You can enable SSL for web services by using the WebSphere Application Server administrative
console for development and testing, and by using Run Engine commands for permanent configuration
changes.
Procedure
For development and testing, use the WebSphere Application Server administrative
console:
- When client authentication is not needed.
  If the server does not require client authentication, that is, it does not validate a client
  certificate, the configuration is simple: the web service's server certificate (or the signer
  certificate of the authority that issued it) is added to the default truststore so that HCL
  Commerce trusts the server on outbound calls:
  - Open the WebSphere Application Server administrative console.
  - Expand Security. Click SSL certificate and key management.
  - In the Related Items section, click Key stores and certificates.
  - Select NodeDefaultTrustStore.
  - In the Additional Properties section, click Signer Certificates.
  - You can either:
    - Click Retrieve from port and enter the HTTPS host name and port. The console connects to
      that endpoint and retrieves the certificate for you. Before you accept it, compare the
      fingerprint (SHA digest) of the retrieved signer with a value obtained from the service
      owner out of band; otherwise you are trusting whatever answered on that port at that moment.
    - Click Add to import the Base64-encoded certificate file.
  HCL Commerce now trusts the web service's server certificate on outbound calls.
- When client authentication is needed.
  If client authentication is needed, the remote server verifies the client certificate and
  refuses the connection if the client is untrusted. HCL Commerce, as the client, therefore needs
  a keystore that holds its own client certificate and private key, and the remote server must add
  that client certificate (or its signer) to its truststore. The following steps create the stores
  on the HCL Commerce side and wire them into an SSL configuration for the outbound endpoint.
- Create the keystore and truststore.
  For testing purposes, you can create a new keystore and truststore and use a self-signed
  certificate. In production, you must use a certificate from a trusted certificate authority.
  - Open ikeyman to create the certificate stores. ikeyman is in the AppServer/bin directory.
  - In the Key Database File menu, select New....
  - For the key database type, select JKS. Other formats such as PKCS12 can also be selected.
  - Select a name and path for the keystore, for example, CommerceKeyStore.jks.
  - Enter a password. Remember this password, as it is needed in later steps.
  - With Personal Certificates selected, click New Self-Signed....
  - Complete the form and click Accept.
  Your new keystore is created and contains the self-signed certificate. The following steps
  create the truststore.
  - In the Key Database File menu, select New....
  - Create a file to use for the truststore, for example, CommerceTrustStore.jks. The truststore
    contains the certificates that this server trusts, so the web service's server certificate
    must be added to it.
  - You can add the server certificate now in iKeyman or later by using the administrative
    console. The server certificate is typically a .arm (Base64-encoded) certificate file, or is
    included in a key database such as a JKS or p12 file.
  - To import the server certificate from a .arm file, ensure that Signer Certificates is selected
    in the drop-down menu and click Add.... If the certificate is in a JKS or p12 file, extract it
    to a .arm file first.
- Define the new truststore and keystore in HCL Commerce.
  - Open the WebSphere Application Server administrative console.
  - Expand Security. Click SSL certificate and key management.
  - In the Related Items section, click Key stores and certificates.
  - Click New. Use CommerceKeyStore for the name, and populate the path and password for the
    CommerceKeyStore.jks file and the remaining options.
  - After creation, click Personal certificates to see the details of the self-signed
    certificate. This check confirms that the keystore is correctly defined.
  - Repeat these steps to define CommerceTrustStore from CommerceTrustStore.jks. Click Signer
    certificates for the truststore to confirm that the server certificate is listed.
- Create an SSL configuration.
  - Expand Security. Click SSL certificate and key management.
  - In the Related Items section, click SSL configurations.
  - Click New.
  - Enter CommerceSSLConfig as the name.
  - For the truststore name, select CommerceTrustStore.
  - For the keystore name, select CommerceKeyStore.
  - Click Get certificate aliases.
  - For the Default server certificate alias and Default client certificate alias, select the
    alias of the self-signed certificate, or of your client certificate. The client certificate
    alias is the one that HCL Commerce presents when the remote server requests a certificate.
  - In the Additional properties section, click Quality of protection (QoP) settings.
  - Set Client Authentication to Required.
- Associate the SSL configuration with the web service.
  - In the Related Items section of the SSL certificate and key management pane, click Dynamic
    outbound endpoint SSL configurations.
  - Click New. A dynamic outbound endpoint configuration makes outbound requests that use a
    particular protocol to a particular host name and port use a non-default SSL configuration.
  - Enter the combination of protocol, host, and port that matches the endpoint of the outbound
    web service. Keep the entry as specific as possible: an entry that matches more broadly would
    present the client certificate to every endpoint it covers.
  - In the SSL Configuration list, select CommerceSSLConfig. Then, click Get certificate aliases.
  - Select the client certificate alias.
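The trust relationships that the preceding steps configure through the console can be exercised end to end in a short Go program, which is useful for confirming which store must contain what before you change the real configuration. The following is an added example and is not code from HCL Commerce or WebSphere Application Server; the function names Handshake and selfSigned, the names localhost and commerce-client, and the use of in-memory self-signed certificates in place of the .jks files are assumptions made for this example. The server's ClientCAs pool stands in for the remote service's truststore and its ClientAuth setting for the QoP setting Client Authentication = Required; on the client, RootCAs stands in for CommerceTrustStore and Certificates for CommerceKeyStore. The three runs in main cover a server that is missing from the client truststore (rejected by the client), a client that presents no certificate (rejected by the server), and the fully configured case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned is the in-memory stand-in for iKeyman's "New Self-Signed..." (example names).
func selfSigned(name string, eku x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // Go verifies the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// Handshake runs one handshake between an in-process server that requires client authentication
// and a client set up like HCL Commerce's outbound call. trustServer puts the server certificate
// in the client's truststore; sendClientCert gives the client a certificate the server trusts.
func Handshake(trustServer, sendClientCert bool) error {
	serverCert, serverLeaf := selfSigned("localhost", x509.ExtKeyUsageServerAuth)
	clientCert, clientLeaf := selfSigned("commerce-client", x509.ExtKeyUsageClientAuth)
	// Remote service: ClientCAs is its truststore; RequireAndVerifyClientCert is the
	// QoP setting "Client Authentication = Required".
	serverTrust := x509.NewCertPool()
	serverTrust.AddCert(clientLeaf)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              serverTrust,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // nothing to send after the handshake
	}
	// HCL Commerce side: RootCAs plays CommerceTrustStore, Certificates plays CommerceKeyStore.
	clientTrust := x509.NewCertPool()
	if trustServer {
		clientTrust.AddCert(serverLeaf)
	}
	clientCfg := &tls.Config{RootCAs: clientTrust, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	if sendClientCert {
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	serverDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, serverCfg).Handshake()
		}
		serverDone <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		<-serverDone // let the server goroutine finish before returning
		return fmt.Errorf("client: %w", err)
	}
	defer conn.Close()
	// Under TLS 1.3 a missing or untrusted client certificate is rejected by the server only
	// after the client's own handshake has returned, so the server's verdict is the one to wait for.
	if err := <-serverDone; err != nil {
		return fmt.Errorf("server: %w", err)
	}
	return nil
}

func main() {
	for _, c := range [][2]bool{{false, false}, {true, false}, {true, true}} {
		fmt.Printf("trustServer=%v sendClientCert=%v -> %v\n", c[0], c[1], Handshake(c[0], c[1]))
	}
}
```

Run it with go run: the first two cases return an error and only the third returns nil. Those three outcomes correspond to the signer being missing from CommerceTrustStore, no client certificate alias being set, and both stores being in place.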
Results
The preceding steps used the WebSphere Application Server administrative console to enable SSL for
outbound web services. To make the configuration changes permanent, you might need to customize the
Docker file to execute Run Engine commands that preserve the WebSphere Application Server
configuration. For more information, see Run Engine commands.