<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure SSL for java.net.URL HTTPS protocol</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h6><a name="secjavahttps"></a>Configure SSL for java.net.URL HTTPS protocol</h6>
<p>The java.net.URL class provides a direct connection to the Web server to retrieve the specified URL using the HTTPS protocol.</p>

<p>Configuring SSL for the Web server depends on the type of Web server. Consult your Web server documentation for instructions.</p>

<p><strong>Configure the client Java keystore</strong></p>

<p>If you already have a client Java keystore file that is populated with the required personal and signer certificates, you can omit this step.</p>

<p>To configure the client Java keystore, use Digital Certificate Manager (DCM) to extract the Local Certificate Authority (CA) certificate that is used by the Web server. You can then import the certificate into the client Java keystore file.</p>

<p>Perform these steps:</p>

<ol>
<li><a href="secdcmstr.htm">Start the Digital Certificate Manager (DCM)</a>.</li>
<li>Create a Local Certificate Authority (CA). If you already have a certificate authority created on your iSeries system, skip this step.</li>
<li>On the left pane, click <strong>Select a Certificate Store</strong>.</li>
<li>Select <strong>*SYSTEM</strong> and click <strong>Continue</strong>.</li>
<li>On the Certificate Store and Password page, enter the password, then click <strong>Continue</strong>.</li>
<li>In the left pane, click <strong>Install CA certificate on your PC</strong>.</li>
<li>In the right pane, click <strong>Copy and paste certificate</strong>.</li>
<li>Create the text file <tt><em>USER_INSTALL_ROOT</em>/etc/myLocalCA.txt</tt> on your PC, paste the CA certificate into <tt>myLocalCA.txt</tt>, and save the file. Ensure that the pasted copy of the CA certificate ends with a newline character.</li>
<li>Click the <strong>Done</strong> button.</li>
</ol>
<p>Next, create a new key database file for the client HTTPS application:</p>

<ol>
<li><p>Start iKeyman on your workstation. For more information, see <a href="ikeyman.htm">The iKeyman utility</a>.</p></li>
<li>Create a new key database file:
<ol type="a">
<li>Click <strong>Key Database File</strong> and select <strong>New</strong>.</li>
<li>Specify these settings:
<ul>
<li><strong>Key database type</strong>: JKS</li>
<li><strong>File Name</strong>: httpsClientKeys.jks</li>
<li><strong>Location</strong>: your etc directory, such as <tt>USER_INSTALL_ROOT/etc/myKeys</tt></li>
</ul></li>
<li>Click <strong>OK</strong>.</li>
<li>Enter a password (twice for confirmation) and click <strong>OK</strong>.</li>
</ol></li>
<li><p>Delete all of the signer certificates.</p></li>
<li><p>Click <strong>Signer Certificates</strong> and select <strong>Personal Certificates</strong>.</p></li>
<li>Add a new self-signed certificate:
<ol type="a">
<li>Click <strong>New Self-Signed</strong> to add a self-signed certificate.</li>
<li>Specify these settings:
<ul>
<li><strong>Key Label</strong>: httpsClientTest</li>
<li><strong>Common Name</strong>: use the DNS name for your iSeries server</li>
<li><strong>Organization</strong>: IBM</li>
</ul></li>
<li>Click <strong>OK</strong>.</li>
</ol></li>
<li>Extract the certificate from this self-signed certificate so that it can be imported into the Web server's SSL key file:
<ol type="a">
<li>Click <strong>Extract Certificate</strong>.</li>
<li>Specify these settings:
<ul>
<li><strong>Data Type</strong>: Base64-encoded ASCII data</li>
<li><strong>Certificate file name</strong>: httpsClient.arm</li>
<li><strong>Location</strong>: the path to your etc directory</li>
</ul></li>
<li>Click <strong>OK</strong>.</li>
</ol></li>
<li>Import the Web server's certificate:
<ol type="a">
<li>Click <strong>Personal Certificates</strong> and select <strong>Signer Certificates</strong>.</li>
<li>Click <strong>Add</strong>.</li>
<li>Specify these settings:
<ul>
<li><strong>Data Type</strong>: Base64-encoded ASCII data</li>
<li><strong>Certificate file name</strong>: myLocalCA.txt</li>
<li><strong>Location</strong>: the path to your etc directory</li>
</ul></li>
<li>Click <strong>OK</strong>.</li>
</ol></li>
<li><p>Enter <tt>web-server</tt> for the label and click <strong>OK</strong>.</p></li>
<li><p>Click <strong>Key Database File</strong>.</p></li>
<li><p>Select <strong>Exit</strong>.</p></li>
</ol>
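<p>The signer-import part of the iKeyman procedure above (steps 6 and 7: add <tt>myLocalCA.txt</tt> to <tt>httpsClientKeys.jks</tt> under the label <tt>web-server</tt>) can also be done with the standard Java <tt>KeyStore</tt> API, which is useful when the store has to be rebuilt on a server without a GUI. The following is an added example, not code from this page or from IBM; the class and method names are its own, the file names and the label come from the steps above, and it assumes a current JDK. It does not generate the self-signed personal certificate, only the trusted signer entry, and it checks that what is being trusted really is a CA certificate and is currently valid before writing it, then prints the subject and SHA-256 fingerprint so they can be compared with what DCM shows for the Local CA.</p>

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Adds the Local CA certificate saved in myLocalCA.txt to the client JKS
 * trust store under the label "web-server": the same result as the iKeyman
 * "Signer Certificates > Add" steps. Added example; class and method names
 * are this example's own, file names and label follow the documented steps.
 */
public class ImportLocalCaSigner {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ImportLocalCaSigner <myLocalCA.txt> <httpsClientKeys.jks> <password>");
            System.exit(2);
        }
        X509Certificate ca = importSigner(Paths.get(args[0]), Paths.get(args[1]),
                                          args[2].toCharArray(), "web-server");
        // Print what was trusted so it can be compared against the CA shown in DCM
        System.out.println("Trusted signer: " + ca.getSubjectX500Principal());
        System.out.println("SHA-256 fingerprint: " + fingerprint(ca));
    }

    /** Loads (or creates) the JKS store, validates the PEM certificate and stores it as a trusted entry. */
    static X509Certificate importSigner(Path pemFile, Path storeFile, char[] password, String label)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(storeFile)) {
            try (InputStream in = Files.newInputStream(storeFile)) {
                ks.load(in, password);            // existing store: the password also checks its integrity
            }
        } else {
            ks.load(null, password);              // new, empty store (iKeyman: Key Database File > New)
        }

        X509Certificate ca;
        try (InputStream in = Files.newInputStream(pemFile)) {
            // Base64-encoded ASCII (PEM) is parsed directly; the file must end with a newline
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // Only a CA certificate belongs in the signer list; refuse anything else
        if (ca.getBasicConstraints() < 0) {
            throw new IllegalArgumentException("not a CA certificate: " + ca.getSubjectX500Principal());
        }
        ca.checkValidity();                       // throws if the certificate is expired or not yet valid

        ks.setCertificateEntry(label, ca);        // trusted-certificate entry, no private key attached
        try (OutputStream out = Files.newOutputStream(storeFile)) {
            ks.store(out, password);
        }
        return ca;
    }

    /** Colon-separated SHA-256 fingerprint of the DER encoding, as DCM and browsers display it. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

<p>Run it as <tt>java ImportLocalCaSigner USER_INSTALL_ROOT/etc/myLocalCA.txt USER_INSTALL_ROOT/etc/httpsClientKeys.jks &lt;password&gt;</tt>. Because the store is loaded with its password first, an existing file whose password does not match is rejected rather than silently overwritten, and the basic-constraints check stops an end-entity certificate from being installed as a signer by mistake.</p>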
<p><strong>Configure the Web server's certificate store</strong></p>

<p>Add the signer certificate of the client HTTPS application to the Web server's SSL key file and to the list of trusted CA certificates for the Web server's secure application. This step is needed if the Web server configuration requires client authentication:</p>

<ol>
<li><a href="secdcmstr.htm">Start the Digital Certificate Manager (DCM)</a>.</li>
<li>On the left pane, click <strong>Select a Certificate Store</strong>.</li>
<li>Select <strong>*SYSTEM</strong> and click <strong>Continue</strong>.</li>
<li>On the Certificate Store and Password page, enter the password, then click <strong>Continue</strong>.</li>
<li>On the left pane, click <strong>Fast Path</strong>.</li>
<li>Select <strong>Work with CA certificates</strong>.</li>
<li>Click the <strong>Import</strong> button.</li>
<li>Specify <tt><em>USER_INSTALL_ROOT</em>/etc/httpsClient.arm</tt> for the <strong>Import file</strong> field value and click <strong>Continue</strong>.</li>
<li>Specify <tt>httpsClient</tt> for the <strong>CA certificate label</strong> field value and click <strong>Continue</strong>.</li>
<li>On the left pane, select <strong>Work with server applications</strong>. On this page, select the application used by the Web server's configuration, and click <strong>Work with Application</strong>.</li>
<li>Click <strong>Define CA Trust List</strong>.</li>
<li>Select the check box for the <strong>httpsClient</strong> CA, then click <strong>OK</strong>.</li>
</ol>
<p><strong>Configure WebSphere Application Server - Express</strong></p>

<p>You must specify some Java virtual machine properties for the application server. Use the WebSphere administrative console to perform these steps:</p>

<ol>
<li>In the navigation menu, expand <strong>Servers</strong>, and click <strong>Application Servers</strong>.</li>
<li>On the Application Servers page, click the name of your server.</li>
<li>Under Additional Properties, click <strong>Process Definition</strong>.</li>
<li>Under Additional Properties, click <strong>Java Virtual Machine</strong>.</li>
<li>Under Additional Properties, click <strong>Custom Properties</strong>.</li>
<li><p>Click <strong>New</strong> to add a new property. Add these properties:</p>
<table border="1" cellpadding="3">
<tr>
<th>Name</th>
<th>Value</th>
</tr>
<tr>
<td><tt>java.protocol.handler.pkgs</tt></td>
<td><tt>com.ibm.net.ssl.internal.www.protocol</tt></td>
</tr>
<tr>
<td><tt>javax.net.ssl.trustStore</tt></td>
<td><tt><em>USER_INSTALL_ROOT</em>/etc/httpsClientKeys.jks</tt>, where <em>USER_INSTALL_ROOT</em> is the root directory of your instance</td>
</tr>
<tr>
<td><tt>javax.net.ssl.trustStorePassword</tt></td>
<td>(Enter the password of the trust store.)</td>
</tr>
</table>

<p>If the Web server requires client authentication, you must additionally specify these properties:</p>

<table border="1" cellpadding="3">
<tr>
<th>Name</th>
<th>Value</th>
</tr>
<tr>
<td><tt>javax.net.ssl.keyStore</tt></td>
<td><tt><em>USER_INSTALL_ROOT</em>/etc/httpsClientKeys.jks</tt>, where <em>USER_INSTALL_ROOT</em> is the root directory of your instance</td>
</tr>
<tr>
<td><tt>javax.net.ssl.keyStorePassword</tt></td>
<td>(Enter the password of the key store.)</td>
</tr>
</table>

<p>Normally, <tt>javax.net.ssl.keyStore</tt> would point to a different keystore file from the trust store.</p>

<p>Click <strong>OK</strong>.</p></li>
</ol>
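<p>The properties in the tables above are read by JSSE when the JVM opens its first HTTPS connection, so the same configuration can be exercised outside the application server with a small stand-alone client. The following is an added example, not code from this page, from the linked servlet example, or from IBM; the class and method names, the timeouts and the command-line arguments are its own. It assumes a current JDK, which has its own <tt>https</tt> handler, so it does not set <tt>java.protocol.handler.pkgs</tt>; under the application server that property and the trust-store properties come from the custom properties above and <tt>configureTrustStore</tt> is not needed. The client refuses non-HTTPS URLs, leaves the default hostname verification in place, and reports the negotiated cipher suite and server identity, which is the information you want when the handshake fails because the server certificate does not chain to the <tt>web-server</tt> signer.</p>

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

/**
 * Retrieves a URL over HTTPS with java.net.URL, trusting only the signers in
 * the client trust store named by the javax.net.ssl.* properties. Added
 * example; class and method names are this example's own.
 */
public class HttpsUrlClient {

    /** Sets the same JSSE properties that the administrative console steps add to the JVM. */
    static void configureTrustStore(String trustStorePath, char[] password) {
        // Must run before the first HTTPS connection: the default SSLContext reads these once
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(password));
    }

    /** Fetches the body of an HTTPS URL; plain http is refused so the request never goes out unencrypted. */
    static String fetch(String urlText) throws Exception {
        URL url = new URL(urlText);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("refusing non-HTTPS URL: " + urlText);
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setConnectTimeout(10000);   // milliseconds; example values
        conn.setReadTimeout(30000);

        // The TLS handshake happens here. It fails with SSLHandshakeException when the
        // server certificate does not chain to a signer in the trust store, or when the
        // server requires client authentication and no key store was configured.
        int status = conn.getResponseCode();

        if (conn instanceof HttpsURLConnection) {
            // Default hostname verification stays in place; only record who we talked to
            HttpsURLConnection https = (HttpsURLConnection) conn;
            System.err.println("cipher suite: " + https.getCipherSuite());
            System.err.println("server identity: " + https.getPeerPrincipal());
        }
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("HTTP " + status + " from " + urlText);
        }

        StringBuilder body = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line).append('\n');
            }
        }
        return body.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: HttpsUrlClient <https-url> <httpsClientKeys.jks> <truststore-password>");
            System.exit(2);
        }
        configureTrustStore(args[1], args[2].toCharArray());
        System.out.print(fetch(args[0]));
    }
}
```

<p>Run it as <tt>java HttpsUrlClient https://&lt;your-iseries-host&gt;/ USER_INSTALL_ROOT/etc/httpsClientKeys.jks &lt;password&gt;</tt>. Note that the trust-store password only protects the integrity of a JKS file; the signer certificates in it are not secret, which is why the personal certificate and its private key are normally kept in a separate key store with its own password, as the previous paragraph recommends.</p>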
<p>For a code example of a servlet that uses HTTPS, see <a href="sechttpsx.htm">Example: HTTPS servlet</a>. The servlet retrieves and displays the URL that is entered as a query string or as a servlet initialization parameter.</p>

</body>
</html>