
SSL Configuration on WebSphere
Oracle FLEXCUBE Investor Banking
Release 12.0.1.0.0
[November] [2012]

Table of Contents

1. Configuring SSL on WebSphere ............................................ 1-1
1.1 Introduction ............................................................ 1-1
1.2 Certificates ............................................................ 1-1
1.2.1 Creating SSL Connection between Application Server and Client ......... 1-1
1.2.2 Creating Self Signed Certificate ...................................... 1-1
1.2.3 Path Details .......................................................... 1-3
1.3 Adding Key Store to Application Server .................................. 1-3
1.4 Creating SSL Configuration .............................................. 1-6
1.5 Managing Endpoint Security Configurations ............................... 1-8
1.6 SSL Settings at Application Server Level ................................ 1-10
1.7 Running Application with SSL ............................................ 1-13
1.8 Certificate Exchange for Two Ways SSL ................................... 1-13
1.8.1 Extracting Certificate for Server1 .................................... 1-13
1.8.2 Extracting Certificate for Server2 .................................... 1-14
1.8.3 Importing Certificate into Keystore for Server1 ....................... 1-14
1.8.4 Importing Certificate into Keystore for Server2 ....................... 1-17
1.8.5 Importing Certificate into Truststore for Server1 ..................... 1-18
1.8.6 Importing Certificate into Truststore for Server2 ..................... 1-21
1.9 Managing Endpoint Security Configurations ............................... 1-22
1.10 Protection Quality ..................................................... 1-28
1.11 Importing or Adding Server Certificates using Batch .................... 1-29

1. Configuring SSL on WebSphere

1.1 Introduction

This chapter guides you through the process of configuring SSL on IBM WebSphere application server.

1.2 Certificates

1.2.1 Creating SSL Connection between Application Server and Client

To establish an SSL connection between WebSphere and client workstations, follow the steps given below:

- Create an SSL certificate (this certificate is required during real-time production)
- A self-signed certificate (SSL) will be used for testing purposes

1.2.2 Creating Self Signed Certificate

To create a self-signed certificate, you may use various tools, including IBM iKeyman. For illustration purposes, this guide explains the method of generating the SSL certificate using a tool available in Java. The keytool is available in the folder ‘JAVA_HOME\jdk\bin’.

Go to the folder ‘bin’ of the JRE from the command prompt and type the following command:

    keytool -genkeypair -alias alias -keyalg keyalg -keysize keysize -sigalg sigalg -validity valDays -keystore keystore

Note: alias, keyalg, keysize, sigalg, valDays and keystore are placeholders. You need to replace them with the suitable values while running the command.

In the above command:

- alias is used to identify the public and private key pair created. This alias is required for configuring the SSL attributes for the managed servers in Oracle WebLogic application server.
- keyalg is the key algorithm used to generate the public and private key pair. The RSA key algorithm is recommended.
- keysize is the size of the public and private key pair generated. A key size of 1024 or more is recommended. Consult your CA on the key size support for different types of certificates.
- sigalg is the algorithm used to generate the signature. This algorithm must be compatible with the key algorithm. It has to be one of the values specified in the Java Cryptography API Specification and Reference.
- valDays is the number of days for which the certificate is considered to be valid. Consult your CA on this period.
- keystore specifies the location of the JKS file. If the JKS file is not present in the path provided, the command will create it.

The command will prompt for the following attributes of the certificate and keystore:

- Keystore password: Specify a password that will be used to access the keystore. This password needs to be specified later, when configuring the identity store in Oracle WebLogic Server.
- Key password: Specify a password that will be used to access the private key stored in the keystore. This password needs to be specified later, when configuring the SSL attributes of the managed server(s) in Oracle WebLogic Server.
- First and last name (CN): Specify the domain name of the machine used to access Oracle FLEXCUBE UBS. For instance, www.example.com.
- Name of your organizational unit: Specify the name of the department or unit making the request. For example, BPD. Use this field to identify the SSL certificate you are creating, for example by department or by physical server.
- Name of your organization: Specify the name of the organization making the certificate request. For example, Oracle Financial Services Software. It is recommended to use the formal name of the company or organization. This name must match the name in the official records.
- Name of your City or Locality: Specify the name of the city in which your organization is physically located. For example, Mumbai.
- Name of your State or Province: Specify the state/province in which your organization is physically located. For example, Maharashtra.
- Two-letter country code for this unit: Specify the country in which your organization is physically located. For example, US, UK, IN etc.

Example

Listed below is the result of a sample execution of the command (the text in parentheses describes what you enter at each prompt):

    C:\Program Files\IBM\WebSphere\AppServer\bin> keytool -genkeypair -alias cvrhp0729 -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 365 -keystore D:\keystores\FCUBSKeyStore.jks
    Enter keystore password:                     (enter a password to protect the keystore)
    Re-enter new password:                       (confirm the password keyed above)
    What is your first and last name?
      [Unknown]:  cvrhp0729.i-flex.com
    What is the name of your organizational unit?
      [Unknown]:  BPD
    What is the name of your organization?
      [Unknown]:  Oracle Financial Services
    What is the name of your City or Locality?
      [Unknown]:  Mumbai
    What is the name of your State or Province?
      [Unknown]:  Maharashtra
    What is the two-letter country code for this unit?
      [Unknown]:  IN
    Is CN=cvrhp0729.i-flex.com, OU=BPD, O=Oracle Financial Services, L=Mumbai, ST=Maharashtra, C=IN correct?
      [no]:  yes
    Enter key password for <cvrhp0729>
            (RETURN if same as keystore password):  (enter a password to protect the key)
    Re-enter new password:                       (confirm the password keyed above)

The self-signed certificate needs to be added to the web server.

1.2.3 Path Details

You need to copy or move the keystore file (the .jks file) to the application server location given below:

    /oracle1/WAS61/Appserver nodes/ips014dorNode02

    ips014dorCell01 -- ips014dor is the name of the machine and Cell01 the cell
    ips014dorNode02 -- ips014dor is the name of the machine and Node02 the node

1.3 Adding Key Store to Application Server

To add the keystore to the WebSphere application server, follow the instructions given below.

Log in to the WAP console as the user ‘admin’. Specify the user ID of the administrator and the password set while installing the software. Click ‘Log In’.

The following screen is displayed. On the left pane, expand ‘Security’ and click ‘SSL certificate and key management’. The screen displays the details of SSL.

Under ‘Related items’ on the right side, click ‘Key stores and certificates’.

The following screen is displayed. This screen is used for attaching the key store to the application server.

Click the ‘New’ button to add a new key store.

Specify the following details:

Name
Specify the key store name.

Path
Specify the location of the key store generated. This has to be a relative path.
Example: {CONFIG jf3sslstore.jks

Password
Specify the password given in the ‘storepass’ parameter during key store generation.

Click ‘Apply’ and save the changes.

1.4 Creating SSL Configuration

To create an SSL configuration, on the left pane, click ‘SSL certificate and key management’. Under the section ‘Related items’, click ‘SSL configurations’.

The following screen is displayed. Click the ‘New’ button. The following screen is displayed. Specify the following details:

Name
Specify the name of the SSL configuration.

Trusted Store Name
Select the added key store.

Key Store Name
Select the added key store.

Click the button ‘Get certificate aliases’. Further, click ‘Apply’ and save the changes.

1.5 Managing Endpoint Security Configurations

This section explains the process of managing endpoint security configurations.

On the left pane, expand ‘Security’ and click ‘SSL certificate and key management’. Under ‘Configuration settings’, click ‘Manage endpoint security configurations’.

The following screen is displayed. Click the first link under ‘Inbound tree’. The following screen is displayed. Under SSL configurations, select the configured SSL from the drop-down list.

Click the button ‘Update certificate alias list’. Click ‘Apply’ and save the changes.

1.6 SSL Settings at Application Server Level

Go to the servers available on the left and click the ‘Application servers’ link, which refreshes the window on the right side to display the details pertaining to application servers. Click the server to which the SSL configuration has to be applied. The following screen is displayed.

Go to the Configuration tab and click ‘Web container transport chains’ under ‘Container settings’.

The following screen is displayed. Against their respective names, the secured connection is available under the column ‘SSL Enabled’. Click ‘WCInboundDefaultSecure’.

The following screen is displayed. Click ‘SSL Inbound channel (SSL_2)’. Select the configured SSL from the list of SSL configurations. Click ‘Apply’ and save the changes.

1.7 Running Application with SSL

To run the application with SSL, use the following syntax:

    https://<ip address or host name>:<port number>/<context>

1.8 Certificate Exchange for Two Ways SSL

1.8.1 Extracting Certificate for Server1

The process of extracting the certificate for Server1 is described below.

On the left pane of the screen, expand ‘Security’. Go to ‘SSL certificate and key management’ > ‘Key stores and certificates’ > ‘ELCMKeyStore’ > ‘Personal certificates’. Select the installed certificate and click the ‘Extract’ button.

Specify the location to save the certificate. This file will be used to add the certificate to the other server. Ensure that the file has been created in the location.

Eg: \localfolder\server1.cer

Similarly, extract the certificate for the second server.

Eg: \localfolder\server2.cer

1.8.2 Extracting Certificate for Server2

You can follow the steps for Server1 described under ‘Extracting Certificate for Server1’ to extract the certificate for Server2.

1.8.3 Importing Certificate into Keystore for Server1

Go to the other server. Expand ‘Security’ > ‘SSL certificate and key management’ > ‘Key stores and certificates’ > ‘Server7Keystore’ (the key store created above).

Click ‘Signer certificates’.

The following screen is displayed. Click the ‘Add’ button to add the certificate of the other server.

The following screen is displayed. The extracted certificate of the second server has to be imported into the key store and trust store of the first server. This has to be done using the same local path where the extracted certificate was generated for the first server.

Eg: \localfolder\server1.cer

1.8.4 Importing Certificate into Keystore for Server2

You can follow the steps for Server1 described under ‘Importing Certificate into Keystore for Server1’ to import the certificate into the keystore for Server2.

1.8.5 Importing Certificate into Truststore for Server1

Expand ‘SSL certificate and key management’ > ‘Key stores and certificates’ and click ‘NodeDefaultTrustStore’.

The following screen is displayed. Click ‘Signer certificates’.

The following screen is displayed. Click the ‘Add’ button to add the extracted certificate of the second server.

The following screen is displayed. Specify the ‘alias’ name to identify the other server.

Eg: For Server1, you can give the alias name ‘server2Alias’.

Further, specify the location of the extracted certificate.

1.8.6 Importing Certificate into Truststore for Server2

You can follow the steps for Server1 described under ‘Importing Certificate into Truststore for Server1’ to import the certificate into the truststore for Server2.
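The keytool step of section 1.2.2 and the certificate exchange of sections 1.8.1 to 1.8.6, scripted with keytool as an added example that is not part of this guide: each server gets a self-signed key pair, its certificate is extracted to a .cer file, and the peer's certificate is imported under an alias such as ‘server2Alias’ into the other server's truststore, which is then checked. The server names, host names, truststore file names and password are assumptions; the 2048-bit key and SHA256withRSA are stronger choices than the 1024-bit/SHA1withRSA values in the sample run above.

```shell
#!/bin/sh
# Added example: two-way SSL certificate exchange between two servers with
# keytool, mirroring sections 1.2.2 and 1.8.1 to 1.8.6 of the guide.
# server1/server2, the host names and the password are assumed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # where the .jks and .cer files are written
STOREPASS="changeit-placeholder"      # placeholder only; use a real secret

# Section 1.2.2: self-signed key pair in a fresh keystore (non-interactive,
# so the distinguished name is passed with -dname instead of being prompted).
make_keystore() {   # $1 = server name, $2 = CN (host name clients will use)
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 -dname "CN=$2, OU=BPD, O=Example Org, C=IN" \
    -keystore "$WORK/$1.jks" -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
}

# Sections 1.8.1/1.8.2: extract the server certificate to a .cer file.
extract_cert() {    # $1 = server name
  keytool -exportcert -alias "$1" -keystore "$WORK/$1.jks" \
    -storepass "$STOREPASS" -file "$WORK/$1.cer" >/dev/null 2>&1
}

# Sections 1.8.3 to 1.8.6: import the peer's certificate as a trusted signer
# into this server's truststore, under the alias convention '<peer>Alias'.
import_peer() {     # $1 = this server, $2 = peer server
  keytool -importcert -noprompt -alias "${2}Alias" -file "$WORK/$2.cer" \
    -keystore "$WORK/$1-trust.jks" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Check step: returns 0 when the truststore holds an entry under the alias.
has_trusted_alias() {  # $1 = server name, $2 = alias
  keytool -list -keystore "$WORK/$1-trust.jks" -storepass "$STOREPASS" \
    -alias "$2" >/dev/null 2>&1
}

# Full exchange for the pair; each server ends up trusting the other's cert.
exchange_certs() {
  make_keystore server1 server1.example.com
  make_keystore server2 server2.example.com
  extract_cert server1
  extract_cert server2
  import_peer server1 server2
  import_peer server2 server1
}

# Run directly with:  sh exchange.sh run
if [ "${1:-}" = "run" ]; then
  exchange_certs
fi
```

After a run, `keytool -list -keystore "$WORK/server1-trust.jks"` should show a single trustedCertEntry named server2Alias, and the matching entry for server1Alias on the other side.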

1.9 Managing Endpoint Security Configurations

To manage the endpoint security configurations, follow the instructions given below.

Expand ‘Security’ > ‘SSL certificate and key management’ and click ‘Manage endpoint security configurations’.

Change the inbound node settings. Expand ‘Inbound’ and ult)’.

The following screen is displayed. Select the SSL configuration you just created. Click the ‘Update certificate alias list’ button. Ensure that the proper certificate and SSL configuration are selected. Further, click ‘Apply’ and save the settings.

You can view the settings under ‘Inbound’.

Repeat the above steps for ‘Outbound’ as well.

You need to repeat the above steps for Server2 also.

1.10 Protection Quality

Expand ‘SSL certificate and key management’ > ‘SSL configurations’ > ‘Server7Config’. On the right side, click ‘Quality of protection (QoP) settings’.

The following screen is displayed. Under ‘Client authentication’, choose ‘Supported’ from the drop-down list. Click ‘Apply’ and save the changes.

You need to repeat these steps for the second server. Once you have made the changes to both the servers, restart the servers. It is recommended to restart the servers after making the changes.

1.11 Importing or Adding Server Certificates using Batch

Alternatively, you can import or add the server certificates using ikeyman.bat. This batch file is available at the following location:

    InstalledLocation\IBM\WebSphere\AppServer\bin

For security reasons, change the password for ‘defaultTruststore’ (trust.p12). The default password is ‘WebAS’.

SSL port information is available in the following screens.

Click ‘Ports’.

The details are displayed as follows.

SSL Configuration on WebSphere
November [2012]
Version 12.0.1.0.0

Oracle Financial Services Software Limited
Oracle Park
Off Western Express Highway
Goregaon (East)
Mumbai, Maharashtra 400 063
India

Worldwide Inquiries:
Phone: 91 22 6718 3000
Fax: 91 22 6718 3001
www.oracle.com/financialservices/

Copyright [2007], [2012], Oracle and/or its affiliates. All rights reserved.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate failsafe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

This software or hardware and documentation may provide access to or information on content, products and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
