Configuring SSL in WebSphere Application Server

"What is Secure Socket Layer?" and related concepts
Overview: WebSphere Application Server's use of SSL
Configuring SSL between the Web browser and the Web server:
Configuring SSL for between the Web server plug-in and an application server
Configuring default SSL settings

Overview: WebSphere Application Server's use of SSL

SSL (Secure Socket Layer) is used by several WebSphere Application Server components in order to provide secure communication. This is separate from the SSL configured between the Web server and the web browser. In particular, SSL is used between:

The WebSphere Application Server plug-in in the Web server, acting as an SSL client, and an application server Web container, acting as an SSL server, using HTTPS.
EJB clients, acting as an SSL client, and an application server, acting as an SSL server, using RMI/IIOP over SSL.
Web components (servlets, JSPs, etc.), acting as an SSL client, and an external SSL secured Web site, acting as an SSL server, using HTTPS.
EJBs in an application server, acting as an SSL client, and an external SSL secured EJB server, acting as an SSL server, using RMI/IIOP over SSL.
Internal administrative and application server processes using RMI/IIOP over SSL. This is available only in WebSphere Application Server Advanced Edition.
Administrative clients (Java based administrative console, XMLConfig, WSCP, etc.), acting as an SSL client, and the administrative server, acting as an SSL server, using RMI/IIOP over SSL. This is available only in WebSphere Application Server Advanced Edition.
Administrative and application servers, acting as an SSL client, and an SSL secured LDAP server, acting as an SSL server, over LDAPS. This is available only in WebSphere Application Server Advanced Edition.

The administrative model in WebSphere Application Server allows these various SSL components to be centrally managed by configuring the default SSL Settings. Furthermore, the default settings to connect to the LDAP server and plug-in can be overridden by configuring the specific SSL settings for those connections. This provides both central administration as well as individual configurability which may be required for the various uses of SSL.

Configuring SSL between the Web browser and the Web server:

Configuring SSL for the browser

Configuring SSL for the browser is browser-specific. Consult your browser documentation for instructions. Generally speaking, when the you type "https://..." instead of "http://...", the browser creates an SSL connection instead of a simple TCP connection to the Web server. The browser then typically either prompts the user or fails to connect if it was unable to validate the Web server or to agree upon the level of security options (the strength of the encryption algorithm to use). If prompted, it usually asks if you wish to trust the SSL secured web server you trying to connect to because their is no signer certificate in the browser's memory corresponding to the certificate used to secure the web server. This is normal if the web server was secured using a self signed certificate or a Certificate Authority who doesn't have an agreement with the web browser company to place their signer certificates into the browser at installation.

Configuring SSL for the Web server

Configuring SSL for the Web server depends on the type of Web server. Consult your Web server documentation for instructions. Generally speaking, when SSL is enabled, an SSL key file is required. This key file should contain both the CA certificates (signer certificates) as well as any personal certificates. Client authentication can also be enabled; by default, it is disabled (see section 5.5.5 Mapping certificates to users for client authentication and authorization).

In order for the client certificate (the certificate from the browser) to be forwarded by the WebSphere Web server plug-in to the WebSphere Application Server, client authentication must be enabled for the Web server. Enabling client authentication in WebSphere Application Server itself is not required unless you want to authenticate the WebSphere Web server plug-in (or any other clients connecting directly to the WebSphere Application Server over SSL).

In addition, the virtual host for each application server using the SSL port (usually 443) needs to have a port alias added for the SSL port (see section 6.6.16 Administering virtual hosts).

Configuring SSL for IBM HTTP Server, specifically

This section provides a brief example of configuring SSL for IBM HTTP Server. See the IBM HTTP Server documentation for the most recent and complete instructions. Note also that the httpd.conf.sample file of your Web server provides examples of all directives, including the SSL-related directives.

Create a keyfile using the IHS key management utility.

a. Create a directory at a location such as "product_installation_root/myKeys"
This directory will be used to hold all of your SSL key files and certificates.
b. Start the Key Management Utility from the IBM HTTP Server start menu.
To start this utility on a Windows platform, click: Start -> Programs -> IBM HTTP Server -> Start Key Management Utility
c. Click the Key Database File menu and select New.
d. Specify settings and click OK:

Key Database Type: CMS Key Database File
File Name: WebServerKeys.kdb
Location: The path to your "myKeys" directory

e. Enter a password for your SSL key file (twice for confirmation).
f. Check the "Stash the password to a file?" option. Click OK.

