Securing the Central Configurator in My webMethods Server

About this task

Communications between the configuration portlets and the back-end web application can be secured even if the primary IBM My webMethods Server instance is not. This is because the Central Configurator web application creates its own Glue-based HTTP server. This server can be configured to require the use of SSL for its inbound connections. To enable SSL in the Central Configurator, several configuration files must be changed manually. The SSL key and trust stores are configured through the IBM My webMethods Server server.properties batch or shell script.

The "server.properties.bat" (Windows) or "server.properties.sh" (Unix) file contains the environment settings for the IBM My webMethods Server instance. In this file the JVM, debug, SSL, JMX, HTTP and other options are specified. For SSL, the key and trust store variables define the key and trust store file locations, their type, and finally the access password. Note that once the IBM My webMethods Server instance is started or restarted, the values of the password variables will be encrypted. For more information see Administering IBM My webMethods Server.

To secure the Central Configurator in IBM My webMethods Server

Procedure

  1. In Windows, open the Software AG_directory\MWS\server\default\bin\server.properties.bat file. If you have a Unix-based system, the filename will be server.properties.sh.
  2. Edit the appropriate section of the file based on the example that follows. Note that the paths and values shown may not be applicable to your system configuration:
    # SSL Properties
    set.JAVA_KEYSTORE=Software AG_directory\MWS\server\default\config\security\localhost.p12
    set.JAVA_KEYSTORETYPE=pkcs12
    set.JAVA_KEYSTORE_PASSWORD=encrypted_password
    set.JAVA_TRUSTSTORE=Software AG_directory\MWS\server\default\config\security\sagdemoca.jks
    set.JAVA_TRUSTSTORETYPE=jks
    set.JAVA_TRUSTSTORE_PASSWORD=encrypted_password
    
  3. Save your changes to the server.properties.bat (or server.properties.sh) file and close it.
  4. Open the Software AG_directory\MWS\server\default\config\engine\GlueServiceRegistryProperties.xml file.
  5. Locate the web service protocol configuration, and update it from “http” to “https”.
  6. Save and close the GlueServiceRegistryProperties.xml file.
  7. Restart IBM My webMethods Server and examine the log to verify that it started cleanly.
  8. Open the Software AG_directory\optimize\<component>\conf\system\EndpointRegistry.xml file in an appropriate text editor. Note that <component> should be replaced with the Optimize component for which SSL is being configured.
  9. Edit the Configuration Agent protocol entry to be https.

    To save time, you can change the protocol for all applicable web services at the same time, if it makes sense for your situation.

  10. Open the Software AG_directory\optimize\<component>\conf\glue\GlueSSLProperties.xml file in an appropriate text editor. Note that <component> should be replaced with the Optimize component for which SSL is being configured.
  11. Edit the appropriate section of the file based on the example that follows. Note that the paths and values shown may not be applicable to your system configuration:
    <entry key="keyStore">./security/ssl/glueKeyStore.jks</entry>
    <entry key="keyStoreType">jks</entry>
    <entry key="keyStorePasswordHandle">keyStoreHandle</entry>

    <entry key="trustStore">./security/ssl/glueTrustStore.jks</entry>
    <entry key="trustStoreType">jks</entry>
    <entry key="trustStorePasswordHandle">trustStoreHandle</entry>

    Note: Paths must be relative to Software AG_directory\optimize\<component>\conf. For further information on adding a password-handle to the Optimize Password Manager, see webMethods Password Administrator Utility.
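
Before restarting the Optimize component, the edited GlueSSLProperties.xml can be checked for the mistakes that most often break SSL startup: curly quotes pasted from documentation, a mistyped store type, a missing entry, or an absolute store path. The following is an added example, not part of the product or its documentation; the function name, the `<properties>` root element and the sample content are assumptions made for illustration.

```python
import ntpath
import posixpath
import xml.etree.ElementTree as ET

STORE_TYPES = {"jks", "pkcs12"}  # the store types used on this page; extend if needed
REQUIRED = ("keyStore", "keyStoreType", "keyStorePasswordHandle",
            "trustStore", "trustStoreType", "trustStorePasswordHandle")

def lint_glue_ssl(xml_text):
    """Return a list of problems found in GlueSSLProperties.xml content."""
    # Curly quotes copied from rendered documentation break XML attribute parsing.
    if "\u201c" in xml_text or "\u201d" in xml_text:
        return ["curly quotes present; attribute values need straight quotes"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    entries = {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}
    problems = [f"missing entry: {key}" for key in REQUIRED if key not in entries]
    for store in ("keyStore", "trustStore"):
        kind = entries.get(store + "Type")
        if kind is not None and kind.lower() not in STORE_TYPES:
            problems.append(f"{store}Type '{kind}' is not a recognized store type")
        path = entries.get(store, "")
        # The page requires paths relative to the component's conf directory.
        if ntpath.isabs(path) or posixpath.isabs(path):
            problems.append(f"{store} must be a path relative to conf: {path}")
    return problems

# Constructed sample input: the <properties> root element is an assumption.
SAMPLE = """<properties>
  <entry key="keyStore">./security/ssl/glueKeyStore.jks</entry>
  <entry key="keyStoreType">jsk</entry>
  <entry key="keyStorePasswordHandle">keyStoreHandle</entry>
  <entry key="trustStore">C:\\certs\\glueTrustStore.jks</entry>
  <entry key="trustStoreType">jks</entry>
  <entry key="trustStorePasswordHandle">trustStoreHandle</entry>
</properties>"""

if __name__ == "__main__":
    for problem in lint_glue_ssl(SAMPLE):
        print("WARN:", problem)
```
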

Results

There are several ways to verify SSL configuration. If you are running the Analytic Engine as a console application on a Windows server, you can check the console window.