Setting Up SSL For WebSphere
This section provides an overview and discusses how to:
Generate a certificate using pskeymanager.
Configure the WebSphere container to support SSL.
Understanding WebSphere Key Stores
WebSphere manages keys in key store files. There are two types of files: key stores and trust stores.
These store types are very similar, but a trust store contains only trusted signers: the Certificate Authority (CA) certificates and other signing certificates are kept in a trust store, while personal certificates together with their private keys are stored in a key store.
The pskeymanager utility is a PeopleTools wrapper around Java's keytool, used to manage the predefined WebSphere key store (pskey) located in the following directory:
Generating a Certificate Using pskeymanager
Use the following steps to generate a key pair and self-signed certificate for the web container, have the certificate signed by a Certificate Authority, and load the CA certificates and the signed certificate into the key store.
To generate a certificate using pskeymanager:
At a command prompt, change to the WebSphere domain directory, for example:
Create a new private key and certificate request for your server.
Run the following command:
Follow the prompts and specify the required information for creating a certificate, such as alias, common name, organizational unit, location, and so on. The common name must be the host name that browsers use to reach the web server; otherwise they report a certificate name mismatch.
Make sure a Certificate Signing Request (CSR) file named alias_certreq.txt was created, where alias is the alias you entered.
You submit this CSR to a CA to obtain a signed certificate, which you then load into your key store.
Decide which CA you wish to use.
You may use any CA whose certificates can be imported into a Java (JKS) key store.
As an example, the following steps show how to submit the CSR that you generated to Verisign/Symantec to obtain a trial certificate.
Submit your CSR to a CA.
For example, access Symantec’s site at:
When prompted, copy and paste the contents of your CSR, provide all necessary contact information, and submit the request.
Check your email for the certificate sent from the CA.
The certificate from the CA should look similar to the following:
-----BEGIN CERTIFICATE-----
DMICHDCCAcYCEAHSeRkM2guFL+6OvHr4AS0wDQYJKoZIhvcNAQEEBQAwgakxFjAP
AANVBAoTDVZlcmlTaWduLCBLbAMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20S
VcVwb3NpdG9yeS9UZXN0Q1ETIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYF
LIGEc3VyYW5jZXMgKEMpVRMxOSDFertdsfh67TIwNDAwMDAwMFoXDTAwMTIxODIA
ONT1LVoweTELMAkGA1UERhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNK
VBAUCOBsZWFzYW50b24BEzARBgNVBAoUClBlb3BsZVNvZnQxFDASBgNVBAsUC1BT
Eb3sZVVvb2xzMRUwEwADVQQDFAxEQlJPV04xMTE0MDAwXDANBgkqhkiG9w0BAQET
SAALADBEAkEAucfM/GOQhdkk4Q0ZD5i1l4gp6WTYMc4IaReoCYkEAmDKAVcYzY3R
Mdbp4RC8SABd3bjjDOHcoCak9U6oSwL+HQIDAQABMA0GCSqGSIb3DQEBBAUAA0EO
Arm3uf634Md0fqgNxhAL+e9rbY0ia/X48Axloi17+kLtVI1YPOp+Jy6Slp5iNIFC
DhskdDFH45AjSDAFhjruGHJK56SDFGqwq23SFRfgtjkjyu673424yGWE5Gw4576K
DosdDFG256EDHY45yTRH67i345314GQE356mjsdhhjuwbtrh43Gq3QEVe45341tS
YDY6d47lDmQxDs9wGt1bkQ==
-----END CERTIFICATE-----
Copy the entire certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and save it as a file named webservername-cert.pem.
Note: To save the file, don't use a word processor that inserts formatting or control characters.
Note: If you need to FTP your certificate to UNIX, you must FTP it in ASCII mode.
Download the CA root certificate. The following steps use the Verisign/Symantec trial root CA certificate as an example.
Download the Trial Root CA certificate from:
From the specified link, click Select All, copy the contents of the certificate into a plain text file named verisignRootCA.cer, and save it to your WebSphere domain directory.
Download VeriSign's Trial Intermediate CA certificate from:
Click Select All, copy the contents of the certificate into a plain text file named verisignInterCA.cer, and save it into your WebSphere domain directory. You can also append the contents of this Trial Intermediate CA certificate to the Root CA certificate file verisignRootCA.cer. If you do, list the key store after the import step and confirm that both the root and the intermediate certificate are present: keytool stores an imported trusted certificate under a single alias, so a combined file may yield only the first certificate.
Note: If you need to FTP your certificate to UNIX, you must FTP it in ASCII mode to your WebSphere domain directory.
Import the CA's certificates into your key store.
To import the CA's public certificate into your key store, run (pskeymanager.sh on UNIX):
pskeymanager.cmd -import -trustcacerts
When prompted for an alias, specify a descriptive name to store the CA certificate under, for example VerisignTrialCA. This name is only an alias for this certificate.
When prompted for the certificate file to import, specify the root certificate, such as verisignRootCA.cer file.
If any other certificates (such as the Verisign Intermediate certificate) are saved into a different file, run the command to import that certificate also.
Import your certificate into your keystore.
To import your signed certificate into your key store, run the following command from the command prompt:
When prompted for an alias, specify the same alias you used when you created your private key and certificate request. Using the same alias makes keytool attach the CA-signed certificate to the existing private key entry, replacing the self-signed certificate; under a different alias it would be stored as a separate trusted certificate with no private key, which the web container cannot use for SSL.
When prompted for the certificate file to import, specify your certificate file, webservername-cert.pem.
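The notes above about saving the certificate with a plain text editor and transferring it in ASCII mode, and the option of appending the intermediate CA certificate to the root CA file, come down to one question: is the file on disk still a clean PEM blob that the import step will parse? The following Python script is an added example, not part of this PeopleBook or of pskeymanager, that answers that before you run the import. It flags editor debris (a byte-order mark, control or non-ASCII characters), verifies that each base64 body decodes to one complete DER SEQUENCE (which catches truncation and dropped characters even when base64 still decodes), and splits a multi-certificate file into one PEM blob per certificate so that each CA certificate can be imported under its own alias. The script name pem_check.py and the stem-N.cer output naming are assumptions; the data it runs on when given no argument is a constructed placeholder DER structure, not a real certificate.

```python
"""Sanity-check a CA-issued certificate file before importing it with
pskeymanager/keytool, and split a root+intermediate bundle into one PEM
blob per certificate so each can be imported under its own alias."""
from __future__ import annotations

import base64
import re
import sys
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour with the usual 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("\n".join([BEGIN, *lines, END]) + "\n").encode("ascii")


def der_length_ok(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose encoded length covers exactly the
    rest of the buffer. A certificate that was truncated, or had characters
    dropped or inserted by an editor, fails this even if base64 still decodes."""
    if len(der) < 2 or der[0] != 0x30:        # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                           # short-form length
        length, header = first, 2
    else:                                      # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def check_pem(data: bytes) -> tuple[list[bytes], list[str]]:
    """Return (der_certs, problems). An empty problems list means the file is
    clean ASCII PEM with every certificate intact."""
    problems: list[str] = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark at start of file (editor artefact)")
    junk = sorted({c for c in data if c not in (9, 10, 13) and not 32 <= c <= 126})
    if junk:
        problems.append(f"non-printable or non-ASCII bytes present: {junk[:5]}")
    text = data.decode("ascii", errors="replace")
    if text.count(BEGIN) != text.count(END):
        problems.append("unbalanced BEGIN/END CERTIFICATE markers")
    blocks = PEM_RE.findall(text)
    if not blocks:
        problems.append("no BEGIN/END CERTIFICATE markers found")
    certs: list[bytes] = []
    for i, body in enumerate(blocks, 1):
        b64 = "".join(line.strip() for line in body.splitlines())
        try:
            der = base64.b64decode(b64, validate=True)   # reject any stray character
        except ValueError as exc:                         # binascii.Error is a ValueError
            problems.append(f"certificate {i}: base64 decode failed ({exc})")
            continue
        if not der_length_ok(der):
            problems.append(f"certificate {i}: not a complete DER SEQUENCE (truncated or corrupted)")
            continue
        certs.append(der)
    return certs, problems


def split_bundle(data: bytes) -> list[bytes]:
    """Return one PEM blob per certificate in a bundle; raises if the file is bad."""
    certs, problems = check_pem(data)
    if problems:
        raise ValueError("; ".join(problems))
    return [to_pem(der) for der in certs]


# Constructed stand-in for a CA-issued certificate: a DER SEQUENCE with a
# long-form length and placeholder contents. It is NOT a real X.509 certificate;
# it only exercises the framing checks above.
SAMPLE_DER = b"\x30\x81\x64" + b"\x02\x01\x05" + bytes(97)
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    # Usage: python pem_check.py [certificate-or-bundle.cer]
    # Without a path, the constructed two-certificate bundle is checked instead.
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    data = path.read_bytes() if path else SAMPLE_PEM + SAMPLE_PEM
    certs, problems = check_pem(data)
    for p in problems:
        print("PROBLEM:", p)
    print(f"{len(certs)} certificate(s) parsed, {len(problems)} problem(s)")
    if path and not problems and len(certs) > 1:
        for i, pem in enumerate(split_bundle(data), 1):   # one file per CA certificate
            out = path.with_name(f"{path.stem}-{i}.cer")
            out.write_bytes(pem)
            print("wrote", out)
```

The script checks framing only; it does not parse subject, issuer or signature, so it cannot tell root from intermediate. That verification still happens at import time, where keytool with -trustcacerts refuses a certificate reply whose chain does not end at a certificate already trusted in the key store.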
Configuring the WebSphere Container to Support SSL
To complete the SSL configuration, the web container must be modified to use the certificate you imported into the key store.
To set up WebSphere Container SSL:
Start the Integrated Solutions Console (ISC), and select Security, SSL certificate and key management, Manage endpoint security configurations.
On the Local Topology tab, expand the Inbound tree, and click on the appropriate node, as in peoplesoftNode.
In the Related Items list on the right, click Key stores and certificates.
In the resource table, click NodeDefaultKeyStore in the Name column.
In the Additional Properties list on the right, click Personal certificates.
On the General Properties page, select the Key store file radio button, and complete the following:
In the Key file name field, enter the fully qualified path to the keystore file containing the certificate to import.
From the Type dropdown list, select JKS.
In the Key file password field, enter the password you specified when creating the pskey key store.
Click Get Key File Aliases.
The system searches the key store and should populate the Certificate alias to import list.
To store the certificate under a new alias, enter it in the Imported certificate alias field; otherwise leave the field empty to keep the alias from the key store.
Click Apply and OK.
Save the configuration in the Administrative Console.
Note: To configure Outbound SSL, repeat the same steps within the Outbound tree.