;; This causes a file named "WebServerKeys.sth" to be created containing an encoded form of the password. Note that this encoding prevents a casual viewing of the password but is not highly secure. Therefore, operating system permissions should be used to prevent all access to this file by unauthorized persons.
g. When you see the list of default Signer Certificates, click the Signer Certificates menu and select Personal Certificates.

Import

New Self-Signed

Key Label

Organization

Key Database File

Close

Add the following lines to the bottom of your httpd.conf file:

LoadModule ibm_ssl_module modules/IBMModuleSSL128.dll(for Windows)

		
LoadModule ibm_ssl_module libexec/mod_ibm_ssl_128.so (for Unix)

```
		
AddModule mod_ibm_ssl.c (for Unix)
```
```
		
Listen 443
```
```
		
<VirtualHost:443>
```
```
		
SSLEnable
```
```
		
</VirtualHost>
```

 
Keyfile "product_installation_root/myKeys/WebServerKeys.kdb"

(use \ instead of / for Windows)

This causes the Web server to listen on port 443 (the default SSL port).

Uncomment the last line containing "SSLClientAuth required" if you want to enable client authentication. This will cause IHS to send a request for a certificate to the browser. Your browser may prompt you to choose a certificate to send to the Web server in order to perform client authentication.

Start your IBM HTTP Server.
Test your configuration from a browser by entering a URL such as:
```
https://localhost
```
If you are using a self-signed certificate, instead of a certificate issued by a CA such as Verisign, then your browser should prompt you to see if you want to trust the unknown signer of the server's certificate. Additionally, if you enabled client authentication, then your browser may prompt you to select a certificate to send to the Web server in order to perform client authentication. The page should then be displayed.
Test your configuration from a browser on a sample application:

a.Add port 443 to the WebSphere Application Server Virtual Host aliases settings: Start the WebSphere Application Server and open the Java administrative console. In the tree view, click on WebSphere Administrative Domain -> Virtual Hosts. The Virtual Hosts properties will be displayed in the property view. In the property view, click on the default_app virtual host. On the General tab, click the Add button next to the table of host aliases. A blank host alias entry will be added to the end of the table of host aliases. Click on the blank entry to place the cursor there and enter *:443.

Apply

WebSphere Administrative Domain -> Nodes -> (Your node name)

Regen Webserver Plugin

Default Server

https://localhost/servlet/snoop

Configuring SSL between the Web server plug-in and an application server

If you wish to configure SSL between the Web server plug-in and an application server, you must SSL secure the Web server first between it and the Web browser. If WebSphere Application Server security is enabled, https requests for application server web resources sent to the web server will go through the SSL connection between the web server plug-in and the application server, but regular http requests will still go between the web server plug-in and application server unencrypted. This section provides an example using a self signed certificate which is ok if you have full control over both the Web server machine and the WebSphere Application Server machine. They should be trusted in this case.

Step 1: Creating an SSL key file for the application server

You must use the JSSE key management utility which is installed with the WebSphere Application Server product or any other key management utility which writes to the JKS (.jks) format. The following is an example of how to create an SSL key file for your application server which will only allow the plug-in to connect to the application server on its SSL port only if client authentication is enabled on the application server.

Start the JSSE key management utility. On Windows, start the Key Management Utility from the WebSphere Application Server entry on the Windows Start menu.
Create a new key database file.
a.Click Key Database File and select New.
b.Specify settings:
- Key database type: JKS
- File Name: appServerKeys.jks
- Location: your myKeys directory, such as "product_installation_root\myKeys\
c.Click OK.
d.Enter a password (twice for confirmation) and click OK.
Delete all of the signer certificates.
Click Signer Certificates and select Personal Certificates.
Add a new self-signed certificate.
a.Click New Self-Signed to add a self-signed certificate.
b.Specify settings:
- Key Label: appServerTest
- Organization: IBM
c.Click OK.
Extract the certificate from this self-signed certificate so that it can be imported into the signer certificate section of the application server's SSL key file and the plug-in's SSL key file.
a.Click Extract Certificate.
b.Specify settings:
- Data Type: Base64-encoded ASCII data
- Certificate file name: appServerKeys.arm
- Location: the path to your myKeys directory
c.Click OK.
Import the self-signed certificate as a signer certificate. NOTE: If using a Certificate Authority (CA) instead of a self-signed certificate, a special certificate called the CA certificate must be received from the CA separately and imported as the signer certificate istead of doing as follows for a self-signed certificate:
a.Click Personal Certificates and select Signer Certificates.
b.Click Add.
c.Specify settings:
- Data Type: Base64-encoded ASCII data
- Certificate file name: appServerKeys.arm
- Location: the path to your myKeys directory
d.Click OK.
Enter "appServer signer" for the label and click OK.
Click Key Database File.
Select Exit. Note: Make sure to exit or close the key database file each time it is modified to ensure the changes are picked up by the plugin.

