Configuring two-way SSL authentication for your production environment by using Run Engine commands

Two-way SSL authentication between HCL Commerce and Sterling Order Management requires that you configure HCL Commerce by adding the Sterling Order Management certificate to the HCL Commerce truststore, and that you add the HCL Commerce client certificate to the Sterling Order Management truststore.

About this task

This task enables two-way SSL authentication between HCL Commerce and Sterling Order Management.

Procedure

  1. Extract the server certificate from Sterling Order Management, for example, scserver.cer.
  2. Create and extract the HCL Commerce client certificate.
    1. Use OpenSSL to generate a private key and certificate.

      For example: openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out wcclient.cer

      Ensure that the Common Name (CN) value is set to WCIntegrationUser.

      For a sample of the resulting certificate, see the file onewaycert.zip.

    2. Run the command to import the self-signed certificate to the keystore.
      1. Create a sample JSON to save the private key and certificate. Note the following:
        • Copy the private_key and certificate values from the rsa_private.key and cert.crt files that you generated in the previous step.
        • For issuing_ca, use the certificate that must be imported into the HCL Commerce trust store. In two-way SSL authentication, this is the Sterling Order Management server certificate (for example, scserver.cer); copy its value into issuing_ca. In one-way SSL authentication, issuing_ca can be null.
        • For destination_host, use your Sterling Order Management host name. This task uses samplesterlling.cn.ibm.com as an example.
      2. Put the JSON file in the following directory: SETUP/certs/custom.
      3. Run the following script: updateLocalCerts.sh.
    3. Build a new image with your changes.
  3. Copy the certificate file to the Sterling Order Management runtime directory, where the agent server runs. For example, /tmp/wcclient.cer.
  4. Import the wcclient.cer file into the local trust store by executing the following keytool -import command:
    
    keytool -import -alias wcclientcert -file /path/to/file/wcclient.cer -keystore <INSTALL_DIR>/jdk/jre/lib/security/cacerts
    
    Where <INSTALL_DIR> is the location where Sterling Order Management is installed.
    Note: The default password is changeit.
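The following script is an added example and is not part of the HCL Commerce or Sterling Order Management product documentation. It carries steps 2.1 and 2.2 through end to end: it generates the client key and certificate with the CN set to WCIntegrationUser, verifies that CN before going further (a wrong CN is the usual reason the Sterling side rejects the client certificate), and assembles the JSON file for SETUP/certs/custom for both the two-way case (issuing_ca holds the Sterling server certificate) and the one-way case (issuing_ca is null). The exact JSON layout, a flat object with the four keys named on this page, is an assumption; the second self-signed certificate that stands in for scserver.cer is constructed for the demo, as is the host name. The keytool import for the Sterling side is wrapped in a function but not run, because the demo has no Sterling installation to import into.

```shell
#!/bin/sh
# Added example: generate the HCL Commerce client certificate, check its CN,
# and build the certificate JSON for SETUP/certs/custom. Assumptions are
# marked; the JSON layout is inferred from the key names on the page.
set -eu

# Step 2.1: self-signed client certificate. -subj makes the page's command
# non-interactive so the CN is guaranteed to be WCIntegrationUser.
make_client_cert() {   # $1 = key out, $2 = cert out, $3 = CN
  openssl req -newkey rsa:2048 -nodes -keyout "$1" -x509 -days 365 \
    -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Print the CN of a PEM certificate (RFC2253 form: "subject=CN=...").
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/^subject=//' | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Turn a PEM file into a JSON string literal (PEM has no quotes or
# backslashes, so escaping newlines as \n is sufficient).
pem_to_json_string() {
  printf '"%s"' "$(awk '{printf "%s\\n", $0}' "$1")"
}

# Step 2.2.1: assemble the JSON. issuing_ca is the Sterling server
# certificate for two-way SSL; pass an empty 4th argument for one-way SSL
# and it becomes null, as the page describes.
build_cert_json() {   # $1 = key, $2 = cert, $3 = destination_host, $4 = CA cert or ""
  if [ -n "${4:-}" ]; then ca_json=$(pem_to_json_string "$4"); else ca_json=null; fi
  printf '{\n  "private_key": %s,\n  "certificate": %s,\n  "issuing_ca": %s,\n  "destination_host": "%s"\n}\n' \
    "$(pem_to_json_string "$1")" "$(pem_to_json_string "$2")" "$ca_json" "$3"
}

# Step 4 on the Sterling side (not run in the demo): import the client
# certificate into cacerts. -storepass/-noprompt make it scriptable; the
# page states that the default password is changeit.
import_into_sterling_truststore() {   # $1 = wcclient.cer, $2 = INSTALL_DIR
  keytool -import -alias wcclientcert -file "$1" \
    -keystore "$2/jdk/jre/lib/security/cacerts" -storepass changeit -noprompt
}

# Demo in a scratch directory. The "Sterling" certificate is a constructed
# stand-in for scserver.cer; the host name is the page's example value.
DEMO_DIR=$(mktemp -d)
make_client_cert "$DEMO_DIR/rsa_private.key" "$DEMO_DIR/wcclient.cer" WCIntegrationUser
make_client_cert "$DEMO_DIR/sterling.key" "$DEMO_DIR/scserver.cer" samplesterlling.cn.ibm.com

cn=$(cert_cn "$DEMO_DIR/wcclient.cer")
if [ "$cn" != "WCIntegrationUser" ]; then
  echo "client certificate CN is '$cn', expected WCIntegrationUser" >&2
  exit 1
fi

build_cert_json "$DEMO_DIR/rsa_private.key" "$DEMO_DIR/wcclient.cer" \
  samplesterlling.cn.ibm.com "$DEMO_DIR/scserver.cer" > "$DEMO_DIR/twoway.json"
build_cert_json "$DEMO_DIR/rsa_private.key" "$DEMO_DIR/wcclient.cer" \
  samplesterlling.cn.ibm.com "" > "$DEMO_DIR/oneway.json"
echo "wrote $DEMO_DIR/twoway.json and $DEMO_DIR/oneway.json"
```

Copy the generated twoway.json into SETUP/certs/custom before running updateLocalCerts.sh; the private key never leaves the build host in any other form, which is why the JSON file itself should be treated with the same care as rsa_private.key.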