Maximo Anywhere, MobileFirst and SSL : REDUX
Shane Howard
A couple of years ago I wrote a basic SSL configuration doc for Maximo Anywhere. At the time I only showed how to configure the SSL certificates in the runtime keystore, the certificate the MobileFirst adapter uses to talk to the back-end Maximo server over SSL. The problem is that if the plan is an end-to-end SSL solution, there is more configuration to do for SSL and MobileFirst than that.
Although this configuration is not specific to Maximo Anywhere it is something we should still go over. In this blog I will do my best to outline the process of configuring Maximo Anywhere with a secured Maximo server as well as a secured MobileFirst server hosted on a different machine.
If you are reading this, your Maximo server is most likely already configured with SSL, so I am not going to cover configuring the Maximo WebSphere server. We will start with what I ran through in my last document, with some added details, and then move on to configuring MobileFirst.
Securing the connection between the MobileFirst adapter and Maximo
1. Our scenario starts with Maximo secured and our mobile devices trying to connect via SSL without any further configuration. Before we do anything on the Anywhere side we need to ensure that the WebSphere server that MobileFirst and our runtime are deployed to can trust the Maximo server's certificate. We do this by importing the Maximo signer certificate into our Node
From the WebSphere console expand Security, click SSL certificate and key management -> Key stores and certificates -> Node
A common error seen in the WebSphere logs if this step is not complete is the following.
000000b0 WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=
2. Now that the Maximo signer certificate is in the Node trust store on the MobileFirst server, we need to configure the MobileFirst adapter keystore so the adapter can validate the Maximo server's certificate when it connects over SSL. We do this by extracting the certificate from the trust store and saving it to the Anywhere build server.
From SSL certificate and key management -> Key stores and certificates -> Node
Once the certificate is copied to the Anywhere build machine we need to import it into the keystore that gets built into the runtime. In the IBM\
From the IBM\
ikeyman.cmd -cert -add -db c:\I
From the Java
keytool -import -alias maximo -file c:\IBM\maximo.cer -keystore c:\I
3. Now that your certificate is imported we need to update the work
You will also want to update the adapter properties in build.properties to use SSL, if that was not already defined during the install.
After updating the files, rebuild and deploy MaximoAnywhere.war and your applications. At this point you should have a working HTTP connection between the device and MobileFirst and an HTTPS connection between the adapter and Maximo.
*NOTE* Before proceeding any further, ensure you update the mxe.
A common error seen in the WebSphere logs when the above three steps are not complete is the following. It means the keystore does not exist or contains no certificates.
FWLSE0101E: Caused by: [project Maxi
Securing the connection between MobileFirst and the Mobile Device.
The steps above show how a non-secured MobileFirst server talks to a secured Maximo. But what if we want to secure MobileFirst as well? What is required, and how do we get the device to trust the server? That is what the next set of steps covers.
Before we get started, one very important thing to note: the mobile device platforms will not let you trust a self-signed certificate that is not a CA certificate. If you have created your own certificates and the Basic Constraints extension does not show Subject Type=CA (basicConstraints CA:TRUE in OpenSSL terms), the certificate cannot be installed as a trusted CA, so your certificates will not be trusted and you will not be able to connect to MobileFirst.
Most customers configuring a production environment will be using certificates signed by a recognized certificate authority, but when testing on your own you will need to create your own CA and sign your server certificate with it. I did this using ikeyman from the WebSphere JDK, but it can also be done fairly easily with OpenSSL.
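As an added example (not code from the original post or from IBM), here is the OpenSSL version of that: a two-level chain, root CA -> intermediate CA -> server certificate, where both CA certificates carry basicConstraints CA:TRUE, which is exactly what the device checks for. The host name mobilefirst.example.com, the validity periods and the file names are assumptions. root.crt and inter.crt are the two DER files you would later copy to the device, and server.pem with server.key is what you would put in the keystore that gets imported into WebSphere.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM: build a root CA,
# an intermediate CA and a server certificate with OpenSSL so that both CA
# certificates carry basicConstraints CA:TRUE (the "Subject Type=CA" the
# device checks). Host name, validity periods and file names are assumptions.
set -e

# Create the root -> intermediate -> server chain under directory $1 for host $2.
make_test_chain() {
    dir=$1
    host=${2:-mobilefirst.example.com}
    mkdir -p "$dir"

    # Extensions for the CA certificates: the CA flag is what the device requires.
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$dir/ca.ext"

    # Extensions for the server certificate: explicitly not a CA, with the
    # host name as a subjectAltName so TLS clients can match it.
    printf '%s\n' \
        'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$host" > "$dir/server.ext"

    # Root CA: self-signed.
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -new -key "$dir/root.key" -subj "/CN=Test Root CA" -out "$dir/root.csr"
    openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA: signed by the root, also CA:TRUE.
    openssl genrsa -out "$dir/inter.key" 2048 2>/dev/null
    openssl req -new -key "$dir/inter.key" -subj "/CN=Test Intermediate CA" -out "$dir/inter.csr"
    openssl x509 -req -sha256 -days 1825 -in "$dir/inter.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null

    # Server certificate for the MobileFirst host: signed by the intermediate.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null

    # DER copies of the two CA certificates: these are the files to put on the device.
    openssl x509 -in "$dir/root.pem" -outform DER -out "$dir/root.crt"
    openssl x509 -in "$dir/inter.pem" -outform DER -out "$dir/inter.crt"
}

# Exit 0 only if the certificate carries basicConstraints CA:TRUE.
has_ca_constraint() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 only if server.pem chains to root.pem through inter.pem.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/server.pem" >/dev/null
}

# Stand-alone use: build the chain in ./test-ca (or the directory given) and report.
main() {
    dir=${1:-./test-ca}
    make_test_chain "$dir" "${2:-mobilefirst.example.com}"
    for c in root inter server; do
        if has_ca_constraint "$dir/$c.pem"; then flag=CA:TRUE; else flag=CA:FALSE; fi
        echo "$c.pem $(openssl x509 -in "$dir/$c.pem" -noout -subject) $flag"
    done
    verify_chain "$dir" && echo "chain verifies: server.pem -> inter.pem -> root.pem"
}
main "$@"
```

Run it as `sh make-chain.sh ./test-ca mobilefirst.example.com`; it prints each certificate's subject with its CA flag and confirms the chain verifies. has_ca_constraint is the command-line equivalent of looking for Subject Type=CA in the certificate viewer, and it is the first thing to check when a device refuses to install your CA certificate.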
So I now have my root CA certificate, my intermediate CA certificate and the server certificate and private key they signed in a keystore. The first thing I want to do is import those certificates into the NodeDefaultKeyStore on the MobileFirst server.
From SSL certificate and key management -> Key stores and certificates -> NodeDefaultKeyStore -> Personal certificates, click Import. Select the 'Key store file' option and enter the path to your keystore, its type and its password; mine is a JKS file. Make sure you select the certificate alias you wish to import, then click Apply.
As we have only imported the certificates into the Node
Now that we have our personal certificates imported and signers exchanged, we need to tell the node to use our certificate rather than the one bundled with WebSphere.
Again from SSL certificate and key management, click SSL configurations, then select Node
Click Apply and save to the master configuration, then do a full synchronization on your node and restart the MobileFirst JVM. Now when you access the MobileFirst application over the SSL-enabled port and protocol you should see your certificate in use. If the default WAS certificate is still being served, double-check that the last step was changed from default to mobilefirst (or whatever your certificate alias is).
Updating Build Properties and the Device.
1. Now that your MobileFirst server is secured, we need to update the build properties to point to the secured server. From IBM\
For the *.url properties ensure the SSL-enabled port is defined and the protocol is updated to https.
For the *.protocol properties change http to https
For the *.port properties change the port to the SSL enabled port.
Rebuild and deploy your applications.
2. If you are using certificates signed by a recognized CA (Symantec, VeriSign etc.) you will likely not have to install any certificates on the device, as most CA root certificates are already present. If you are using your own self-signed CA you will need to install its certificate on the device, and if it is chained the root certificate is required as well. My certificates are chained, so I have two certificates to place on the device; you can email them to yourself and install them under VPN and apps, as in the Android example.
A CA certificate will show up under User in the device's trusted certificate list; a certificate that is not a CA certificate ends up under User certificates instead and will not be used to trust the server. At this point you should be able to log in to Maximo Anywhere end to end over SSL.
Common Device Errors.
An error you may see in the device logs if the above is not configured correctly is the following. It is caused by the device finding no trusted certificate for the server, or by the self-signed certificate not being a CA certificate and therefore not trusted.
Another error you may see from the device is the following. It is due to the level of security (protocol and cipher suites) the server requires, and can be corrected by updating the QOP for the Node
09-17 21:48:54.309 670-798/? W/System.err: java
09-17 21:48:54.309 670-798/? W/System.err: at com.
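Both device errors can be diagnosed from a workstation with OpenSSL before touching the device. The following is an added example, not from the original post or from IBM: it prints the chain the MobileFirst server actually presents (a device that trusts only your root CA still fails if the server does not send the intermediate), the negotiated protocol and cipher, and OpenSSL's verify result, then probes which TLS versions the server's QoP settings accept. The host name, the default port 9443 and the sample s_client output embedded in the script are constructed assumptions; the summarizer is the only part that runs without a server to connect to.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM. Diagnose the two
# device-side failures from a workstation: what chain the MobileFirst server
# presents, and which TLS versions its QoP settings accept.
# Host name and port are arguments; 9443 is an assumed default.
set -e

# Reduce raw `openssl s_client -showcerts` output to the lines that matter:
# each presented certificate (subject and issuer), the negotiated protocol
# and cipher, and OpenSSL's own verify result.
summarize_s_client() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ /, ""); print "cert " $0; next }
        /^ *i:/        { sub(/^ */, "");        print "     " $0; next }
        /^ *Protocol *:/ || /^ *Cipher *:/ || /^ *Verify return code:/ {
            sub(/^ */, ""); print
        }
    '
}

# Number of certificates the server sent. A device that trusts only the root
# CA still fails if this is 1, because the server omitted the intermediate.
count_presented_certs() {
    grep -c '^ *[0-9][0-9]* s:'
}

# Live query of the server's chain, protocol and cipher.
show_server_tls() {
    host=$1; port=${2:-9443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | summarize_s_client
}

# One handshake attempt per TLS version. "rejected" means the server's QoP
# does not offer that version (or this OpenSSL build lacks the option).
probe_protocols() {
    host=$1; port=${2:-9443}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$host:$port" -servername "$host" "-$v" \
                </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: rejected"
        fi
    done
}

# Constructed sample of s_client output (not captured from a real server):
# a server sending its certificate plus the intermediate over TLS 1.2, seen
# from a workstation that does not trust the test root (verify code 21).
SAMPLE_S_CLIENT='CONNECTED(00000003)
Certificate chain
 0 s:CN = mobilefirst.example.com
   i:CN = Test Intermediate CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
 1 s:CN = Test Intermediate CA
   i:CN = Test Root CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mobilefirst.example.com
issuer=CN = Test Intermediate CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 21 (unable to verify the first certificate)
---'

main() {
    if [ $# -ge 1 ]; then
        show_server_tls "$1" "${2:-9443}"
        probe_protocols "$1" "${2:-9443}"
    else
        echo "No host given; summarizing the constructed sample instead:"
        printf '%s\n' "$SAMPLE_S_CLIENT" | summarize_s_client
        echo "certificates presented: $(printf '%s\n' "$SAMPLE_S_CLIENT" | count_presented_certs)"
    fi
}
main "$@"
```

Run it as `sh check-mobilefirst-tls.sh mobilefirst.example.com 9443`. If the summary shows only one certificate, the device error about no trusted certificate is explained by the missing intermediate, not by the device; if the version the device is sending shows as rejected in the probe, the QoP setting on the node is the thing to change.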