Step 2: Creating an SSL key file for the WebSphere Web server plug-in

You must use the key management utility of GSKit which is installed when any WebSphere Application Server web server plug-in is installed (<drive>:\Program Files\ibm\gsk5\gsk5ikm.exe in Windows and /opt/ibm/gsk5/gsk5ikm or /usr/ibm/gsk5/gsk5ibm in Unix). Lack of the GSKit indicates that a plug-in wasn't installed or there was a problem installing the plug-in. Note that if you are using the IBM HTTP Server as your Web server, you may use the same SSL key file which the Web server is using; however, it is recommended that separate SSL key files be used because the trust policy for the connection to the web server is different than the trust policy for the connection to the application server. For example, we may want to allow many browsers to connect to the Web server's HTTPS port, whereas we only want to allow a small, well-known number of WebSphere plug-ins to connect directly to a WebSphere application server's HTTPS port. The following is an example of how to create an SSL key file for your WebSphere plug-in containing a self-signed certificate.

Create the directory product_installation_root\myKeys if you have not already done so.

This directory will contain all of the SSL key files and extracted certificates that you will create.

Start the key management utility of GSKit.

GSKit is the SSL implementation used by the WebSphere plug-in, which is the same implementation used by the IBM HTTP Server.

The default path on Windows to this utility is <drive>:\Program Files\ibm\gsk5\gsk5ikm.exe and on Unix is /opt/ibm/gsk5/gsk5ikm or /usr/ibm/gsk5/gsk5ibm

Click the Key Database File pulldown and select New.
Specify settings and click OK:
- Key database type: CMS Key Database File
- File name: plug-inKeys.kdb
- Location: your myKeys directory
Enter a password for your SSL key file (twice for confirmation).
Check the Stash the password to a file option. Click OK.

This causes a file such as "product_installation_root\myKeys\plug-inKeys.sth to be created containing an encoded form of the password. This encoding prevents a casual viewing of the password but is not highly secure. Therefore, operating system permissions should be used to prevent all access to this file by unauthorized persons.

When you see the list of default Signer Certificates, select the first certificate and click Delete.
Repeat the previous step until all of the signer certificates have been deleted.
Click Signer Certificates and select Personal Certificates.
Add a new self-signed certificate. NOTE: If using a Certificate Authority (CA) instead of a self-signed certificate, a special certificate called the CA certificate must be received from the CA separately and imported as the signer certificate istead of doing as follows for a self-signed certificate:
a.Click New Self-Signed to add a self-signed certificate.
b.Specify settings.
- Key Label: plug-in
- Organization: IBM
c.Click OK.
Extract the certificate so that you can import it into the application server key file later.
a. Click Extract Certificate.
b. Specify settings:
- Base64-encoded ASCII data: Data Type
- Certificate file name: plug-inKeys.arm
- Location: path to your myKeys directory
c. Click OK.
Import the application server's certificate. NOTE: If using a Certificate Authority (CA) instead of a self-signed certificate, a special certificate called the CA certificate must be received from the CA separately and imported as the signer certificate istead of doing as follows for a self-signed certificate:
a.Go to the Signer Certificates.
b.Click Add.
c.Specify settings:
- Data Type: Base64-encoded ASCII data
- Certificate file name: appServerKeys.arm
- Location: the path to your myKeys directory
d.Click OK.
Enter "appServer signer" for the label and click OK.
Click the Key Database File menu and select Close. Note: Make sure to exit or close the key database file each time it is modified to ensure the changes are picked up by the plugin.

