If any of the servers in the solution require the presence of SSL certificates for
communication, import the required SSL certificates into the WebSphere® Application Server Liberty Profile default keystore.
Before you begin
You must export the SSL certificate for the site that you need to connect to before you can
import the required SSL certificate into the WebSphere Application Server Liberty Profile default keystore.
About this task
If you do not import the required SSL certificate, any attempt to connect to an external site
might fail. When the relevant server tries to connect to the external site by using an HTTPS
connection, CertPathBuilderException errors are displayed in the log files. Follow
these instructions to import the SSL certificates, or use the iKeyman tool if you prefer to use a graphical interface.
In the commands that are given in the following procedure, replace the
ioc.user, liberty_install_dir, and
liberty.instance.name variables with the values that are configured in your
ioc.install.properties installation properties file. The default value for the
ioc.user variable is iocadmin, the
liberty_install_dir value is the WebSphere Application Server Liberty Profile installation directory, and the
liberty.instance.name value is the name of the Liberty instance.
Procedure
- Export the SSL certificate for the site that you need to connect to.
- Log on to the application server as the ioc.user user. For example,
log on as iocadmin.
- Run the following commands to extract the external site's certificate, where
external_host_name:port is the fully qualified host name and the SSL port number
of the external server:
su - ioc.user
cd liberty_install_dir/usr/servers/liberty.instance.name/resources/security
openssl s_client -showcerts -connect external_host_name:port </dev/null 2>/dev/null | openssl x509 -outform PEM > 3rd_party_ssl_cert.pem
For example:
su - iocadmin
cd /opt/IBM/WebSphere/wlp/usr/servers/iocsvr1/resources/security
openssl s_client -showcerts -connect extserver.abc.com:636 </dev/null 2>/dev/null | openssl x509 -outform PEM > 3rd_party_ssl_cert.pem
- Run one of the following commands in a terminal window on the server, depending on
whether you are performing a development installation or a runtime installation.
- For a development installation, run the following
command:
keytool -import -file path_to_file_that_contains_cert -alias certificate_alias -keystore /home/ibmadmin/liberty/usr/servers/defaultServer/resources/security/key.jks -storepass keystore_password
- For a runtime installation, run the following command, where
path_to_file_that_contains_cert is the directory path to the file that contains
the SSL certificate, certificate_alias is the alias for the SSL certificate, and
keystore_password is the password for the Liberty
keystore:
keytool -import -file path_to_file_that_contains_cert -alias certificate_alias -keystore /opt/IBM/WebSphere/wlp/usr/servers/iocsvr1/resources/security/key.jks -storepass keystore_password
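The extraction step in the procedure trusts whatever certificate the network returns, so a practitioner would normally compare its fingerprint with one obtained out of band before importing it. The following script is an added example, not part of the IBM procedure; the function names, the out-of-band fingerprint argument, and the assumption that it runs from the Liberty resources/security directory containing key.jks are illustrative.

```shell
#!/bin/sh
# Added example (not IBM's): import a fetched certificate only if its SHA-256
# fingerprint equals one obtained out of band from the external site's owner.
# Run from the Liberty resources/security directory used in the procedure.

# Reduce "SHA256 Fingerprint=AB:CD:..." or plain hex to lowercase hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed only when both values are the same 64-digit hex string.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in ''|*[!0-9a-f]*) return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint line of a PEM certificate file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Usage: import_pinned external_host_name:port expected_fingerprint certificate_alias
import_pinned() {
    hostport=$1; expected=$2; cert_alias=$3
    pem=3rd_party_ssl_cert.pem
    # Same extraction as the procedure; openssl x509 keeps the first (server) certificate.
    openssl s_client -showcerts -connect "$hostport" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$pem" || return 1
    actual=$(cert_fp "$pem") || return 1
    if ! fp_matches "$actual" "$expected"; then
        echo "Fingerprint mismatch for $hostport, not importing: $actual" >&2
        rm -f "$pem"
        return 1
    fi
    # -storepass is omitted so keytool prompts for the password instead of
    # exposing it in the process list and shell history.
    keytool -import -file "$pem" -alias "$cert_alias" -keystore key.jks
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    import_pinned "$@"
fi
```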
Example
To add secured Esri base maps to the solution, or to configure data sources
that acquire data from a secured Esri feature service, you must import
the certificate for either the ArcGIS server or ArcGIS Online.