Two-way SSL authentication
This topic describes the configurations that are required to establish a two-way SSL connection.
In two-way SSL authentication, both the server and client present a certification authority (CA) certified certificate to establish their identity to the other party. Here, the Sterling Store Associate Mobile server application acts as the client and the IBM® Sterling Selling and Fulfillment Foundation acts as the server.
There are two types of keystores used to configure SSL:
- Identity Store: This contains the identity certificate of a server which will be presented to the clients during SSL connections.
- Trust Store: This contains the CA root certificates which the client trusts while accepting SSL connections.
Before configuring two-way SSL, ensure that the IBM Sterling Selling and Fulfillment Foundation and the Sterling Store Associate Mobile server each have the other's CA root certificate in their trust store.
Configure properties in Sterling Store Associate Mobile server
To establish two-way SSL, the following configurations are required:
Before building the EAR file to be deployed on IBM Sterling Selling and Fulfillment Foundation, make the following modifications to the yifclient.properties file:
| Property | Description |
|---|---|
| yif.apifactory.protocol | Set the property to HTTPS. |
| yif.httpapi.url | Set the value to the URL for AuthorizationOnlyApiServlet. Ensure that the protocol is HTTPS. For example: https://<host>:<port>/<context-root>/interop/AuthorizationOnlyApiServlet. Here, the host refers to the IBM Sterling Selling and Fulfillment Foundation. |
| yif.httpapi.disableKeyStore | Make sure this property does not exist in the file. |
| yif.httpapi.disableTrustStore | Make sure this property does not exist in the file. |
| yif.httpapi.urlStreamHandler | Set the property to sun.net.www.protocol.https.Handler. |
| javax.net.ssl.keyStore | Set the value to the complete path of the identity keystore. The CN of the certificate in this keystore should be the same as the role-name field used to restrict access to the AuthorizationOnlyApiServlet. |
| javax.net.ssl.keyStorePassword | Set the value to the password of the identity keystore. |
| javax.net.ssl.trustStore | Set the value to the complete path of the trust keystore. |
| javax.net.ssl.trustStorePassword | Set the value to the password of the trust keystore. |
| javax.net.ssl.trustStoreType | Set the value to the format type of the trust keystore. For example, if the truststore provided in javax.net.ssl.trustStore is client.jks, then javax.net.ssl.trustStoreType is jks. |
| javax.net.ssl.keyStoreType | Set the value to the format type of the provided keystore. |
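The table above can be turned into a pre-build check that is run against yifclient.properties before the EAR file is built. The following is an added example, not IBM code: the function names, the exact-match comparison and the sample host, port, context root and paths are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Values compared exactly as the table spells them (assumption: case matters).
REQUIRED = {
    "yif.apifactory.protocol": "HTTPS",
    "yif.httpapi.urlStreamHandler": "sun.net.www.protocol.https.Handler",
}
MUST_BE_ABSENT = ("yif.httpapi.disableKeyStore", "yif.httpapi.disableTrustStore")
MUST_BE_SET = tuple(f"javax.net.ssl.{s}{p}" for s in ("keyStore", "trustStore")
                    for p in ("", "Password", "Type"))

def parse_properties(text):
    """Minimal .properties reader; continuations and escapes are not handled."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!":
            m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
            if m:
                props[m.group(1)] = m.group(2)
    return props

def check_two_way_ssl(text):
    """Return a list of findings; an empty list means the file matches the table."""
    props, findings = parse_properties(text), []
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            findings.append(f"{key}: expected {want!r}, found {props.get(key)!r}")
    url = urlsplit(props.get("yif.httpapi.url", ""))
    if url.scheme != "https":
        findings.append("yif.httpapi.url: protocol is not HTTPS")
    if not url.path.endswith("/interop/AuthorizationOnlyApiServlet"):
        findings.append("yif.httpapi.url: not the AuthorizationOnlyApiServlet URL")
    findings += [f"{k}: must not exist in the file" for k in MUST_BE_ABSENT if k in props]
    findings += [f"{k}: missing or empty" for k in MUST_BE_SET if not props.get(k)]
    return findings  # password values are never echoed into findings

# Constructed sample (host, port, context root and paths are placeholders).
SAMPLE_BAD = """\
yif.apifactory.protocol=HTTP
yif.httpapi.url=http://sfs.example.test:9080/ctx/interop/AuthorizationOnlyApiServlet
yif.httpapi.disableTrustStore=Y
javax.net.ssl.keyStore=/opt/ssl/client-identity.jks
javax.net.ssl.keyStorePassword=changeit
javax.net.ssl.trustStore=/opt/ssl/client-trust.jks
"""

if __name__ == "__main__":
    for finding in check_two_way_ssl(SAMPLE_BAD):
        print("FAIL", finding)
```

The check covers only what the file says; it does not open the keystores or compare the certificate CN with the role-name.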
Configure endpoints on server-side of the Sterling Store Associate Mobile
Configure the following endpoints:
- SAM
- SMC