Creating server certificates

You must create an SSL certificate for your server.

Every server in your topology needs a keystore that contains a suitable server certificate, or a separate truststore that trusts all other servers.

You can use self-signed certificates or public certificates depending on the specific needs of your configuration:
  • You can create an SSL keystore that contains a self-signed certificate by using the security utility tool, and then copy the keystore file (.jks) to the security folder of each server in your topology.
  • You can also use the Java™ keystore tools to export the public certificate from the server keystore and import it into the truststore of the client.
You can use the following tools to generate a server certificate in Java:
  • Java keytool command
  • WebSphere® Liberty securityUtility command
  • Graphic tools such as KeyStore Explorer
The following example shows you how to use the securityUtility createSSLCertificate command to create an SSL certificate for each server, specifying the server name and a password:
securityUtility createSSLCertificate --server=<server_name> --password=<your_password> --keyType=JKS

The command creates a key.jks keystore for the specified server as a result. For more information, see Creating SSL certificates from the command line in the WebSphere Liberty product documentation.
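The keytool route from the list above, worked through end to end as an added example that is not part of the product documentation: create a self-signed server keystore, export only the public certificate, import it into a client truststore, and confirm by fingerprint that the two stores hold the same certificate. It assumes the JDK keytool is on the PATH; the server name (myserver), passwords, subject name and working directory are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the product documentation): build a self-signed
# server keystore with the JDK keytool, export its public certificate, and
# import that certificate into a client truststore. Server name, passwords,
# subject and working directory are assumptions for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-myserver}"                   # assumed server name
KEYSTORE_PASS="${KEYSTORE_PASS:-change-this-password}"   # assumed; use your own
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-change-this-too}"    # assumed; use your own

# Create the server keystore: an RSA key pair plus a self-signed certificate.
# Same purpose as securityUtility createSSLCertificate, but each step is visible.
create_server_keystore() {
  rm -f "$WORKDIR/$SERVER_NAME.jks"
  keytool -genkeypair \
    -alias "$SERVER_NAME" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 \
    -dname "CN=$SERVER_NAME, OU=example, O=example" \
    -ext "SAN=dns:$SERVER_NAME" \
    -keystore "$WORKDIR/$SERVER_NAME.jks" -storetype JKS \
    -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" >/dev/null 2>&1
}

# Export only the public certificate (never the private key) in PEM form.
export_public_cert() {
  keytool -exportcert -rfc \
    -alias "$SERVER_NAME" \
    -keystore "$WORKDIR/$SERVER_NAME.jks" -storetype JKS \
    -storepass "$KEYSTORE_PASS" \
    -file "$WORKDIR/$SERVER_NAME.pem" >/dev/null 2>&1
}

# Import the exported certificate into the client truststore. -noprompt skips
# the interactive "Trust this certificate?" question; the fingerprint
# comparison in run_exchange is what stands in for that question here.
import_into_truststore() {
  rm -f "$WORKDIR/client-truststore.jks"
  keytool -importcert -noprompt \
    -alias "$SERVER_NAME" \
    -file "$WORKDIR/$SERVER_NAME.pem" \
    -keystore "$WORKDIR/client-truststore.jks" -storetype JKS \
    -storepass "$TRUSTSTORE_PASS" >/dev/null 2>&1
}

# fingerprint_of <keystore> <storepass>: print the SHA-256 fingerprint of the
# certificate stored under the server alias.
fingerprint_of() {
  keytool -list -v -alias "$SERVER_NAME" \
    -keystore "$1" -storetype JKS -storepass "$2" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Run the full sequence and confirm the truststore holds exactly the
# certificate the server keystore holds. Returns 0 on match.
run_exchange() {
  create_server_keystore
  export_public_cert
  import_into_truststore
  server_fp=$(fingerprint_of "$WORKDIR/$SERVER_NAME.jks" "$KEYSTORE_PASS")
  client_fp=$(fingerprint_of "$WORKDIR/client-truststore.jks" "$TRUSTSTORE_PASS")
  [ -n "$server_fp" ] && [ "$server_fp" = "$client_fp" ]
}

# Usage (constructed names): run the exchange once when keytool is available.
if command -v keytool >/dev/null 2>&1; then
  run_exchange && echo "client truststore holds the server certificate: $server_fp"
fi
```

Comparing the SHA-256 fingerprint on both sides is the manual equivalent of the trust decision keytool would otherwise ask you to make interactively; with -noprompt, that comparison is the only thing standing between the client and an arbitrary certificate file, so keep it.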

A certificate can be either self-signed or certificate authority (CA) signed, depending on your system configuration and where the server sits, that is, whether it is public-facing or internal. Public-facing servers generally use CA-signed certificates, while internal servers can rely on self-signed certificates.

Self-signed certificate

If the certificate is self-signed, the browser prompts you to accept the connection as insecure when you go to the URL for the first time. Answer Yes to open the URL; you can then view its certificate.

Client applications must be configured to accept a self-signed certificate from the server. For more information, see Importing a server certificate to your environment.

CA-signed certificate

When the certificate is CA-signed, the CA is already listed in the default certificate store of the browser or the client-side JVM. In this case, connections to the server can be established without importing a certificate or setting any specific options.

Configuring server certificates

You must configure the SSL certificate in each server after creating it.

When you finish creating the SSL certificate, confirm that the SSL feature is enabled in the server.xml file of every Liberty server and add your password to the keystore definition:
<featureManager> 
   <feature>ssl-1.0</feature>
</featureManager>
<keyStore id="defaultKeyStore" password="{xor}NjEsbjg3Kyw=" location="<myserver>.jks" type="JKS"/>

Add the <myserver>.jks file to the /resources/security folder of every Liberty server in your topology.
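A pre-deployment check for the two steps above, added here as an example and not part of the product documentation: for each server directory in a topology it verifies that server.xml enables ssl-1.0, that a keyStore element is present, that its password is stored in an encoded form rather than plaintext, and that the .jks file it names exists under resources/security. The directory layout, the sample server.xml files and the {xor}EXAMPLE-ENCODED-VALUE placeholder are constructed for this example; the .jks files it creates are empty placeholders, not real keystores.

```shell
#!/bin/sh
# Added example (not from the product documentation): a readiness check that
# every Liberty server directory in a topology has the ssl-1.0 feature, a
# keyStore element with an encoded password, and the referenced .jks file
# under resources/security. The sample topology below is constructed.
set -eu

# check_server <server_dir>: print one problem per line; the exit status is
# the number of problems found (0 = ready).
check_server() {
  dir=$1
  cfg="$dir/server.xml"
  problems=0
  if [ ! -f "$cfg" ]; then
    echo "$dir: server.xml missing"; return 1
  fi
  # 1. SSL feature enabled?
  if ! grep -q '<feature>[[:space:]]*ssl-1.0[[:space:]]*</feature>' "$cfg"; then
    echo "$dir: ssl-1.0 feature not enabled"; problems=$((problems+1))
  fi
  # 2. keyStore element present? (first one only; enough for this check)
  ks_line=$(grep -o '<keyStore[^>]*>' "$cfg" | head -n 1)
  if [ -z "$ks_line" ]; then
    echo "$dir: no <keyStore> element"; return $((problems+1))
  fi
  location=$(printf '%s' "$ks_line" | sed -n 's/.*location="\([^"]*\)".*/\1/p')
  password=$(printf '%s' "$ks_line" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
  # 3. keystore file exists? A bare filename is looked up in resources/security.
  case "$location" in
    "")  echo "$dir: keyStore has no location"; problems=$((problems+1)) ;;
    /*)  [ -f "$location" ] || { echo "$dir: keystore $location not found"; problems=$((problems+1)); } ;;
    *)   [ -f "$dir/resources/security/$location" ] || { echo "$dir: resources/security/$location not found"; problems=$((problems+1)); } ;;
  esac
  # 4. password present and encoded. {xor} is obfuscation only and {aes} is
  #    keyed encryption; either is accepted here, a plaintext value is flagged.
  case "$password" in
    "")                echo "$dir: keyStore has no password"; problems=$((problems+1)) ;;
    "{xor}"*|"{aes}"*) ;;
    *)                 echo "$dir: keyStore password is not encoded"; problems=$((problems+1)) ;;
  esac
  return $problems
}

# check_topology <root>: run check_server on every <root>/*/server.xml;
# the exit status is the number of servers that are not ready.
check_topology() {
  failed=0
  for cfg in "$1"/*/server.xml; do
    [ -f "$cfg" ] || continue
    check_server "$(dirname "$cfg")" || failed=$((failed+1))
  done
  return $failed
}

# Build a constructed two-server topology: "good" is complete; "bad" lacks the
# ssl feature, uses a plaintext password and has no keystore file.
make_sample_topology() {
  root=$(mktemp -d)
  mkdir -p "$root/good/resources/security" "$root/bad/resources/security"
  cat > "$root/good/server.xml" <<'EOF'
<server>
  <featureManager>
    <feature>ssl-1.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="{xor}EXAMPLE-ENCODED-VALUE" location="good.jks" type="JKS"/>
</server>
EOF
  : > "$root/good/resources/security/good.jks"   # placeholder file, not a real keystore
  cat > "$root/bad/server.xml" <<'EOF'
<server>
  <featureManager>
    <feature>servlet-4.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="plaintext" location="bad.jks" type="JKS"/>
</server>
EOF
  printf '%s' "$root"
}

# Usage (constructed topology): report which servers are not ready.
ROOT=$(make_sample_topology)
check_topology "$ROOT" && echo "all servers ready" || echo "some servers are not ready"
```

Run it against the parent directory that holds your real server directories instead of the constructed one; each line of output names the server and the missing piece, and the exit status of check_topology tells a deployment script how many servers still need attention.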

For more information, see Enabling SSL communication in Liberty in the WebSphere Liberty product documentation.