Step 3: Import the plug-in's certificate into the application server's SSL key file

Start the JSSE key management utility.
Click the Key Database File pulldown and select Open.
Find appServerKeys.jks in your myKeys directory and double-click on it.
Enter a password for your SSL key file.
Import the plug-in's certificate.
a.Go to the Signer Certificates.
b.Click Add.
c.Specify settings. NOTE: If using a Certificate Authority (CA) instead of a self-signed certificate, a special certificate called the CA certificate must be received from the CA separately and imported as the signer certificate istead of doing as follows for a self-signed certificate:
- Data Type: Base64-encoded ASCII data
- Certificate file name: plug-inKeys.arm
- Location: the path to your myKeys directory
d.Click OK.
Enter "plug-in signer" for the label and click OK.
Click Key Database File.
Select Exit. Note: Make sure to exit or close the key database file each time it is modified to ensure the changes are picked up by the plugin.

Step 4: Referencing the appServerKeys.jks key file in the web container's transport settings

default SSL settings

Start the administrative console.
In the tree view, click on WebSphere Administrative Domain -> Nodes -> (Your node name) -> Application Servers -> (Your application server name)
In the properties frame, click on the Services tab.
In the Service table, click on Web Container Service and click on the Edit Properties button
In the Web Container Service window, click on the Transport tab.
Click on the Add button.
Specify settings in the General tab.
- Transport host: *
- Transport port: 9443 (or another port if this is being used)
Click on the Enable SSL box to enable it and activate the SSL configuration fields.
Specify settings in the SSL configuration.
- Key File Name: product_installation_root\myKeys\appServerKeys.jks
- Key File Password: enter your password
- Key File Format: JKS
- Trust File Name: product_installation_root/myKeys/appServerKeys.jks
- Trust File Password: enter your password
- Trust File Format: JKS
Click on the Enable client authentication box, if you wish to enable it. Enabling this ensures that only the plugin containing the matching certificate will be able to authenticate to the appserver.
Save your changes.
In the tree view, right-mouse click on WebSphere Administrative Domain -> Nodes -> (Your node name) to display a pop-up menu
Select Regen Webserver Plugin from the resulting pop-up menu to have the transport settings incorporated into the plug-in configuration file (plugin-cfg.xml).

Step 5: Modifying the WebSphere Web server's plug-in configuration file

"product_installation_root

keyring

stash file

 <ServerGroup Name="node name/app server name">

     <Server CloneID="unique identifier" Name="app server name">

         <Transport Hostname="node name" Port="9080" Protocol="http"/>

         <Transport Hostname="node name" Port="9443" Protocol="https">

             <Property name="keyring" value="product_installation_root\myKeys\plug-inKeys.kdb"/>

             <Property name="stashfile" value="product_installation_root\myKeys\plug-inKeys.sth"/>

         </Transport>

     </Server>

 </ServerGroup>

Step 6: If your web server is on a separate machine from your WebSphere Application Server, you must copy over the plugin-cfg.xml file to the web server machine and replace the existing plugin-cfg.xml on the web server machine.

Step 7: If your web server is running as a user who doesn't have read permission for the keyring (.kdb) and stash (.sth) files, you must either change the user that the web server runs as or the permissions of the keyring and stash files so that the web server can read those files.

Step 8: Stop the servers and start them again

The configuration is complete. In order to activate the configuration, stop and restart both the Web server and the application server.

Configuring default SSL settings

default SSL settings

The following example creates a self signed certificate to replace the sample certificate using one file containing both the personal and signer certificates.

Step 1: Creating an SSL key file for the default SSL settings

Start the JSSE key management utility.
On Windows, start the key management utility from the WebSphere Application Server entry on the Windows Start menu.
Create a new key database file.
a.Click Key Database File and select New.
b.Specify settings:
- Key database type: JKS
- File Name: SSLKeys.jks
- Location: your myKeys directory, such as "product_installation_root\myKeys
c.Click OK.
d.Enter a password (twice for confirmation) and click OK.
Delete all of the signer certificates.
Click Signer Certificates and select Personal Certificates.
Add a new self-signed certificate.
a.Click New Self-Signed to add a self-signed certificate.
b.Specify settings.
- Key Label: SSL Server
- Organization: IBM
c.Click OK.
Extract the certificate from this self-signed certificate so that it can be imported into the signer certificate section of the application server's SSL key file and other trust files as needed.
a.Click Extract Certificate.
b.Specify settings:
- Data Type: Base64-encoded ASCII data
- Certificate file name: SSLKeys.arm
- Location: the path to your myKeys directory
c.Click OK.
Import the self-signed certificate as a signer certificate. NOTE: If using a Certificate Authority (CA) instead of a self-signed certificate, a special certificate called the CA certificate must be received from the CA separately and imported as the signer certificate istead of doing as follows for a self-signed certificate:
a.Click Personal Certificates and select Signer Certificates.
b.Click Add.
c.Specify settings:
- Data Type: Base64-encoded ASCII data
- Certificate file name: SSLKeys.arm
- Location: the path to your myKeys directory
d.Click OK.
Enter "SSL Signer" for the label and click OK.
Click Key Database File.
Select Exit. Note: Make sure to exit or close the key database file each time it is modified to ensure the changes are picked up by the WebSphere Application Server.

