer/profiles/default/config/cells/DefaultNode/nodes/DefaultNode directory.

Look for the serverEntry with serverName = ISC_Portal. Under that serverEntry, find the port number specified under the endPointName="SOAP_CONNECTOR_ADDRESS". Make note of this port number.

Now, open the wsadmin.properties file in the <isc root>/AppServer/profiles/default/properties directory. Change the com.ibm.ws.scripting.port setting to the port number you just found.

Save the file.

Step 4. Run wsadmin on the JACL script

Open a command prompt and navigate to the <isc root>/AppServer/bin directory. Run the following command:

wsadmin.bat/sh -f addSSLentry.jacl -user <userid> -password <password>

Note: userid and password are equivalent to the the userid and password of the Integrated Solutions Console Administrator.

Step 5. Modify the ConfigService.properties file

Open the ConfigService.properties file in the <isc root>/PortalServer/shared/app/config/services/ directory. Change the values for redirect.login.ssl and redirect.logout.ssl from false to true:

redirect.login.ssl = true 
redirect.logout.ssl = true

Save the file.

Step 6. Modify the web.xml file

Open the web.xml file in the <isc_root>/AppServer/profiles/default/config/cells/DefaultNode/applications/wps.ear/deployments/wps/wps.war/WEB-INF/ directory.

Look for the <security-constraint> element. Change the following line:

<transport-guarantee>NONE</transport-guarantee>

to

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

Save the file.

Step 7. Stop the ISC_Portal

If the Integrated Solutions Console server is running at this time, stop the server by issuing the following command: <isc root>/PortalServer/bin/stopISC.bat|sh ISC_Portal <userid> <password>. The userid and password are the Integrated Solutions Console administrator's userid and password.

Step 8. Modify the soap.client.props file

Open the soap.client.props file in the <isc root>/AppServer/profiles/default/properties directory. Change the following lines in the soap.client.props file to reflect the new SSL settings:

com.ibm.ssl.keyStore=<isc root>/AppServer/etc/ISCClientKeyFile.jks
com.ibm.ssl.keyStorePassword=<ClientKey.jks Password>
com.ibm.ssl.trustStore=<isc root>/AppServer/etc/ISCClientTrustFile.jks
com.ibm.ssl.trustStorePassword=<ClientTrust.jks Password>

Make sure your paths and passwords are updated to reflect your environment.

Save the file.

Step 9. Start the ISC_Portal

Start the Integrated Solutions Console for these changes to take effect by issuing the following command: <isc root>/PortalServer/bin/startISC.bat/sh ISC_Portal.

Step 10. Test your changes

Test your changes by launching the Integrated Solutions Console in a browser. Your session should be redirected to a secure connection and a browser security prompt appears with the certificate information. When redirected, the URL is updated with the SSL port specified during Integrated Solutions Console installation (default: 8422). You can also verify SSL is enabled by confirming that there is a "lock" image in the lower left hand corner of an IE browser (see Figure 1).

Back to top

Enabling 6.0.1 with a CA Certificate

The following brief overview is of the steps to be taken in order to enable SSL for ISC using Official/Authorized Certificates:

1. Create the SSL Server/Client key and trust files.
2. Create the JACL script in the <isc root>\AppServer\bin directory.
3. Modify the wsadmin.properties file to reflect the correct SOAP port.
4. Run wsadmin on the JACL script.
5. Modify the ConfigService.properties file.
6. Modify the web.xml file.
7. Stop the ISC_Portal.
8. Modify the the soap.client.props file.
9. Start the ISC_Portal.
10. Test your changes.

The following sections cover each of these steps in full detail.

Step 1. Create the SSL server/client keys and trust files

One last time. The four key files are the:

• Server key file
• Client key file
• Server trust file
• Client trust file

Creating the server key file
First you need to create a new key and certificate request. You can start by launching ikeyman and following these steps:

