To create a secure, client- and server-authenticated connection between WAAPI and the Web GUI deployed within Dashboard Application Services Hub (without FIPS 140-2), you reference Dashboard Application Services Hub in the WAAPI truststore and WAAPI in the Dashboard Application Services Hub truststore. You then enable SSL authentication in WAAPI and add the WAAPI keystore certificate to your browser's truststore. Lastly, you enable client authentication in Dashboard Application Services Hub.
Procedure
- Using the Dashboard Application Services Hub GUI, extract the default truststore signer certificate.
  - Click , and click Launch WebSphere Admin Console.
  - Click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates.
  - Select the default (Alias) truststore certificate and click Extract.
  - Type a name, for example, /example/tipcert.arm.
  - Select Base64-encoded ASCII data and click Ok.
- Using the Dashboard Application Services Hub Ikeyman utility, add the new certificate to the WAAPI truststore.
  - Go to JazzSM_WAS_Profile/bin and start Ikeyman.
  - Click KeyDatabaseFile > New and select PKCS as the key database type.
  - Provide a truststore name, for example /example/waapiTruststore.p12.
  - Enter the default password WebAS and click Ok.
  - Select Signer Certificates from the dropdown list and click Add.
  - Point to the signer certificate, in this example /example/tipcert.arm, and click Ok. Make a note of the signer certificate CN (common name) value.
- Using the Dashboard Application Services Hub Ikeyman utility, extract a self-signed personal keystore certificate from the WAAPI keystore.
  - Go to JazzSM_Home/bin and start Ikeyman.
  - Click KeyDatabaseFile > New and select PKCS as the key database type.
  - Provide a keystore name, for example waapiKeystore.p12.
  - Enter the default password WebAS and click Ok.
  - Select Personal Certificates from the dropdown list and click New Self-Signed.
  - Enter a key label, for example WAAPI_cert, complete the other fields as required, then click Ok.
  - Select the new keystore certificate, in this example WAAPI_cert, and click Extract Certificate.
  - Select Base64-encoded ASCII data.
  - Enter a certificate file name, for example WAAPI_cert.arm, and define a location, in this example /example/, then click Ok.
- Using the Dashboard Application Services Hub GUI, add the new WAAPI keystore certificate to the Dashboard Application Services Hub truststore.
  - Click , and click Launch WebSphere Admin Console.
  - Click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
  - Click Add and enter an alias of WAAPI_cert (for this example).
  - Point to the previously generated WAAPI_cert, click Ok, then Save.
- Using your browser's security management functionality, add the new keystore certificate to the browser's truststore.
  Warning: If you do not complete this step, you will no longer be able to access Dashboard Application Services Hub after you enable client authentication in the next step.
- Using the Dashboard Application Services Hub GUI, enable client authentication.
  - Click , and click Launch WebSphere Admin Console.
  - Click Security > SSL certificate and key management > SSL Configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
  - Select Required from the General Properties > Client authentication drop-down list.
  - Click Ok, then Save.
- Edit the waapi.init file.
  - Open WEBGUI_HOME/waapi/etc/waapi.init and go to the WAAPI Secure Modes section.
  - Set waapi.secure:on.
  - Ensure that the host name in waapi.host is the same as the CN (common name) value in the signer certificate.
  - Provide the keystore name, in this example /example/waapiKeystore.p12.
  - Provide the truststore name, in this example /example/waapiTruststore.p12.
  - Enter the password of WebAS.
  Note: When entering the location of keystore and truststore on a Windows system, use two backslashes as the path separator because a single backslash is interpreted as an escape character. For example, to specify the truststore use \\example\\waapiTruststore.p12.
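
A small lint for the waapi.init settings edited in the last step, added here as an example and not taken from the product. It checks that waapi.secure is on, that waapi.host equals the signer CN you noted earlier, and that Windows paths use doubled backslashes. The example.keystore and example.truststore keys, the host name tip.example.com and the handling of # comment lines are constructed assumptions; use the property names found in your own file.

```python
import re

# Constructed sample input. example.keystore / example.truststore are
# placeholder keys, not real waapi.init property names.
GOOD = r"""
waapi.host:tip.example.com
waapi.secure:on
example.keystore:\\example\\waapiKeystore.p12
example.truststore:\\example\\waapiTruststore.p12
"""
BAD = r"""
waapi.host:localhost
waapi.secure:off
example.keystore:\example\waapiKeystore.p12
"""

def parse_init(text):
    """Parse key:value lines (the form shown in 'waapi.secure:on').
    Blank lines and '#' lines are skipped (assumed comment syntax)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)  # first colon only, so C:\\... survives
        props[key.strip()] = value.strip()
    return props

def lint(text, expected_cn):
    """Return a list of findings; an empty list means the checks passed."""
    props = parse_init(text)
    findings = []
    if props.get("waapi.secure", "").lower() != "on":
        findings.append("waapi.secure is not on")
    host = props.get("waapi.host", "")
    if host.lower() != expected_cn.lower():
        findings.append(f"waapi.host {host!r} does not match signer CN {expected_cn!r}")
    for key, value in props.items():
        # An odd-length run of backslashes contains an unescaped separator.
        if any(len(run) % 2 for run in re.findall(r"\\+", value)):
            findings.append(f"{key}: single backslash in {value!r}")
    return findings

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(sample, "tip.example.com") or "ok")
```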
What to do next
To test if you have successfully set up the WAAPI SSL connection, execute a WAAPI example.