Updating SSL properties
Communication between Global Mailbox and Sterling B2B Integrator is secured with SSL during the installation. You can modify the SSL configuration by running the appConfigUtility script.
Before you begin
Global Mailbox connects over SSL to HTTP server adapters in Sterling B2B Integrator to:
- Verify the Single Sign-On (SSO) token when the user navigates to the Global Mailbox UI from the Sterling B2B Integrator Dashboard, by calling an API in the REST HTTP Server Adapter.
- Search for and display Sterling B2B Integrator Users, Business Processes, and Contracts in the Global Mailbox Event Explorer, by calling a REST API in the Global Mailbox REST Services Adapter.
About this task
To modify the SSL properties for connecting to HTTP server adapters listed above in Sterling B2B Integrator, perform the following:
Procedure
- Locate the /<install_dir>/MailboxUtilities/admin/bin directory (UNIX or Linux) or \<install_dir>\MailboxUtilities\admin\bin (Windows).
  Tip: Replace <install_dir> with the directory where your instance is installed.
- Optional: To see the available options, run ./appConfigUtility.sh (Linux® or UNIX) or appConfigUtility.bat (Windows).
- To modify the SSL configuration, run the ./appConfigUtility.sh setSSL (Linux or UNIX) or appConfigUtility.bat setSSL (Windows) command.
- Enter the parameters and values that suit your needs, in the format ./appConfigUtility.sh setSSL <parameter="value"> (Linux or UNIX) or appConfigUtility.bat setSSL <parameter="value"> (Windows), where:
- --appName
  The name of the application. This name is displayed in the Application field in the user permissions wizard in Global Mailbox. For example:
  --appName="application_name"
- --protocol
  The SSL/TLS protocol to connect to the server. Acceptable values are those that are valid for the IBM® SDK, Java™ Technology Edition JRE. From Sterling B2B Integrator v6.2.0.1 onwards, the default value is TLS, which allows the server to specify the version used. To use the default value (recommended), do not specify this parameter. To override it, specify the parameter. For example:
  --protocol=TLS_v1.2
  The above example specifies that Global Mailbox should connect only using TLS 1.2.
  For Sterling B2B Integrator v6.2.0.0, the default value is SSL_TLS.
- --ciphers
  A comma-separated list of cipher suites that can be used to secure the connection with the server. The server picks one of the ciphers in this list during the SSL handshake, so each listed suite must also be in the server's list of supported cipher suites. The default is the list of ciphers available to the JRE. To restrict the ciphers to a subset, specify that subset of cipher suites as the value of this parameter.
- --verifyHostName
  Whether the host name of the server must match the common name of the returned server certificate. The default is false. If this option is true and the server host name does not match the pattern in the returned certificate's common name, the connection is refused.
- --trustAny
  Indicates that any certificate returned by the server is trusted. This is the default.
- --trustStoreFile
  The fully qualified path to a key store used to verify that the server is trusted. If this option is specified, the certificate returned by the server (or a certificate up its signer chain) must be present in the given trust store for the SSL connection to succeed.
  Important: Setting this option disables --trustAny. The contents of the trust store are copied and stored as a binary blob in the Sterling B2B Integrator configuration properties in the database. All Global Mailbox nodes share the same trust store for Sterling B2B Integrator. Subsequent changes to this file have no effect on the trust store for Sterling B2B Integrator. If certificates are added to or removed from this trust store file, and these changes must be applied to Sterling B2B Integrator, then the setSSL command must be invoked again, specifying the modified trust store file, so that the modified trust store is copied to the database.
- --trustStoreType
  The type of the trust store file. This option is required if --trustStoreFile is specified. Valid values are JKS and PKCS12.
- --trustStorePassword
  The password of the trust store file. This option is required if --trustStoreFile is specified. This password is used to open the trust store to copy its contents. When the trust store is serialized as a blob to the database, the blob is encrypted with a different, random password.
- --keyStoreFile
  The fully qualified path to a key store containing the key-certificate used to authenticate to the server, if the server configuration requires client authentication. This is optional. If specified, the key-certificate from the key store is copied and stored as a binary blob in the Sterling B2B Integrator configuration properties in the database. All Global Mailbox nodes share the same key store for Sterling B2B Integrator.
  Important: Subsequent changes to this file have no effect on the key store for Sterling B2B Integrator. If key-certificates are added to or removed from this key store file, and these changes must be applied to Sterling B2B Integrator, then the setSSL command must be invoked again, specifying the modified key store file, so that the modified key store is copied to the database.
- --keyStoreType
  The type of the key store file. This option is required if --keyStoreFile is specified. Valid values are JKS and PKCS12.
- --keyStorePassword
  The password of the key store file. This option is required if --keyStoreFile is specified. This password is used to open the key store to copy its contents. When the key store is serialized as a blob to the database, the blob is encrypted with a different, random password.
- --keyAlias
  The alias of the key-certificate in the key store that is used to authenticate Global Mailbox to the server. This option is needed only if the key store file contains more than one key-certificate, so that Global Mailbox can copy the intended key-certificate to the serialized key store blob in the database.
- --reset
  Resets the SSL configuration for Sterling B2B Integrator to the default values.
  Important: If this option is specified, all other options are ignored.
- --test
  Tests the SSL configuration by attempting to connect to the server specified in the --server option and securing the connection with the configured SSL parameters. If the connection fails, the changes from the command-line options are not saved.
- --chooseTrust
  Connects to the server specified in --server, secures the connection with the configured --protocol, and displays the certificate chain returned by the server. Select a certificate from the chain to add to the trust store. This option is a convenience for extracting the server certificate directly from a server host and port, without having to access the server and export its certificate into a file.
- --server
  The address and port of the server to use with the --test and --chooseTrust options. If not specified, the address and port of the User Lookup Service are used.
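The option rules above (a trust store requires its type and password, a trust store disables --trustAny, --reset discards everything else, --trustAny and --verifyHostName=false are the defaults) are easy to get wrong when assembling a setSSL command line. The following is an added example, not IBM's appConfigUtility code: it parses arguments in the --parameter="value" format shown above, checks them against those rules, warns about the two default settings that leave the server certificate unchecked, and builds the Python ssl.SSLContext that corresponds to the resulting policy. It assumes trust material is given to Python as a PEM bundle or the system CA set (Python's ssl module does not read JKS or PKCS12), and it models only the two protocol values shown on this page.

```python
"""Model of the appConfigUtility setSSL option rules as a Python TLS client policy.

Added example for illustration; not IBM's appConfigUtility code.
Assumptions: trust material is a PEM bundle or the system CA set (the ssl
module cannot load JKS/PKCS12), and --protocol is one of the page's values.
"""
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

KNOWN = {"appName", "protocol", "ciphers", "verifyHostName", "trustAny",
         "trustStoreFile", "trustStoreType", "trustStorePassword",
         "keyStoreFile", "keyStoreType", "keyStorePassword", "keyAlias",
         "reset", "test", "chooseTrust", "server"}
STORE_TYPES = {"JKS", "PKCS12"}
# Page values only: "TLS" lets the server pick the version (library default),
# "TLS_v1.2" pins the minimum to TLS 1.2.
MIN_VERSION = {"TLS": None, "TLS_v1.2": ssl.TLSVersion.TLSv1_2}


def parse_args(argv):
    """Turn ['--protocol=TLS_v1.2', '--test', ...] into a dict; bare flags map to 'true'."""
    opts = {}
    for arg in argv:
        if not arg.startswith("--"):
            raise ValueError(f"expected --parameter[=value], got {arg!r}")
        name, _, value = arg[2:].partition("=")
        if name not in KNOWN:
            raise ValueError(f"unknown option --{name}")
        opts[name] = value.strip('"') if value else "true"
    return opts


@dataclass
class Policy:
    min_version: Optional[ssl.TLSVersion]
    ciphers: List[str]
    trust_any: bool
    verify_host_name: bool
    trust_store: Optional[str]
    key_store: Optional[str]
    warnings: List[str] = field(default_factory=list)


def _require(opts, main, *deps):
    """--main is only valid together with each of --deps (page rule)."""
    for dep in deps:
        if main in opts and dep not in opts:
            raise ValueError(f"--{main} requires --{dep}")


def resolve_policy(opts):
    """Apply the dependency rules the page states and flag weak settings."""
    if opts.get("reset") == "true":
        return resolve_policy({})  # --reset: every other option is ignored
    _require(opts, "trustStoreFile", "trustStoreType", "trustStorePassword")
    _require(opts, "keyStoreFile", "keyStoreType", "keyStorePassword")
    for t in ("trustStoreType", "keyStoreType"):
        if t in opts and opts[t] not in STORE_TYPES:
            raise ValueError(f"--{t} must be one of {sorted(STORE_TYPES)}")
    proto = opts.get("protocol", "TLS")
    if proto not in MIN_VERSION:
        raise ValueError(f"--protocol {proto!r} is not modelled here")
    trust_store = opts.get("trustStoreFile")
    trust_any = trust_store is None  # a trust store disables --trustAny
    verify_host = opts.get("verifyHostName", "false").lower() == "true"
    pol = Policy(MIN_VERSION[proto],
                 [c for c in opts.get("ciphers", "").split(",") if c],
                 trust_any, verify_host, trust_store, opts.get("keyStoreFile"))
    if trust_any:
        pol.warnings.append("trustAny in effect: any server certificate is accepted")
    if not verify_host:
        pol.warnings.append("verifyHostName=false: certificate name not matched to host")
    elif trust_any:
        pol.warnings.append("verifyHostName ignored in this model: no chain to check against")
    return pol


def make_context(pol, ca_pem=None):
    """Build the ssl.SSLContext that corresponds to the resolved policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if pol.min_version is not None:
        ctx.minimum_version = pol.min_version
    if pol.trust_any:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = pol.verify_host_name
        if ca_pem:  # assumption: PEM bundle stands in for the JKS/PKCS12 store
            ctx.load_verify_locations(cafile=ca_pem)
        else:
            ctx.load_default_certs()
    return ctx
```

Run resolve_policy(parse_args(sys.argv[1:])) on the exact argument list you intend to pass to setSSL and read the warnings before invoking the utility: a command with no --trustStoreFile and no --verifyHostName=true produces a context that accepts any certificate from any host, which is what the page's defaults mean in practice.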