Configuring Transport Layer Security (TLS)

You can configure Transport Layer Security (TLS) by uploading a keystore and a truststore and choosing the certificate alias that the collective presents to clients.

About this task

The TLS settings apply to the user interface and data grids. The settings are applied to all of the appliances in the collective.

Procedure

  1. Open the Settings panel, where the security options are managed, by using one of the following paths:
    • From the menu bar in the WebSphere DataPower XC10 Appliance user interface, click Appliance > Settings.
    • From the Welcome page, click the Customize settings link in the Step 1: Set up the appliance section.
  2. Expand Transport Layer Security (TLS).
  3. Upload new keystore and truststore files. After you upload a keystore or truststore, enter the password that protects it so that the appliance can open it. If you keep the default truststore, its password is xc10pass. Because that default password is documented, do not rely on the default truststore for a production collective; upload your own truststore and set your own password.
  4. If you uploaded a keystore, select the certificate alias, that is, the entry in the keystore whose private key and certificate the collective presents to connecting clients.
  5. Specify the transport type. TLS supported accepts both plain (unencrypted) TCP/IP connections and TLS connections, so clients can still connect without encryption. TLS required rejects any connection that does not use TLS. Select TLS required unless you must accommodate clients that cannot use TLS.
  6. To require every client, including the browser that accesses the user interface, to present a certificate that chains to an entry in the truststore before it can communicate, select Enable client certificate authentication.
  7. Click Submit TLS settings to save the changes to your configuration.

Results

The configured truststore is active. The collective must restart to complete the TLS configuration changes.

Limited portions of the user interface are accessible while the collective is restarting. If you cannot access portions of the user interface, wait for the restart to finish and submit the request again. The Tasks panel shows completion for some TLS changes automatically by displaying a success status.

You might need to restart the browser, log out and log back in to the user interface, or trust new certificates from a browser prompt.

If the user interface seems to be unavailable after you enable client certificate authentication, verify that a client certificate trusted by the truststore is imported into the browser. Without such a certificate, you cannot access the user interface. After you successfully log on to the user interface, the task indicates the success of the TLS configuration.

To download the active truststore at any time, click Download active truststore. Download it before you add trusted entries for client authentication, so that you edit the truststore that is currently in use rather than a stale local copy. If you upload a new truststore, it becomes available for download after you submit the new settings. The downloaded file does not have the same name as the file that you originally uploaded, so do not rely on the file name to tell copies apart.
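The following script is an added example and is not part of the XC10 documentation or product. It prepares, with openssl only, the artifacts that steps 3, 4 and 6 of the procedure ask for and that the truststore download above is meant to keep in sync: a keystore holding the appliance key pair under a chosen alias, a truststore holding only the trusted CA certificate, and a client certificate that chains to that truststore. It then checks the alias and the client certificate the way the appliance will. Everything in it is an assumption or a placeholder: openssl is installed; the appliance accepts a PKCS12 keystore (convert with keytool -importkeystore if yours accepts only JKS); the host name xc10.example.test, the alias xc10-appliance, the password variable, and the CA, client and "rogue" certificates are all constructed here.

```shell
#!/bin/sh
# Added example (not from the XC10 documentation or product): build the
# keystore and truststore that steps 3, 4 and 6 expect, using only openssl,
# then check them the way the appliance will. Assumptions and placeholders:
# openssl is installed; the appliance accepts a PKCS12 keystore (convert with
# keytool -importkeystore if it accepts only JKS); host name xc10.example.test;
# alias xc10-appliance; the CA, client and rogue certificates are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Never reuse the documented default truststore password (xc10pass).
STORE_PASS="${STORE_PASS:-replace-me-before-upload}"

ossl() { openssl "$@" 2>/dev/null; }   # quiet wrapper; a failure still aborts via set -e

make_pki() {
  # 1. Private CA that anchors the appliance certificate and every client certificate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  ossl req -new -newkey rsa:2048 -nodes -subj "/CN=collective-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr"
  ossl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt"

  # 2. Appliance certificate; browsers check the SAN against the host name they connect to.
  printf 'subjectAltName=DNS:xc10.example.test\nextendedKeyUsage=serverAuth\n' > "$WORK/appliance.ext"
  ossl req -new -newkey rsa:2048 -nodes -subj "/CN=xc10.example.test" \
    -keyout "$WORK/appliance.key" -out "$WORK/appliance.csr"
  ossl x509 -req -days 365 -in "$WORK/appliance.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/appliance.ext" -out "$WORK/appliance.crt"

  # 3. Administrator's client certificate, the one imported into the browser for step 6.
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  ossl req -new -newkey rsa:2048 -nodes -subj "/CN=admin-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr"
  ossl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/client.ext" -out "$WORK/client.crt"

  # 4. Self-signed certificate that no trusted CA issued (constructed negative case).
  ossl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue-client" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt"

  # Keystore (step 3): the appliance private key and certificate chain, stored under
  # the alias that step 4 selects.
  ossl pkcs12 -export -name xc10-appliance -inkey "$WORK/appliance.key" -in "$WORK/appliance.crt" \
    -certfile "$WORK/ca.crt" -out "$WORK/keystore.p12" -passout "pass:$STORE_PASS"
  # Truststore (steps 3 and 6): trusted CA certificates only, no private keys.
  ossl pkcs12 -export -nokeys -name collective-ca -in "$WORK/ca.crt" \
    -out "$WORK/truststore.p12" -passout "pass:$STORE_PASS"
  cp "$WORK/ca.crt" "$WORK/truststore.pem"   # same trust anchors in PEM for openssl verify
}

# Print the alias the appliance will offer in step 4 (the PKCS12 friendlyName attribute).
keystore_alias() {
  ossl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$STORE_PASS" -nokeys \
    | sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# Succeed only if the certificate chains to an entry in the truststore, which is what
# the appliance requires of a client once client certificate authentication is enabled.
client_cert_trusted() {
  ossl verify -CAfile "$WORK/truststore.pem" "$1" > /dev/null
}

make_pki
printf 'keystore alias: %s\n' "$(keystore_alias)"
for cert in client rogue; do
  if client_cert_trusted "$WORK/$cert.crt"; then
    printf '%s.crt: chains to the truststore, would be accepted\n' "$cert"
  else
    printf '%s.crt: not trusted by the truststore, would be rejected\n' "$cert"
  fi
done
```

Upload keystore.p12 and truststore.p12 in step 3 with the password you set in STORE_PASS, pick xc10-appliance in step 4, and import client.crt together with client.key into the administrator's browser before you enable client certificate authentication in step 6. The rogue.crt check shows the failure mode described under Results: a browser that presents a certificate the truststore does not trust cannot reach the user interface.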

What to do next