Deploying a client SSL certificate

After you obtain the client SSL certificate, you must deploy the certificate to the Content Platform Engine server.

Deploying a client certificate on WebSphere

WebSphere Application Server supports directly deploying a certificate from another WebSphere server or IBM® HTTP Server.

Procedure

To deploy the client certificate:

  1. Log in to the WebSphere administrative console on the Content Platform Engine server that acts as the SSL client.
  2. Navigate to Security > SSL certificate and key management.
  3. Select the default truststore:
    Option: Description
    WebSphere Application Server Network Deployment: Select CellDefaultTrustStore.
    WebSphere base and stand-alone: Select NodeDefaultTrustStore.
  4. In the Additional Properties section, click Signer certificates.
  5. Click Retrieve From Port.
  6. In the Host field, enter the hostname of the WebSphere server at the remote site.
  7. In the Port field, enter the secure port.
    The default port is 9443 for WebSphere. The default port is 443 for IBM HTTP Server.
  8. In the Alias field, enter a name for this certificate.
  9. Click Retrieve Signer Information.
  10. Verify that the certificate information is for a certificate that you can trust.
  11. Click Apply, and click Save.

Deploying a client SSL certificate on WebLogic

After you obtain the client SSL certificate, you must deploy the certificate to the Content Platform Engine server.

Procedure

  1. Copy the server.crt file to a folder on the Content Platform Engine server.
    For example, copy the file to the C:\IBM\keystore or the /IBM/keystore directory.
  2. Configure WebLogic to use the Java standard trust as its default trust keystore.
    1. Log in to the WebLogic administrative console.
    2. Navigate to Environment > Servers > server name.
    3. Click the Configuration tab.
    4. Click the Keystores tab.
    5. For the Keystores list, click Change.
    6. Select the Custom Identity and Java Standard Trust option.
    7. Click Save.
    8. In the Keystores tab, note the value for Java Standard Trust Keystore, such as drive:/bea/jdk160_21/jre/lib/security/cacerts.
  3. On the Content Platform Engine server, import the client SSL certificate into the truststore by using the following command:
    keytool -import -alias myserver -file mypath/server.crt -keystore drive:/bea/jdk160_21/jre/lib/security/cacerts -storepass password

    myserver is the alias for the certificate

    mypath/server.crt is the path to the certificate file

    drive:/bea/jdk160_21/jre/lib/security/cacerts is the path to the truststore

    password is the truststore password

  4. Verify that the certificate was added to the truststore by using the following command:
    keytool -list -v -alias myserver -keystore drive:/bea/jdk160_21/jre/lib/security/cacerts -storepass password
  5. Modify the WebLogic start-up script to add the following JVM argument to the Java command line:
    -DUseSunHttpHandler=true
  6. Restart the server.
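
Both procedures depend on trusting the right certificate: step 10 of the WebSphere procedure, and the import of server.crt on WebLogic. The following added example (not part of the original documentation) checks a certificate file's fingerprint against a value obtained out of band before it goes into the truststore. It assumes the expected fingerprint comes from the administrator of the remote server; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def cert_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate file that is either PEM or DER.
    Assumes a PEM file starts with the BEGIN CERTIFICATE line."""
    stripped = data.strip()
    if stripped.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    return data

def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Digest of the DER encoding as colon-separated upper-case hex."""
    digest = hashlib.new(algorithm, cert_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return "".join(c for c in fp if c not in ": -\t\r\n").lower()

def matches(data: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """True only if the file's fingerprint equals the out-of-band value."""
    actual = normalize(fingerprint(data, algorithm)).encode()
    wanted = normalize(expected).encode()
    # An empty expected value must never count as a match.
    return bool(wanted) and hmac.compare_digest(actual, wanted)

# Constructed placeholder bytes standing in for server.crt (not a real certificate).
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    # Usage: python check_fp.py server.crt EXPECTED_FINGERPRINT
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        ok = matches(blob, sys.argv[2])
        print(fingerprint(blob), "MATCH" if ok else "MISMATCH: do not import")
        sys.exit(0 if ok else 1)
    print(fingerprint(SAMPLE_PEM))
```

A nonzero exit status means the file does not match the expected fingerprint and should not be imported.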