1. Launch the ikeyman tool. It may be started from the command line in the bin directory as ikeyman.bat (on Windows platforms) or ikeyman.sh (on UNIX platforms).
2. From the menu bar, select Key Database File > New....
3. Ensure that the key database type is set to "JKS." This section uses the following file names to represent the appropriate key stores.
4. Enter ISCServerKeyFile.jks as the file name.
5. Enter the directory that will hold the key file as the location, in this case: <isc_root>\AppServer\etc.
6. Click OK.
7. A password prompt appears. Enter a password and repeat to confirm. This password will be required to read from or write to this file in the future, so don't forget it. The password strength is determined by the variety of the characters used in the password.
8. Click OK.
9. From the menu bar, select Create > New Certificate Request....
10. Enter a key label that will identify this key. It is recommended that spaces not be used. The value used in this section is ISCIntSec .
11. Select the appropriate key size. 1024 is an appropriate default value.
12. Enter a common name: ISCsrv01 .
13. Enter an Organization, for example: IBM .
14. The Organization Unit, Locality, and State/Province fields are optional, but it is recommended that values be provided, for example: ITSO , Raleigh , NC .
15. Select the appropriate country, in this case: US .
16. The file name in which the certificate request is to be stored should be entered in the last field. The value used in this section is <isc_root>\AppServer\etc\ISCServerKeyFile.arm .
17. Click OK. A message confirming the creation of the certificate request should be returned (See Figure 2.)

Note: Consult the documentation from your chosen CA prior to completing the certificate request fields. For example, VeriSign Server IDs stipulate that the Common Name (CN) must represent the fully qualified server name.

The contents of the certificate request file ( ISCServerKeyFile.arm in this sample) show that a certificate has been generated. Next, Listing 2 (repeated here) shows what a certificate request looks like.

                
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBmzCCAQQCAQAwXDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdo
MQwwCgYDVQQKEwNJQk0xDTALBgNVBAsTBElUU08xETAPBgNVBAMTCG1rYTJ2YWxvMIGeMA0GCSqG
SIb3DQEBAQUAA4GMADCBiAKBgHHsF7RWcLXGF6DPY3KnFJTHn0Nmf/Ni2lhURbJkgnSTl2x2vECe
rrQ5qhYI7mXX4v1zL4FSDM9TzMCz8V4P5FXAwjyJRlPODfSxMP9h/kIJWiAx2n1X2FnHiKcVAz17
EE27hVObMTfj47Ww4ydQ7JMQFy1C7pZnHuJL3Ga1qBZLAgMBAAGgADANBgkqhkiG9w0BAQQFAAOB
gQAmzZ+9bsrqLjCw8tsxkUJHG7SMCspv1UCmc447aRubkM717j6nnw0zr9QgCO8bxzvOD6C35Liv
MDPrc5ML+CT9KVHtXnV9mpOKx9+3d1A4YDAdEoQA0cPYXu9n6aDfG69ZIdwjBMlohsy7q8qPlnGd
yqfmhhEbFcn+PlW86bhnjg==
-----END NEW CERTIFICATE REQUEST-----

It is clear that the process of creating a certificate request actually creates the certificate. This means that the public/private key pair exists in the JKS file. The certificate request is actually requesting that this certificate be signed by the CA. This certificate request can be viewed in ikeyman by selecting Key database content > Personal Certificate Requests (See Figure 3.)

Note: Don't destroy this certificate request. It must be present in the key store in order for the certificate to be added after it has been signed by the CA.

Of course, the CA will need to validate the identity claimed by the certificate before signing it. The certificate request should be copied into the form provided by the CA, usually on their Web site, and submitted.

Another note: Be sure to submit the request in its original form. If the request is being pasted from a text editor, make sure that extra characters, such as spaces, have not been added to the end of the lines. If the request is not submitted correctly, the reply may not import correctly.

Some CAs offer a convenient service for generating test certificates (certificates that are valid for a short period of time like a month and are intended for testing purposes only). If the certificate request used in this section is submitted to Thawte, a well-known CA, the reply is in Base64 encoded format (Listing 3, again).

                
-----BEGIN CERTIFICATE----- 
MIICgDCCAemgAwIBAgIDLqKsMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa 
...
..
.
XmYOnq8HX/fj0il6NQxW48bp3O8= 
-----END CERTIFICATE-----

This reply should be saved into a plain text file, then imported into the key store that created the original certificate request. (As with the request, ensure that the CA's reply is copied to a file correctly. Ensure there are no additional characters appended to the end of lines that would otherwise affect the import process.)

1. Ensure that ikeyman has the relevant key file open and select Key database content > Personal Certificates.
2. Click Receive.
3. Enter the file name of the reply from the CA.
4. The reply will probably be encoded with Base64, so ensure Base64-encoded ASCII data is selected from the datatype drop-down list.
5. Click OK.
6. Select Key Database File > Close.

