7 replies. Latest post 2013-04-24T20:41:22Z by jfk
jfk

Handle certificates in WAS

2013-04-21T19:22:33Z

Hi,

We have a Java based web application deployed in WebSphere Application Server (6.1) that has to connect to a backoffice server using HTTPS and SSL.

What's the best procedure to follow in order to implement that?

Export/import backoffice server certificates? Is there a way to manage the certificates in WAS? Are there some variables for the keystore and truststore, to use them in the Java code of the web application?

The backoffice server relies on WAS too. Is there a solution to secure the communication between the 2 servers without modifying the Java code of the front web application?

Thanks

Regards

Updated on 2013-04-21T19:23:33Z by jfk
  • bpaskin

    Re: Handle certificates in WAS

    2013-04-23T13:06:38Z  in response to jfk

    Hi, WebSphere has a keystore and a truststore that can be used, or you can create your own keystore and truststore.  In the console go to Security > SSL Certificate and Key Management > Key Stores and Certificates > YOUR_TRUST_STORE > Signer Certificates. Then click on the "retrieve from port" button and enter the info to get the certificate.  You can configure all traffic to go over SSL or only some using "Dynamic Outbound SSL Configuration."  No programming changes are needed.

    Regards,

    Brian

    • jfk

      Re: Handle certificates in WAS

      2013-04-23T19:38:55Z  in response to bpaskin

      Hi,

      Thanks for the reply.

      But is there an API to access the keystore and truststore declared through the WAS console if I want to retrieve the certificate and use it in my web application?

      The feature you mention, "Dynamic Outbound SSL Configuration", seems interesting. How does it work?

      I think in this case it is necessary to configure SSL for inbound too, to get the response.

      Regards

      • bpaskin

        Re: Handle certificates in WAS

        2013-04-24T11:18:52Z  in response to jfk

        You can access the keystore and truststore using Java APIs, but there is no reason to do so for your purpose.  SSL communication is handled by the container.

        Take a look at this documentation for info on the Dynamic Outbound SSL Config: http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.express.doc/info/exp/ae/usec_sslnewdynendconf.html

        Regards, Brian

        • jfk

          Re: Handle certificates in WAS

          2013-04-24T18:30:16Z  in response to bpaskin

          Hi,

          If I understand correctly, the SSL implementation is all managed by WAS through configuration, with no intrusion into the Java web application code.

          With this configuration, is two-way SSL supported? Server certificate (the remote server) and client certificate (my application)? I think when a remote request is made (to the backoffice) my certificate (of my front application) must be sent automatically for checking in the HTTP request. I don't see what to do in order to take into account my certificate and to send it. I think it must be done in code when the HTTPS connection is opened.

          In the truststore are the certificates to check against (so in my example the back office certificate will be installed in the truststore of my web front application).

          Thanks a lot.

          Regards
          • bpaskin

            Re: Handle certificates in WAS

            2013-04-24T19:49:10Z  in response to jfk

            Hi, for two-way SSL where WAS is the client there is a little more that needs to be set up. Do the following:

            1. Import the necessary certs into the key and truststores.

            2. Go to SSL certificate and key management > SSL configurations and add a new SSL Configuration. You will need to set the "Default client certificate alias" to the client cert that you will send. You do not necessarily need to create a new configuration, but I would recommend this to avoid any confusion on configurations.

            3. Go to SSL certificate and key management > Dynamic outbound endpoint SSL configurations and add a new outbound connection.  Under "SSL Configuration", please make sure that you use the SSL Configuration you set up in step 2.

            If this is the only connection that requires two-way SSL, you can set this up another way, but I would recommend using this if the configuration will not change.  You can set the outbound HTTPS and override the SSL Configuration with the SSL configuration set above.

            Regards, Brian
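
The same setup, scripted. This is an added example and not code from the thread or from IBM: it runs Brian's "Retrieve from port" step from his first reply and the three steps above through wsadmin (Jython) instead of the console, so the configuration can be repeated on every node and kept in version control. Host name, port, store names, aliases and the scope string are placeholders to adjust; the AdminTask command and parameter names are from the WAS SSLConfigCommands / SignerCertificateCommands groups as I recall them, and the protocol,host,port order of -dynSSLConfigSelectionInfo is an assumption, so check both with AdminTask.help('createSSLConfig') and AdminTask.help('createDynamicSSLConfigSelection') on your release before running.

```jython
# Added example (not from the thread or from IBM): two-way SSL for an outbound
# connection from WAS to a back-office server, scripted with wsadmin.
# Run with: wsadmin.sh -lang jython -f setup_outbound_mtls.py
# Placeholder values below must be adapted; parameter names are as recalled
# from the WAS AdminTask docs (verify with AdminTask.help('<command>')).

cellName  = AdminControl.getCell()
nodeName  = AdminControl.getNode()
nodeScope = '(cell):%s:(node):%s' % (cellName, nodeName)

backofficeHost = 'backoffice.example.com'   # placeholder
backofficePort = '443'                      # placeholder
keyStoreName   = 'NodeDefaultKeyStore'      # holds the front application's key pair
trustStoreName = 'NodeDefaultTrustStore'    # holds the signers WAS will trust
clientKeyAlias = 'frontend_client'          # personal cert already imported into the keystore
signerAlias    = 'backoffice_signer'
sslConfigAlias = 'BackofficeMutualSSL'
dynSelName     = 'BackofficeOutbound'

# Brian's first reply: pull the back-office signer certificate over the wire
# into the truststore (scripted form of the "Retrieve from port" button).
# Compare the printed fingerprint with one obtained out of band before saving,
# otherwise you are trusting whatever answered on that port.
AdminTask.retrieveSignerFromPort('[-keyStoreName %s -keyStoreScopeName %s '
    '-host %s -port %s -certificateAlias %s]'
    % (trustStoreName, nodeScope, backofficeHost, backofficePort, signerAlias))
print AdminTask.getSignerCertificate('[-keyStoreName %s -keyStoreScopeName %s '
    '-certificateAlias %s]' % (trustStoreName, nodeScope, signerAlias))

# Step 2: a dedicated SSL configuration whose client key alias is the
# certificate WAS presents when the back office asks for client authentication.
AdminTask.createSSLConfig('[-alias %s -type JSSE -scopeName %s '
    '-keyStoreName %s -keyStoreScopeName %s '
    '-trustStoreName %s -trustStoreScopeName %s '
    '-clientKeyAlias %s -sslProtocol TLS]'
    % (sslConfigAlias, nodeScope, keyStoreName, nodeScope,
       trustStoreName, nodeScope, clientKeyAlias))

# Step 3: bind that configuration only to outbound HTTP(S) connections toward
# the back-office host and port, so every other outbound call keeps the node's
# default SSL settings. Order of the selection info is assumed: protocol,host,port.
AdminTask.createDynamicSSLConfigSelection('[-dynSSLConfigSelectionName %s '
    '-dynSSLConfigSelectionDescription "Client cert for back office" '
    '-dynSSLConfigSelectionInfo HTTP,%s,%s -scopeName %s '
    '-sslConfigName %s -certificateAlias %s]'
    % (dynSelName, backofficeHost, backofficePort, nodeScope,
       sslConfigAlias, clientKeyAlias))

AdminConfig.save()
```

Nothing in the application changes: the container picks the dynamic selection by matching the target host and port when the web application opens its HTTPS connection, and the back office in turn needs the signer of frontend_client in its own truststore for the client certificate to verify.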

            • jfk

              Re: Handle certificates in WAS

              2013-04-24T20:41:22Z  in response to bpaskin

              Hi,

              Exactly, we want to deploy mutual authentication with WAS. Described like that it seems simple, based only on configuration. I will have a look at the WAS console tomorrow. Some points are still a little unclear, so I will look at the configuration.

              Thanks a lot for all this information.