Creating a WAAPI SSL connection (client-server authentication)

To create a secure, client- and server-authenticated connection between WAAPI and the Web GUI deployed within Dashboard Application Services Hub (without FIPS 140–2), you reference Dashboard Application Services Hub in the WAAPI truststore and WAAPI in the Dashboard Application Services Hub truststore. You then enable SSL authentication in WAAPI and add the WAAPI keystore certificate to your browser's truststore. Lastly, you enable client authentication in Dashboard Application Services Hub.

Procedure

  1. Using the Dashboard Application Services Hub GUI, extract the default truststore signer certificate.
    1. Click Console Settings > WebSphere Admin Console, and click Launch WebSphere Admin Console.
    2. Click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates.
    3. Select the default (Alias) truststore certificate and click Extract.
    4. Type a name, for example, /example/tipcert.arm.
    5. Select Base64-encoded ASCII data and click Ok.
  2. Using the Dashboard Application Services Hub Ikeyman utility, add the new certificate to the WAAPI truststore.
    1. Go to JazzSM_WAS_Profile/bin and start Ikeyman.
    2. Click KeyDatabaseFile > New and select PKCS as the key database type.
    3. Provide a truststore name, for example /example/waapiTruststore.p12.
    4. Enter the default password WebAS and click Ok.
    5. Select Signer Certificates from the dropdown list and click Add.
    6. Point to the signer certificate, in this example /example/tipcert.arm, and click Ok. Make a note of the signer certificate CN (common name) value.
  3. Using the Dashboard Application Services Hub Ikeyman utility, extract a self-signed personal keystore certificate from the WAAPI keystore.
    1. Go to JazzSM_Home/bin and start Ikeyman.
    2. Click KeyDatabaseFile > New and select PKCS as the key database type.
    3. Provide a keystore name, for example waapiKeystore.p12.
    4. Enter the default password WebAS and click Ok.
    5. Select Personal Certificates from the dropdown list and click New Self-Signed.
    6. Enter a key label, for example WAAPI_cert, complete the other fields as required, then click Ok.
    7. Select the new keystore certificate, in this example WAAPI_cert, and click Extract Certificate.
    8. Select Base64-encoded ASCII data.
    9. Enter a certificate file name, for example WAAPI_cert.arm, and define a location, in this example /example/, then click Ok.
  4. Using the Dashboard Application Services Hub GUI, add the new WAAPI keystore certificate to the Dashboard Application Services Hub truststore.
    1. Click Settings > WebSphere Admin Console, and click Launch WebSphere Admin Console.
    2. Click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
    3. Click Add and enter an alias of WAAPI_cert (for this example).
    4. Point to the previously generated WAAPI_cert, click Ok, then Save.
  5. Using your browser's security management functionality, add the new keystore certificate to the browser's truststore.
    Warning: If you do not complete this step, you will no longer be able to access Dashboard Application Services Hub after you enable client authentication in the next step.
  6. Using the Dashboard Application Services Hub GUI, enable client authentication.
    1. Click Settings > WebSphere Admin Console, and click Launch WebSphere Admin Console.
    2. Click Security > SSL certificate and key management > SSL Configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
    3. Select Required from the General Properties > Client authentication drop-down list.
    4. Click Ok, then Save.
  7. Edit the waapi.init file.
    1. Open WEBGUI_HOME/waapi/etc/waapi.init and go to the WAAPI Secure Modes section.
    2. Set waapi.secure:on.
    3. Ensure that the host name in waapi.host is the same as the CN (common name) value in the signer certificate.
    4. Provide the keystore name, in this example /example/waapiKeystore.p12.
    5. Provide the truststore name, in this example /example/waapiTruststore.p12.
    6. Enter the password of WebAS.
    Note (Windows operating systems): When entering the location of the keystore and truststore on a Windows system, use two backslashes as the path separator, because a single backslash is interpreted as an escape character. For example, to specify the truststore, use \\example\\waapiTruststore.p12.
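As an added example that is not part of the original documentation or the product, the following Python script checks the Secure Modes settings from step 7 before WAAPI is restarted: waapi.secure is on, waapi.host matches the signer certificate CN noted in step 2, the keystore and truststore are set, and on Windows the paths use the doubled backslash described in the note. Only waapi.secure and waapi.host are taken from this page; the key names waapi.keystore, waapi.truststore and waapi.password are assumptions, and the sample waapi.init content is constructed.

```python
"""Sanity-check the WAAPI Secure Modes settings in waapi.init.

Added example, not part of the product documentation. The key names
waapi.keystore, waapi.truststore and waapi.password are assumed; only
waapi.secure and waapi.host appear on the documentation page.
"""
import re

# Constructed sample of the WAAPI Secure Modes section (key:value lines).
SAMPLE_INIT = """\
# WAAPI Secure Modes
waapi.secure:on
waapi.host:dash.example.com
waapi.keystore:/example/waapiKeystore.p12
waapi.truststore:/example/waapiTruststore.p12
waapi.password:WebAS
"""


def parse_init(text):
    """Parse key:value lines. '#' lines are comments; the first ':' splits key and value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def windows_path_ok(path):
    """True if every backslash in the path is doubled (escaped), as waapi.init requires on Windows."""
    # A backslash that is neither preceded nor followed by another backslash is unescaped.
    return re.search(r"(?<!\\)\\(?!\\)", path) is None


def check_secure_mode(settings, signer_cn, windows=False):
    """Return a list of problems; an empty list means the settings look consistent.

    signer_cn is the CN (common name) noted when the signer certificate was
    added to the WAAPI truststore; waapi.host must equal it.
    """
    problems = []
    if settings.get("waapi.secure") != "on":
        problems.append("waapi.secure must be 'on'")
    host = settings.get("waapi.host")
    if host != signer_cn:
        problems.append(f"waapi.host {host!r} does not match signer certificate CN {signer_cn!r}")
    for key in ("waapi.keystore", "waapi.truststore"):  # assumed key names
        value = settings.get(key, "")
        if not value:
            problems.append(f"{key} is not set")
        elif windows and not windows_path_ok(value):
            problems.append(f"{key}: use \\\\ as the path separator on Windows")
    if not settings.get("waapi.password"):  # assumed key name
        problems.append("waapi.password is not set")
    return problems


if __name__ == "__main__":
    settings = parse_init(SAMPLE_INIT)
    for problem in check_secure_mode(settings, "dash.example.com") or ["settings look consistent"]:
        print(problem)
```

Run the script against the real file by replacing SAMPLE_INIT with the contents of WEBGUI_HOME/waapi/etc/waapi.init and passing the CN you noted in step 2; pass windows=True on a Windows system so the backslash check is applied.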

What to do next

To test if you have successfully set up the WAAPI SSL connection, execute a WAAPI example.