Technical Blog Post
Abstract
Guide to renew SSL certificate for B2BAPIs' (REST API UI) secure interface
Body
You must have been already aware that B2BAPIs interface is hosted (deployed) on WAS Liberty server bundled within Sterling File Gateway (SFG). This deployment happens at the time of installation of b2biAPIs_nnnn.jar (e.g., b2biAPIs_1000603.jar) over SFG. During installation of b2biAPIs_nnnn.jar, it creates the certificate key store with default certificate automatically and assigns expiration date of 1 year after. This is the certificate would be used while accessing secure B2BAPIs interface i.e., "https://<HOST>:<LIBERTY_HTTPS_PORT>/B2BAPIs/svc".
If you wish to renew this certificate due to expiry or want to use your own self-signed (or CA signed certificate), This blog should help you.
Unlike other regular system certificates of SB2Bi/SFG, this particular system/private certificate is not listed under Trading Partner -> Digital Certificates -> System menu on SB2Bi dashboard.
Instead, it is available in jks key-store on SB2Bi/SFG file system at this location : <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/resources/security/key.jks
key-store password is listed in Liberty Server Profile available at <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/server.xml
e.g., <keyStore id="defaultKeyStore" password="defaultPassword"></keyStore>
View B2BAPI's Private Certificate
We must be able to view this certificate using JDK's keytool. e.g.,
| $<sfg_install_dir>/jdk/bin/keytool -list -v -keystore <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/resources/security/key.jks Keystore type: jks Your keystore contains 1 entry Alias name: default Extensions: #1: ObjectId: 2.5.29.14 Criticality=false ******************************************* |
Or same can be viewed through browser URL - https://<HOST>:<LIBERTY_HTTPS_PORT>/B2BAPIs/svc. By clicking on "certificate error" or "view certificate"
Create New key-store and certificate
In order to replace default certificate, we must create new key-store and certificate in key-store. I used IBM Key Management Tool to do this task. You should be able to use any tool that you have access to.
1) Create new jks store.
Click on "New Database File" and then New. Choose Database type as "JKS".
You will be prompted for password when you click OK here. I entered password as "security".
2) Next, Created Self-Signed Certificate inside key.jks.
With this step, we have key.jks ready with a Self-Signed certificate.
NOTE : If you have CA signed certificate, you should be able to add it to key.jks instead of Self-Signed certificate.
Use newly created key-store with Liberty profile (i.e., with B2BAPIs)
* Keep a backup of existing key-store <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/resources/security/key.jks
* Use newly created key-store (C:\Kishore\key.jks in previous section) such that <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/resources/security/myKeyStore.jks would be new key-store.
Note : I renamed key.jks to myKeyStore.jks so that product upgrade/patch would not replace my custom key store
* Update key-store password in <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/server.xml. Please note security is new password used while creating jks in previous section. Make sure location attribute points to new key store name
e.g, <keyStore id="defaultKeyStore" location="myKeyStore.jks" password="security">
* You can view key-store contents to confirm it has right certificate that was intended.
e.g., <sfg_install_dir>/jdk/bin/keytool -list -v -keystore <sfg_install_dir>/liberty/wlp/usr/servers/SIServer/resources/security/key.jks -storepass security
* Restart SB2Bi node to take changes effective.
* Accessing "https://<HOST>:<LIBERTY_HTTPS_PORT>/B2BAPIs/svc" should show new certificate in use.
UID
ibm11121055