SSL for secure communication with remote server
Friday, March 23, 2012 2:21:46 PM
a post on how to configure SSL at WAS (WebSphere Application Server) level so that an installed web application can put a text file onto a remote server via https.
first of all we must have three things on hand:
- the remote server's certificate
- our private key
- our self-signed certificate
the server certificate we must obtain from the other party we want to interact with. our private key and certificate we generate ourselves: it is better and much simpler to do it in the WAS ISC (Integrated Solutions Console). afterwards we send this self-signed certificate to our counterpart so that we can be authenticated during SSL communication.
all operations set forth below are performed in the WAS ISC. the first pair of square brackets lists the sequence of links to follow in the left frame, the second pair the corresponding sequence in the right frame.
1. create new trust and key stores.
[Security -> SSL certificate and key management] -> [SSL certificate and key management -> Key stores and certificates]
I created two stores, CellTradaTrustStore and CellTradaKeyStore, in the ${CONFIG_ROOT}/cells/ars01Cell01 folder where the default cell stores are located. so eventually I had the following configuration:
2. create a new self-signed certificate in our new key store.
[Security -> SSL certificate and key management] -> [SSL certificate and key management -> Key stores and certificates -> CellTradaKeyStore -> Personal certificates]
click the Create a self-signed certificate button and enter the certificate properties:
note that I set the validity period to approximately 10 years since this is a test certificate.
3. add the obtained server certificate to our new trust store.
[Security -> SSL certificate and key management] -> [SSL certificate and key management -> Key stores and certificates -> CellTradaTrustStore -> Signer certificates]
click the Add button and enter the signer certificate properties (its alias, location and type):
now this certificate must be listed among the other signer certificates in our trust store (the others are just preinstalled dummy certificates for now).
4. create a new SSL configuration.
[Security -> SSL certificate and key management] -> [SSL certificate and key management -> SSL configurations]
I created a new SSL configuration, CellTradaSSLSettings, this way:
as you see, the just-created trust and key stores are selected for this configuration. the self-signed certificate is also selected here as the default server and client certificate alias (I don't know yet whether it is strictly necessary to select it in order for SSL communication to work).
the main reason for creating a new SSL configuration was to isolate my experiments with SSL settings from the existing, perfectly working configuration so as not to break it accidentally.
5. set client authentication to Required in our new SSL configuration.
[Security -> SSL certificate and key management] -> [SSL certificate and key management -> SSL configurations -> CellTradaSSLSettings -> Quality of protection (QoP) settings]
I also doubt this step is necessary, but setting this option to Required makes sense. according to the page help: "If Required is selected, the server requests that a client certificate be sent. If the client does not have a certificate, the handshake fails". and mutual client authentication is exactly what we need.
6. set the new SSL configuration at server scope.
[Security -> SSL certificate and key management] -> [SSL certificate and key management -> Manage endpoint security configurations -> PKVADServer]
so our test server here is PKVADServer. the new SSL configuration must be applied to both the inbound and the outbound direction, one after the other. the configuration for the inbound direction is shown on the following screenshot:

don't forget to check the Override inherited values option, otherwise the new endpoint configuration won't be saved after clicking the OK button.
after selecting the new SSL configuration click the Update certificate alias list button and specify the certificate alias in the key store to use for certificate-based client authentication. this is the self-signed ecls certificate in my case. if you don't select anything here the JSSE key manager determines which certificate is used, and it might not be the one you want (provided you have more than one certificate in the associated key store).
the final local topology should look like this:
pay attention to the PKVADServer configuration.
7. now comes the most tedious part: the signer certificate exchange.
this is necessary for PKVADServer to communicate with the nodeagent and the dmgr. the procedure for doing it is described in this post. I won't retell it all here in detail but give some guidelines on what to do:
- import the cell and node certificates into our trust store
- export our personal certificate (ecls) and import it into the cell and node trust stores
8. finally save the changes, synchronize the node and restart IT ALL (including the dmgr).
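as an added example (not code from this post and not WAS's own code), here is what the CellTradaSSLSettings configuration amounts to when done by hand in plain JSSE, the same API WAS drives underneath: the key store supplies our private key and self-signed certificate for client authentication, the trust store holds the remote server's signer certificate, and only then is the text file PUT over https. the file names, store passwords, the "remoteserver" alias, the PEM path and the URL are assumptions made for the example; the stores are assumed to be PKCS12.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not from the post: the mutual-TLS setup of steps 1-7
 * expressed with plain JSSE. Key store = our identity (private key +
 * self-signed certificate), trust store = the signers we accept.
 */
public class MutualTlsPut {

    // assumed file names and password; WAS keeps cell stores under ${CONFIG_ROOT}/cells/<cell>
    static final String KEY_STORE = "CellTradaKeyStore.p12";
    static final String TRUST_STORE = "CellTradaTrustStore.p12";
    static final char[] STORE_PASS = "changeit".toCharArray();
    // the certificate obtained from the counterpart (assumed path)
    static final String REMOTE_SIGNER_PEM = "remote-server.cer";

    static KeyStore loadStore(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    /** Equivalent of step 3 (and the step 7 imports): add a signer certificate to a trust store. */
    static void importSigner(KeyStore trust, String alias, String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            cert.checkValidity();                  // refuse an expired or not-yet-valid signer
            trust.setCertificateEntry(alias, cert); // a signer entry carries no private key
        }
    }

    /** Equivalent of steps 4-5 on the client side: our key store plus our trust store. */
    static SSLContext buildContext(KeyStore key, KeyStore trust, char[] keyPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // with a single entry (ecls) the key manager has no choice; with several entries
        // it picks one itself, which is the situation the "certificate alias" setting avoids
        kmf.init(key, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust); // only signers present in the trust store are accepted
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** What the web application wants to do: PUT a text file onto the remote server. */
    static int putTextFile(SSLContext ctx, String url, Path file) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        // the default HostnameVerifier stays in place: the server certificate must match the host
        c.setRequestMethod("PUT");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "text/plain; charset=utf-8");
        byte[] body = Files.readAllBytes(file);
        c.setFixedLengthStreamingMode(body.length);
        try (OutputStream out = c.getOutputStream()) {
            out.write(body);
        }
        return c.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        KeyStore key = loadStore(KEY_STORE, STORE_PASS);
        KeyStore trust = loadStore(TRUST_STORE, STORE_PASS);
        if (!trust.containsAlias("remoteserver")) {
            importSigner(trust, "remoteserver", REMOTE_SIGNER_PEM);
            try (OutputStream out = new FileOutputStream(TRUST_STORE)) {
                trust.store(out, STORE_PASS); // persist the new signer, as the ISC does on save
            }
        }
        SSLContext ctx = buildContext(key, trust, STORE_PASS);
        int status = putTextFile(ctx, "https://remote.example.com/upload/report.txt",
                Paths.get("report.txt")); // assumed URL and local file
        System.out.println("HTTP status: " + status);
    }
}
```

two failure modes map directly onto the steps above: if the remote signer is missing from the trust store the handshake ends in an SSLHandshakeException with JSSE's "PKIX path building failed" message (step 3 or step 7 was skipped), and if the remote side has client authentication set to Required but our signer was never delivered to it, the handshake fails on their side instead, which is the reason for sending our self-signed certificate to the counterpart up front.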
THE END