Creating the client key file
The client key file is also created using the Ikeyman utility:

1. Create a new jks file by selecting Key Database File > New....
2. Enter the following information to create the key file and click OK:
   File Name: ISCClientKeyFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password as you will need it in the future to access the files.
4. Select Create > New Self-Signed Certificate....
5. Enter the following information to create the certificate and click OK:
   Key Label: ISCIntSecClientKey
Common Name: ISCsrv01
Organization: ISC
6. Select Extract Certificate....
7. Enter the following information to extract the public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
8. Select Key Database File > Close.

Creating the server trust file
The server trust file is also created using the Ikeyman utility.

1. Create a new jks file by selecting Key Database File > New.
2. Enter the following information to create the key file and click OK:
   File Name: ISCServerTrustFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password as you will need it in the future to access the files.
4. Select Add....
5. Enter the following information to add the client's public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
6. Enter a label for the client key public certificate and click OK. Enter a label for the certificate: ISCIntSecClientKey CA .
7. Select Add....
8. Enter the following information to add the server's public certificate and click OK:
   Certificate File Name: ISCServerKeyFile.arm
Location: <isc root>\AppServer\etc
9. Enter a label for the server key public certificate and click OK. Enter a label for the certificate: ISCIntSec CA .
10. Select Key Database File > Close.

Creating the client trust file
The client trust file is created using the Ikeyman utility:

1. Create a new jks file by selecting Key Database File > New.
2. Enter the following information to create the key file and click OK:
   File Name: ISCClientTrustFile.jks
Location Name: <isc root>\AppServer\etc
3. Enter a password for your key file and click OK. Note: Be sure to remember this password as you will need it in the future to access the files.
4. Select Add....
5. Enter the following information to add the client's public certificate and click OK:
   Certificate File Name: ISCClientKeyFile.arm
Location: <isc root>\AppServer\etc
6. Enter a label for the client key public certificate and click OK. Enter a label for the certificate: ISCIntSecClientKey CA .
7. Select Add....
8. Enter the following information to add the server's public certificate and click OK:
   Certificate File Name: ISCServerKeyFile.arm
Location: <isc root>\AppServer\etc
9. Enter a label for the server key public certificate and click OK. Enter a label for the certificate: ISCIntSec CA .
10. Select Key Database File > Close.

Step 2. Create the JACL script

Create an addSSLentry.jacl script in the <isc_root>/AppServer/bin directory to run using wsadmin to enable the Integrated Solutions Console to use the keys from the previous step. The sample script (shown in Listing 1) creates a new SSL entry. Note that the file names and passwords are hard coded in the file; you must modify the values in bold to reflect your environment. Copy the following lines into your newly created addSSLentry.jacl script and save it. (Pay special attention to the four comments that note which lines must be in a single line.)

Step 3. Modify the wsadmin.properties file to reflect the correct SOAP port

First you need to retrieve the correct port being used for SOAP. To do so, open the serverindex.xml file in the <isc root>/AppServer/profiles/default/config/cells/DefaultNode/nodes/DefaultNode directory.

Look for the serverEntry with serverName = ISC_Portal. Under that serverEntry, find the port number specified under the endPointName="SOAP_CONNECTOR_ADDRESS". Make note of this port number.

Now, open the wsadmin.properties file in the <isc root>/AppServer/profiles/default/properties directory. Change the com.ibm.ws.scripting.port setting to the port number you just found.

Save the file.

Step 4. Run wsadmin on the JACL script

Open a command prompt and navigate to the <isc root>/AppServer/bin directory. Run the following command:

wsadmin.bat/sh -f addSSLentry.jacl -user <userid> -password <password>

Note: userid and password are equivalent to the the userid and password of the Integrated Solutions Console administrator.

Step 5. Modify ConfigService.properties

Open the ConfigService.properties file in the <isc root>/PortalServer/shared/app/config/services/ directory. Change the values for redirect.login.ssl and redirect.logout.ssl from false to true:

redirect.login.ssl = true 
redirect.logout.ssl = true

Save the file.

Step 6. Modify the web.xml file

Open the web.xml file in the <isc_root>/AppServer/profiles/default/config/cells/DefaultNode/applications/wps.ear/deployments/wps/wps.war/WEB-INF/ directory.

Look for the <security-constraint> element. Change the following line:

<transport-guarantee>NONE</transport-guarantee>

to

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

Save the file.

Step 7. Stop the ISC_Portal

If the Integrated Solutions Console server is running at this time, stop the server by issuing the following command: <isc root>/PortalServer/bin/stopISC.bat|sh ISC_Portal <userid> <password>. The userid and password are the Integrated Solutions Console administrator's userid and password.

