IBM Support

Guide to renew SSL certificate for B2BAPIs' (REST API UI) secure interface

Technical Blog Post



Body

As you may already know, the B2BAPIs interface is hosted (deployed) on the WAS Liberty server bundled with Sterling File Gateway (SFG). This deployment happens when b2biAPIs_nnnn.jar (e.g., b2biAPIs_1000603.jar) is installed over SFG. During installation, b2biAPIs_nnnn.jar automatically creates the certificate key store with a default certificate and assigns it an expiration date 1 year later. This is the certificate used when accessing the secure B2BAPIs interface, i.e., "https://<HOST>:<LIBERTY_HTTPS_PORT>/B2BAPIs/svc".

 

If you wish to renew this certificate because it has expired, or you want to use your own self-signed (or CA-signed) certificate, this blog should help you.

 

Unlike the other regular system certificates of SB2Bi/SFG, this particular system/private certificate is not listed under the Trading Partner -> Digital Certificates -> System menu on the SB2Bi dashboard.

Instead, it is stored in a jks key-store on the SB2Bi/SFG file system at this location: <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/resources/security/key.jks

The key-store password is listed in the Liberty server profile at <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/server.xml

e.g., <keyStore id="defaultKeyStore" password="defaultPassword"></keyStore>

 

View B2BAPI's Private Certificate

You can view this certificate using the JDK's keytool, e.g.,

$<sfg_install_dir>/jdk/bin/keytool -list -v -keystore <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/resources/security/key.jks
Enter keystore password:

Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 1 entry

Alias name: default
Creation date: Aug 16, 2016
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=SIServer, O=ibm, C=us
Issuer: CN=localhost, OU=SIServer, O=ibm, C=us
Serial number: 483ce439
Valid from: 8/16/16 4:19 PM until: 8/16/17 4:19 PM
Certificate fingerprints:
         MD5:  1F:B9:07:06:A3:11:79:22:F9:9F:33:A2:34:57:22:46
         SHA1: 12:8C:FB:6C:6E:9C:9F:DD:EA:1C:A0:48:44:07:FF:0E:05:D1:5C:63
         SHA256: 72:33:DE:A3:80:B3:C3:B6:7E:F8:4B:83:D3:07:AE:B5:82:93:60:A5:08:95:4E:27:94:9E:79:77
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 75 af 5c cd 1d c7 92 7b 0c 76  u..............v
0010: 9d 5d 28 7c                                        ....
]
]

*******************************************
*******************************************

 

The same certificate can also be viewed in a browser at https://<HOST>:<LIBERTY_HTTPS_PORT>/B2BAPIs/svc by clicking on "certificate error" or "view certificate".

 

Create New key-store and certificate

In order to replace the default certificate, we must create a new key-store and a certificate in that key-store. I used IBM Key Management Tool to do this task. You should be able to use any tool that you have access to.

1) Create a new jks store.

Click on "New Database File" and then New. Choose Database type as "JKS".


You will be prompted for a password when you click OK here. I entered the password as "security".

2) Next, create a self-signed certificate inside key.jks.

With this step, we have key.jks ready with a self-signed certificate.

NOTE: If you have a CA-signed certificate, you should be able to add it to key.jks instead of the self-signed certificate.

 

Use newly created key-store with Liberty profile (i.e., with B2BAPIs)

* Keep a backup of the existing key-store <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/resources/security/key.jks

* Place the newly created key-store (C:\Kishore\key.jks in the previous section) so that <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/resources/security/myKeyStore.jks is the new key-store.

Note: I renamed key.jks to myKeyStore.jks so that a product upgrade/patch would not replace my custom key store.

* Update the key-store password in <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/server.xml. Note that "security" is the new password used while creating the jks in the previous section. Make sure the location attribute points to the new key-store name.

   e.g., <keyStore id="defaultKeyStore" location="myKeyStore.jks" password="security"/>

* You can view the key-store contents to confirm that it holds the intended certificate.

   e.g., <sfg_install_dir>/jdk/bin/keytool -list -v -keystore <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/resources/security/myKeyStore.jks -storepass security


* Restart the SB2Bi node for the changes to take effect.

* Accessing "https://<HOST>:<LIBERTY_HTTPS_PORT>/B2BAPIs/svc" should show the new certificate in use.
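
The key-store creation and checks above, done from the command line with the JDK's keytool instead of IBM Key Management Tool. This is an added example, not part of the original post or an IBM script; the function names, alias, DN fields, key size and validity period are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example: keytool equivalent of the GUI steps (not IBM's own script).
# Alias, DN fields, key size and validity are assumptions; adjust to your site.
KEYTOOL="${KEYTOOL:-keytool}"   # e.g. <sfg_install_dir>/jdk/bin/keytool

# new_keystore FILE STOREPASS HOSTNAME [DAYS]
# Creates a JKS key-store holding one self-signed RSA key pair (alias "default").
new_keystore() {
  if [ -e "$1" ]; then
    echo "refusing to overwrite existing $1" >&2
    return 1
  fi
  # A password given on the command line is visible in the process list;
  # leave out -storepass/-keypass to be prompted for it instead.
  "$KEYTOOL" -genkeypair -alias default -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity "${4:-365}" \
    -dname "CN=$3, OU=SIServer, O=example, C=US" -ext "SAN=dns:$3" \
    -storetype JKS -keystore "$1" -storepass "$2" -keypass "$2" || return 1
  chmod 600 "$1"   # the file contains the private key
}

# keystore_summary FILE STOREPASS
# Prints the fields to review before pointing server.xml at the new file.
keystore_summary() {
  "$KEYTOOL" -list -v -alias default -keystore "$1" -storepass "$2" |
    grep -E '^[[:space:]]*(Entry type|Owner|Issuer|Valid from|Signature algorithm name):'
}

# keystore_location SERVER_XML
# Prints the location attribute of the defaultKeyStore element, if one is set.
keystore_location() {
  tr '\n' ' ' < "$1" |
    grep -o '<keyStore[^>]*id="defaultKeyStore"[^>]*>' |
    sed -n 's/.*location="\([^"]*\)".*/\1/p'
}

# Usage: sh renew.sh <keystore-file> <store-password> <hostname> [server.xml]
if [ "$#" -ge 3 ]; then
  new_keystore "$1" "$2" "$3" && keystore_summary "$1" "$2"
  if [ -n "${4:-}" ]; then
    echo "server.xml key-store location: $(keystore_location "$4")"
  fi
fi
```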

 


 


UID

ibm11121055