Configuring the authentication channel for SSL

You can secure communications by using the WebSphere® signer certificates to configure SSL between the authentication client and the authentication server.

To configure for SSL between the authentication client and the authentication server, complete the following steps:

  1. Do one of the following:
    1. If you are using the WebSphere instance installed by Tivoli® Integrated Portal, navigate to SSL certificate and key mgmt > Manage endpoint security configurations > Node1 > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
    2. If you are using the WebSphere instance installed by Tivoli Change and Configuration Management Database (CCMDB) or IBM® SmartCloud Control Desk, navigate to SSL certificate and key mgmt > Manage endpoint security configurations > ctgNode01 > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
  2. Export the WebSphere signer certificates to files (for example, export dummyclientsigner to signer1.cert and dummyserversigner to signer2.cert). If you are unsure about which certificates to export, you must export all of the signer certificates.
  3. Copy the .cert files to the TADDM server. Create a truststore and import the WebSphere signer certificates as follows:
    $COLLATION_HOME/external/jdk-Linux-i686/jre/bin/keytool \
    -genkey -alias truststore -keystore truststore.jks
    $COLLATION_HOME/external/jdk-Linux-i686/jre/bin/keytool \
    -import -trustcacerts -alias default -file signer1.cert -keystore truststore.jks
    $COLLATION_HOME/external/jdk-Linux-i686/jre/bin/keytool \
    -import -trustcacerts -alias dummyserversigner -file signer2.cert -keystore truststore.jks
  4. Include the truststore password and location in the $COLLATION_HOME/etc/collation.properties entries:
    com.collation.security.auth.ESSClientTrustStore=/opt/IBM/taddm/dist/etc/truststore.jks
    com.collation.security.auth.ESSClientTrustPwd=password
  5. Update the Tivoli Authentication Service URL in the ibmessclientauthncfg.properties file to use https and port 9443. Ensure that the WebSphere host name is correct, substituting it for localhost, and that the non-https entry is commented out.
    # This is the URL for the ESS Authentication Service
    #authnServiceURL=http://localhost:9080/TokenService/services/Trust
    authnServiceURL=https://localhost:9443/TokenService/services/Trust
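The following script is an added example and is not part of the TADDM documentation. It automates steps 3 to 5 above and then checks the result: it imports the exported signer certificates into a truststore, confirms that collation.properties names a truststore file that exists, and confirms that ibmessclientauthncfg.properties has exactly one active authnServiceURL entry that uses https on port 9443 and does not still point at localhost. It assumes COLLATION_HOME is set (the default below is the path the page itself uses), that the keytool under that path is the one the page names, and that the .cert files were already exported from WebSphere; the function names, the host name was01.example.com and the password are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the TADDM documentation: scripts steps 3 to 5 of
# the procedure and checks the outcome. Assumptions: COLLATION_HOME is set
# (default below is the path the page uses), keytool lives under it as the
# page states, and the signer .cert files were already exported from WebSphere.

COLLATION_HOME="${COLLATION_HOME:-/opt/IBM/taddm/dist}"
KEYTOOL="$COLLATION_HOME/external/jdk-Linux-i686/jre/bin/keytool"

# Step 3: import every exported signer certificate into the truststore, one
# alias per file (signer1.cert -> alias signer1). keytool -importcert creates
# the keystore file if it does not exist yet, so no separate -genkey is needed.
# Usage: build_truststore "$COLLATION_HOME/etc/truststore.jks" password signer1.cert signer2.cert
build_truststore() {
  ts="$1"; pw="$2"; shift 2
  for cert in "$@"; do
    "$KEYTOOL" -importcert -noprompt -trustcacerts \
      -alias "$(basename "$cert" .cert)" -file "$cert" \
      -keystore "$ts" -storepass "$pw" || return 1
  done
  # List what the client will trust; every exported signer must appear here.
  "$KEYTOOL" -list -keystore "$ts" -storepass "$pw"
}

# Value of key $2 in properties file $1 (empty if unset or commented out).
prop_value() {
  grep -E "^[[:space:]]*$2=" "$1" | head -n 1 | cut -d= -f2- | sed 's/[[:space:]]*$//'
}

# Step 4 check: both truststore entries are present in collation.properties
# and the truststore file exists at the configured location.
check_collation_props() {
  ts=$(prop_value "$1" com.collation.security.auth.ESSClientTrustStore)
  pw=$(prop_value "$1" com.collation.security.auth.ESSClientTrustPwd)
  [ -n "$ts" ] && [ -n "$pw" ] || { echo "truststore entries missing in $1"; return 1; }
  [ -f "$ts" ] || { echo "truststore not found: $ts"; return 1; }
}

# Step 5 check: exactly one active authnServiceURL (so the http entry is
# commented out), using https on port 9443, and not pointing at localhost.
check_authn_cfg() {
  count=$(grep -cE '^[[:space:]]*authnServiceURL=' "$1" || true)
  [ "$count" -eq 1 ] || { echo "expected one active authnServiceURL in $1, found $count"; return 1; }
  url=$(prop_value "$1" authnServiceURL)
  case "$url" in
    https://localhost:*|https://127.0.0.1:*)
      echo "replace localhost with the WebSphere host name: $url"; return 1 ;;
    https://*:9443/*) ;;
    *) echo "authnServiceURL must use https on port 9443: $url"; return 1 ;;
  esac
}
```

Run build_truststore once with the exported .cert files, then run check_collation_props against $COLLATION_HOME/etc/collation.properties and check_authn_cfg against ibmessclientauthncfg.properties before restarting the client; each check prints the offending value and returns non-zero when the file still matches the pre-SSL configuration, which is the usual cause of the client silently continuing to talk plain http.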