For Commerce Enabled Portal to work properly, you must set up the SSL certificate from the WebSphere Commerce HTTP server to the WebSphere Application Server on the WebSphere Portal machine. The certificate does not need to be new; as long as it is recognized by the HTTP Server running on the WebSphere Commerce machine, it will work.
This section provides an example of how to create a new self-signed certificate for SSL for testing purposes on a WebSphere Commerce machine.
Note: These instructions cover creating a certificate for testing purposes only for IBM HTTP Server on Windows. The steps are similar for IBM HTTP Server on other platforms. For production purposes, you should get an SSL certificate from a trusted Certificate Authority (CA).
To create a new self-signed certificate for testing purposes for IBM HTTP Server on Windows, do the following:
- Go to Programs, then IBM HTTP Server 1.3.28, then Start Key Management Utility. The IBM Key Management window displays.
- You have the option of using an existing key, or creating a new one.
- If you are using an existing key, go to step 3.
- To create a new key, do the following:
- From the Key Database File menu, select New. The New dialog box displays.
- Change Key Database type to CMS.
- In the File Name field a file name is created for you (by default key.kdb). Change this file name to keyfile.kdb.
Note: By default the HTTP server configuration file points to IBM_HTTP_SERVER_DIR/ssl/keyfile.kdb. If you choose to use another filename, you must update the httpd.conf file to reflect the new name.
- In the Location field, type the location where you want to save the file. Click OK. The Password Prompt window displays.
Note: By default, the HTTP server configuration file points to the location IBM_HTTP_SERVER_DIR\ssl. If you save the file to another location, you must update the HTTP server configuration file.
- In the Password field, type the password of your choice.
- In the Confirm Password field, retype the password.
- Select Stash the password to a file? Click OK. A dialog box displays telling you that the password is encrypted. Click OK.
- If you are using Commerce Enabled Portals with Linux on iSeries and Linux on pSeries, do the following to create a new key:
- Open the following file: $JAVA_HOME/jre/lib/security/java.security, where $JAVA_HOME is the Java installation that GSKit uses.
- Add the following line: security.provider.6=com.ibm.spi.IBMCMSProvider
  Your provider section may look like the following:
      #
      # List of providers and their preference orders (see above):
      #
      security.provider.1=com.ibm.crypto.provider.IBMJCE
      security.provider.2=com.ibm.jsse.IBMJSSEProvider
      security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.4=com.ibm.security.cert.IBMCertPath
      security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
      security.provider.6=com.ibm.spi.IBMCMSProvider
- In the IBM Key Management window, from the Create menu, select New Self-Signed Certificate. The Create New Self-Signed Certificate window displays.
- In the Key Label field, type the WebSphere Commerce machine's host name.
- In the Common Name field, type the WebSphere Commerce machine's fully qualified host name.
- In the Organization field, type the name of your organization. Click OK.
- In the IBM Key Management window, click Extract Certificate. The Extract Certificate to a File dialog displays.
- Accept the default certificate name.
- In the Location field, type the location on the WebSphere Commerce machine where you want to save the certificate. Click OK.
- Stop and restart the IBM HTTP Server.
- Copy the certificate file to the WebSphere Portal machine. The file can be copied anywhere on the WebSphere Portal machine that is accessible to the Commerce Enabled Portal Configurator.
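The two notes in the procedure above tie the key database name and location to httpd.conf. The following check is an added example, not IBM's code: it assumes the key database is named by the server's KeyFile directive and that the stashed password is written as a .sth file beside the .kdb. The sample configuration, host name and install path are constructed.

```python
import ntpath
import os
import re

# Active (uncommented) KeyFile directive. Directive names are case-insensitive
# and the path may be double-quoted (needed when it contains spaces).
KEYFILE_RE = re.compile(
    r'^[ \t]*keyfile[ \t]+(?:"([^"]+)"|(\S+))[ \t\r]*$', re.I | re.M)

def norm(path):
    # Compare with Windows semantics: case-insensitive, / and \ equivalent.
    return ntpath.normcase(ntpath.normpath(path))

def keyfile_paths(conf_text):
    """Return every path named by an active KeyFile directive."""
    return [quoted or bare for quoted, bare in KEYFILE_RE.findall(conf_text)]

def check_keyfile(conf_text, kdb_path, exists=os.path.exists):
    """Return a list of problems; an empty list means config and files agree."""
    problems = []
    paths = keyfile_paths(conf_text)
    if not paths:
        problems.append("no active KeyFile directive found")
    for p in paths:
        if norm(p) != norm(kdb_path):
            problems.append(f"KeyFile points to {p}, not {kdb_path}")
    if not exists(kdb_path):
        problems.append(f"key database missing: {kdb_path}")
    # Assumption: the stash file shares the database's base name, with .sth.
    stash = ntpath.splitext(kdb_path)[0] + ".sth"
    if not exists(stash):
        problems.append(f"stash file missing: {stash}")
    return problems

# Constructed httpd.conf fragment (install path and host are placeholders).
SAMPLE_CONF = '''
# Keyfile "C:/old/key.kdb"
Listen 443
<VirtualHost host.example.com:443>
SSLEnable
Keyfile "C:/Program Files/IBM HTTP Server/ssl/keyfile.kdb"
</VirtualHost>
'''

if __name__ == "__main__":
    kdb = r"C:\Program Files\IBM HTTP Server\ssl\keyfile.kdb"
    for line in check_keyfile(SAMPLE_CONF, kdb) or ["OK"]:
        print(line)
```

Run it on the WebSphere Commerce machine against the real httpd.conf text before restarting the server; a mismatch reported here is the condition the two notes describe.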
Changing encryption
To change the encryption on a SunOne Web server to 40-bit, do the following:
- Open the iPlanet Web Server Administration Server (http://hostname:8888).
- Type your administration username and password.
- From the Select a Server drop down list, select your server. Click Manage.
- Select the Preferences tab. Click Edit Listen Sockets.
- In the Listen Sockets Table, for port 8000, click the Attributes link. The Security Settings of Listen Socket page opens.
- In the Ciphers column, click SSL3/TLS. The SSL3/TLS Encryption window opens.
- In the SSL/TLS 3.0 ciphers list, deselect all the selected ciphers. Select only the 40-bit ciphers.
- Click OK. A pop-up displays saying your ciphers are set. Click OK. Then click Quit.
- Click ON/OFF to restart your servers.