To secure the Content Platform Engine server end of the communication with another server, you need to deploy the third-party certificate that you generated on the other server into the keystore on the Content Platform Engine server.
Before you begin
Ensure that WebSphere® Deployment Manager and the WebSphere node agent are running and that all instances of Content Platform Engine are stopped.
Procedure
To deploy a third-party certificate on Content Platform Engine:
- Download a CA certificate from the certificate authority (CA) website and save it as cssThirdPartyCA.cer in any folder on the Content Platform Engine server, such as C:\IBM\cssKeystore.
- On the Content Platform Engine server, log on to the WebSphere Integrated Solutions Console.
- Navigate to .
- Navigate to the signer certificates page, depending on the type of your WebSphere installation:
  Option | Description
  WebSphere base edition or stand-alone environment |
  WebSphere ND |
- Click Add.
- Type a certificate alias (for example, YourAlias) in the Alias field. The alias is how the certificate is referenced in the keystore. The alias you enter must differ from any existing alias in the keystore.
- In the File Name field, type the file name and path to where the certificate is located (for example, C:\IBM\cssKeystore\cssThirdPartyCA.cer).
- In the Data Type field, select Base64-encoded ASCII data.
- Click Apply and then click Save to save your changes to the master configuration of WebSphere.
- Navigate to .
- For each server instance (for example, server1, server2,...) complete the following substeps to set Java™ system parameters on the Content Platform Engine application server and to change the keystore type to pkcs12:
  - Navigate to and add these two parameters in the Generic JVM arguments field:
    - -Djavax.net.ssl.trustStore=path_to_WebSphere_default_trustStore
      For example:
      -Djavax.net.ssl.trustStore=C:\Progra~1\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\MyServerCell01\trust.p12
      MyServerCell01 should reflect the value in your environment.
    - -Djavax.net.ssl.trustStorePassword=WebSphere_trustStore_password
      For example:
      -Djavax.net.ssl.trustStorePassword=WebAS
      Note that WebAS is the default password for the default truststore in WebSphere.
  - In the WAS_HOME/java/jre/lib/security/java.security file, set the keystore type to pkcs12:
    keystore.type=pkcs12
    If your application server is clustered, repeat this java.security file edit on each Content Platform Engine node in the cluster.
- If your application server is clustered, synchronize your changes to all the nodes in the cluster:
  - Navigate to .
  - Select all the nodes in the cluster, and then click Full Resynchronize.
- In a command window, stop WebSphere Deployment Manager. When the stop command completes, restart WebSphere Deployment Manager:
  stopManager.bat -username username -password password
  startManager.bat
- Restart the node agents:
  - Log on to the WebSphere Integrated Solutions Console.
  - Navigate to .
  - Select all the node agents, and then click Restart.
- Restart the Content Platform Engine instances on the application server.
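A pre-flight check for the values this procedure sets, as an added example (not IBM code): it fingerprints the Base64-encoded CA file so the value can be compared with the one the CA publishes, inspects the two Generic JVM arguments, and reads the effective keystore.type from java.security content. The function names and the sample strings are assumptions constructed for illustration, and the argument parser assumes paths without spaces, as in the Progra~1 example above.

```python
import base64
import hashlib
import re

DEFAULT_PASSWORD = "WebAS"  # default truststore password named in the procedure

def pem_sha256(pem_text):
    """SHA-256 fingerprint of the first certificate in Base64-encoded ASCII (PEM) text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("file is not Base64-encoded ASCII data (binary DER?)")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def check_jvm_args(generic_jvm_args):
    """Return findings for the two -D parameters set in Generic JVM arguments."""
    props = dict(re.findall(r"-D([\w.]+)=(\S+)", generic_jvm_args))
    findings = []
    store = props.get("javax.net.ssl.trustStore")
    if store is None:
        findings.append("javax.net.ssl.trustStore is not set")
    elif not store.lower().endswith(".p12"):
        findings.append("trustStore is not a .p12 file: " + store)
    password = props.get("javax.net.ssl.trustStorePassword")
    if password is None:
        findings.append("javax.net.ssl.trustStorePassword is not set")
    elif password == DEFAULT_PASSWORD:
        findings.append("trustStorePassword is still the default")
    return findings

def keystore_type(java_security_text):
    """Effective keystore.type from java.security content (last uncommented entry wins)."""
    value = None
    for line in java_security_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "keystore.type":
            value = val.strip()
    return value

if __name__ == "__main__":
    # Constructed sample values, not taken from a real server.
    args = (r"-Xmx1g -Djavax.net.ssl.trustStore=C:\stores\trust.p12 "
            r"-Djavax.net.ssl.trustStorePassword=WebAS")
    print(check_jvm_args(args))
    print(keystore_type("# keystore.type=jks\nkeystore.type=pkcs12\n"))
```

In a clustered environment, run the java.security check against the file on each Content Platform Engine node, since the procedure repeats that edit per node.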