Friday, February 19, 2010

Procedure to enable SSL between web server and WebSphere Application Server



I wanted to try enabling SSL between my web server and WebSphere Application Server, so I followed this process to do that.

•Create 2 self-signed certificates: one is C:\Cert\HTTPServer\conf\keys\WAS6PluginCertificates.kdb and the other is C:\Cert\WebSphere\AppServer\profiles\Dmgr01\config\cells\dmgrCell01\WAS6WebContainerCertificates.jks
 
Creating a self-signed certificate


IBM provides the ikeyman tool, which you can use to create a self-signed certificate and manage keys by following these steps:


1. Go to the WAS_HOME/bin directory and run the ikeyman tool. It will open a GUI-based tool.


2. Now click on Key Database File - New. It will open a dialog box; in it, change the Key Database type to CMS and enter the file and path name. In my case I am creating the WAS6PluginCertificates.kdb file in the C:\Cert\HTTPServer\conf\keys\ directory. Then click OK.

3. It will ask you for the password for the key database file. Enter a password, then check the "Stash the password to a file" checkbox.




4. It will create a .kdb file, import a bunch of keys for you by default, and show a message.


5. Once the .kdb file is created, the next step is to create a self-signed certificate, so click on Create - New Self Signed Certificate.



6. Enter the details for the self-signed certificate, such as key label, organization, ...

7. That's it, your self-signed certificate is created. You can check by going to the directory where we saved it. You will see that 4 different files were created for that certificate; of those, the .sth file is the stash password file.

#####################################################################################

•Exchange public keys of self signed certificates

This section provides details and step-by-step instructions for exchanging public certificates between two key stores or trust (certificate) stores. You must perform the certificate exchange when you want to set up trust between two parties based on certificates. Usually you use this process with self-signed certificates because real certificates issued by well-known Certificate Authorities are already included in the key and trust stores.


•Start ikeyman and open the file that you just created, C:\Cert\HTTPServer\conf\keys\WAS6PluginCertificates.kdb, whose public certificate you want to export

•Now select the personal certificate that you created (in my case it is WASPluginCertificate) and click on the Extract Certificate button



•The ikeyman tool will display a dialog where you can set the location where the public certificate should be exported. Export it to c:\temp\publiccertificate\WAS6PluginCertificates.arm

•Now open the C:\Cert\WebSphere\AppServer\profiles\Dmgr01\config\cells\dmgrCell01\WAS6WebContainerCertificates.jks file in the ikeyman tool
•Switch to the signer certificate view by selecting signer certificate in the key database content section



•Now click on Add, and it will show you the Add CA's certificate from file dialog. Select the c:\temp\publiccertificate\WAS6PluginCertificates.arm file that you exported and click OK

•It will ask you to enter a label for the public certificate; enter WAS6PluginCertificatesCertificate.

•Now you should be able to see the certificate that you just imported in the list
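Because trust in a self-signed certificate rests entirely on the file that gets imported, it is worth checking the extracted .arm file before adding it as a signer. The following is an added example, not part of the original procedure or of any IBM tool: it assumes the .arm file is the Base64 (PEM-style) text export, rejects an export that contains anything other than certificates (such as a private key), and computes a SHA-256 fingerprint that can be compared on both machines. The function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import re

# Matches one PEM-style block: BEGIN line, Base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def inspect_arm(text):
    """Return SHA-256 fingerprints of the certificates in an .arm export.

    Raises ValueError if the file holds anything other than certificates
    (for example a private key) or holds no certificate at all.
    """
    fingerprints = []
    for label, body in PEM_BLOCK.findall(text):
        if label != "CERTIFICATE":
            raise ValueError("unexpected block in export: " + label)
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    if not fingerprints:
        raise ValueError("no certificate found in export")
    return fingerprints


def same_certificate(exported_text, received_text):
    """True when both copies of the file carry the same certificate(s)."""
    return inspect_arm(exported_text) == inspect_arm(received_text)


def make_block(label, raw):
    """Build a constructed PEM block for the demo (not a real certificate)."""
    b64 = base64.encodebytes(raw).decode("ascii")
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, b64, label)


# Constructed sample data: placeholder bytes stand in for real DER content.
SAMPLE_ARM = make_block("CERTIFICATE", b"constructed-der-bytes-for-WASPluginCertificate")
SAMPLE_OTHER = make_block("CERTIFICATE", b"constructed-der-bytes-for-another-cert")
SAMPLE_WITH_KEY = SAMPLE_ARM + make_block("PRIVATE KEY", b"constructed-key-bytes")

if __name__ == "__main__":
    print(inspect_arm(SAMPLE_ARM)[0])
    print(same_certificate(SAMPLE_ARM, SAMPLE_OTHER))
```

To use it on a real export, read the .arm file as text and pass its contents to `inspect_arm`.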
