Configuring SSL for secure outbound Web service calls from WebSphere Commerce to WebSphere Enterprise Service Bus

developerWorks
Page 4 of 8

Document options
PDF format - Fits A4 and Letter

PDF - Fits A4 and Letter
1097 KB (31 pages)

Get Adobe® Reader®


My developerWorks needs you!

Connect to your technical community


Rate this tutorial

Help us improve this content


Trusting the client and server

In this section, you will learn how to add the client certificate to the trust store of the server, and the server certificate to the trust store of the client. To do that, begin by creating a new client key store in WebSphere Commerce. Create a new client certificate in that key store and then export it to the trust store in WebSphere ESB. To work on certificates, key stores, and trust stores in WebSphere Commerce, use the iKeyman utility, as mentioned earlier.

The server certificate from the key store of WebSphere ESB needs to be exported to the trust store of WebSphere Commerce. The JCA connector in WebSphere Commerce uses the default Java Virtual Machine trust store to authenticate server certificates. Hence, the WebSphere ESB server certificate will be added to the trust store of the Java Virtual Machine in WebSphere Commerce.

Creating a key store in WebSphere Commerce

In this section, you will learn how to create a key store in WebSphere Commerce using the iKeyman utility. After creating the key store, you specify it as the default key store for WebSphere Commerce through a generic Java Virtual Machine argument.

Create the key store file in WebSphere Commerce

  1. Launch the iKeyman utility in WebSphere Commerce. The iKeyman utility is located in the USER_INSTALL_ROOT/bin folder, where USER_INSTALL_ROOT is the path to the WebSphere Application Server profile.
  2. Click New from the Key Database File menu.
  3. Enter the details as shown in Figure 12.

    Figure 12. Creating the key store file using iKeyman utility

  4. Select JKS as the key database type. JKS is the default key store type in the Java Virtual Machine in WebSphere Commerce.
  5. Enter file name, for example, CommerceKey.jks.
  6. Enter the location of the file, for example, C:\CommerceToolkit\wasprofile\etc\.
  7. Click OK.
  8. Enter a password of your choice for the key store.
  9. Click OK.

Creating a self-signed client certificate in WebSphere Commerce

When WebSphere Commerce acts as a client and attempts an SSL handshake with WebSphere ESB, WebSphere Commerce sends the client certificate to the WebSphere ESB server to confirm its identity.

  1. Click the Create a new self-signed certificate button.
  2. Enter the details as shown in Figure 13.
  3. Click OK.

    Figure 13. Creating a self-signed certificate using iKeyman

Specifying the default key store in WebSphere Commerce

In this section, you will learn how to specify the key store to be used by the Java Virtual Machine in WebSphere Commerce.

  1. Log in to the WebSphere Application Server Administrative Console in WebSphere Commerce.
  2. Navigate to Application servers > server1 from the Servers section.
  3. Click Process Definition as shown in Figure 14.

    Figure 14. Navigating to Process Definition

  4. Click Java Virtual Machine.
  5. In Generic JVM arguments, enter -Djavax.net.ssl.keyStore=<path to the WebSphere Commerce client key store file that you created> and -Djavax.net.ssl.keyStorePassword=<password of that key store file>. For example: -Djavax.net.ssl.keyStore=${WAS_ETC_DIR}/CommerceKey.jks -Djavax.net.ssl.keyStorePassword=WebAS, as shown in Figure 15.
  6. Click OK and save the changes to the master configuration.

    Figure 15. Specifying the generic Java Virtual Machine arguments

Exporting certificates to trust stores

In this section, you will learn how to export a certificate from the key store of one server to the trust store of another. First you extract the client certificate of WebSphere Commerce and add it to the signer certificates of the trust store in WebSphere ESB. Then you extract the server certificate of WebSphere ESB and add it to the signer certificates of the trust store in WebSphere Commerce.

Exporting WebSphere Commerce client certificate to trust store of WebSphere ESB

  1. Launch the iKeyman utility in WebSphere Commerce.
  2. Open the key store that you created above.
  3. Enter the key store password and click OK.
  4. Select the self-signed certificate that you created above and click the Extract Certificate button.
  5. Enter the details as shown in Figure 16.

    Figure 16. Extracting a certificate using iKeyman

  6. Enter a certificate file name, for example, CommerceClientcert.arm.
  7. Enter the location of the file, for example, C:\Certificates.
  8. Click OK.
  9. Transfer the extracted certificate file to a folder in the WebSphere ESB server.
  10. Log in to the Administration Console in WebSphere ESB.
  11. Navigate to SSL certificate and key management > Key stores and certificates under the Security section.
  12. Click the trust store that you created earlier.
  13. Click Signer certificates.
  14. Click Add.
  15. Enter the details as shown in Figure 17.

    Figure 17. Adding a certificate to the trust store in WebSphere ESB

  16. Enter an alias for the certificate.
  17. Enter the full path to the WebSphere Commerce client certificate, which you copied to the WebSphere ESB server from the WebSphere Commerce server, for example, C:\clientcertificates\CommerceClientcert.arm.
  18. Click OK and save the changes to the master configuration.

Exporting the WebSphere ESB server certificate to the trust store of WebSphere Commerce

  1. Log in to the Administration Console in WebSphere ESB.
  2. Navigate to SSL certificate and key management > Key stores and certificates under the Security section.
  3. Click the key store that you created earlier.
  4. Click Personal certificates.
  5. Choose the server certificate that you created.
  6. Click Extract.
  7. Enter the full path of the certificate file to which the server certificate is extracted, for example, C:\ServerCertificates\MyServerCertificate.arm, as shown in Figure 18.

    Figure 18. Extracting a certificate from WebSphere ESB

  8. Click OK and save the changes to the master configuration.
  9. Transfer the extracted certificate file to a folder in the WebSphere Commerce server.
  10. Launch the iKeyman utility in the WebSphere Commerce server.
  11. Open the Java Virtual Machine trust store. The Java Virtual Machine trust store of WebSphere Application Server on the WebSphere Commerce server is the appServerRoot/java/jre/lib/security/cacerts file, where appServerRoot is the path to the WebSphere Application Server root folder. The key database type is JKS.
  12. Enter the trust store password. The default password for cacerts is changeit.
  13. Click OK.
  14. Select Signer Certificates and click Add.
  15. Enter the certificate file details as shown in Figure 19.

    Figure 19. Adding a certificate to the trust store using iKeyman

  16. Enter the certificate file name of the server certificate that you copied from the WebSphere ESB server to the WebSphere Commerce server.
  17. Enter the certificate file location.
  18. Click OK.
  19. Enter a label for the new certificate and click OK.

Now the WebSphere ESB and WebSphere Commerce servers trust each other. Restart both servers. If you created a non-SSL transport chain, first test your application in WebSphere ESB using that non-SSL transport chain to make sure that there are no errors in either the application or the transport. If it works, test your application using the SSL-enabled transport chain. Check the logs on both servers to confirm that the transport chain logged no error or exception. Once everything works, delete the non-SSL transport chain from WebSphere ESB for better security.
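The key store creation, certificate extraction and signer import described in the two procedures above can be scripted with the JDK keytool command instead of the iKeyman and console GUIs. The script below is an added example, not part of this tutorial or of the WebSphere products; the file names, aliases, subject names and passwords are constructed for a scratch run in a temporary directory, and the "cacerts" file it writes is a throwaway stand-in for the real JVM trust store, not the one under appServerRoot.

```shell
#!/bin/sh
# Added example: the iKeyman/console steps from this page done with the JDK keytool CLI.
# All names, aliases and passwords below are constructed for a scratch run (assumptions).
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Create a JKS key store holding one self-signed certificate (Figures 12 and 13).
# $1 key store path, $2 password, $3 alias, $4 subject DN
gen_selfsigned() {
  keytool -genkeypair -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2" \
    -alias "$3" -keyalg RSA -keysize 2048 -validity 365 -dname "$4"
}

# Extract only the public certificate, Base64 encoded as in the .arm files on this page
# (Figures 16 and 18). The private key never leaves the key store.
extract_cert() {  # $1 key store, $2 password, $3 alias, $4 output file
  keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Add the extracted certificate as a signer certificate in a trust store (Figures 17 and 19).
# keytool creates the trust store file if it does not exist yet.
import_signer() {  # $1 trust store, $2 password, $3 alias, $4 certificate file
  keytool -importcert -noprompt -keystore "$1" -storetype JKS -storepass "$2" \
    -alias "$3" -file "$4"
}

# Report the entry type for an alias. A trust store must only ever show trustedCertEntry;
# a PrivateKeyEntry in a trust store means a private key was copied where it does not belong.
entry_type() {  # $1 store, $2 password, $3 alias
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" \
    | grep -oE 'trustedCertEntry|PrivateKeyEntry' | head -n 1
}

# Both directions from this page: Commerce client cert -> ESB trust store,
# ESB server cert -> Commerce JVM trust store (real file: appServerRoot/java/jre/lib/security/cacerts,
# default password changeit; a scratch copy named cacerts is used here).
mutual_trust_demo() {
  COMMERCE_KS="$WORK/CommerceKey.jks"; ESB_KS="$WORK/EsbKey.jks"
  ESB_TRUST="$WORK/EsbTrust.jks";      JVM_TRUST="$WORK/cacerts"
  gen_selfsigned "$COMMERCE_KS" commercepw commerceclient "CN=commerce.example.test,O=Example,C=US"
  gen_selfsigned "$ESB_KS" esbkeypw esbserver "CN=esb.example.test,O=Example,C=US"
  extract_cert "$COMMERCE_KS" commercepw commerceclient "$WORK/CommerceClientcert.arm"
  extract_cert "$ESB_KS" esbkeypw esbserver "$WORK/MyServerCertificate.arm"
  import_signer "$ESB_TRUST" esbtrustpw commerceclient "$WORK/CommerceClientcert.arm"
  import_signer "$JVM_TRUST" changeit esbserver "$WORK/MyServerCertificate.arm"
  echo "ESB trust store entry:   $(entry_type "$ESB_TRUST" esbtrustpw commerceclient)"
  echo "JVM trust store entry:   $(entry_type "$JVM_TRUST" changeit esbserver)"
}
```

Run mutual_trust_demo after sourcing the script; both lines should report trustedCertEntry, and the key stores (not the trust stores) are the only files that contain a PrivateKeyEntry. The key store password passed through -Djavax.net.ssl.keyStorePassword is visible in the process arguments and the saved server configuration, so restrict read access to both.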