Step 8. Modify the soap.client.props file

Open the soap.client.props file in the <isc root>/AppServer/profiles/default/properties directory. Change the following lines in the soap.client.props file to reflect the new SSL settings:

com.ibm.ssl.keyStore=<isc root>/AppServer/etc/ISCClientKeyFile.jks
com.ibm.ssl.keyStorePassword=<ClientKey.jks Password>
com.ibm.ssl.trustStore=<isc root>/AppServer/etc/ISCClientTrustFile.jks
com.ibm.ssl.trustStorePassword=<ClientTrust.jks Password>

Make sure your paths and passwords are updated to reflect your environment.

Save the file.

Step 9. Start the ISC_Portal

Start the Integrated Solutions Console for these changes to take effect by issuing the following command: <isc root>/PortalServer/bin/startISC.bat|sh ISC_Portal.

Step 10. Test your changes

Test your changes by launching the Integrated Solutions Console in a browser. Your session should be redirected to a secure connection and a browser security prompt appears with the certificate information. When redirected, the URL is updated with the SSL port specified during Integrated Solutions Console installation (default: 8422). You can also verify SSL is enabled by confirming that there is a "lock" image in the lower left hand corner of an IE browser (see Figure 1).

Back to top

Why SSL matters

The Integrated Solutions Console provides a common Web-based administrative console framework for hosting and integrating console modules in a way that lets customers to manage solutions rather than specific IBM products. This framework includes Portlet container, Java management applications, and Eclipse Help modules.

Share this... Digg this story Post to del.icio.us Slashdot it!

SSL can be configured to provide confidentiality and encryption. Communication between the client browser and the Integrated Solutions Console server can be protected using SSL. Encryption is important because the Integrated Solutions Console uses form-based authentication, which does not encrypt the user ID and password that are transmitted during login. If a console module requires access to back-end resources over secure connections, its portlets can use SSL.

Why should any of this matter? Because securely (and effectively) transmitting data over open communications channels is a critical component to maintaining a modern IT system, SSL is a powerful protocol to help achieve that security, and enabling SSL in an Integrated Solutions Console environment can be a complex and challenging task. Why challenging? Data security in a Web-based application environment such as Integrated Solutions Console can seem a bit vague to first-timers because IT security itself is a broad topic -- it covers many different aspects in open communication networks.

Resources

• "What is SSL and why should I care?" (developerWorks, March 2007) is the first article in this series.
  
  
• Self-signed server certificate: Create your own self-signed server certificate with this step-by-step guide.
  
  
• IBM Workplace Collaboration Services information center: This resource explains what components in which browsers require CA-signed SSL certificates.
  
  
• WebSphere Application Server and IBMJSSE: For more on SSL try this InfoCenter page.
  
  
• Launch the Integrated Solutions Console console thru Web Browser: This quick tip can show you how to launch the Integrated Solutions Console through a Web browser after installation.
  
  
• "Embed the Integrated Solutions Console installation" (developerWorks, March 2005): This article demonstrates how to use the installer to embed the Integrated Solutions Console in another product.
  
  
• For more on Java, Tivoli and WebSphere products, Eclipse, and security, visit the developerWorks and alphaWorks sites dedicated to the topic.
  
  

• Pick up a version of the Integrated Solutions Console and also learn more about it from the Autonomic Computing Toolkit.
  
  
• The WebSphere Application Server 6.1 is a Java 2 Enterprise Edition and Web services technology-based application platform; besides the regular version, you can download the Express version (a ready-to-go package including a J2EE app server, sample applications, development tools, and wizards) or the Community Edition (a free, lightweight version).
  
  

• Participate in the discussion forum.
  
  
• For relatively quick answers to installation and implementation difficulties, try the Integrated Solutions Console support forum and the Embedded WebSphere Application Server Express support forum.

About the authors

		Bimal Shah has been the Service and Support Team Lead for the Integrated Solutions Console (ISC) for the last two years. He has developed and implemented unique componentization service and support processes for the Integrated Solutions Console, which has been extremely well received by its deployers and consumers. He has worked within various groups at IBM including VM, Power Parallel Systems, AUIML, and Personal Communications (with the 3270/5250 emulator). He holds bachelor's degree in electrical engineering (India) and a master's in computer science (NJIT).

		Aya Zaghloul joined the Integrated Solutions Console team after graduating from North Carolina State University with a bachelor's degree in computer science. For the past five years, Aya has worked in various areas of the Integrated Solutions Console team, including development, test, tooling, and currently, Service and Support.

Rate this page