Tuesday, February 7, 2012

SSL (Secure Sockets Layer)


What is SSL?

SSL is a protocol that provides privacy and integrity between two communicating applications using TCP/IP. The data going back and forth between client and server is encrypted using a symmetric algorithm.

A public-key algorithm (RSA) is used for the exchange of the encryption keys and for digital signatures. Public key cryptography defines an algorithm that uses two keys, each of which may be used to encrypt a message. If one key is used to encrypt a message, the other must be used to decrypt it. This makes it possible to receive secure messages by simply publishing one key (the public key) and keeping the other undisclosed (the private key).


Fig: Client/server authentication
  • The SSL implementation used by the WebSphere® Application Server stores personal certificates in an SSL key file and signer certificates in a trust file.
  • The key file contains a collection of certificates, each of which may be presented during SSL connection initiation in order to prove identity.
  • The trust file contains a collection of certificates that are considered trustworthy and against which a presented certificate is matched during SSL connection initiation in order to assure identity.
  • A key store contains the personal certificates that can be used as the identity for the SSL end point referencing the key store. If more than one certificate is present, a certificate alias on the SSL configuration specifies one of the personal certificates. When an SSL connection is made (on either the client or the server side), certificates may be exchanged. The personal certificate referenced by the SSL configuration and stored in the key store is the certificate that will be used.
  • A personal certificate represents the identity of the end point and contains a public and private key for signing/encrypting data.
  • The trust store contains the signer certificates that this end point trusts when either making connections (from an outbound end point) or accepting connections (for an inbound end point).
  • A signer certificate represents a certificate and public key associated with some personal certificate. The purpose of the signer certificate is to verify personal certificates. By accepting the signer certificate into an end point's trust store, you are allowing the owner of the private key to establish connections with this end point; that is, the signer certificate explicitly trusts connections made to or by the owner of the associated personal certificate. The signer certificate is typically made completely public by the owner of the personal certificate, but it is up to the receiving entity to determine whether it is a trusted signer prior to adding it to the trust store.
Some of the security features provided by SSL are:

  • Data encryption to prevent the exposure of sensitive information while data flows across the wire.
  • Data signing to prevent unauthorized modification of data while data flows across the wire.
  • Client and server authentication to ensure that you talk to the appropriate person or machine.


SSL provides secure communications between the Internet web client and the Administrative server.

You must have a digital certificate, a keystore file, and a truststore file to fully implement SSL communications. The keystore file is used to set up secure MQ channels to the message flow server; the truststore is used to set SSL security for the WebSphere Application Server.

Digital certificates are issued by trusted parties called certificate authorities (CAs). You can create a self-signed certificate if you do not have a certificate issued by a CA.

Digital certificate

A digital certificate reveals information about its owner, including their identity. During the initialization of an SSL connection, the server must present its certificate to the client for the client to determine the server identity.

Keystore file

The keystore file is a key database file that contains both public keys and private keys. Public keys are stored as signer certificates, while private keys are stored in the personal certificates. The keys are used for a variety of purposes, including authentication and data integrity. You can use either the key management utility (iKeyman) or the keytool utility to create it.

Truststore file

A truststore file is a key database file that contains the public keys for target servers. The public key is stored as a signer certificate. If the target uses a self-signed certificate, extract the public certificate from the server keystore file. Add the extracted certificate into the truststore file as a signer certificate. For a commercial certificate authority (CA), the CA root certificate is added. The truststore file can be a more publicly accessible key database file that contains all the trusted certificates.

Start the IBM Key Management application: c:\Program Files\IBM\gsk7\bin\gsk7ikm.exe

Note: The JAVA_HOME variable must be set. The default location is C:\Program Files\WebSphere\AppServer\java.

For example:

set JAVA_HOME=C:\Program Files\WebSphere\AppServer\java
To create a key file and self-signed certificate:

Select KeyDatabaseFile > New and enter the following:

Table 1. KeyDatabaseFile values
Property   Value
File Name  HCNAdminServerKeyFile.jks
Location   WAS_HOME\etc\
Click OK.

Enter the Key File Password as defined in Table 1.
Click OK.

Under Key database content select Personal Certificates.

Click New self-signed.
Enter the following:
Table 2. Administrative server key file properties
Property           Value
Key Label          HCN Admin
Common Name        Administrative server host name (example: hcnadmin.ibm.com)
Organization       Enter an organization name.
Validity Period    Enter 7300 days (the maximum).
Country or Region  Change if the default is not appropriate.

Create Trust File HCNAdminServerTrustFile.jks using the same values as in step 2. Place HCNAdminServerTrustFile.jks in WAS_HOME\etc.
Start IBM WebSphere Application Server Base V5.1.1 Administration Console.
Click Security > SSL > New and enter the following values:

Table 1. SSL values
Property             Value
Alias                HCNAdminSSLSettings
Key File Name        ${USER_INSTALL_ROOT}/etc/HCNAdminServerKeyFile.jks
Key File Password    password
Trust File Name      ${USER_INSTALL_ROOT}/etc/HCNAdminServerTrustFile.jks
Trust File Password  password


${USER_INSTALL_ROOT} expands to the WebSphere Application Server installation path on your machine. It is defined in the IBM WebSphere Application Server Administrative Console.
Click OK.
Click Servers > Application Servers > server1 > Web Container > HTTP Transports
Click * next to SSL port 443
Select the ADMIN_SERVER_NAME/HCNAdminSSLSettings.
Click OK > Save > Save.
Restart WebSphere.
Test the Administrative server main page (https://ADMIN_SERVER_NAME/hcn/index.html).
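The key file and trust file split described in the bullets near the top of the post, and the iKeyman procedure just given, as an added example that is not part of the original post: the same two files built with the JDK keytool command that ships with the WebSphere Java runtime named in the JAVA_HOME note. The alias hcnadmin, the organization HCN and the country code US in the distinguished name are assumptions; the file names, the common name hcnadmin.ibm.com, the 7300-day validity and the store password "password" are the values the post's tables give, and the password can be overridden through the STORE_PASS environment variable.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the administrative
# server key file (personal certificate: public + private key) and trust file
# (signer certificate only) with keytool instead of the iKeyman GUI.
# Assumed: alias "hcnadmin", O=HCN and C=US in the -dname. From the post's
# tables: the file names, CN hcnadmin.ibm.com, 7300 days, store password.
set -eu

KEY_FILE="${KEY_FILE:-HCNAdminServerKeyFile.jks}"
TRUST_FILE="${TRUST_FILE:-HCNAdminServerTrustFile.jks}"
STORE_PASS="${STORE_PASS:-password}"
CERT_FILE="${CERT_FILE:-hcnadmin.crt}"

# Step 1: create the key file with one self-signed personal certificate.
# This is the only file that ever holds the private key.
make_key_file() {
    keytool -genkeypair -keystore "$KEY_FILE" -storetype JKS \
        -storepass "$STORE_PASS" -keypass "$STORE_PASS" \
        -alias hcnadmin -keyalg RSA -keysize 2048 -validity 7300 \
        -dname "CN=hcnadmin.ibm.com, O=HCN, C=US" >/dev/null 2>&1
}

# Step 2: extract the public certificate (the signer certificate) from the
# key file. -exportcert writes the certificate only; the private key stays put.
export_signer() {
    keytool -exportcert -keystore "$KEY_FILE" -storepass "$STORE_PASS" \
        -alias hcnadmin -rfc -file "$CERT_FILE" >/dev/null 2>&1
}

# Step 3: add the extracted certificate to the trust file as a signer
# certificate. keytool creates the trust file if it does not exist yet.
make_trust_file() {
    keytool -importcert -noprompt -keystore "$TRUST_FILE" -storetype JKS \
        -storepass "$STORE_PASS" -alias hcnadmin-signer \
        -file "$CERT_FILE" >/dev/null 2>&1
}

# Check: list the entry types a store holds. The key file must report
# PrivateKeyEntry; the trust file must report only trustedCertEntry, which
# confirms that no private key leaked into the publicly shared trust file.
entry_type() {
    keytool -list -keystore "$1" -storepass "$STORE_PASS" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry' | sort -u
}

# Runs the three steps in order, exactly as the post's procedure does.
build_all() {
    make_key_file && export_signer && make_trust_file
}
```

Run build_all in the directory that should hold the files (WAS_HOME\etc on the server), then entry_type on each file: the key file reports PrivateKeyEntry and the trust file only trustedCertEntry. That second listing is the check worth keeping in an install script, because a trust file that contains a PrivateKeyEntry would hand the server's private key to every client that is given the file.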
