Topic
  • 7 replies
  • Latest Post - 2013-04-24T20:41:22Z by jfk
jfk
jfk
30 Posts

Pinned topic Handle certificates in WAS

2013-04-21T19:22:33Z

Hi,

We have a Java based web application deployed in WebSphere Application Server (6.1) that has to connect to a backoffice server using HTTPS and SSL.

What's the best procedure to follow in order to implement that?

Export/import the backoffice server certificates? Is there a way to manage the certificates in WAS? Are there some variables for the keystore and truststore, and a way to use them in the Java code of the web application?

The backoffice server relies on WAS too. Is there a solution to secure the communication between the 2 servers without modifying the Java code of the front web application?

Thanks

Regards

Updated on 2013-04-21T19:23:33Z by jfk
  • bpaskin
    bpaskin
    5133 Posts

    Re: Handle certificates in WAS

    2013-04-23T13:06:38Z

    Hi, WebSphere has a keystore and a truststore that can be used, or you can create your own keystore and truststore.  In the console go to Security > SSL Certificate and Key Management > Key Stores and Certificates > YOUR_TRUST_STORE > Signer Certificates. Then click on the "retrieve from port" button and enter the info to get the certificate.  You can configure all traffic to go over SSL or only some using "Dynamic Outbound SSL Configuration."  No programming changes are needed.

    Regards,

    Brian
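
The "retrieve from port" step Brian describes has a Java equivalent that makes the trust decision visible. The following is an added example, not code from the thread or from WebSphere: it connects to the backoffice host and port, records the certificate chain the server presents, prints each certificate with its SHA-256 fingerprint and, only when a truststore file is given, stores the last certificate of the chain as a trusted signer in that JKS file. The class name, argument layout and the host:port alias are this example's own choices. The point for a practitioner is the same whether the button or this code is used: anything that fetches a certificate over the network is trusting whatever answered on that port at that moment, so the printed fingerprint should be compared with a value obtained from the backoffice team before the signer is stored.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not WebSphere code: the by-hand equivalent of the console's
 * "retrieve from port" button. Connects to host:port, records the certificate
 * chain the server presents, prints each certificate with its SHA-256
 * fingerprint and, only when a truststore is given, stores the last
 * certificate of the chain as a trusted signer in that JKS file.
 * Usage: java FetchServerCert <host> <port> [<truststore.jks> <password>]
 */
public class FetchServerCert {

    /**
     * Records the presented chain instead of validating it. Used only on this
     * probing connection, which sends no application data; it must never be
     * installed in a real client because it would accept any certificate.
     */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] captured = new X509Certificate[0];
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { captured = chain.clone(); }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Completes a TLS handshake with the server and returns the chain it sent. */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            socket.startHandshake(); // handshake only; no request is written
        } finally {
            socket.close();
        }
        return tm.captured;
    }

    /** Colon-separated SHA-256 fingerprint of the DER encoding, in the form keytool prints. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /** Adds cert as a trusted signer entry to a JKS truststore, creating the file if it does not exist. */
    static void addSigner(File truststore, char[] password, X509Certificate cert, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (truststore.exists()) {
            InputStream in = new FileInputStream(truststore);
            try { ks.load(in, password); } finally { in.close(); }
        } else {
            ks.load(null, password); // start from an empty store
        }
        ks.setCertificateEntry(alias, cert);
        OutputStream out = new FileOutputStream(truststore);
        try { ks.store(out, password); } finally { out.close(); }
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        X509Certificate[] chain = fetchChain(host, port);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            System.out.println("[" + i + "] subject: " + c.getSubjectX500Principal());
            System.out.println("    issuer:  " + c.getIssuerX500Principal());
            System.out.println("    valid:   " + c.getNotBefore() + " .. " + c.getNotAfter());
            System.out.println("    SHA-256: " + sha256Fingerprint(c));
        }
        if (args.length >= 4 && chain.length > 0) {
            // Store only after the fingerprint printed above has been confirmed with the
            // backoffice team out of band; otherwise this is trust-on-first-use.
            X509Certificate signer = chain[chain.length - 1]; // highest CA the server sent, or the leaf if self-signed
            String alias = host + ":" + port;
            addSigner(new File(args[2]), args[3].toCharArray(), signer, alias);
            System.out.println("Stored signer '" + alias + "' in " + args[2]);
        }
    }
}
```

The code uses only Java 5 syntax and APIs, so it compiles at the JDK level of a WAS 6.1 runtime. Storing the signer as a separate, deliberate second step is what keeps the fingerprint check from being skipped.
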

  • jfk
    jfk
    30 Posts

    Re: Handle certificates in WAS

    2013-04-23T19:38:56Z
    • bpaskin
    • 2013-04-23T13:06:38Z

    Hi, WebSphere has a keystore and a truststore that can be used, or you can create your own keystore and truststore.  In the console go to Security > SSL Certificate and Key Management > Key Stores and Certificates > YOUR_TRUST_STORE > Signer Certificates. Then click on the "retrieve from port" button and enter the info to get the certificate.  You can configure all traffic to go over SSL or only some using "Dynamic Outbound SSL Configuration."  No programming changes are needed.

    Regards,

    Brian

    Hi, 

    Thanks for the reply. 

    But is there an API to access the keystore and truststore declared through the WAS console if I want to retrieve the certificate and use it in my web application?

    The feature you mention, "Dynamic Outbound SSL Configuration", seems interesting. How does it work?

    I think in this case it is necessary to configure SSL for inbound too to get the response.

    Regards

  • bpaskin
    bpaskin
    5133 Posts

    Re: Handle certificates in WAS

    2013-04-24T11:18:52Z
    • jfk
    • 2013-04-23T19:38:56Z

    Hi, 

    Thanks for the reply. 

    But is there an API to access the keystore and truststore declared through the WAS console if I want to retrieve the certificate and use it in my web application?

    The feature you mention, "Dynamic Outbound SSL Configuration", seems interesting. How does it work?

    I think in this case it is necessary to configure SSL for inbound too to get the response.

    Regards

    You can access the keystore and truststore using Java APIs, but there is no reason to do so for your purpose. SSL communication is handled by the container.

    Take a look at this documentation for info on the Dynamic Outbound SSL Config: http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.express.doc/info/exp/ae/usec_sslnewdynendconf.html

    Regards, Brian

  • jfk
    jfk
    30 Posts

    Re: Handle certificates in WAS

    2013-04-24T18:30:16Z
    • bpaskin
    • 2013-04-24T11:18:52Z

    You can access the keystore and truststore using Java APIs, but there is no reason to do so for your purpose. SSL communication is handled by the container.

    Take a look at this documentation for info on the Dynamic Outbound SSL Config: http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.express.doc/info/exp/ae/usec_sslnewdynendconf.html

    Regards, Brian

    Hi,

    If I understand correctly, the SSL implementation is all managed by WAS through configuration, with no intrusion into the Java web application code.

    With this configuration, is two-way SSL supported? Server certificate (the remote server) and client certificate (my application)? I think when a remote request is made (to the backoffice), my certificate (of my front application) must be sent automatically for checking in the HTTP request. I don't see what to do in order to take my certificate into account and send it. I think it must be done in code when the HTTPS connection is opened.

    The truststore holds the certificates to check against (so in my example the backoffice certificate will be installed in the truststore of my web front application).

    Thanks a lot.

    Regards


  • bpaskin
    bpaskin
    5133 Posts

    Re: Handle certificates in WAS

    2013-04-24T19:49:10Z
    • jfk
    • 2013-04-24T18:30:16Z

    Hi,

    If I understand correctly, the SSL implementation is all managed by WAS through configuration, with no intrusion into the Java web application code.

    With this configuration, is two-way SSL supported? Server certificate (the remote server) and client certificate (my application)? I think when a remote request is made (to the backoffice), my certificate (of my front application) must be sent automatically for checking in the HTTP request. I don't see what to do in order to take my certificate into account and send it. I think it must be done in code when the HTTPS connection is opened.

    The truststore holds the certificates to check against (so in my example the backoffice certificate will be installed in the truststore of my web front application).

    Thanks a lot.

    Regards


    Hi, for two-way SSL where WAS is the client there is a little more that needs to be set up. Do the following:

    1. Import the necessary certs into the key and truststores.

    2. Go to SSL certificate and key management > SSL configurations and add a new SSL Configuration. You will need to set the "Default client certificate alias" to the client cert that you will send. You do not necessarily need to create a new configuration, but I would recommend this to avoid any confusion about configurations.

    3. Go to SSL certificate and key management > Dynamic outbound endpoint SSL configurations and add a new outbound connection. Under "SSL Configuration", please make sure that you use the SSL Configuration you set up in step 2.

    If this is the only connection that requires two-way SSL, you can set this up another way, but I would recommend using this if the configuration will not change. You can set the outbound HTTPS and override the SSL Configuration with the SSL configuration set above.

    Regards, Brian
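
Brian's earlier reply noted that the keystore and truststore can be reached through Java APIs, and this post maps two-way SSL onto three console settings. As an added example (not WebSphere code and not from the thread), the client below builds the same arrangement by hand with the standard JSSE API, so each setting has a concrete counterpart: the truststore supplies the signers accepted for the backoffice server certificate, the keystore supplies this application's own key and certificate, and a wrapper key manager pins the alias that is sent, which is what "Default client certificate alias" selects. The file paths, the password, the alias frontapp-client and the URL are placeholders. In a WAS deployment the container's SSL configuration does all of this, as Brian says; the code shows what those settings control rather than suggesting they be replaced.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Added example, not WebSphere code: a hand-built two-way SSL client showing what
 * the three console settings in the thread control.
 *   truststore  -> signers accepted for the backoffice server certificate
 *   keystore    -> this application's own key pair and certificate
 *   clientAlias -> the entry presented to the server ("Default client certificate alias")
 * Paths, password, alias and URL below are placeholders.
 */
public class MutualTlsClient {

    /** Presents one configured alias instead of letting the JDK pick among all key entries. */
    static final class FixedAliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        private final String alias;
        FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            if (delegate.getPrivateKey(alias) == null) {
                throw new IllegalArgumentException("keystore has no private key entry for alias " + alias);
            }
            this.delegate = delegate;
            this.alias = alias;
        }
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return alias; }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return alias; }
        public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        public String[] getServerAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        public X509Certificate[] getCertificateChain(String ignored) { return delegate.getCertificateChain(alias); }
        public PrivateKey getPrivateKey(String ignored) { return delegate.getPrivateKey(alias); }
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    /** Lists a store's entries: key entries can act as client certificates, the rest are trusted signers. */
    static void describe(String name, KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isKeyEntry(alias) ? "key entry (client cert candidate)" : "trusted signer";
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println(name + ": " + alias + " = " + kind + " [" + c.getSubjectX500Principal() + "]");
        }
    }

    /** Builds an SSLContext that presents clientAlias and trusts only the signers in trustStore. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, String clientAlias,
                                   KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new FixedAliasKeyManager((X509KeyManager) kms[i], clientAlias);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // the server's chain must lead to one of these signers; nothing else is accepted
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();                        // placeholder
        KeyStore keyStore = loadJks("/opt/frontapp/key.jks", password);     // placeholder path
        KeyStore trustStore = loadJks("/opt/frontapp/trust.jks", password); // placeholder path
        describe("keystore", keyStore);
        describe("truststore", trustStore);
        SSLContext ctx = buildContext(keyStore, password, "frontapp-client", trustStore); // placeholder alias
        URL url = new URL("https://backoffice.example.internal:9443/service");              // placeholder URL
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // default hostname verification stays active
        int status = conn.getResponseCode();              // handshake happens here; server may ask for our cert
        X509Certificate serverCert = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("HTTP " + status + " from " + serverCert.getSubjectX500Principal());
    }
}
```

Hostname verification of the backoffice certificate stays enabled because HttpsURLConnection performs it by default; the only trust decision the code adds is which signers are in trust.jks. The FixedAliasKeyManager constructor fails fast when the alias has no private key, which is the same mistake the console setting guards against (pointing the alias at a signer entry instead of a key entry). Only Java 5 syntax and APIs are used, so the class compiles at the JDK level of a WAS 6.1 runtime.
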

  • jfk
    jfk
    30 Posts

    Re: Handle certificates in WAS

    2013-04-24T20:41:22Z
    • bpaskin
    • 2013-04-24T19:49:10Z

    Hi, for two-way SSL where WAS is the client there is a little more that needs to be set up. Do the following:

    1. Import the necessary certs into the key and truststores.

    2. Go to SSL certificate and key management > SSL configurations and add a new SSL Configuration. You will need to set the "Default client certificate alias" to the client cert that you will send. You do not necessarily need to create a new configuration, but I would recommend this to avoid any confusion about configurations.

    3. Go to SSL certificate and key management > Dynamic outbound endpoint SSL configurations and add a new outbound connection. Under "SSL Configuration", please make sure that you use the SSL Configuration you set up in step 2.

    If this is the only connection that requires two-way SSL, you can set this up another way, but I would recommend using this if the configuration will not change. You can set the outbound HTTPS and override the SSL Configuration with the SSL configuration set above.

    Regards, Brian

    Hi,

    Exactly, we want to deploy mutual authentication with WAS. Described like that it seems simple, based only on configuration. I will have a look at the WAS console tomorrow. Some points are still a little unclear, so I will look at the configuration.

    Thanks a lot for all this information.