Configuring SSL for WebSphere Application Server

This section includes the following steps to configure SSL with your IBM WebSphere Application Server.

Creating a local user account on WebSphere

To enable SSL, WebSphere needs access to a user account in the local OS user registry that has permission to administer the system:

  • (Windows) Create a new Windows user who is part of the Administrators group and has the privilege to act as part of the operating system. (See Create a Windows user for WebSphere.)

  • (Linux, UNIX) The user can be the root user or another user who has root privileges. When you enable SSL on WebSphere, use this user's name and password as the server user ID and password.

Create a Linux or UNIX user for WebSphere

  1. Log in as the root user.

  2. Create a user by entering the following command in a command prompt:

    • (Linux and Sun Solaris) useradd

    • (IBM AIX) mkuser

  3. Set the password of the new user by entering passwd in the command prompt.

  4. (Linux and Solaris) Create a shadow password file by entering pwconv (with no parameters) in the command prompt.

    Note: (Linux and Solaris) For the WebSphere Application Server Local OS security registry to work, a shadow password file must exist. The shadow password file is usually named /etc/shadow and is based on the /etc/passwd file. If the shadow password file does not exist, an error occurs after you enable global security and configure the user registry as Local OS.

  5. Open the group file from the /etc directory in a text editor.

  6. Add the user who you created in step 2 to the root group.

  7. Save and close the file.

  8. (UNIX with SSL enabled) Start and stop WebSphere as the root user.
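
The Linux variant of the procedure above as a script, added here as an example and not part of the original page. It assumes a Linux host with useradd, passwd, pwconv and usermod, run as root, and uses usermod in place of editing /etc/group by hand (steps 5 to 7); it also checks the shadow-file requirement from the note under step 4 before finishing.

```shell
#!/bin/sh
# Added example (not from the original page): the Linux variant of
# "Create a Linux or UNIX user for WebSphere" as a script. Assumes a Linux
# host with useradd, passwd, pwconv and usermod, run as root; usermod -a -G
# stands in for editing /etc/group by hand (steps 5 to 7).
set -eu

# The note under step 4: the Local OS registry only works when a shadow
# password file exists. Returns 0 when /etc/shadow is present.
shadow_file_present() {
    [ -e /etc/shadow ]
}

# Returns 0 when the named user is a member of the root group (step 6).
in_root_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx root
}

# Steps 2 to 6 in order. The resulting account carries root-group privileges,
# which is what the page requires for the WebSphere Local OS registry; the
# name is validated first so that a stray argument cannot reach useradd.
create_websphere_user() {
    user="$1"
    case "$user" in
        ''|*[!a-z0-9_-]*) echo "refusing invalid user name: '$user'" >&2; return 1 ;;
    esac
    useradd "$user"              # step 2 (Linux and Solaris)
    passwd "$user"               # step 3: prompts for the new password
    pwconv                       # step 4: create /etc/shadow from /etc/passwd
    shadow_file_present || { echo "/etc/shadow is still missing" >&2; return 1; }
    usermod -a -G root "$user"   # steps 5 to 7: add the user to the root group
    in_root_group "$user"
}
```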

Create a Windows user for WebSphere

  1. Log in to Windows by using an administrator user account.

  2. Select Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.

  3. Right-click Users and select New User.

  4. Type a user name and password in the appropriate boxes, and type any other information you require in the remaining boxes.

  5. Deselect User Must Change Password At Next Login, click Create, and then click Close.

  6. Click Users, right-click the user you just created and select Properties.

  7. Click the Member Of tab and then click Add.

  8. In the Enter The Object Names To Select box, type Administrators, click Check Names to ensure that the group name is correct.

  9. Click OK and then click OK again.

  10. Select Start > Control Panel > Administrative Tools > Local Security Policy > Local Policies.

  11. Click User Rights Assignment, and then right-click Act as Part of the Operating System and select Properties.

  12. Click Add User or Group.

  13. In the Enter The Object Names To Select box, type the name of the user you created in step 4, click Check Names to ensure that the name is correct, and then click OK.

  14. Click OK to close the Act As Part Of The Operating System Properties dialog box.

Creating an SSL Credential

To configure SSL on WebSphere, you need an SSL credential for authentication. You can use the IBM Key Management tool that is installed with WebSphere to perform the following tasks to create a credential:

  • Create a keystore file and use it to store a new self-signed certificate and associated private key.

  • Export the certificate, and then add it to the same keystore as a signer certificate. The same keystore is used as the key file and the trust file in the WebSphere SSL configuration.

Create an SSL credential

  1. Open a command prompt and run the IBM Key Management tool by entering the following command:

    • (Windows) [appserver root]\bin\ikeyman.bat

    • (Linux, UNIX) [appserver root]/bin/ikeyman.sh

  2. From the menu bar, select Key Database File > New and, from Key Database Type, select JKS.

  3. Click Browse and navigate to the [appserver root]/etc directory.

  4. In the File Name box, type ads-credentials.jks, click Save, and then click OK.

  5. In the Password Prompt window, type a password, and then retype the same password in the Confirm Password box. This password must match the SSL credential password for the SSL property that is set in Administration Console > Trust Store Management.

  6. Click OK.

  7. From the menu bar, select Create and then click New Self Signed Certificate. The Create New Self-Signed Certificate window appears.

  8. In the Key Label box, type ads-credentials, and then specify values for Organization, Organization Unit, Country or Region, and Validity Period.

  9. Edit the Common Name value to be the fully qualified domain name of the LiveCycle server, and then click OK.

  10. In the list, select the ads-credentials certificate, and then click Extract Certificate.

  11. Under Data type, select Base64-encoded ASCII data; under Certificate file name, type ads-cert.arm; under Location, type [appserver root]/etc; and then click OK.

  12. From the menu in the Key Database Content area, select Signer Certificates, and then click Add.

  13. In the Certificate file name box, click Browse, select the ads-cert.arm created in step 11, click Open, and then click OK.

  14. In the Enter a Label dialog box, type ads-credentials-cert and then click OK.

  15. Select Key Database File > Exit.
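
The same credential built from the command line, added here as an example and not part of the original page: it uses keytool from the WebSphere JDK in place of the ikeyman GUI, and assumes keytool (JDK 8 or later) is on PATH and that the keystore password is exported as KEYSTORE_PASS by the caller (the O, OU and C values are placeholders).

```shell
#!/bin/sh
# Added example (not from the original page): the command-line equivalent of
# "Create an SSL credential", using keytool from the WebSphere JDK instead of
# the ikeyman GUI. Assumes keytool (JDK 8 or later) is on PATH and that the
# caller exports the keystore password in KEYSTORE_PASS so that it never
# appears in the process list; the O/OU/C values are placeholders.
set -eu

# Steps 2 to 14: one JKS keystore, [appserver root]/etc/ads-credentials.jks,
# holding a self-signed certificate (alias ads-credentials, CN = the
# server's FQDN) and the same certificate again as a trusted signer (alias
# ads-credentials-cert), so it can serve as both key store and trust store.
make_ads_credentials() {
    appserver_root="$1"; fqdn="$2"
    [ -n "${KEYSTORE_PASS:-}" ] || { echo "KEYSTORE_PASS is not set" >&2; return 1; }
    etc="$appserver_root/etc"; ks="$etc/ads-credentials.jks"
    mkdir -p "$etc"
    # Steps 7 to 9: new self-signed certificate and private key.
    keytool -genkeypair -keystore "$ks" -storetype JKS \
        -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS \
        -alias ads-credentials -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$fqdn, OU=Example Unit, O=Example Org, C=US"
    # Steps 10 and 11: extract the certificate as Base64-encoded ASCII.
    keytool -exportcert -rfc -keystore "$ks" -storepass:env KEYSTORE_PASS \
        -alias ads-credentials -file "$etc/ads-cert.arm"
    # Steps 12 to 14: add it back as a signer certificate.
    keytool -importcert -noprompt -keystore "$ks" -storepass:env KEYSTORE_PASS \
        -alias ads-credentials-cert -file "$etc/ads-cert.arm"
}

# Check the result before pointing the AdsSSL key store at it: one private
# key entry and one trusted certificate entry under the expected aliases.
# Returns non-zero if either is missing.
verify_ads_credentials() {
    ks="$1/etc/ads-credentials.jks"
    listing=$(keytool -list -keystore "$ks" -storepass:env KEYSTORE_PASS)
    printf '%s\n' "$listing" | grep -q '^ads-credentials,.*PrivateKeyEntry' &&
    printf '%s\n' "$listing" | grep -q '^ads-credentials-cert,.*trustedCertEntry'
}
```

The keystore password given here must also be entered later under Key Stores and Certificates and for the LTPA password, as the page describes.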

Configure WebSphere to use local OS registry instead of LDAP

If you are not using LDAP, configure WebSphere to use the local OS registry.

  1. Ensure that WebSphere is running.

  2. In WebSphere Administrative Console, navigate to the Local OS user registry settings.

  3. In the navigation tree, click Security > Global Security and, under User Registries, select Local OS.

  4. Perform the following tasks:

    • In the Server User ID box, type the name of the user account that you created by following the instructions in Creating a local user account on WebSphere.

    • In the Server User Password box, type the user password for the user entered for Server User ID.

  5. Click OK and then save your changes.

Enable SSL on WebSphere

  1. In WebSphere Administrative Console, navigate to LTPA and then click Security > Secure Administration, Applications and Infrastructure and, under Authentication, click Authentication Mechanisms and Expiration.

  2. Perform the following tasks:

    • In the Password box, type the password that you specified when you created the ads-credentials.jks file, as described in Creating an SSL Credential.

    • In the Confirm Password box, type the password again.

    • In the Timeout Value For Forwarded Credentials Between Servers box, type 10. This value is the time (in minutes) after which the LTPA token expires; it must be greater than the application cache time-out (the Cache Timeout property) of WebSphere Security.

  3. Click OK.

  4. In the navigation tree, click Security > Secure Administration, Applications and Infrastructure.

  5. Perform the following tasks:

    • Select Enable Administrative Security.

    • Deselect Use Java 2 Security To Restrict Application Access To Local Resources and Use Domain-Qualified User Names.

    • In the Active User Registries list, select the user registry you are using.

  6. Click OK. If you are prompted to enter Local OS login information, type the same information that you specified in step 2 of this procedure.

  7. In the navigation tree, select Security > SSL Certificate And Key Management.

  8. Under Key Stores and Certificates, click New and configure as follows:

    • In the Name box, enter AdsSSL.

    • In the Path box, type [appserver root]/etc/ads-credentials.jks.

    • In the Password box, type the password you used when you created the ads-credentials.jks file.

    • In the Confirm Password box, type the password you used when you created the ads-credentials.jks file.

    • From the Type list, select JKS.

  9. Click OK and save the configuration.

  10. Under SSL Configuration, click New and configure as follows:

    • In the Name box, type AdsSSL.

    • From the Trust Store Name list, select AdsSSL.

    • From the Keystore Name list, select AdsSSL and then click Get Certificate Aliases.

    • From the Default Server Certificate Alias list, select ads-credentials.

    • From the Default Client Certificate Alias list, select ads-credentials.

  11. Click OK and save the configuration.

  12. Navigate to CSIv2 Inbound Authentication and then click Security > Secure Administration, Applications and Infrastructure and, under Authentication, click RMI/IIOP Security > CSIv2 Inbound Authentication.

  13. Set Basic Authentication to Supported, set Client Certificate Authentication to Supported, and then click OK.

  14. Navigate to CSIv2 Outbound Authentication and then click Security > Secure Administration, Applications and Infrastructure and, under Authentication, click RMI/IIOP Security > CSIv2 Outbound Authentication.

  15. Set Basic Authentication to Supported, set Client Certificate Authentication to Supported, and then click OK.

  16. Navigate to CSIv2 Inbound Transport and then click Security > Secure Administration, Applications and Infrastructure and, under Authentication, click RMI/IIOP Security > CSIv2 Inbound Transport.

  17. Set Transport to SSL-Supported and SSL Settings to localhost/AdsSSL, and then click OK.

  18. Navigate to CSIv2 Outbound Transport and then click Security > Secure Administration, Applications and Infrastructure and, under Authentication, click RMI/IIOP Security > CSIv2 Outbound Transport.

  19. Set Transport to SSL-Supported, set SSL Settings to localhost/AdsSSL, and then click OK.

  20. In the navigation tree, click Servers > Application Servers and click the [server name].

  21. Under Container Settings, click Web Container Settings > Web Container.

  22. Under Additional Properties, click Web Container Transport Chains and then click WCInboundDefaultSecure.

  23. Click SSL Inbound Channel (SSL_2) and, under SSL Configuration, select Specific To This Endpoint and then select AdsSSL from the list.

    If you are connecting over SSL using Internet Explorer 6.x, disable the addition of the cache-control header by configuring the WCInboundDefaultSecure transport chain as follows:

    • Click HTTP Inbound Channel and select Custom Properties.

    • Click New and configure as follows:

      Name - CookiesConfigureNoCache

      Value - false

      Description - To disable the addition of Cache-Control header to response in SSL

  24. Click OK and save your changes to the Master Configuration.

  25. Stop and restart WebSphere. WebSphere Administrative Console now displays a login dialog box where you must type the user name and password that you specified in step 2.

  26. (Workspace, Process Management) In the navigation tree, click Resources > JMS > JMS Providers, and then click Default Messaging.

  27. Under Connection Factories, select JMS Queue Connection Factory and then select QueueConnectionFactory.

  28. (Workspace, Process Management) In the Component-Managed Authentication Alias list, select [computer name]/myAlias and click OK.

  29. (Workspace, Process Management) Under Related Items, select J2C Authentication Data Entries, ensure that the database user has root privileges, and then click OK.

  30. (Workspace, Process Management) Save your changes to the Master Configuration.

  31. (Workspace, Process Management) Stop and restart WebSphere.

Configuring WebSphere to convert URLs that begin with https

To convert a URL that begins with https, add a Signer certificate for that URL to the WebSphere server.

Create a Signer certificate for an https-enabled site

  1. Ensure that WebSphere is running.

  2. In WebSphere Administrative Console, navigate to Signer certificates and then click Security > SSL Certificate and Key Management > Key Stores and Certificates > NodeDefaultTrustStore > Signer Certificates.

  3. Click Retrieve From Port and perform these tasks:

    • In the Host box, type the host name of the site. For example, type www.paypal.com.

    • In the Port box, type 443. This port is the default SSL port.

    • In the Alias box, type an alias.

  4. Click Retrieve Signer Information and then verify that the information is retrieved.

  5. Click Apply and then click Save.

HTML-to-PDF conversion from the site whose certificate is added will now work from the Generate PDF service.

Note: For an application to connect to SSL sites from inside WebSphere, a Signer certificate is required. It is used by the Java Secure Socket Extension (JSSE) to validate the certificates that the remote side of the connection sends during the SSL handshake.
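
A command-line route for the procedure above, added here as an example and not part of the original page. It assumes keytool (JDK 8 or later) on PATH, network access to the site for the fetch, and that the path and password of NodeDefaultTrustStore are taken from the admin console and exported as TRUSTSTORE and TRUSTSTORE_PASS (both placeholders); the fingerprint step is the check that "Retrieve From Port" does not give you, since it trusts whatever answered on the port.

```shell
#!/bin/sh
# Added example (not from the original page): a command-line route for
# retrieving a site's certificate and adding it as a signer. Assumes keytool
# (JDK 8 or later) on PATH, network access for the fetch, and that the path
# and password of NodeDefaultTrustStore are taken from the admin console and
# exported as TRUSTSTORE and TRUSTSTORE_PASS (placeholders here).
set -eu

# The equivalent of "Retrieve From Port": save the certificate that host:port
# presents during the handshake, in PEM form. Nothing is trusted yet.
fetch_site_cert() {
    host="$1"; port="${2:-443}"; out="$3"
    keytool -printcert -sslserver "$host:$port" -rfc |
        awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print; if (/END CERTIFICATE/) exit }' > "$out"
    [ -s "$out" ]
}

# SHA-256 fingerprint of a PEM certificate. "Retrieve From Port" trusts
# whatever answered on the port, so compare this value with the fingerprint
# the site operator publishes before importing it.
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# The equivalent of Apply and Save: import the PEM as a signer under the
# alias chosen in step 3 (use a lowercase alias, since PKCS12 stores fold
# case), then confirm the trust store lists it as a trusted certificate.
import_signer_cert() {
    alias="$1"; certfile="$2"
    keytool -importcert -noprompt -keystore "$TRUSTSTORE" \
        -storepass:env TRUSTSTORE_PASS -alias "$alias" -file "$certfile"
    keytool -list -keystore "$TRUSTSTORE" -storepass:env TRUSTSTORE_PASS |
        grep -q "^$alias,.*trustedCertEntry"
}

# Operator sequence: fetch, compare the fingerprint out of band, then import.
#   fetch_site_cert www.paypal.com 443 /tmp/site.pem
#   cert_fingerprint /tmp/site.pem
#   import_signer_cert paypal-signer /tmp/site.pem
```

Restart WebSphere after the import so the running JSSE trust manager picks up the new signer.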
