Configuring the WebSphere Application Server Connection

Export a public certificate from WebSphere® Application Server so it can be imported into the WASTrust.jks truststore.

Procedure

  1. Start the WebSphere Application Server administrative console.
  2. Enter the WebSphere Application Server administrator user ID and password and click Log in.
  3. From the menu on the left side of the window, expand Security and click SSL certificate and key management.
  4. On the right side of the window, under the Related Items heading, click Key stores and certificates.
  5. A new window displays. From the Keystore usages menu towards the top of the page, select Root certificates keystores.
  6. Select NodeDefaultRootStore from the table.
    Figure shows the NodeDefaultRootStore option available in the table.
  7. A new window displays. On the right side of the window, under the Additional Properties heading, click Personal certificates.
    Figure shows the Personal certificates option available in the Additional Properties section of the page.
  8. Use the check box in the Select column to select the root alias. Click Export at the top of the table.
    Figure shows the root alias that is selected in the table.
  9. On the next screen that is displayed, in the center pane under the General Properties heading, enter the key store password and key store file information to export your WebSphere Application Server root certificate keystore file.
    • The default keystore password is WebAS.
    • Under Key store file, specify the path and name for the file you are exporting.
    • Set the Type field to JKS. Assign a password for your WebSphere Application Server root certificate keystore file.
    Figure shows the required properties fields for configuring a certificate for export to a key store.
  10. Click OK. You are asked for a password; enter it here.
  11. From the Keystore usages menu towards the top of the page, select SSL keystores.
  12. Select NodeDefaultKeyStore from the table.
    Figure shows the NodeDefaultKeyStore option available in the table.
  13. A new window displays. On the right side of the window, under the Additional Properties heading, click Personal certificates.
    Figure shows the Personal certificates option available in the Additional Properties section of the page.
  14. Use the check box in the Select column to select the default alias. Click Export at the top of the table.
    Figure shows the root alias that is selected in the table.
  15. On the next screen that is displayed, in the center pane under the General Properties heading, enter the key store password and key store file information to export your WebSphere Application Server root certificate keystore file.
    • The default keystore password is WebAS.
    • Under Key store file, specify the path and name for the file you are exporting.
    • Set the Type field to JKS. Assign a password for your WebSphere Application Server root certificate keystore file.
    Figure shows the required properties fields for configuring a certificate for export to a key store.
  16. Click OK. You are asked for a password; enter it here.
    Figure shows the change label dialog box with "default" and "root" options listed.
  17. If the Tivoli Directory Integrator server is not on the same system as WebSphere Application Server, the exported certificates must be made available as a file on the Tivoli Directory Integrator system.
  18. Start the IBM Key Management Tool with the following command:
    /opt/IBM/TDI/V7.1.1/jvm/jre/bin/ikeyman
  19. On the right side of the window, click Import. Browse to the /root/WASkey keystore file and import it into the WASTrust.jks truststore you created earlier.
    Figure shows the values for the truststore file.
  20. Click Browse to show the Open window. Set the Look In menu to navigate to root. In the File Name field, enter WASkey and set the Files of Type field to All Files. Click Open.
    Figure shows the keystore file that you created that you add to the truststore.
  21. Click OK to return to the previous window. You might be prompted to enter the WebSphere keystore password. The default is WebAS.
  22. In the Change Labels window, click OK to import the keystore file into the WASTrust.jks truststore. You are prompted to enter the password you set when you created the keystore file. You do not need to change the label.
    Figure shows the Change Labels window that is displayed once you click OK to import the keystore file.

    The personal certificates of root and default are now in the WASTrust.jks truststore. Save and close the WASTrust.jks key database file. You have completed the WebSphere Application Server connection configuration.
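
    To confirm the result of the procedure from a shell, the following script checks a keytool listing of the truststore for the root and default aliases and reports whether the exported keystore file still opens with the default password WebAS. It is an added example, not part of the original procedure or IBM's code. It assumes keytool is on the PATH and that the listing uses the standard "alias, date, entry type" line format; the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumes keytool is on PATH for real runs.

# Constructed sample of `keytool -list` output (fingerprints are placeholders).
SAMPLE_LISTING='Keystore type: JKS
Your keystore contains 2 entries

root, Mar 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>
default, Mar 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>'

# Read a keytool listing on stdin; print "alias entry-type" per entry.
list_entries() {
    awk -F', ' '/(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?[ \t]*$/ {
        type = $NF
        sub(/,?[ \t]*$/, "", type)
        if (type == "") type = $(NF - 1)   # listing line ended in ", "
        print $1, type
    }'
}

# Read a keytool listing on stdin; fail unless both imported aliases exist.
check_truststore() {
    entries=$(list_entries)
    status=0
    for alias in root default; do
        line=$(printf '%s\n' "$entries" | grep "^$alias " || true)
        if [ -n "$line" ]; then
            echo "OK: $line"
        else
            echo "MISSING: $alias"
            status=1
        fi
    done
    return $status
}

# Succeed if the keystore file still opens with the default password WebAS.
uses_default_password() {
    keytool -list -keystore "$1" -storepass WebAS >/dev/null 2>&1
}

if [ $# -ge 1 ]; then
    # $1 = truststore (keytool prompts for its password), $2 = exported keystore
    keytool -list -keystore "$1" | check_truststore || exit 1
    if [ -n "${2:-}" ] && uses_default_password "$2"; then
        echo "WARNING: $2 opens with the default password WebAS"
    fi
else
    printf '%s\n' "$SAMPLE_LISTING" | check_truststore
fi
```

    Pass the path to WASTrust.jks as the first argument and, optionally, the exported keystore file (for example /root/WASkey) as the second. With no arguments the script runs against the constructed sample.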