Sun Java System Web Server 7.0 Update 5 Administrator's Guide

Configuring SSL for the Server

SSL is the most popular standard for securing Internet communications and transactions. Web applications use HTTPS (HTTP over SSL), which uses digital certificates to ensure secure, confidential communications between server and clients. In an SSL connection, both the client and the server encrypt data before sending it, then decrypt it upon receipt.

When a Web browser (client) wants to connect to a secure site, an SSL handshake happens:

After the handshake, the client has verified the identity of the Web site, and only the client and the Web server have a copy of the session key. From this point forward, the client and the server use the session key to encrypt all their communications with each other, which keeps those communications secure.

The newest version of the SSL standard is called TLS (Transport Layer Security).

Use the command create-cert-request to generate a request and send the request to your CA. Later, when you receive the certificate from the CA you'll need to install it using the install-cert command. If you have a key and a certificate in a Java keystore which you're looking to migrate, use the command migrate-jks-keycert. For a development/test server, the easiest way to get going is to generate a self-signed certificate using the command create-selfsigned-cert.


wadm> create-selfsigned-cert --server-name=hostname --nickname=MyServerCert --token=internal

Check the man pages for more options and examples.

With the certificate installed, you need a listener on a port which will have SSL enabled.


wadm> create-http-listener --user=admin --password-file=admin.pwd --host=serverhost --port=8989 --listener-port=18003 --config=config1 --server-name=config1.com --default-virtual-server-name=config1_vs_1 config1_ls_1

Next, enable SSL for the listener and associate the listener with the nickname of the certificate.


wadm> set-ssl-prop --http-listener=http-listener-ssl enabled=true
wadm> set-ssl-prop --http-listener=http-listener-ssl server-cert-nickname=MyServerCert

After this setup, deploy the configuration and start the instance.


wadm> deploy-config config_name
wadm> start-instance --config config_name hostname
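
As an added example (not part of the original guide or of the product's tooling), the following Python lint checks a wadm command script for the dependency this procedure relies on: a listener that receives SSL properties must be the listener that was created, and its server-cert-nickname must name a certificate that was created. The function names, the one-command-per-line layout and the assumption that the whole setup lives in one script are assumptions of this example; run over the page's commands as written, it reports that set-ssl-prop targets http-listener-ssl while the listener created is config1_ls_1.

```python
import shlex

# Constructed sample: the wadm commands from this page, one command per line.
WADM_SCRIPT = """\
create-selfsigned-cert --server-name=hostname --nickname=MyServerCert --token=internal
create-http-listener --user=admin --password-file=admin.pwd --host=serverhost --port=8989 --listener-port=18003 --config=config1 --server-name=config1.com --default-virtual-server-name=config1_vs_1 config1_ls_1
set-ssl-prop --http-listener=http-listener-ssl enabled=true
set-ssl-prop --http-listener=http-listener-ssl server-cert-nickname=MyServerCert
"""

def parse(line):
    """Split one wadm command into (name, --options, operands and name=value properties)."""
    words = shlex.split(line)
    if words and words[0] == "wadm>":      # tolerate a pasted prompt
        words = words[1:]
    if not words:
        return "", {}, []
    opts, rest = {}, []
    for w in words[1:]:
        if w.startswith("--"):
            key, _, val = w[2:].partition("=")
            opts[key] = val
        else:
            rest.append(w)
    return words[0], opts, rest

def lint(script):
    """Return findings for SSL listener setup that cannot take effect as written."""
    certs, listeners, ssl = set(), set(), {}
    findings = []
    for line in filter(str.strip, script.splitlines()):
        cmd, opts, rest = parse(line)
        if cmd == "create-selfsigned-cert":
            certs.add(opts.get("nickname"))
        elif cmd == "create-http-listener" and rest:
            listeners.add(rest[-1])        # listener name is the final operand
        elif cmd == "set-ssl-prop":
            props = dict(p.split("=", 1) for p in rest if "=" in p)
            ssl.setdefault(opts.get("http-listener"), {}).update(props)
    for name, props in ssl.items():
        if name not in listeners:
            findings.append(f"listener '{name}' has SSL properties but was never created")
        if props.get("enabled") == "true":
            nick = props.get("server-cert-nickname")
            if nick is None:
                findings.append(f"listener '{name}' enables SSL without server-cert-nickname")
            elif nick not in certs:
                findings.append(f"listener '{name}' references unknown certificate '{nick}'")
    return findings
```

Certificates installed by other means (for example with install-cert in an earlier session) are not tracked by this sketch and would be reported as unknown.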

Using Administration Console

To create a self-signed certificate through the Administration Console, follow the steps in Requesting a Certificate and select 'Self-Signed Certificate' as the certificate type.