Configuring SSL for Sterling Order Management
After configuring two-way SSL for WebSphere Commerce, configure two-way SSL authentication for Sterling Order Management.
Before you begin
About this task
- Enabling access to the servlets
- Restricting access to an authorized username
Procedure
- Open the <INSTALL_DIR>/repository/eardata/smcfs/extn/ directory.
- Optional: If the web.xml.sample file does not already exist, build the smcfs.ear file to generate the file, and then rename web.xml.sample to web.xml.
Next, for each servlet, restrict access to an authorized username:
- Edit <INSTALL_DIR>/repository/eardata/smcfs/extn/web.xml by adding code for AuthorizationOnlyApiServlet and SCWCSoapServlet.
  For AuthorizationOnlyApiServlet, add the following code:
  ```xml
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AuthorizationOnlyApiServlet</web-resource-name>
      <url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>WCIntegrationUser</role-name>
    </auth-constraint>
  </security-constraint>
  ```
  For SCWCSoapServlet, add the following code:
  ```xml
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SCWCSoapServlet</web-resource-name>
      <url-pattern>/servlets/scwcsoapservlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>WCIntegrationUser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>defaultWIMFileBasedRealm</realm-name>
  </login-config>
  <security-role>
    <role-name>WCIntegrationUser</role-name>
  </security-role>
  ```
  Note: To determine the value to enter for <realm-name> in web.xml, refer to the WebSphere Application Server configuration. The sample code uses defaultWIMFileBasedRealm for <realm-name>.
- Build the EAR, which now contains the modified web.xml file.
- Redeploy the EAR:
  - Open the WebSphere Application Server Administrative Console and click .
  - Select Sterling Order Management and click Update.
  - Select Replace the entire application and Remote file system. Browse to the smcfs.ear file.
  - Click Next and accept all defaults.
  The application is updated.
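A check for the web.xml edited above, added here as an example and not part of the product or of this procedure: it parses the descriptor, confirms that both servlet URL patterns sit under a security-constraint whose auth-constraint names WCIntegrationUser and that login-config uses CLIENT-CERT, and reports which HTTP methods each constraint lists. The sample descriptor is constructed from the snippets above (wrapped in a minimal root so it parses on its own); the function names and the report layout are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not product code): the two constraints from the procedure, inside a minimal root.
SAMPLE_WEB_XML = """<web-app>
<security-constraint><web-resource-collection><web-resource-name>AuthorizationOnlyApiServlet</web-resource-name>
<url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection><auth-constraint><role-name>WCIntegrationUser</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><web-resource-name>SCWCSoapServlet</web-resource-name>
<url-pattern>/servlets/scwcsoapservlet</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection><auth-constraint><role-name>WCIntegrationUser</role-name></auth-constraint></security-constraint>
<login-config><auth-method>CLIENT-CERT</auth-method><realm-name>defaultWIMFileBasedRealm</realm-name></login-config>
<security-role><role-name>WCIntegrationUser</role-name></security-role>
</web-app>"""
SERVLET_PATTERNS = ("/interop/AuthorizationOnlyApiServlet", "/servlets/scwcsoapservlet")

def _by_name(node, name):
    # Match on the local tag name so a namespaced ({uri}tag) real web.xml is handled the same way.
    return [e for e in node.iter() if str(e.tag).rsplit("}", 1)[-1] == name]

def _texts(node, name):
    return [e.text.strip() for e in _by_name(node, name) if e.text]

def audit_web_xml(xml_text, expected_role="WCIntegrationUser", patterns=SERVLET_PATTERNS):
    """Return {url-pattern: {"status": "ok" or a problem, "methods": [...]}} plus a "login-config" entry."""
    root = ET.fromstring(xml_text)
    login = _texts(root, "auth-method")
    report = {"login-config": "ok" if login == ["CLIENT-CERT"] else f"auth-method {login}, expected CLIENT-CERT"}
    covered = {}  # url-pattern -> (has auth-constraint, roles, listed http-methods)
    for sc in _by_name(root, "security-constraint"):
        auth = _by_name(sc, "auth-constraint")
        roles = {r for a in auth for r in _texts(a, "role-name")}
        for pattern in _texts(sc, "url-pattern"):
            covered[pattern] = (bool(auth), roles, _texts(sc, "http-method"))
    for p in patterns:
        if p not in covered:
            status = "no security-constraint: servlet reachable without a client certificate"
        elif not covered[p][0]:
            status = "auth-constraint missing: constraint does not require authentication"
        elif expected_role not in covered[p][1]:
            status = f"roles {sorted(covered[p][1])} do not include {expected_role}"
        else:
            status = "ok"
        # An empty methods list means every HTTP method is constrained; a listed subset (GET and POST,
        # as in the sample) leaves the methods that are not listed outside this constraint.
        report[p] = {"status": status, "methods": covered[p][2] if p in covered else []}
    return report
```

Run it against the real extn/web.xml (for example `audit_web_xml(open(path).read())`) before building the EAR, and treat any entry other than "ok" as a reason not to deploy.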
Next, enable administrative and application security:
- In the WebSphere Application Server Administrative Console, click . The Global Security settings are displayed.
- Click Security Configuration Wizard and click Enable administrative security if it is not enabled by default. Click Next.
- For Step 2: Select user repository, click Federated repositories.
- For Step 3: Configure federated repository, enter a Primary administrative user name and password. User name example: configadmin
- For Step 4: Summary, verify that the following values are shown:

  Table 1. Summary of options set in the global security wizard for administrative security

  | Option | Value |
  |---|---|
  | Enable administrative security | true |
  | Enable application security | true |
  | Use Java™ 2 security to restrict application access to local resources | false |
  | User repository | Federated repositories |
  | Primary administrative user name | Varies |
- Restart the WebSphere Application Server for Sterling Order Management.
- Set the value of the certificateMapMode property to notSupported. For more information, see Enabling client certificate login support for a file-based repository in federated repositories.
  - Go to <Sterling_profiledir>/bin/.
  - Run ./wsadmin.sh -conntype none.
  - In the wsadmin tool, run $AdminTask setIdMgrCustomProperty {-id InternalFileRepository -name certificateMapMode -value notSupported}
  - To save the configuration, run $AdminConfig save.
- Go to and create WCIntegrationUser.
- Go to and create WCIntegrationGroup.
- Add the newly created WCIntegrationUser user as a member of WCIntegrationGroup. Go to , and then search for and choose the WCIntegrationGroup group. Click on members and add WCIntegrationUser.
- Go to , and map the following:
  - WCIntegrationUser user role to the WCIntegrationUser user created in Step 13.
  - WCIntegrationGroup group role to the WCIntegrationGroup group created in Step 14.
- Click .
- Click Quality of protection (QoP) settings.
- Set Client Authentication to Supported.