Two-way SSL communication for hybrid integrations

webMethods Integration Server 10.7 and later versions support two-way SSL communication between the on-premises Integration Server and IBM® webMethods Integration. Integration Server, by default, supports one-way SSL communication in which the on-premises Integration Server acts as a client and validates the certificate that is issued by IBM webMethods Integration that acts as a server.

In two-way SSL communication, both the on-premises Integration Server and IBM webMethods Integration validate each other’s certificate. If you want more secure communication between two business applications, you can set up two-way SSL communication.

How to set up two-way SSL communication

Let us see how to set up two-way SSL communication between the on-premises Integration Server and IBM webMethods Integration.

Important:
  • Before you set up two-way SSL communication, download the IBM webMethods Integration signed certificate and generate a keystore file. Then use the keystore file to create a keystore alias on the on-premises Integration Server. When you set up a connection to IBM webMethods Integration, you use these keystore details so that IBM webMethods Integration can validate the certificate.

  • Ensure that Integration Server 10.7 or a later version is installed; two-way SSL communication requires it.

  • Further, if you are using on-premises Integration Server v10.15 for hybrid connectivity, and if your hybrid connectivity uses two-way SSL, ensure that you have installed IS_10.15_WmCloud_Fix1 or higher in your environment.

  1. Go to IBM webMethods Integration and click Profile > Settings > Client Certificate > Tenant Certificate. Download the webMethods signed certificate file in JKS or PKCS12 format, which contains the private key and the certificate. You can also upload your own CA-signed certificate. You can either generate the JKS or PKCS12 file directly, or, if you have generated a text file, use the JKS tools or utilities to generate the JKS file from it.

Note: IBM webMethods Integration does not support uploading self-signed certificates.
  2. Go to Integration Server, add the certificate file, and specify the keystore properties on the Security > Keystore > Create Keystore Alias page. Provide the file path in the Location field and specify the keystore password. Click Submit.

Note: The default password is changeit. Update the password for enhanced security.
  3. In Integration Server Administrator, click webMethods Cloud > Tenant connections (Settings) and specify the details.

    Field descriptions:

    Username: Username for an account on IBM webMethods Integration.

    Password: Password for the user account identified by Username.

    webMethods Cloud URL: The URL of IBM webMethods Integration with which to share accounts and applications that are created on the on-premises Integration Server. The URL format is https://sub-domain.domain-name, for example https://sample.int-aws-us.webmethods.io:8443. For two-way SSL communication, add port 8443 to the URL, for example https://sub-domain.domain-name:8443.

    Under Certificate Settings (optional), complete the fields if you want to set up two-way SSL communication with IBM webMethods Integration. If you do not configure these settings, Integration Server uses one-way SSL communication with IBM webMethods Integration.

Important: If you do not specify a truststore alias on the webMethods Cloud > Tenant connections > Create tenant connections page, Integration Server relies on the certificates in the JVM truststore for one-way SSL communication. The certificate that is issued by IBM webMethods Integration uses CAs that are trusted by the JVM and are part of the JVM truststore. You might need to create a truststore if you connect to IBM webMethods Integration by using an intermediate proxy or other internal endpoints and the intermediaries use CA certificates that are signed by private CAs. If you override the JVM truststore with your own truststore, ensure that you update your truststore to include the required CAs from the JVM truststore.

Keystore Alias: A user-specified text identifier for the Integration Server keystore. This is the alias of the keystore that contains the client certificate that Integration Server presents when connecting to IBM webMethods Integration. Select the keystore alias that you created in Integration Server. A keystore alias is required for two-way SSL. If the JVM is not configured with a keystore and key alias, or you do not want to use the JVM keystore, you must specify a value for Keystore Alias.

Key Alias: The alias of the private key, which must be stored in the keystore identified by the keystore alias. This value is selected automatically. A key alias is required for two-way SSL. If the JVM is not configured with a keystore and key alias, or you do not want to use the JVM keystore, you must specify a value for Key Alias.

Truststore Alias: The alias for the truststore that contains the CA certificates accepted by the IBM webMethods Integration endpoint and any intermediate endpoints or proxies. Select Default_JVM_Truststore. The truststore must contain the trusted root certificate for the CA that signed the Integration Server certificate that is associated with the key alias. The truststore also contains the list of CA certificates that Integration Server uses to validate the trust relationship.

Note: If the connection to IBM webMethods Integration involves intermediate endpoints that use certificates that are signed by private CAs, the selected truststore alias must be for a truststore that contains the CA certificates for the private CA. This truststore might also include the certificates for the JVM.
  4. Click Update Settings. Integration Server connects to the IBM webMethods Integration instance specified in the webMethods Cloud URL field and downloads the configuration information that is required to receive incoming requests.

  5. Create an account in Integration Server.

  6. Create the application in Integration Server.

  7. Select the account and upload the application to IBM webMethods Integration.

    The application is listed on the On-Premises Connectors page in IBM webMethods Integration.
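The command-line side of the keystore steps above, as an added example that is not part of the IBM documentation: packaging a PEM "text file" into the PKCS12 keystore that step 1 expects, checking that the keystore really holds a private key before you create the keystore alias, building a custom truststore that keeps the JVM CAs (the caveat in the Important note), and dry-running the mutual handshake that Update Settings performs. File names, passwords and the key alias are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Paths, passwords and the
# alias names are placeholders; the JVM truststore password defaults to changeit.
set -eu

# Step 1 variant: the tenant certificate was obtained as PEM files. Pack the
# certificate and private key into PKCS12; -name becomes the Key Alias that
# Integration Server offers under Certificate Settings.
build_client_keystore() { # cert.pem key.pem out.p12 store-password key-alias
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
    -name "$5" -passout "pass:$4"
}

# Check before creating the Keystore Alias: a keystore that holds only a
# certificate cannot answer the server's certificate request, so the two-way
# handshake fails. Prints the number of private keys found (expect 1).
count_private_keys() { # keystore.p12 store-password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN .*PRIVATE KEY' || true
}

# Important-note caveat: when overriding the JVM truststore, start from a copy
# of it so the public CAs behind IBM webMethods Integration stay trusted, then
# add the private CA that signs an intermediate proxy's certificate.
build_truststore() { # jvm-cacerts jvm-password private-ca.pem out.p12 store-password
  keytool -importkeystore -srckeystore "$1" -srcstorepass "$2" \
    -destkeystore "$4" -deststoretype PKCS12 -deststorepass "$5" -noprompt
  keytool -importcert -file "$3" -alias private-ca -keystore "$4" \
    -storepass "$5" -noprompt
}

# Pre-flight for Update Settings: perform the same mutual handshake against
# the :8443 endpoint from the command line. A non-zero exit means either the
# server chain (truststore) or the client certificate (keystore) was rejected.
check_handshake() { # host cert.pem key.pem truststore.pem
  openssl s_client -connect "$1:8443" -cert "$2" -key "$3" \
    -CAfile "$4" -verify_return_error </dev/null >/dev/null 2>&1
}
```

Run check_handshake with the same certificate and truststore you select in the tenant connection; if it fails, the unredirected openssl output names which side of the handshake rejected the other.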