Configuring Security Settings

About this task

By default, the endpoint ports of all services are available in the domain over HTTP, and access control is not enforced. You can enable Hypertext Transfer Protocol Secure (HTTPS) as the default connection protocol by following the steps in the Procedure section. Access control can be enabled through Configuring Authentication Server (DEX).

Procedure

  1. Access Start Menu > IBM Application Discovery and Delivery Intelligence > Launch IBM Application Discovery Configuration Service Admin, and go to Configure > Environments > "Your environment" > Servers and security > Security. The Security settings page is displayed.
  2. Select a protocol type. Starting with IBM® AD 6.1.3, if you select HTTPS as a connection protocol, both TLS 1.2 and TLS 1.3 are supported.
    Important: This step requires certificates. To secure the communication, make sure that a certificate authority issues a signed certificate (.crt), a nonencrypted private key for the certificate (.key), and a keystore file, which must have one of the following extensions: .jks, .keystore, .pfx, .p12, or .ks.
    Restriction: Support for TLS 1.3 is limited. When Java™ Semeru 8 is used, a connection to Db2® for LUW cannot be established.
  3. Select one of the options to secure the communications between servers and services.
    • If you have prepared certificate files, you can select Custom certificate files. This option is recommended for production environments.
      1. Drag and drop the three required files or click to browse.
      2. After all files are successfully uploaded, enter the Keystore Password.
      3. Click Save.
    • Select Self signed certificate files. This option shows the default certificate that is used in the WebSphere Liberty profile service and Authentication Server (DEX), and configures all other IBM AD services to use the same certificate.
      1. If the certificate is expired or a new Fully Qualified Domain Name (FQDN) has been defined on the machine, you can regenerate the certificate by checking the Generate new self signed certificate files option.
      2. After the option is selected, a new field is displayed where you enter the new keystore password.
      3. Click Save.
  4. Click OK when a confirmation dialog is displayed. The saving process takes several minutes.
  5. Note: If you encounter a Page not found message while reloading the browser, the service is still restarting. Reload the page after a minute, and repeat as required.
    After the process is completed, an alert dialog might be displayed to indicate that the browser might need to be restarted. This is because the browser does not know about or trust the new certificate and shows an untrusted certificate page that blocks access to all pages within the IBM Application Discovery Configuration Service Admin.
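
A pre-flight check for the three files uploaded under Custom certificate files in step 3, as an added example that is not part of the IBM documentation or product. It assumes the .crt and .key files are PEM-encoded, and the script and function names are hypothetical. It does not open the keystore or test the Keystore Password.

```python
import ssl
import sys
from pathlib import Path

# Keystore extensions the Security settings page accepts, per the Important note in step 2.
KEYSTORE_EXTS = {".jks", ".keystore", ".pfx", ".p12", ".ks"}
# Assumption (not stated on the page): the .crt and .key files are PEM-encoded.


def key_is_encrypted(pem_text: str) -> bool:
    """True for PKCS#8 encrypted keys and for legacy PEM keys with an encryption header."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text


def preflight(crt: str, key: str, keystore: str) -> list:
    """Return a list of problems found in the three files; an empty list means none found."""
    problems = []
    for label, name in (("certificate", crt), ("private key", key), ("keystore", keystore)):
        if not Path(name).is_file():
            problems.append(f"{label} file not found: {name}")
    if Path(keystore).suffix.lower() not in KEYSTORE_EXTS:
        problems.append(f"keystore extension must be one of {sorted(KEYSTORE_EXTS)}")
    if problems:
        return problems
    key_text = Path(key).read_text(errors="replace")
    if key_is_encrypted(key_text):
        return [f"private key is encrypted; a nonencrypted key is required: {key}"]
    if "PRIVATE KEY-----" not in key_text:
        problems.append(f"no PEM private key found in {key}")
    if "-----BEGIN CERTIFICATE-----" not in Path(crt).read_text(errors="replace"):
        problems.append(f"no PEM certificate found in {crt}")
    if problems:
        return problems
    try:
        # OpenSSL parses both files and rejects a key that does not belong to the certificate.
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(crt, key)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"certificate and key do not load as a pair: {exc}")
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: preflight.py server.crt server.key keystore.p12")
    found = preflight(*sys.argv[1:4])
    print("\n".join(found) if found else "no problems found")
    sys.exit(1 if found else 0)
```
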

What to do next

You can set up a secure communication for: