
Additional customization of the Liberty server

WebSphere Liberty allows users to edit and override the default configuration with configDropins. The configuration dropins feature is described here: https://www.ibm.com/docs/en/was-liberty/base?topic=files-using-configuration-dropins-folder-specify-server-configuration

Note, however, that dynamic configuration updates are disabled by default, so Liberty needs to be restarted to load new configuration files.

Example:

As an example of such customization, the setup of zosWorkloadManager is described below:

  1. First make sure that the directories configDropins/overrides exist in the server default directory. If they do not, create them.
  2. Ensure that these directories are readable by the Liberty server.
  3. Create a properly encoded (e.g. ISO8859-1) XML file inside the overrides directory that contains the feature configuration, for example:
    <server description="UKO">
        <!-- Enable feature -->
        <featureManager>
            <feature>zosWlm-1.0</feature>
        </featureManager>
    
        <!-- WLM -->
        <variable name="wlm.tcName" defaultValue="MYCBTC"/>
        <zosWorkloadManager collectionName="EKMFWEB"/>
        <wlmClassification>
            <httpClassification transactionClass="${wlm.tcName}"/>
        </wlmClassification>
    
    </server>
    
  4. After saving this file, the server needs to be restarted to load the new configuration.

Setup of mTLS

With mTLS, a UKO client can use the UKO APIs by authenticating with a certificate. The certificate presented in the TLS handshake maps to a RACF user ID, which is then authorized to UKO resources in the same manner as a UKO client from a browser.

UKO supports mTLS in 2 ways:

  1. You can enable mTLS for ALL communications, so that each user MUST present a trusted certificate when accessing UKO via a browser on port https.port. To configure that, set TLS_CLIENT_AUTHENTICATION=true in server.env.
  2. You can enable mTLS support without requiring it. To configure that, set TLS_CLIENT_AUTHENTICATION=false and TLS_CLIENT_AUTHENTICATION_SUPPORTED=true in server.env.

The CA certificate that issued the mTLS client certificate must be added to RACF as CERTAUTH, and defined in the key ring identified by TLS_TRUST_STORE_KEY_RING in server.env.

The client certificate must be imported to RACF with a specific RACF user ID as owner, which will then be the user ID that is authorized to the UKO roles.
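
An added example, not part of the UKO documentation: a shell check that reads server.env, reports which of the two mTLS modes above is in effect, and fails when mTLS is enabled without TLS_TRUST_STORE_KEY_RING. The sample file and the key ring name EXAMPLE.RING are constructed; treating a missing value as not enabled and the last assignment of a key as the effective one are assumptions.

```shell
# Added example: audit the mTLS settings of a UKO server.env (not UKO's own code).

# env_get FILE KEY -> value of the last uncommented KEY=value line (may be empty).
# Assumption: if a key is repeated, the last assignment is the effective one.
env_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# mtls_mode FILE -> required | optional | off
# Assumption: a missing or non-"true" value counts as not enabled.
mtls_mode() {
    if [ "$(env_get "$1" TLS_CLIENT_AUTHENTICATION)" = "true" ]; then
        echo required
    elif [ "$(env_get "$1" TLS_CLIENT_AUTHENTICATION_SUPPORTED)" = "true" ]; then
        echo optional
    else
        echo off
    fi
}

# mtls_audit FILE -> prints findings; returns 1 when mTLS is enabled but
# TLS_TRUST_STORE_KEY_RING is not set, so no issuing CA could be located.
mtls_audit() {
    audit_mode=$(mtls_mode "$1")
    audit_ring=$(env_get "$1" TLS_TRUST_STORE_KEY_RING)
    echo "mode=$audit_mode trust_key_ring=${audit_ring:-<unset>}"
    case $audit_mode in
        off) echo "info: mTLS is not enabled by these settings"; return 0 ;;
        optional) echo "note: a client certificate is supported but not required" ;;
    esac
    if [ -z "$audit_ring" ]; then
        echo "FAIL: TLS_TRUST_STORE_KEY_RING is not set"
        return 1
    fi
    echo "ok: the issuing CA must be CERTAUTH and in key ring $audit_ring"
}

# Constructed sample input; the key ring name is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# TLS_CLIENT_AUTHENTICATION=true
TLS_CLIENT_AUTHENTICATION=false
TLS_CLIENT_AUTHENTICATION_SUPPORTED=true
TLS_TRUST_STORE_KEY_RING=EXAMPLE.RING
EOF
mtls_audit "$sample"
rm -f "$sample"
```

The check only inspects server.env; whether the CA is actually defined as CERTAUTH and connected to the key ring still has to be verified in RACF.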

To learn how to use mTLS for calling UKO APIs, see Interact with the API using the command line.