ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/sec/secjsswa.htm


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure SSL for WebSphere Application Server</title>
</head>
<BODY>
<h4><a name="secjsswa"></a>Configure SSL for WebSphere Application Server</h4>
<p>See these topics for instructions on configuring SSL for WebSphere Application Server:</p>
<ul>
<li><a href="#cfgpi">Configure SSL for WebSphere plug-ins</a>
<ul>
<li><a href="#cfgpiprod">Using the product-provided certificates to configure SSL for WebSphere plug-ins</a></li>
<li><a href="#cfgpikey">Creating an SSL key file for the WebSphere Web server plug-in</a></li>
</ul><p></p></li>
<li><a href="#cfgap">Configuring SSL for the application server's HTTPS transport</a>
<ol>
<li><a href="#cfgap1">Create an SSL key file without the default signer certificates</a></li>
<li><a href="#cfgap2">Add the signer certificate of the application server to the plug-in's SSL key file</a></li>
<li><a href="#cfgap3">Grant access to the key files</a></li>
<li>(Optional) <a href="#cfgap4">Configure an alias for the SSL port</a></li>
<li><a href="#cfgap5">Configure HTTPS transport for the Web container</a></li>
</ol></li>
</ul>
<p><strong>Note:</strong> For these steps, it is assumed that you have a network drive mapped from your workstation to your iSeries system.</p>
<p><strong><a name="cfgpi"></a>Configure SSL for WebSphere plug-ins</strong></p>
<p>A WebSphere plug-in interfaces with a Web server to handle client requests for server-side resources and routes them to the application server for processing. WebSphere Application Server - Express includes plug-ins for IBM HTTP Server for i5/OS and Domino Web Server for iSeries.</p>
<p>After SSL is working between your browser and Web server, proceed to configure SSL between the Web server plug-in and the WebSphere Application Server - Express product. This is not required if the link between the plug-in and application server is known to be secure or if your applications are not sensitive. If privacy of application data is a concern, however, this connection should be an SSL connection.</p>
<p><strong><a name="cfgpiprod"></a>Using the product-provided certificates to configure SSL for WebSphere plug-ins</strong></p>
<p>Each WebSphere Application Server - Express Version 5.1 (and later) application server instance contains an SSL key file. The pathname for the key file is /QIBM/UserData/WebASE51/ASE/<em>instance</em>/etc/plugin-key.kdb, where <em>instance</em> is the name of your server instance.</p>
<p>The plugin-key.kdb file contains a digital certificate. The digital certificate is required for the Web server plug-in to trust the signer of the Web container's certificate when an HTTPS transport is configured with the default SSL repertoire. The default Web container is created with such an HTTPS transport.</p>
<p>This default HTTPS transport should be removed or reconfigured to replace the product-provided certificates before putting the server into production. Using the product-provided certificates to configure SSL for the WebSphere plug-ins significantly reduces configuration complexity, but they should not be used for production servers. The tasks below demonstrate how to create your own certificates. Alternatively, you can obtain certificates from a commercial certificate authority.</p>
<p><strong><a name="cfgpikey"></a>Creating an SSL key file for the WebSphere Web server plug-in</strong></p>
<p>The following is an example of how to create an SSL key file for your WebSphere plug-in:</p>
<ol>
<li><p><a href="secdcmstr.htm">Start the Digital Certificate Manager</a>.
<br>Procedures vary depending on the release of Digital Certificate Manager (DCM) you have installed on your iSeries system. The release of DCM used in this article is V5R1M0.</p></li>
<li><p><a href="secdcmcca.htm">Create a local certificate authority</a>.
<br>Skip this step if you already have a certificate authority (CA) created on your iSeries system.</p></li>
<li>Create a key store for the HTTP server plug-in:
<ol type="a">
<li>In the left pane, click <strong>Create New Certificate Store</strong>.</li>
<li>Select <strong>Other System Certificate Store</strong> and click <strong>Continue</strong>.</li>
<li>On the Create a Certificate in New Certificate Store page, select <strong>Yes - Create a certificate in the certificate store</strong>, and click <strong>Continue</strong>.</li>
<li>On the Select a Certificate Authority (CA) page, select <strong>Local Certificate Authority</strong> and click the <strong>Continue</strong> button.</li>
<li>Fill in the form to create a certificate and certificate store. Use this pathname for the certificate store:
<pre>/QIBM/UserData/WebASE51/ASE/<em>instance</em>/etc/plugin-key.kdb</pre>
<p>where <em>instance</em> is the name of your instance. (The remainder of these instructions refers to the directory above <tt>etc</tt> as <em>USER_INSTALL_ROOT</em>.)</p>
<p>Use <tt>MyPluginCert</tt> as the key label. Fill in the other required fields, and then click <strong>Continue</strong>.</p></li>
</ol></li>
<li>Set the default system certificate:
<ol type="a">
<li>In the left pane, click to expand <strong>Fast Path</strong>.</li>
<li>Select <strong>Work with server and client certificates</strong>.</li>
<li>Select certificate MyPluginCert.</li>
<li>Click <strong>Set default</strong>.</li>
</ol><p></p></li>
<li>Remove all trusted signers except the Local CA:
<ol type="a">
<li>On the left pane, click <strong>Select a Certificate Store</strong></li>
<li>Select <strong>Other System Certificate Store</strong> and click <strong>Continue</strong>.</li>
<li>On the Certificate Store and Password page, enter the <strong>Certificate store path and filename</strong> (<em>USER_INSTALL_ROOT</em>/etc/plugin-key.kdb) and the password. Click <strong>Continue</strong>.</li>
<li>On the left pane, click <strong>Fast Path</strong>.</li>
<li>Select <strong>Work with CA certificates</strong> and click <strong>Continue</strong>.</li>
<li>On the Work with CA Certificates page, for all CA certificates except the LOCAL_CERTIFICATE_AUTHORITY, select the certificate and then click <strong>Delete</strong>. Respond with <strong>Yes</strong> when asked if you are sure you want to delete this certificate.</li>
</ol><p></p></li>
<li>Extract the Local CA certificate so that you can import the certificate into the application server key file later:
<ol type="a">
<li>In the left pane, click <strong>Install CA certificate on your PC</strong>.</li>
<li>In the right pane, click <strong>Copy and paste certificate</strong>.</li>
<li>Create text file <em>USER_INSTALL_ROOT</em>/etc/myLocalCA.txt on your workstation's mapped drive to the iSeries, then paste the CA certificate into <tt>myLocalCA.txt</tt> and save the file.</li>
<li>Click <strong>Done</strong>.</li>
</ol><p></p></li>
</ol>
<p>Use SSL configuration repertoires to manage SSL settings for resources in the administrative domain. The default repertoire is DefaultNode/DefaultSSLSettings. You can use DefaultNode/DefaultSSLSettings for testing or create new SSL configuration repertoires for production applications and associate them with individual resources. For more information, see <a href="seccsslr.htm">Use SSL configuration repertoires</a>.</p>
<p><strong><a name="cfgap"></a>Configuring SSL for the application server's HTTPS transport</strong></p>
<p>To configure SSL for the application server's HTTPS transport, you must first create an SSL key file. The contents of this file depend on whom you want to allow to communicate directly with the application server over the HTTPS port (in other words, you are defining the HTTPS server security policy).</p>
<p>This topic presents a restrictive security policy, in which only a well-defined set of clients (those presenting certificates signed by your local certificate authority) is allowed to connect to the application server HTTPS port. It is recommended that you follow this security policy when your application's deployment descriptor specifies the use of the client certificate authentication method. The procedure for creating an SSL key file without the default signer certificates conforms to this policy.</p>
<p>To configure SSL for the application server's HTTPS transport, follow these steps:</p>
<p><strong><a name="cfgap1"></a>Step 1: Create an SSL key file without the default signer certificates.</strong></p>
<ol>
<li><p>Start iKeyman on your workstation. For more information, see <a href="ikeyman.htm">IBM Key Management Tool (iKeyman)</a>.</p></li>
<li>Create a new key database file:
<ol type="a">
<li>Click <strong>Key Database File</strong> and select <strong>New</strong>.</li>
<li>Specify settings:
<ul>
<li><strong>Key database type</strong>: JKS</li>
<li><strong>File Name</strong>: appServerKeys.jks</li>
<li><strong>Location</strong>: your etc directory, such as <em>USER_INSTALL_ROOT</em>/etc</li>
</ul></li>
<li>Click <strong>OK</strong>.</li>
<li>Enter a password (twice for confirmation) and click <strong>OK</strong>.</li>
</ol><p></p></li>
<li><p>Delete all of the signer certificates.</p></li>
<li><p>Click <strong>Signer Certificates</strong> and select <strong>Personal Certificates</strong>.</p></li>
<li>Add a new self-signed certificate:
<ol type="a">
<li>Click <strong>New Self-Signed</strong> to add a self-signed certificate.</li>
<li>Specify settings:
<ul>
<li><strong>Key Label</strong>: appServerTest</li>
<li><strong>Common Name</strong>: use the DNS name for your iSeries server</li>
<li><strong>Organization</strong>: IBM</li>
</ul></li>
<li>Click <strong>OK</strong>.</li>
</ol><p></p></li>
<li>Extract the certificate from this self-signed certificate so that it can be imported into the plug-in's SSL key file:
<ol type="a">
<li>Click <strong>Extract Certificate</strong>.</li>
<li>Specify settings:
<ul>
<li><strong>Data Type</strong>: Base64-encoded ASCII data</li>
<li><strong>Certificate file name</strong>: appServer.arm</li>
<li><strong>Location</strong>: the path to your etc directory</li>
</ul></li>
<li>Click <strong>OK</strong>.</li>
</ol><p></p></li>
<li>Import the Local CA public certificate:
<ol type="a">
<li>Click <strong>Personal Certificates</strong> and select <strong>Signer Certificates</strong>.</li>
<li>Click <strong>Add</strong>.</li>
<li>Specify settings:
<ul>
<li><strong>Data Type</strong>: Base64-encoded ASCII data</li>
<li><strong>Certificate file name</strong>: myLocalCA.txt</li>
<li><strong>Location</strong>: the path to your etc directory</li>
</ul></li>
<li>Click <strong>OK</strong>.</li>
</ol><p></p></li>
<li><p>Enter <tt>plug-in</tt> for the label and click <strong>OK</strong>.</p></li>
<li><p>Click <strong>Key Database File</strong>.</p></li>
<li><p>Select <strong>Exit</strong>.</p></li>
</ol>
<p><strong><a name="cfgap2"></a>Step 2: Add the signer certificate of the application server to the plug-in's SSL key file.</strong></p>
<ol>
<li><a href="secdcmstr.htm">Start the Digital Certificate Manager (DCM)</a></li>
<li>On the left pane, click <strong>Select a Certificate Store</strong></li>
<li>Select <strong>Other System Certificate Store</strong> and click <strong>Continue</strong>.</li>
<li>On the Certificate Store and Password page, enter the <strong>Certificate store path and filename</strong> (<em>USER_INSTALL_ROOT</em>/etc/plugin-key.kdb) and the password, then click <strong>Continue</strong>.</li>
<li>On the left pane, click <strong>Fast Path</strong>.</li>
<li>Select <strong>Work with CA certificates</strong> and click <strong>Continue</strong>.</li>
<li>Click <strong>Import</strong>.</li>
<li>Specify <em>USER_INSTALL_ROOT</em>/etc/appServer.arm for the <strong>Import file</strong> field value and click <strong>Continue</strong>.</li>
<li>Specify appServer for the <strong>CA certificate label</strong> field value and click <strong>Continue</strong>.</li>
</ol>
<p><strong><a name="cfgap3"></a>Step 3: Grant access to the key files.</strong></p>
<p>It is very important to protect your key files from unauthorized access. Set the following protections by using the i5/OS Change Authority (CHGAUT) command:</p>
<ul>
<li><p>appServerKeys.jks</p>
<table border="1" cellpadding="3">
<tr>
<th>PROFILE</th>
<th>ACCESS</th>
</tr>
<tr>
<td>*PUBLIC</td>
<td>*EXCLUDE</td>
</tr>
<tr>
<td>QEJBSVR</td>
<td>*R</td>
</tr>
</table><p></p></li>
<li><p>plugin-key.kdb</p>
<table border="1" cellpadding="3">
<tr>
<th>PROFILE</th>
<th>ACCESS</th>
</tr>
<tr>
<td>*PUBLIC</td>
<td>*EXCLUDE</td>
</tr>
<tr>
<td>QTMHHTTP</td>
<td>*RX</td>
</tr>
</table><p></p></li>
<li><p>All other files you created in the <em>USER_INSTALL_ROOT</em>/etc directory should have *EXCLUDE authority set for *PUBLIC.</p></li>
</ul>
<p><strong>Note:</strong> QTMHHTTP is the default user profile for the IBM HTTP Server for i5/OS. If your Web server runs under another profile, grant that profile *RX authority for plugin-key.kdb instead of QTMHHTTP.</p>
<p>For example, to grant read and execute (*RX) authority for plugin-key.kdb to the QTMHHTTP user profile, run the Change Authority (CHGAUT) command as follows:</p>
<pre>CHGAUT OBJ('/QIBM/UserData/WebASE51/ASE/myInstance/etc/plugin-key.kdb')
       USER(QTMHHTTP) DTAAUT(*RX)</pre>
<p><strong><a name="cfgap4"></a>Step 4: (Optional) Configure an alias for the SSL port</strong></p>
<p>If you have not already configured an alias for your Web server's SSL port in your WebSphere virtual host, do so now.</p>
<p><strong><a name="cfgap5"></a>Step 5: Configure HTTPS transport for the Web container</strong></p>
<p>For more information, see <a href="secchttps.htm">Configure HTTPS transport for your application server's Web container</a>.</p>
<p>Manual update of the plug-in configuration file is required if you are using a key file other than the one that is provided with the product to configure SSL for the Web server plug-in. Before updates are applied, your regenerated plug-in configuration file should contain an entry that is similar to the following:</p>
<pre>&lt;Transport Hostname=&quot;MYISERIES&quot; Port=&quot;10175&quot; Protocol=&quot;https&quot;&gt;
&lt;Property name=&quot;keyring&quot; value=&quot;/QIBM/UserData/WebASE51/ASE/<em>myinst</em>/etc/plugin-key.kdb&quot;/&gt;
&lt;Property name=&quot;stashfile&quot; value=&quot;/QIBM/UserData/WebASE51/ASE/<em>myinst</em>/etc/plugin-key.sth&quot;/&gt;
&lt;/Transport&gt;</pre>
<p>When you use your own key file, you must manually update your plug-in configuration file with the name of your key file and remove the stashfile property definition. For example:</p>
<pre>&lt;Transport Hostname=&quot;MYISERIES&quot; Port=&quot;10175&quot; Protocol=&quot;https&quot;&gt;
&lt;Property name=&quot;keyring&quot; value=&quot;/QIBM/UserData/WebASE51/ASE/myinst/etc/myplugin-key.kdb&quot;/&gt;
&lt;/Transport&gt;</pre>
<p><strong>Note:</strong> Configuring the WebSphere Web plug-in for SSL can require manual updates to the plug-in configuration file. Manual changes can be lost when the plug-in configuration file is regenerated. If you have manually changed the plug-in configuration file, check the file after each regeneration to determine whether your changes have been lost, and reapply them if necessary.</p>
<p>The configuration is complete.</p>
<p>As an alternative, you can implement an even more restrictive security policy by configuring the plug-in to use a self-signed certificate for authenticating to the application server's Web container. Assuming you have successfully completed all steps in the above task, follow these steps to implement this more restrictive policy:</p>
<ol>
<li><p>Use iKeyman to create a keystore.</p></li>
<li><p>Create a self signed certificate in the keystore.</p></li>
<li><p>Export the self signed certificate (with the private key) from the keystore.</p></li>
<li><p>Extract the self-signed certificate (also known as a signer certificate, since it does not contain the private key) from the keystore.</p></li>
<li><p>Again using iKeyman, add the extracted signer certificate to the HTTPS transport's trust store (appServerKeys.jks in the above example).</p></li>
<li><p>Remove all other signer certificates from the HTTPS transport's trust store.</p></li>
<li><p>Using DCM, import the self-signed certificate (with the private key) into the plug-in's key store (plugin-key.kdb). Record the label you use when importing the certificate.</p>
<p><strong>Note</strong>: DCM treats self-signed certificates as signer certificates and adds the certificate to the list of signer certificates, even though the certificate contains a private key.</p></li>
<li><p>Restart the application server.</p></li>
<li><p>Regenerate the Web plugin configuration file.</p></li>
<li><p>Specify the certificate the plug-in is to use for authenticating to the Web container by manually adding the certLabel property to the HTTPS transport in the Web plug-in configuration file (<em>USER_INSTALL_ROOT</em>/config/cell/plugin-cfg.xml). Set the certLabel property value to the label you used when importing the self-signed certificate into the plug-in's key store. For example:</p>
<pre>&lt;Transport Hostname=&quot;MYISERIES&quot; Port=&quot;10175&quot; Protocol=&quot;https&quot;&gt;
&lt;Property name=&quot;keyring&quot;
value=&quot;/QIBM/UserData/WebASE51/ASE/myinst/etc/plugin-key.kdb&quot;/&gt;
&lt;Property name=&quot;certLabel&quot; value=&quot;selfsigned&quot;/&gt;
&lt;/Transport&gt;</pre></li>
<li><p>Restart the Web server.</p></li>
</ol>
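<p>Because regenerating the plug-in configuration file can silently discard the manual edits described above (the custom keyring, the removed stashfile property, and the certLabel property), it is useful to have a check that can be run after every regeneration. The following Python script is an added example and is not part of this topic or of the WebSphere product. It assumes only the <tt>Transport</tt>/<tt>Property</tt> layout shown in the examples above; the expected keyring path, the certificate label and the two sample configuration fragments embedded in the script are constructed for illustration.</p>
<pre>
```python
"""Audit the https Transport entries of a WebSphere plug-in configuration
file (plugin-cfg.xml) for lost manual SSL edits.

Added example; not part of the IBM topic or the WebSphere product.
Assumes the Transport/Property layout shown in the topic. The expected
values and the sample fragments below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed value: the custom key file you configured for the plug-in.
EXPECTED_KEYRING = "/QIBM/UserData/WebASE51/ASE/myinst/etc/myplugin-key.kdb"

# Constructed sample: what a freshly regenerated file looks like (product
# keyring plus stashfile); the http transport port is also constructed.
REGENERATED_CFG = """<Config>
  <ServerCluster Name="myinst_Cluster">
    <Server Name="myinst">
      <Transport Hostname="MYISERIES" Port="10100" Protocol="http"/>
      <Transport Hostname="MYISERIES" Port="10175" Protocol="https">
        <Property name="keyring" value="/QIBM/UserData/WebASE51/ASE/myinst/etc/plugin-key.kdb"/>
        <Property name="stashfile" value="/QIBM/UserData/WebASE51/ASE/myinst/etc/plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>"""

# Constructed sample: the file after the manual edits from the topic.
EDITED_CFG = """<Config>
  <ServerCluster Name="myinst_Cluster">
    <Server Name="myinst">
      <Transport Hostname="MYISERIES" Port="10100" Protocol="http"/>
      <Transport Hostname="MYISERIES" Port="10175" Protocol="https">
        <Property name="keyring" value="/QIBM/UserData/WebASE51/ASE/myinst/etc/myplugin-key.kdb"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>"""


def audit_https_transports(xml_text, expected_keyring, expected_cert_label=None):
    """Return a list of (hostname, port, finding) tuples, one per problem.

    For every Transport whose Protocol is https, verify that:
      - the keyring property names the expected custom key file,
      - no stashfile property survives (it must be removed with a custom key file),
      - if expected_cert_label is given, certLabel matches it.
    An empty list means the manual edits are all present.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for transport in root.iter("Transport"):
        if transport.get("Protocol", "").lower() != "https":
            continue  # http transports carry no SSL properties
        where = (transport.get("Hostname"), transport.get("Port"))
        props = {p.get("name"): p.get("value") for p in transport.findall("Property")}
        keyring = props.get("keyring")
        if keyring != expected_keyring:
            findings.append(where + (f"keyring is {keyring!r}, expected {expected_keyring!r}",))
        if "stashfile" in props:
            findings.append(where + ("stashfile property present; remove it when using your own key file",))
        if expected_cert_label is not None and props.get("certLabel") != expected_cert_label:
            findings.append(where + (f"certLabel is {props.get('certLabel')!r}, expected {expected_cert_label!r}",))
    return findings


def audit_file(path, expected_keyring, expected_cert_label=None):
    """Convenience wrapper for a real plugin-cfg.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_https_transports(fh.read(), expected_keyring, expected_cert_label)


if __name__ == "__main__":
    for label, cfg in (("regenerated", REGENERATED_CFG), ("edited", EDITED_CFG)):
        result = audit_https_transports(cfg, EXPECTED_KEYRING)
        print(f"{label}: {'OK' if not result else ''}")
        for host, port, finding in result:
            print(f"  {host}:{port} - {finding}")
```
</pre>
<p>Run the script with no arguments to see it flag the regenerated fragment (wrong keyring, stashfile still present) and pass the edited one; point <tt>audit_file</tt> at <em>USER_INSTALL_ROOT</em>/config/cell/plugin-cfg.xml after each regeneration. Pass the label you recorded in DCM as <tt>expected_cert_label</tt> when you have applied the more restrictive self-signed-certificate policy, so a missing certLabel is reported as well.</p>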
</body>
</html>