Worklight Security With Self-Signed Certificates and Adapter HTTP Requests
DavidSeager 110000C5XS Visits (5263)
Now for production use, such systems will likely have security enabled and be using SSL, so any requests to their REST services will be over HTTPS. Generally such systems will also be using SSL certificates from well known Certificate Authorities, and so a client accessing them will accept the certificate and make the SSL connection without issue. For example, when you access a web site which has a valid certificate signed by a CA that your web browser knows, you see a green padlock icon somewhere, and you connect to the website right away
Worklight adapters are such a client application. They seem to use the Apache HTTP Client to connect to a back end system via HTTP. So if you attempt to use a Worklight adapter to connect to a system which is using HTTPS and has a self-signed SSL certificate, the connection will fail. For example, even if you connect from Worklight server running on the very same WebSphere Application Server as WSRR, to WSRR, you will still get the error, even though the WAS security credentials are the same, so the connection should work. This is a problem because generally you want to test with security enabled, so in the real world your mobile application will work with real systems, but you don't often want to buy a real certificate for your development system.
The Apache HTTP Client just uses the certificates of the Java Runtime Environment (JRE), so you can install the self-signed certificate of your WSRR server into the JRE and the Worklight adapter connection will work. I would have hoped that when running from within WebSphere Application Server, Worklight would have used the WAS certificates when making HTTP connections, so connections to the same WAS server would just work, but it seems it does not. Here is how you can get the connection to work.
First you need to extract the SSL certificate. For WSRR, this is done using the WebSphere Administrative Console (ISC) on the WSRR server. This will run on port 9060 by default and can be accessed by http
The self-signed server certificate is extracted to the file system where you specified.
Now put this file onto the server where Worklight is running. For the example above, the Worklight server is installed onto the WSRR WAS server, so you can leave the certificate file where it was extracted.
From the JRE of the server, run the folllowing command. For the example above, this JRE is under the WSRR server install folder in java/jre/bin. The server name is "djsdbs" and the location of the file is "c:\
keytool -keystore ..\l
Now if you restart the WAS server running WSRR (and Worklight server), the adapter will connect to WSRR fine.