IBM Support

How to Configure SSL / TLS Connections with the IBM Toolbox for Java Driver in WebSphere Application Server (WAS)

Troubleshooting


Problem

This document describes how to configure Secure Sockets Layer (SSL) / Transport Layer Security (TLS) connections with the IBM Toolbox for Java Driver in WebSphere Application Server (WAS).

Environment

IBM i OS; IBM Toolbox driver; IBM WebSphere Application Server (WAS)

Resolving The Problem

The IBM Toolbox for Java access classes provide support for accessing IBM i host servers over Secure Sockets Layer (SSL) / Transport Layer Security (TLS) connections. The preferred method of establishing an SSL/TLS connection with the IBM Toolbox for Java Driver is to use the Java Secure Socket Extension (JSSE or JSSE2) classes. The JSSE/JSSE2 classes are built into the Java runtime at Version 1.4 and beyond, and they are also available as a download for prior versions of Java.

Support for JSSE/JSSE2 connections is built into the IBM Toolbox for Java Driver at V5R2 (JTOpen 3.x) and later. Previous versions of the IBM Toolbox for Java Driver used the IBM SSLight implementation for SSL/TLS connections. However, these classes are no longer recommended, and they no longer ship as of IBM i 5.4. The following instructions explain how to configure SSL/TLS connections in the IBM Toolbox for Java Driver using JSSE/JSSE2 in WebSphere Application Server (WAS).

Notes:
1. Step 1 only needs to be performed if you currently do not have a valid SSL/TLS certificate assigned to the Host Server applications. This can be checked by logging into the IBM Digital Certificate Manager (Step 1a below), signing into the *SYSTEM certificate store (Step 1b below), and viewing the server application definitions (under Manage Applications -> View application Definition -> Server).
2. The server certificate should be created and assigned to the applications on the partition hosting the IBM i DB2 UDB and the IBM i Host Servers.
3. The Local CA certificate that signed the server certificate (the signer) should be imported into the trust store of the WebSphere Application Server environment; the server certificate itself stays on the IBM i partition. If the server certificate was instead issued by a public or enterprise CA that WebSphere already trusts, Step 2 can be skipped.

 

1. Create a certificate signed by the Local Certificate Authority (CA) within IBM Digital Certificate Manager (DCM) and assign it to the necessary applications.

a. Open a browser window and go to the following URL:
http://<server>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
where <server> is the IP address or Fully Qualified Host Name (FQDN) of your IBM i server; for example, 10.1.1.1 or as400.ibm.com. Port 2001 is plain HTTP; if the ADMIN HTTP server has TLS enabled, use https://<server>:2010 with the same path so that the certificate store password is not sent in the clear.
b. Sign into the *SYSTEM Certificate Store.

  • Click on the Select a Certificate Store button.

Screen shot of the main Digital Certificate screen.  A hand icon instructs you to click on the "Select a Certificate Store".

  • Select the *SYSTEM store and click Continue.
  • Enter your certificate store password and click Continue.

NOTE:  If you do not know your *SYSTEM store password, you can click on the "Reset Password" button to change it.

c. Create a self-signed certificate and assign it to the required applications.

  • After signing in, click the Create Certificate link in the left-hand, vertical menu bar.


Screen shot of the current certificate store.  A hand icon instructs you to click on "Create a certificate".

  • Select Server or client certificate and click Continue.
  • Select Local Certificate Authority and click Continue.
  • Select your Certificate Authority, Key Algorithm, and Key Size (choose RSA with a key size of at least 2048 bits). Then, fill in the Certificate label (any unique name will do), Common name (the FQDN that WebSphere will use to reach the server; for example, as400.ibm.com), Organization name, State, and Country. We also recommend that the "Fully qualified domain name" field under Subject Alternative Name be set to the same IBM i FQDN. Then, click Continue.


Screen shot of the Create Certificate form in Digital Certificate Manager.

  • Select the necessary applications you are accessing in order to assign the newly created certificate.

NOTE: IBM recommends you select the Central, Database, Data Queue, Network Print, Remote Command, Signon,  IBM i DDM/DRDA Server, Host Servers, and File Server applications.  You can also secure the IBM i Telnet Server and Management Central server as well.

- If you are accessing DB2 for i through JDBC, you will need to select the Database Server and the Signon Server.
- If you are accessing the File Server, select the File Server and the Signon Server.
- If you are accessing the Remote Command Server, select the Remote Command Server and the Signon Server, and so on. The Signon Server is always required because the Toolbox authenticates through it before it talks to any other host server.

Screen shot of the application selection list for the new certificate.

  • Click Replace at the bottom of the page.

You should receive a message stating The application you selected will use this certificate to indicate a successful creation and assignment.

d. Finally, restart the host servers with the ENDHOSTSVR *ALL and STRHOSTSVR *ALL commands; the host servers pick up the new certificate only when they are restarted. Note: You can choose to restart only the servers to which you assigned the new certificate. The DDM/DRDA server is not a host server and is restarted separately with ENDTCPSVR SERVER(*DDM) and STRTCPSVR SERVER(*DDM).

2. Download the Local CA certificate from DCM and import it into WebSphere.

There are two options available to perform the CA certificate download from DCM and import into WebSphere. The easiest option (Option a) is listed first. Option b should only be used when Option a fails.

a. Use the "Retrieve from port" feature within WebSphere to automatically download the CA certificate from the IBM i Server and import it into WebSphere.

  • Log into the IBM Integrated Solutions Console for WebSphere by doing the following:

Open a Web browser and go to the IBM Integrated Solutions Console (in other words, IBM WebSphere Administrative Console); for example, http://<server>:<adminPort>/ibm/console
where <server> is the FQDN (in other words, as400.ibm.com); <adminPort> is the WAS profile administrative port.

Note: The adminPort value can be found by displaying the WAS joblog, locating the WebSphere Application Server is ready message, and displaying the second-level text of the message. The second-level text will indicate the administrative port number.

  • Expand the Security section in the left-hand, vertical menu bar and click on the SSL certificate and key management link.

Screen shot of the welcome screen in the WebSphere Integrated Solutions Console.  A hand icon instructs the user to click on "SSL certificate and key management" under the Security section.

  • Click on the Key stores and certificates link under Related Items.

Screen shot of the "SSL certificate and key management" page.  A hand icon instructs the user to click on "Key stores and certificates" under the "Related Items" section.

  • Click on the NodeDefaultTrustStore link under the Name column.

Note: In a Network Deployment (ND) environment, click on the CellDefaultTrustStore link under the Name column.
Screen shot of the "Key stores and certificates" page.  A hand icon instructs the user to click on the "NodeDefaultTrustStore" link in the Name column.

  • Click on the Signer certificates link under the Additional Properties section.
Screen shot of the "NodeDefaultTrustStore" page.  A hand icon instructs the user to click on the "Signer certificates" link under the "Additional Properties" section.
 
  • Click on Retrieve from port to retrieve the certificate from the IBM i Access Database Host Server directly.

Screen shot of the "Signer certificates" page.  A hand icon instructs the user to click on the "Retrieve from port" button.

  • First, enter the host name of the IBM i server you wish to retrieve the certificate from (for example, AS400.IBM.COM). This information can be obtained from CFGTCP Option 12. Second, enter a value of 9471 for the port number. This is the SSL/TLS port number for the Database Host Server. Third, enter an alias value for the certificate. This has to be a unique name in the trust store. Then, click Retrieve signer information. Before clicking OK, compare the Issued to, Issued by, and SHA digest values that WebSphere displays with the Local CA certificate shown in DCM: Retrieve from port trusts whichever signer answers on that port, so a mismatch means the wrong certificate, or the wrong system, is about to be trusted. Finally, click OK.


Screen shot of the "Retrieve from port" page.  A hand icon instructs the user to click on the "Retrieve signer information" button.

  • Save the changes to the master configuration. After doing so, you will see the new certificate in the trust store.

Screen shot of the "Signer certificates" page showing the new certificate.

b. Manually download the CA certificate from DCM and import it into WebSphere.

  • Open a browser window and go to the following URL:
http://<server>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
where <server> is the IP address or Fully Qualified Host Name (FQDN) of your IBM i server; for example, 10.1.1.1 or as400.ibm.com. Port 2001 is plain HTTP; if the ADMIN HTTP server has TLS enabled, use https://<server>:2010 with the same path.
 
  • Click on the Select a Certificate Store button.
  • Select the *SYSTEM store and click Continue.
  • Enter your certificate store password and click Continue.

NOTE:  If you do not know your *SYSTEM store password, you can click on the "Reset Password" button to change it.

  • In DCM, click on the Install Local CA Certificate on Your PC link in the left-hand, vertical menu bar.

Screen shot of the Digital Certificate Manger page.  A hand icon instructs the user to click on the "Install Local CA Certificate on Your PC" link in the left-hand menu.

  • Click on the Copy and paste certificate link under the To copy and paste the certificate to a file on your PC section in the right pane.

IBM i 7.1 and earlier:
Screen shot of Digital Certificate Manager page.  A hand icon instructs the user to click on the "Copy and paste certificate" link in the "Install Local CA Certificate on Your PC" page.

IBM i 7.2 and later:
Screen shot of the "Install Local CA Certificate on Your PC" page in the IBM i 7.2 and later Digital Certificate Manager.

  • Highlight the entire certificate text, including the BEGIN CERTIFICATE and END CERTIFICATE lines.

Screen shot of Digital Certificate Manager "Copy and Paste CA Certificate" page.  The certificate text is highlighted and copied to the clipboard.

  • Open a text editor (such as Notepad), and paste the certificate data into the new text file.
  • Save the file as MYSYS.cer (replace MYSYS with the system name, as appropriate).
  • Finally, you can now click OK in the browser and exit DCM.
  • Copy the MYSYS.cer file from your PC to the /home directory on the IBM i Server.
    • Available methods to copy the file to the server: SSH (scp or sftp), FTPS in ASCII mode, or a mapped network drive. The file is a PEM text file, so a text-mode transfer is correct; verify after the copy that it still begins with the BEGIN CERTIFICATE line.
  • Start the WebSphere Application Server profile if it is not already started.
a. STRQSH
b. /QIBM/ProdData/WebSphere/AppServer/<version>/<edition>/bin/startServer -profileName <profileName>
where <version>=V7, V8, V85, or V9; <edition>=Express, Base, or ND; and <profileName>=the name of the WAS profile you wish to start (case-sensitive).
 
  • Import the Local CA into the NodeDefaultTrustStore and/or CellDefaultTrustStore certificate store.
  • Open a Web browser and go to the IBM Integrated Solutions Console (in other words, the IBM WebSphere Administrative Console); for example, http://<server>:<adminPort>/ibm/console
where <server> is the FQDN (in other words, as400.ibm.com); <adminPort> is the WAS profile administrative port.

Note: The adminPort value can be found by displaying the WAS instance's job log, locating the "WebSphere Application Server is ready" message, putting the cursor on this message and pressing F1.  This will display the message's second level text, which will indicate the administrative port number (adminPort) to use in the URL.
 
  • Expand the Security section in the left-hand, vertical menu bar and click on the SSL certificate and key management link.
Screen shot of the WebSphere Integrated Solutions Console Welcome page.  A hand icon instructs the user to click on the "SSL certificate and key management" link under the Security section.
 
  • Click on the Key stores and certificates link under Related Items.
Screen shot of the "SSL certificate and key management" page.  A hand icon instructs the user to click on the "Key stores and certificates" link under the "Related Items" section.
 
  • Click on the NodeDefaultTrustStore link under the Name column.
Note: In a Network Deployment (ND) environment, click on the CellDefaultTrustStore link under the Name column.
Screen shot of the "Key stores and certificates" page.  A hand icon instructs the user to click on the "NodeDefaultTrustStore" link in the Name column.
  • Click on the Signer certificates link under the Additional Properties section.
  • Click on the Add button to add a new certificate to the certificate store.
Screen shot of the "Signer certificates" page.  A hand icon instructs the user to click on the Add button to add a certificate.
 
  • Enter an Alias and the path to the Local CA certificate that you copied to the IFS of the server (for example, /home/MYSYS.cer). Then, click OK to add the certificate. Screen shot of the "Add signer certificate" page.  The Alias, File Name, and Data Type fields are filled out.  A hand icon instructs the user to click on the OK button.
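The following Java program is an added example, not part of the IBM technote or of the Toolbox, that reproduces what the Retrieve from port feature in Option a does behind the scenes: it completes a TLS handshake with the host server port, captures the certificate chain the server presents without trusting it, and prints each certificate's subject, issuer, validity period, and SHA-1/SHA-256 fingerprints so they can be compared with the Local CA certificate in DCM before the signer is saved into the trust store. The host name as400.ibm.com and port 9471 are placeholders taken from the steps above; the program needs only a JDK.

```java
// Added example (not from the IBM technote): show what "Retrieve from port"
// will store, so the fingerprint can be checked against DCM before clicking OK.
// The default host name is a placeholder; the port is the Database host server.
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class ShowHostServerSigner {

    /** Records the chain the server presented. It grants NO trust and must
     *  never be used for a real application connection. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        public void checkClientTrusted(X509Certificate[] c, String authType) { }
        public void checkServerTrusted(X509Certificate[] c, String authType) { chain = c; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Colon-separated upper-case hex digest of the DER encoding, the same
     *  form DCM and the WebSphere console display. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "as400.ibm.com";   // placeholder
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9471; // Database host server, TLS

        CapturingTrustManager capture = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);

        // Handshake only; nothing is sent to the host server afterwards.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
            System.out.println("Negotiated " + socket.getSession().getProtocol()
                + " with " + socket.getSession().getCipherSuite());
        }

        if (capture.chain == null) {
            System.out.println("No certificate chain was presented on " + host + ":" + port);
            return;
        }
        for (int i = 0; i < capture.chain.length; i++) {
            X509Certificate c = capture.chain[i];
            System.out.println("[" + i + "] Subject: " + c.getSubjectX500Principal());
            System.out.println("    Issuer : " + c.getIssuerX500Principal());
            System.out.println("    Valid  : " + c.getNotBefore() + " to " + c.getNotAfter());
            System.out.println("    SHA-1  : " + fingerprint(c, "SHA-1"));
            System.out.println("    SHA-256: " + fingerprint(c, "SHA-256"));
        }
        System.out.println("Compare the last entry with the Local CA certificate in DCM;"
            + " if only one certificate is listed, the server did not send its CA.");
    }
}
```

Compile with javac ShowHostServerSigner.java and run java ShowHostServerSigner <host> 9471. The capturing trust manager deliberately accepts any chain, which is exactly why this program is for inspection only; a first entry whose Subject is not the IBM i FQDN, or an Issuer that is not the Local CA from DCM, means the port is not presenting the certificate assigned in Step 1.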

3. Set the connection to use SSL/TLS.

Non-JDBC Connections: Use the SecureAS400 class in place of the AS400 class. SecureAS400 is a subclass of AS400, so the access classes built on it (CommandCall, IFSFile, DataQueue, and so on) need no other change. Refer to the SecureAS400 Javadoc and the SSL topic at https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzahh/ssl.htm
JDBC Connections: Set the secure JDBC connection property to true (secure=true) so that the driver uses SSL/TLS to the Signon and Database host servers. In WAS, this is done on the data source:

a. In the IBM Integrated Solutions Console, expand Resources -> JDBC and click on Data sources.
Screen shot containing a hand icon instructing the user to click on the "Data sources" link under JDBC in the Resources section in the ISC.
b. Click on the name of the data source you are accessing in your Web application to display its configuration properties.
c. Click on Custom properties link under the Additional Properties section to view the custom data source properties.
Screen shot of the data source page for the Toolbox data source.  A hand icon instructs the user to click on the "Custom properties" link under the "Additional Properties" section.
d. Locate the secure property on the second page and click on the property name to edit its value.
e. Change the value of the secure property to true and then click on OK.
Screen shot of the new custom properties page for a data source.  A hand icon instructs the user to change the value field to "true" and click the Ok button.
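As an added example that is not part of the technote or of the Toolbox itself, the following stand-alone Java program opens the two kinds of secure connection described above: a JDBC connection with the secure property set to true through AS400JDBCDataSource, and a non-JDBC CommandCall through SecureAS400. Outside WAS there is no NodeDefaultTrustStore, so the program points JSSE at a JKS trust store built from the MYSYS.cer file with keytool; the host name, credentials, and trust store path are placeholders passed on the command line, and jt400.jar must be on the class path.

```java
// Added example (not from the IBM technote): the same secure connections a WAS
// data source or application would make, from a stand-alone JVM. Host, user,
// password and trust store path are placeholders supplied on the command line.
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;
import com.ibm.as400.access.AS400JDBCDataSource;
import com.ibm.as400.access.CommandCall;
import com.ibm.as400.access.SecureAS400;

public class ToolboxTlsDemo {

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: ToolboxTlsDemo <host> <user> <password> <truststore.jks>");
            return;
        }
        String host = args[0], user = args[1], password = args[2], trustStore = args[3];

        // Outside WAS, JSSE must be told where the Local CA lives. In WAS this is
        // the NodeDefaultTrustStore/CellDefaultTrustStore populated in Step 2.
        // Build the file once with:
        //   keytool -importcert -alias mysys -file MYSYS.cer -keystore truststore.jks
        System.setProperty("javax.net.ssl.trustStore", trustStore);

        // JDBC: setSecure(true) is the equivalent of secure=true in the WAS
        // custom properties and is the only change from a plain connection.
        AS400JDBCDataSource ds = new AS400JDBCDataSource();
        ds.setServerName(host);
        ds.setUser(user);
        ds.setPassword(password);
        ds.setSecure(true);
        try (Connection conn = ds.getConnection();
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT CURRENT SERVER FROM SYSIBM.SYSDUMMY1")) {
            if (rs.next()) {
                System.out.println("JDBC over TLS to relational database " + rs.getString(1));
            }
        }

        // Non-JDBC: SecureAS400 instead of AS400. The Signon and Remote Command
        // servers must both carry the certificate for this call to succeed.
        SecureAS400 system = new SecureAS400(host, user, password);
        try {
            CommandCall cmd = new CommandCall(system);
            boolean ok = cmd.run("DSPJOB OUTPUT(*PRINT)");
            System.out.println("CommandCall over TLS " + (ok ? "succeeded" : "failed"));
        } finally {
            system.disconnectAllServices();
        }
    }
}
```

The JDBC part needs the Database and Signon host servers to carry the certificate; the CommandCall part additionally needs the Remote Command server. A failure of the form "The certificate issued by ... is not trusted" at either step means the Local CA is missing from the trust store the JVM is using, which is the same condition that makes WebSphere's Test connection fail in Step 5.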

4. Restart the application server (node).

a. STRQSH
b. /QIBM/UserData/WebSphere/AppServer/<version>/<edition>/profiles/<profileName>/bin/stopServer <serverName>
c. /QIBM/UserData/WebSphere/AppServer/<version>/<edition>/profiles/<profileName>/bin/startServer <serverName>
where <version>=V7, V8, V85, or V9; <edition>=Express, Base, or ND; <profileName>=the name of the WAS profile (case-sensitive); and <serverName>=the application server within that profile, for example server1.

5. Test the JDBC connection.

a. In the data source configuration, click on the Test connection button.
NOTE: A JAAS - J2C authentication data entry containing the IBM i user profile and password must be assigned as the component-managed authentication alias under Security settings in the data source configuration; Test connection signs on with that alias.
Screen shot of the Toolbox data source configuration page.  A hand icon instructs the user to click on the "Test connection" button.

b. If everything is set up correctly, you should receive a message similar to the following: The test connection operation for data source <dataSource> on server <server> at node <node> was successful.
Screen shot of the data source configuration page showing the test connection was successful.

c. If the test connection does not complete successfully, review the error message(s) and contact the IBM i Global Support Center at 1-800-IBM-SERV (1-800-426-7378) or create an IBM Service Request for further assistance.

Note: If the error message states The certificate issued by xxx is not trusted, there might be a problem with the Local CA certificate you exported from DCM, or the server certificate assigned to the host servers was not issued by that Local CA. Review the Local CA and server certificate settings within DCM and what was imported into the WAS trust store (the signer's Issued to and SHA digest values must match) to resolve the issue. If you require further assistance, contact the IBM i Global Support Center at 1-800-IBM-SERV (1-800-426-7378) or create an IBM Service Request to open a problem ticket.


Historical Number

587064477

Document Information

Modified date:
18 December 2019

UID

nas8N1011771