Configuring TLS certificates for the IBM Sterling Transformation Extender web UI server

The web UI server serves requests for the Design Server web UI. Upon installation, a default certificate is created for the web UI server. The web UI server is also called the client.

A custom TLS certificate is provided to the Design Server web UI server in the form of a PEM certificate file and a PEM private key file. In the typical case where the server should provide a certificate chain during a TLS handshake, a PEM certificate chain file (concatenated PEM certificate files) should be used for the PEM certificate file.

These files will be copied to a directory relative to the root directory of the web UI server application. See the table below for the web UI server root directory.

Note: For the Design Server web UI to use the certificate, ensure that /client/inbound/protocol is set to https in config.yaml. This is the default setting.

Table 1.

Environment | Installation folder
Windows | The client installation folder is DesignServer/client.
Linux (Native) | The client installation folder is node-context/install.
Linux (containerized) | The client installation folder is within the tx-client container at /usr/src/app. Use the docker cp command or an equivalent command to copy files from a local folder to the container.

Steps for providing PEM certificate and key files:
  • For a Windows installation:
    1. Install the application.
    2. Stop the application.
    3. Edit the section /client/inbound/ssl in config.yaml to provide the paths to the certificate and key files. If a CA certificate file path must be provided as the value of client/outbound/server/ssl/ca in config.yaml, the file path can be provided at this step. See below.
    4. Copy the files to the configured locations.
    5. Start the application.
  • For Linux installations:
    1. Before installation, edit the section /client/inbound/ssl in config.yaml to provide the paths to the certificate and key files. If a CA certificate file path must be provided as the value of client/outbound/server/ssl/ca in config.yaml, the file path can be provided at this step. See below.
    2. Install the application.
    3. Copy the files to the configured locations.
    4. Start the application.

If a user-provided certificate and private key are used for the Design Server backend server, then the root CA certificate for the backend server certificate should be provided to the client application. This is done by providing the file path to the CA certificate as the value of client/outbound/server/ssl/ca. Relative paths are interpreted in the same way as for the other files, that is, relative to the web UI server root directory. The CA certificate is then copied to the configured location. These steps should be performed as described above for the certificate and key files.

config.yaml example:

key: "ssl-certificates/private-certificates/server-key.pem"
cert: "ssl-certificates/public-certificates/server-crt.pem"
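
After the files are copied to the configured locations and before the application is started, the certificate chain file and key file can be checked. The following Python script is an added example, not part of the IBM documentation or product; its function names are hypothetical, and it assumes a passphrase-protected key is unusable because the config.yaml example shows no passphrase setting.

```python
# Added example (not IBM code): pre-flight check for the PEM files named in config.yaml.
import os
import re
import ssl
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s.*?-----END \1-----", re.S)

def pem_labels(text):
    """Return the label of every PEM block in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def resolve(root, configured):
    """Relative paths in config.yaml are taken relative to the web UI server root."""
    path = Path(configured)
    return path if path.is_absolute() else Path(root) / path

def check_tls_files(root, cert, key):
    """Return a list of problems; an empty list means the pair loaded cleanly."""
    cert_path, key_path = resolve(root, cert), resolve(root, key)
    problems = [f"missing file: {p}" for p in (cert_path, key_path) if not p.is_file()]
    if problems:
        return problems
    cert_labels = pem_labels(cert_path.read_text(errors="replace"))
    key_text = key_path.read_text(errors="replace")
    key_labels = pem_labels(key_text)
    if not cert_labels or any(label != "CERTIFICATE" for label in cert_labels):
        problems.append("cert file must contain only CERTIFICATE blocks")
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        problems.append("key file must contain exactly one private key block")
    elif key_labels[0].startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in key_text:
        # Assumption: the page's config.yaml example has no passphrase setting.
        problems.append("private key is passphrase-protected")
    if os.name == "posix" and key_path.stat().st_mode & 0o077:
        problems.append("private key is readable by group or others")
    if not problems:
        try:
            # OpenSSL refuses a key that does not match the first (leaf) certificate.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(str(cert_path), str(key_path))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"certificate and key do not load as a pair: {exc}")
    return problems

if __name__ == "__main__":
    import sys
    print(check_tls_files(*sys.argv[1:4]) or "OK")
```

Run it with the web UI server root directory from Table 1 followed by the cert and key values from config.yaml.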