IBM Support

Enabling HTTPS for WebSphere Lombardi Edition (WLE) Portal

Question & Answer


Question

How do I configure HTTPS for WebSphere Lombardi Edition using an SSL certificate from a certificate authority in a standalone WebSphere Lombardi Edition environment?

Answer

The following steps refer to the NodeDefaultKeyStore and NodeDefaultTrustStore files. If you are running in a cluster configuration, there is a copy of these files on each node.
For example, a two-node cluster has two copies of each file. Wherever an instruction tells you to modify one of these files, modify the copy on every node; wherever an instruction tells you to modify a node, do so for all nodes. Complete the following steps:

  1. Back up your WebSphere Application Server configuration before you change any key store, so that you can restore it with restoreConfig if a later step goes wrong:
    AppServer\bin>backupConfig -nostop

  2. Log on to the WebSphere Administrative Console.

  3. Create a Personal Certificate Request:
    Click Security -> SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificate requests > New.

  4. Submit the certificate request to the certificate authority (third-party or internal) and have it issue the signed SSL certificate.

  5. Before you receive the final signed certificate, add any additional certificates that the certificate authority provides. Certificate authorities (internal or external) often provide an intermediate certificate. If you are provided with additional certificates, add them to the NodeDefaultKeyStore and the CellDefaultTrustStore using the following substeps. If the certificate authority does not provide additional certificates, add its root certificate instead.
    1. Click Security -> SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Signer certificates > Add.
    2. Click Security -> SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Add.

  6. When you receive the final certificate from the Certificate Authority, save the new Secure Sockets Layer (SSL) certificate and the new root certificate to a local file system in the application server.

  7. Add the signer certificate to NodeDefaultKeyStore:
    1. Click SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Signer certificates > Add signer certificate.
    2. Specify an alias name for the signer certificate
    3. Specify the fully qualified location of the certificate file name
    4. Click Apply and save the changes
  8. Add the personal certificate to NodeDefaultKeyStore:
    1. Click SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates > Receive certificate from CA.
    2. Specify the fully qualified location of the certificate file name.
    3. Click Apply and save the changes.
    4. Replace the default certificate with your new Personal certificate:
      1. Click SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates
      2. Select the check box next to default and click Replace.
      3. Choose the certificate to replace default.
      4. Select Delete old certificate after the replacement.
      5. Select Delete old signers.
      6. Click Apply and save the changes.

  9. Add the signer to the NodeDefaultTrustStore:
    1. Click SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates > Add signer certificate.
    2. Specify an alias name for the signer certificate.
    3. Specify the fully qualified name of the root certificate.
    4. Click Apply and save the changes.

  10. Add the personal certificate to the NodeDefaultTrustStore:
    1. Click SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Personal certificates > Receive certificate from CA.
    2. Specify the fully qualified location of the signed certificate file.
    3. Click Apply and save the changes.
    4. Replace the default certificate with your new personal certificate:
      1. Click SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Personal certificates.
      2. Select the check box next to default and click Replace.
      3. Choose the certificate to replace default.
      4. Select Delete old certificate after the replacement.
      5. Select Delete old signers.
      6. Click Apply and save the changes.

  11. Configure the SSL certificate for inbound connections by selecting the newly configured certificate alias:
    1. Click SSL certificate and key management > Manage endpoint security configurations > Node name in Inbound section > Certificate alias in key store.
    2. Click Apply and save the changes.

  12. Configure the SSL certificate for outbound connections by selecting the newly configured certificate alias:
    1. Click SSL certificate and key management > Manage endpoint security configurations > Node name in Outbound section > Certificate alias in key store.
    2. Click Apply and save the changes.

  13. Extract your Trust Store signer certificate:
    1. Log in to the WebSphere Administrative Console.
    2. Navigate to SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
    3. Select the check box next to the root certificate.
    4. Click Extract.
    5. Enter a path and file name to save the certificate on the machine that hosts the deployment manager.
    6. Set the Data type value to Binary DER data.
    7. Click OK.

  14. Import the Trust Store signer certificate into the Java™ virtual machine (JVM) trust store using the iKeyman tool, so that the JVM itself trusts certificates issued by this CA:
    1. Stop the WebSphere Lombardi Edition Process Server, if it is running.
    2. Transfer the DER file from Step 13 to a file system location that is accessible to the WebSphere Lombardi Edition Process Server.
    3. On the Process Server host, navigate to the [WLE_Home]/AppServer/bin directory and start the iKeyman tool (ikeyman.bat on Windows, ikeyman.sh on UNIX).
      NOTE: If you are using a UNIX-based machine that does not have a user interface (GUI), you can use ikeyman as a command-line tool. For more information, see the Using the IKEYCMD command-line interface document in the information center.
    4. Select Key Database File > Open.
    5. Set the Key Database type to JKS.
    6. Set the Location to [WLE_Home]/AppServer/java/jre/lib/security.
    7. Set the File Name to cacerts.
    8. Click OK.
    9. Provide the key database password. The default password for the JRE cacerts file is changeit; if it has never been changed on this host, change it after the import and restrict write access to the file, because anyone who can write to cacerts can add an issuer that the JVM will trust.
    10. Select Signer Certificates from the drop-down list.
    11. Select Add.
    12. Specify the location of the DER file and click OK.
    13. Enter a label for the certificate and click OK.

  15. Stop all application servers and node agents. Leave the deployment manager running.

  16. Synchronize all nodes using the syncNode script, as follows:

    AppServer/profiles/Lombardi/bin/syncNode Dmgr_hostname -user tw_user -password tw_user

    Replace tw_user and its password with your administrative credentials. A password passed on the command line is visible in shell history and process listings; on a shared host, omit -password and enter the password when the script prompts for it.

WebSphere Lombardi Edition related configurations

Create a 120SSLchanges.xml file in the process-server/config or process-center/config directory (depending on your environment) and copy the following code to it:


Note: For Process Center environments, omit the <teamworks-webapp-prefix> code as it causes problems in the authoring environment.
<properties>
  <common merge="mergeChildren">
    <portal-prefix merge="replace">https://hostname:443/portal</portal-prefix>
    <process-admin-prefix merge="replace">https://hostname:443/ProcessAdmin</process-admin-prefix>
    <teamworks-webapp-prefix merge="replace">https://hostname:443/teamworks</teamworks-webapp-prefix>
  </common>
  <server merge="mergeChildren">
    <email merge="mergeChildren">
      <mail-template merge="mergeChildren">
        <client-link merge="replace">https://hostname:443/teamworks</client-link>
      </mail-template>
    </email>
  </server>
</properties>


Note: Change the server name and port as appropriate for your configuration and copy this file to all nodes, making sure the server name is correct on each. Also note that the previous code includes :443 even though that is the default HTTPS port; the explicit port value is required to work around a current WebSphere Lombardi Edition issue. You must restart the application servers for the change to take effect.
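The following script, added here as an example and not part of the IBM technote, generates a 120SSLchanges.xml for a given host and port and then checks a file for the mistakes that break this step: an http:// prefix, a missing explicit port, the unedited "hostname" placeholder, or a missing merge="replace". It assumes only the element names and merge attributes shown in the fragment above and omits teamworks-webapp-prefix for Process Center as the note above instructs.

```python
"""Generate and sanity-check a 120SSLchanges.xml for WLE.

Added example, not IBM's code. Assumes the element names and merge
attributes shown in the technote fragment.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PLACEHOLDER_HOST = "hostname"  # literal placeholder used in the technote fragment
URL_ELEMENTS = ("portal-prefix", "process-admin-prefix",
                "teamworks-webapp-prefix", "client-link")


def render_ssl_changes(host, port=443, process_center=False):
    """Return the XML text for 120SSLchanges.xml.

    The port is always written explicitly (":443" even for the default)
    because the technote says WLE needs it; teamworks-webapp-prefix is
    omitted for Process Center, as the technote's note instructs.
    """
    base = f"https://{host}:{port}"
    props = ET.Element("properties")
    common = ET.SubElement(props, "common", merge="mergeChildren")
    ET.SubElement(common, "portal-prefix", merge="replace").text = f"{base}/portal"
    ET.SubElement(common, "process-admin-prefix", merge="replace").text = f"{base}/ProcessAdmin"
    if not process_center:
        ET.SubElement(common, "teamworks-webapp-prefix", merge="replace").text = f"{base}/teamworks"
    server = ET.SubElement(props, "server", merge="mergeChildren")
    email = ET.SubElement(server, "email", merge="mergeChildren")
    template = ET.SubElement(email, "mail-template", merge="mergeChildren")
    ET.SubElement(template, "client-link", merge="replace").text = f"{base}/teamworks"
    return ET.tostring(props, encoding="unicode")


def check_ssl_changes(xml_text):
    """Return a list of problems found in the file text; empty means it looks right."""
    problems = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag not in URL_ELEMENTS:
            continue
        url = (el.text or "").strip()          # values may be on their own lines
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{el.tag}: scheme is {parts.scheme!r}, not https")
        if parts.port is None:
            problems.append(f"{el.tag}: port must be explicit (e.g. :443)")
        if parts.hostname in (None, "", PLACEHOLDER_HOST):
            problems.append(f"{el.tag}: host name not set")
        if el.get("merge") != "replace":
            problems.append(f'{el.tag}: missing merge="replace"')
    return problems


if __name__ == "__main__":
    text = render_ssl_changes("bpm.example.com")   # example host, not from the technote
    print(text)
    print("problems:", check_ssl_changes(text))
```

Run check_ssl_changes() over the copy on each node before restarting; the placeholder check catches the file that was copied to a second node without its server name being edited.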

Configure Virtual Host settings to enable SSL for a specified port
    Note: This change is only required if you want to change the default port, which is 9444.
    1. Log on to the WebSphere Administrative Console

    2. Click Application servers > twprocsvr > Ports > WC_defaulthost_secure.

    3. Optional: Change the default value of 9444 if necessary. For example, you can change it to 443 and so on.

    4. Click Environment > Virtual hosts > twprocsvr_host > Host Aliases.

    5. Add a host alias with host name * and port 443 (or whichever port you specified in the previous step).

    6. Restart all WebSphere processes including WebSphere Lombardi Edition.

    7. Log on to the Portal and Process Admin console using the HTTPS URLs you configured as portal-prefix and process-admin-prefix, and confirm that the browser accepts the certificate without a warning.
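Beyond the browser check, a practitioner wants a client-side test that the endpoint validates against the CA root alone and for the right host name. The script below is an added example, not IBM's code or part of this technote. verify_endpoint() needs network access and the CA root certificate as a PEM file (the technote extracts the signer as DER; extract it again as Base64 or convert it), and it trusts that file only, not the system or JVM trust store, so a server still presenting the old default certificate fails. summarize_cert() and hostname_matches() work on the dict that ssl.getpeercert() returns and are shown on a constructed sample certificate.

```python
"""Client-side check of the WLE HTTPS endpoint after the change.

Added example, not IBM's code. The host name, CA file name and sample
certificate are assumptions for illustration.
"""
import socket
import ssl
import sys
import time


def verify_endpoint(host, port=443, cafile="ca-root.pem", timeout=5.0):
    """Return the leaf certificate (ssl.getpeercert() dict) presented by host:port.

    Raises ssl.SSLError / ssl.SSLCertVerificationError if the chain does not
    validate against cafile or the certificate does not match host.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # only this CA is trusted
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _common_name(name):
    """name is getpeercert()'s nested tuple of RDNs: ((('commonName', 'x'),), ...)."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def summarize_cert(cert, now_ts=None):
    """Reduce a getpeercert() dict to the fields an operator checks by hand."""
    if now_ts is None:
        now_ts = time.time()
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": _common_name(cert.get("subject", ())),
        "issuer_cn": _common_name(cert.get("issuer", ())),
        "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "days_left": int((not_after - now_ts) // 86400),
        "self_signed": cert.get("subject") == cert.get("issuer"),
    }


def hostname_matches(summary, host):
    """True if host is covered by a DNS SAN or, when there are none, by the subject CN."""
    if summary["sans"]:
        return host in summary["sans"]
    return summary["subject_cn"] == host


# Constructed sample in getpeercert() shape, standing in for a live server.
SAMPLE_CERT = {
    "subject": ((("commonName", "bpm.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "bpm.example.com"), ("DNS", "portal.example.com")),
    "notBefore": "Dec 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec 15 00:00:00 2025 GMT")  # constructed "today"

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live check: host [cafile]
        host = sys.argv[1]
        cafile = sys.argv[2] if len(sys.argv) > 2 else "ca-root.pem"
        summary = summarize_cert(verify_endpoint(host, cafile=cafile))
    else:                                      # offline: inspect the sample
        host = "bpm.example.com"
        summary = summarize_cert(SAMPLE_CERT, now_ts=SAMPLE_NOW)
    print(summary, "hostname ok:", hostname_matches(summary, host))
```

A self_signed result of True after the procedure means the "default" certificate was not actually replaced for the inbound endpoint (step 11), and a days_left value near zero is the reminder to schedule renewal before the CA-issued certificate expires.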

Product: WebSphere Lombardi Edition (SSFPRP)
Component: Installation / Configuration
Platforms: AIX, Linux, Solaris, Windows
Version: 7.2

Product Synonym

WLE Lombardi

Document Information

Modified date:
15 June 2018

UID

swg21452291