Step 2: Reference the key file in WebSphere Application Server systems administration

default SSL settings

Start the administrative console.
Open the Security Center.
Select Default SSL Configuration ...
Specify settings in the default SSL configuration.
- Key File Name: "product_installation_root\myKeys\SSLKeys.jks
- Key File Password: enter your password
- Key File Format: JKS
- Trust File Name: "product_installation_root\myKeys\SSLKeys.jks
- Trust File Password: enter your password
- Trust File Format: JKS
- Client Authentication: selected
Save your changes.

Step 3: Creating an SSL key file for the WebSphere Application Server administrative clients and external EJB clients

Start the JSSE key management utility.
On Windows, start the key management utility from the WebSphere Application Server entry on the Windows Start menu.
Create a new key database file.
a.Click Key Database File and select New.
b.Specify settings:
- Key database type: JKS
- File Name: ClientKeys.jks
- Location: your myKeys directory, such as "product_installation_root\myKeys
c.Click OK.
d.Enter a password (twice for confirmation) and click OK.
Delete all of the signer certificates.
Import the self-signed certificate as a signer certificate.
a.Go to the Signer Certificates section.
b.Click Add.
c.Specify settings. NOTE: If using a Certificate Authority (CA) instead of a self-signed certificate, a special certificate called the CA certificate must be received from the CA separately and imported as the signer certificate istead of doing as follows for a self-signed certificate:
- Data Type: Base64-encoded ASCII data
- Certificate file name: SSLKeys.arm
- Location: the path to your myKeys directory
d.Click OK.
Enter "Default SSL Signer" for the label and click OK.
Click Key Database File.
Select Exit. Note: Make sure to exit or close the key database file each time it is modified to ensure the changes are picked up by the WebSphere Application Server.

Step 4: Reference the key file in WebSphere Application Server administrative clients and external EJB clients

1.Edit the "product_installation_root\properties\sas.client.props and any other copy or derivation of the sas.client.props file using a text editor and modify the following parameters as indicated:

com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStore=product_installation_root\myKeys\ClientKeys.jks
com.ibm.ssl.keyStorePassword=enter your password
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStore=product_installation_root\myKeys\ClientKeys.jks
com.ibm.ssl.trustStorePassword=enter your password

Save the modified file

Step 5: If needed, add the SSLKeys.arm signer certificate to the plugin key file

default SSL settings

Start the key management utility of GSKit.
Open the plug-in key file.
Import SSLKeys.arm as a signer certificate.
a.Go to the Signer Certificates section.
b.Click Add.
c.Specify settings:
- Data Type: Base64-encoded ASCII data
- Certificate file name: SSLKeys.arm
- Location: the path to your myKeys directory
d.Click OK.
Click the Key Database File menu and select Close.

Step 6: If needed, add the LDAP server signer certificate to the SSLKeys.jks file

If the LDAP server is configured to connect to the WebSphere Application Server via LDAPS, the LDAP server's certificate needs to be added to the signer certificate section of SSLKeys.jks.

Export the certificate from the LDAP server.
Start the JSSE key management utility.
Open the SSLKeys.jks file.
Import the LDAP server certificate as a signer certificate.
a.Go to the Signer Certificates section.
b.Click Add.
c.Specify settings:
- Data Type: Base64-encoded ASCII data
- Certificate file name: LDAP server certificate file name
- Location: the path to your LDAP server certificate file
d.Click OK.
Click theKey Database File menu and select Close. Note: Make sure to exit or close the key database file each time it is modified to ensure the changes are picked up by the WebSphere Application Server.

Step 7: Stop the servers and start them again

The configuration is complete. In order to activate the configuration, stop and restart both the Web server (if the plug-in key file was modified) and the WebSphere Application Server.