SSL in WebSphere 8.5.5.9
In Version 8 of WebSphere Application Server, SSL is managed entirely from the admin console, which includes a complete overview of the SSL management capabilities.
For more information about managing SSL in WebSphere please refer to the following website or follow the steps listed below.
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/index.jsp
Note: Search for Overview and new features Securing under Network Deployment
Steps to Configure SSL/https
- Login to the WebSphere console.
- Expand Server Types and click WebSphere Application Servers.
- Click on the server that you created.
Example: ODS_WILDCAT_10.0.0.0
- Expand Port and copy the port number shown for WC_defaulthost_secure. This will be pasted in step 7.
- From the left side menu expand Environment and click Virtual Host.
- Click default_host and click Host_Aliases.
- Click New, paste the port number copied in step 4, then click OK.
- Restart the server/JVM.
- Navigate to https://machinename:9444/PASJava in your browser to access the login page of ODS.
Steps to Configure Certificates
32 bit WebSphere Application Server
IBM_JAVA_SECLIB = C:\Program Files (x86)\IBM\WebSphere\AppServer\java\jre\lib\security
IBM_JAVA_HOME = C:\Program Files (x86)\IBM\WebSphere\AppServer\java
64 bit WebSphere Application Server
IBM_JAVA_SECLIB = C:\Program Files\IBM\WebSphere\AppServer\java\jre\lib\security
IBM_JAVA_HOME = C:\Program Files\IBM\WebSphere\AppServer\java
- Download and install IBM JDK, if WebSphere is not installed on the machine.
Download URL: http://www.ibm.com/developerworks/java/jdk/
- Start the WebSphere application server
- Enable SSL in WebSphere.
- Log in to the WebSphere console.
- Expand Server Types and click WebSphere Application Servers.
- Click on the server that you created.
Example: ODS_WILDCAT_10.0.0.0
- Expand Port and copy the port number shown for WC_defaulthost_secure. It will be needed later in the process.
- From the left menu, expand Environment and click Virtual Host.
- Click default_host and then click Host_Aliases.
- Click New, paste the port number copied above, then click OK.
- Go to IBM_JAVA_SECLIB and edit the java.security file so that the socket factory entries read as shown below.
Note: Make sure the Default JSSE socket factories are uncommented and the WebSphere socket factories (in cryptosf.jar) are commented out.
# Default JSSE socket factories
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
# WebSphere socket factories (in cryptosf.jar)
#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
#ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
- Stop the server, Node Agent and Deployment Manager.
- Start the Deployment Manager, Node Agent and server.
- Navigate to https://localhost:9445/PASJava in your browser to make sure SSL works as expected.
- Log in to the application. If this action is successful, then SSL is set up correctly from the server side.
- Go to IBM_JAVA_HOME\bin and run the commands listed below.
- keytool -genkey -keystore ../lib/security/wsse.keystore -keyalg RSA -keysize 1024 -validity 1000 -alias localhost -dname "CN=localhost"
- keytool -export -keystore ../lib/security/wsse.keystore -alias localhost -file ../lib/security/localhost.cer
- keytool -import -keystore ../lib/security/wsse.truststore -trustcacerts -alias localhost -file ../lib/security/localhost.cer
- The step above will create two files within IBM_JAVA_SECLIB.
- wsse.keystore
- wsse.truststore
- Move wsse.keystore and wsse.truststore to the conf folder where all properties files reside.
For example: C:\ODS\conf
- Log in to the WebSphere console, go to Application servers > ODS > Process definition > Java Virtual Machine, and add the arguments listed below to the JVM arguments (entered as a single space-separated line).
-Duser.language=en
-Duser.region=US
-Djava.net.preferIPv4Stack=true
-Djava.net.preferIPv6Addresses=false
-javaagent:C:\ODS\lib\spring-instrument-4.2.3.RELEASE.jar
-Dtangosol.coherence.override=C:\ODS\conf\coherence-config.xml
-Dtangosol.coherence.cacheconfig=C:\ODS\conf\coherence-cache-config.xml
-Dtangosol.pof.config=com-adminserver-pas-web-pof-config.xml
-Djavax.net.ssl.trustStore=C:\ODS\conf\wsse.truststore
-Djavax.net.ssl.trustStorePassword=<truststore password chosen when wsse.truststore was created>
-Djavax.net.ssl.keyStore=C:\ODS\conf\wsse.keystore
-Djavax.net.ssl.keyStorePassword=jbossws
- Go to IBM_JAVA_SECLIB and take a backup of the cacerts file.
- Create a new certification (cacerts) file by following the steps listed below.
- Copy InstallCert.class and InstallCert$SavingTrustManager.class in IBM_JAVA_HOME\bin.
- From IBM_JAVA_HOME\bin, run InstallCert from a command prompt, for example java InstallCert localhost:9445. The KeyStore jssecacerts is loaded, a connection is opened, and messages about the server's certificates are displayed.
- When the process is complete, the following prompt appears: Enter certificate to add to trusted keystore or 'q' to quit. Type 1 to continue.
- When that step completes, another message appears: Added certificate to keystore 'jssecacerts' using alias 'localhost-1'. Run java InstallCert localhost:9445 one more time, then enter q to exit. This will create a new jssecacerts keystore.
Note: Repeat step 3 to enable SSL for different port numbers.
- Stop the WebSphere application server (JVM, Node Agent, Deployment Manager).
- Restart the machine.
- Start the WebSphere application server (JVM, Node Agent, Deployment Manager).
- Navigate to https://machinename:9445/PASJava in your browser to access the login page of ODS.
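The java.security step above works because java.util.Properties keeps only the last uncommented value of a key, so a socket factory pair that is left uncommented by mistake silently wins or loses. The following script is an added example, not part of the original ODS/WebSphere instructions; it audits a java.security file for the two provider keys named in that step (the constructed SAMPLE_OK excerpt and the command-line path handling are assumptions).

```python
"""Audit the ssl.*Factory.provider entries of a WebSphere java.security file.
Added example, not from the original ODS/WebSphere instructions: reads key=value lines
the way java.util.Properties does ('#' starts a comment; a key given twice keeps its
last value) and reports whether the Default JSSE factories are the ones in effect."""
import sys
EXPECTED = {  # state the java.security step calls for: IBM JSSE2 factories active
    "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
    "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
}

def active_properties(text):
    """Return (key -> last value, key -> number of uncommented definitions)."""
    props, counts = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue                     # blank or comment line
        key, sep, value = line.partition("=")
        if sep:
            key = key.strip()
            props[key] = value.strip()   # a later definition overrides an earlier one
            counts[key] = counts.get(key, 0) + 1
    return props, counts

def audit_socket_factories(text):
    """List findings for the two factory keys; an empty list means the file is as expected."""
    props, counts = active_properties(text)
    findings = []
    for key, expected in EXPECTED.items():
        if counts.get(key, 0) > 1:
            findings.append(f"{key} is uncommented {counts[key]} times; only the last value is used")
        actual = props.get(key)
        if actual is None:
            findings.append(f"{key} is commented out or missing")
        elif actual != expected:
            findings.append(f"{key} is {actual}, expected {expected}")
    return findings

# Constructed excerpt in the state the step describes: the WebSphere pair commented out.
SAMPLE_OK = """\
# Default JSSE socket factories
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
# WebSphere socket factories (in cryptosf.jar)
#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
#ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
"""
if __name__ == "__main__":   # optional argument: path to IBM_JAVA_SECLIB\java.security
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OK
    print("\n".join(audit_socket_factories(text)) or "OK: Default JSSE socket factories are active")
```

Run it against the edited file after the restart to confirm the IBM JSSE2 factories are the ones in effect; it only handles the plain key=value form used for these two keys.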
When ODS is running over HTTPS, the server shall be configured to send the HSTS (HTTP Strict Transport Security) policy. This policy lets a web site tell the browser that it must never load the site over HTTP and must automatically convert every attempt to access the site over HTTP into an HTTPS request instead.
For security reasons, browsers restrict cross-origin requests, i.e., requests to the ODS REST services that originate from a different domain. To allow cross-origin requests, the server shall be configured to add an 'Access-Control-Allow-Origin' header to the response, carrying the list of allowed domains. Setting Access-Control-Allow-Origin: * allows all domains. ODS also supports this configuration: set the property application.AccessControlAllowOrigin to the list of allowed domains in the System Properties document.
ODS does not support loading its pages in an iframe; the property application.X-Frame-Options is set to DENY in all service responses.
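The three header requirements above (HSTS, a non-wildcard Access-Control-Allow-Origin within the configured list, and X-Frame-Options DENY) can be checked against a live response. The script below is an added example, not part of the original ODS documentation; the SAMPLE_HEADERS map, the allowed domain https://portal.example.com and the PEM CA file path used by fetch_headers() are assumptions (keytool -export -rfc writes the exported certificate in PEM form).

```python
"""Check the response headers the HTTPS guidance above calls for.
Added example, not part of the original ODS documentation. evaluate_headers() applies the
three points to a header map: HSTS present with a positive max-age, Access-Control-Allow-Origin
neither '*' nor outside the configured allow-list, and X-Frame-Options equal to DENY."""
import http.client
import ssl
from urllib.parse import urlparse

def parse_hsts(value):
    """'max-age=31536000; includeSubDomains' -> {'max-age': 31536000, 'includesubdomains': True}."""
    out = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if name:
            out[name.lower()] = int(val) if sep and val.strip().isdigit() else True
    return out

def evaluate_headers(headers, allowed_origins):
    """Return findings for one response; an empty list means it matches the guidance."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: browsers may still load the site over HTTP")
    elif parse_hsts(hsts).get("max-age", 0) <= 0:
        findings.append("Strict-Transport-Security max-age is 0 or absent: the policy is not retained")
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append("Access-Control-Allow-Origin is '*': any origin may call the REST services")
    elif acao is not None and acao not in allowed_origins:
        findings.append(f"Access-Control-Allow-Origin {acao} is not in the configured allow-list")
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY: pages could be loaded in another site's iframe")
    return findings

def fetch_headers(url, ca_pem):
    """HEAD request trusting only the certificate in ca_pem (assumed path; keytool -export -rfc gives PEM)."""
    u = urlparse(url)
    ctx = ssl.create_default_context(cafile=ca_pem)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx)
    conn.request("HEAD", u.path or "/")
    return dict(conn.getresponse().getheaders())
# Constructed headers standing in for a response from https://machinename:9445/PASJava
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Access-Control-Allow-Origin": "https://portal.example.com",   # assumed allowed domain
    "X-Frame-Options": "DENY",
}
if __name__ == "__main__":
    print(evaluate_headers(SAMPLE_HEADERS, {"https://portal.example.com"}) or "OK")
```

For a live check, pass the result of fetch_headers("https://machinename:9445/PASJava", "localhost.pem") to evaluate_headers() together with the domains configured in application.AccessControlAllowOrigin.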