Configuring Oracle Java CAPS for SSL Support     Java CAPS Documentation

Configuring Enterprise Manager to Use SSL

To enable Enterprise Manager to use SSL, perform the tasks in the following sections:


Note - The instructions in this topic use port number 8443 as the SSL port. The instructions in Configuring the Repository to Use SSL also use port number 8443 as the SSL port. If you are configuring the Repository and Enterprise Manager on the same computer, then ensure that the port numbers are different.


Creating the Keystore and Trust Store

The first task involves creating a keystore and a trust store on the computer where the Enterprise Manager server is installed.

For basic information about keystores and trust stores, see Secure Sockets Layer (SSL) Overview.

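The examples in this topic show passwords being entered on the command line. You can omit the password options, in which case keytool prompts you to enter the passwords. Prompting keeps the passwords out of the command history and out of any script that records these commands.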

To Create the Keystore and Trust Store

  1. Go to the computer where the Enterprise Manager server is installed.
  2. If the Enterprise Manager server is running, then shut down the Enterprise Manager server.
  3. Set the path variable to include the Java Runtime Environment (JRE) software used by the Enterprise Manager server. For example:
    set PATH="C:\Program Files\Java\jdk1.6.0_06\jre\bin";%PATH%
  4. Create a directory for the keystore and trust store. For example:
    C:\JavaCAPS6\keystore
  5. Navigate to the directory that you created, and use the keytool program to create a certificate in a new keystore.
    keytool -genkey -alias mykey -keyalg RSA -keypass changeit -keystore keystore.jks -storepass changeit

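    When you are prompted to enter your first and last name, do not enter your first and last name. Instead, enter the fully qualified computer name. The keytool program stores this value as the common name (CN) of the certificate, which clients compare with the host name in the URL. For example: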

    What is your first and last name?
      [Unknown]:  example.company.com
    What is the name of your organizational unit?
      [Unknown]:  Development
    What is the name of your organization?
      [Unknown]:  Oracle Corporation
    What is the name of your City or Locality?
      [Unknown]:  Monrovia
    What is the name of your State or Province?
      [Unknown]:  California
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=example.company.com, OU=Development, O=Oracle Corporation, L=Monrovia, ST=California, C=US correct?
      [no]:  yes
  6. Export the certificate to a file.
    keytool -export -alias mykey -file mykey.cer -keystore keystore.jks -storepass changeit

    The certificate is stored in the file that you specified.

  7. Import the certificate into a new trust store.
    keytool -import -v -trustcacerts -alias mykey -keypass changeit -file mykey.cer -keystore cacerts.jks -storepass changeit

    The trust store is created. The trust store includes the imported certificate.
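
A check you can run after step 7, shown as an added example that is not part of the original Java CAPS documentation: it parses the text printed by `keytool -list -v -keystore cacerts.jks` and reports any expected alias that is missing, is not a trusted certificate entry, or whose CN is not the fully qualified computer name. The listing is a constructed sample, and the function names are this example's own.

```python
import re

# Constructed sample in the layout printed by
# `keytool -list -v -keystore cacerts.jks` (fingerprint lines left out).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey
Creation date: Jan 1, 2010
Entry type: trustedCertEntry

Owner: CN=example.company.com, OU=Development, O=Oracle Corporation, L=Monrovia, ST=California, C=US
Issuer: CN=example.company.com, OU=Development, O=Oracle Corporation, L=Monrovia, ST=California, C=US
"""

def parse_entries(listing):
    """Map each alias to its entry type and the CN of its first Owner line."""
    entries, current = {}, None
    for line in (raw.strip() for raw in listing.splitlines()):
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Alias name":
            current = entries.setdefault(value, {})
        elif current is None:
            continue  # header lines before the first entry
        elif key == "Entry type":
            current["type"] = value
        elif key == "Owner" and "cn" not in current:
            found = re.search(r"\bCN=([^,]+)", value)
            current["cn"] = found.group(1).strip() if found else None
    return entries

def check_trust_store(listing, expected):
    """expected maps alias -> required CN, or None to accept any CN.
    Returns a list of problems; an empty list means the store matches."""
    entries, problems = parse_entries(listing), []
    for alias, cn in expected.items():
        entry = entries.get(alias)
        if entry is None:
            problems.append(f"{alias}: not in trust store")
        elif entry.get("type") != "trustedCertEntry":
            problems.append(f"{alias}: entry type is {entry.get('type')}")
        elif cn is not None and entry.get("cn") != cn:
            problems.append(f"{alias}: CN is {entry.get('cn')}, expected {cn}")
    return problems
```

After you import the domain certificate in the next task, pass `{"mykey": "example.company.com", "s1as": None}` as `expected` to confirm that both certificates are in the trust store.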

Importing the Domain Certificate

After you perform the steps in Creating the Keystore and Trust Store, you must import the certificate of the application server domain into the trust store.

In addition, you must perform the following edits to files on the Enterprise Manager server:

The examples in this topic show passwords being entered on the command line. You can omit the password options, in which case keytool prompts you to enter the passwords.

To Import the Domain Certificate

  1. Go to the computer where the application server is installed.
  2. Navigate to the JavaCAPS-install-dir/appserver/domains/domain-name/config directory.
  3. Export the domain certificate to a file.
    keytool -export -alias s1as -file ascert.cer -keystore keystore.jks -storepass changeit

    The certificate is stored in the file that you specified.

  4. Copy the file to the directory that you created in Creating the Keystore and Trust Store.
  5. Import the domain certificate into the trust store that you created in Creating the Keystore and Trust Store.
    keytool -import -v -trustcacerts -alias s1as -keypass changeit -file ascert.cer -keystore cacerts.jks -storepass changeit

    The certificate is added to the trust store.

  6. Using a text editor, open the server.xml file in the JavaCAPS-install-dir/emanager/server/conf directory.
  7. Within the <Service> element, comment out the first <Connector> element.
  8. Uncomment the second <Connector> element. Add the keystoreFile and keystorePass attributes.

    Set the value of the keystoreFile attribute to the fully qualified name of the keystore that you created in Creating the Keystore and Trust Store. Set the value of the keystorePass attribute to the corresponding password.

    <Connector port="8443"
       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
       enableLookups="false" disableUploadTimeout="true"
       keystoreFile="C:\JavaCAPS6\keystore\keystore.jks"
       keystorePass="changeit"
       acceptCount="100" debug="0" scheme="https" secure="true"
       clientAuth="false" sslProtocol="TLS" />
  9. Save the server.xml file.
  10. Using a text editor, open the startserver batch file in the JavaCAPS-install-dir/emanager directory.
  11. Add the javax.net.ssl.trustStore option. Set the value to the fully qualified name of the trust store that you created in Creating the Keystore and Trust Store.
    set JAVA_OPTS=-Xmx512m -Djavax.net.ssl.trustStore=C:\JavaCAPS6\keystore\cacerts.jks
  12. Save the startserver batch file.
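
A consistency check for the two files edited in this procedure, shown as an added example that is not part of the original Java CAPS documentation: it reports a plain connector that is still active, a missing keystoreFile, the example password changeit left in keystorePass, an SSL port that collides with another listener (see the note about the Repository above), and a trust store path that does not sit beside the keystore. The inputs are constructed samples, and port 8080, the `audit` function and its `reserved_ports` parameter are assumptions of this example.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed inputs that follow the steps above; port 8080 for the plain
# connector is an assumption, not a value from this page.
SAMPLE_SERVER_XML = r"""<Server>
  <Service name="Catalina">
    <!-- <Connector port="8080" maxThreads="150" /> -->
    <Connector port="8443" scheme="https" secure="true"
       keystoreFile="C:\JavaCAPS6\keystore\keystore.jks"
       keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>"""
SAMPLE_JAVA_OPTS = r"-Xmx512m -Djavax.net.ssl.trustStore=C:\JavaCAPS6\keystore\cacerts.jks"

def audit(server_xml, java_opts, reserved_ports=()):
    """Return findings for the active <Connector> elements and the trust
    store option. ElementTree drops XML comments, so a commented-out
    connector is ignored here just as the server ignores it."""
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    tls = [c for c in connectors
           if c.get("scheme") == "https" and c.get("secure") == "true"]
    if not tls:
        findings.append("no active connector with scheme=https and secure=true")
    for c in connectors:
        if c not in tls:
            findings.append(f"port {c.get('port', '?')}: plain connector is still active")
    match = re.search(r"-Djavax\.net\.ssl\.trustStore=(\S+)", java_opts)
    if not match:
        findings.append("javax.net.ssl.trustStore is not set")
    for c in tls:
        port, keystore = c.get("port", ""), c.get("keystoreFile")
        if port.isdigit() and int(port) in reserved_ports:
            findings.append(f"port {port}: already used by another SSL listener")
        if not keystore:
            findings.append(f"port {port}: keystoreFile is missing")
        elif match and (ntpath.dirname(keystore).lower()
                        != ntpath.dirname(match.group(1)).lower()):
            findings.append(f"port {port}: trust store is not beside the keystore")
        if c.get("keystorePass") == "changeit":
            findings.append(f"port {port}: keystorePass is the example value")
    return findings
```

Pass the SSL port of the Repository in `reserved_ports` when both servers run on the same computer.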

Enabling Security on the Application Server

In the final configuration task, you enable security for one of the default HTTP listeners on the GlassFish Application Server. The listener is called admin-listener.

To Enable Security on the Application Server

  1. Log in to the Admin Console.
  2. In the left pane, expand the Configurations node, the HTTP Service node, and the HTTP Listeners node.
  3. In the left pane, select the admin-listener node.
  4. Click the SSL tab.
  5. In the Certificate NickName field, type s1as.
  6. Click Save.
  7. Click the Edit HTTP Listener tab.
  8. Select the Enable check box to the right of the Security label.
  9. Click Save.
  10. Stop and restart the application server.

Logging In to Enterprise Manager

When Enterprise Manager has been configured to use SSL, the URL that you use to log in has a different scheme and port number. For detailed information about Enterprise Manager user names and passwords, see Managing Java CAPS Users.

To Log In to Enterprise Manager

  1. Start the Enterprise Manager server.
  2. In a supported browser, enter the following URL:
    https://hostname:portnumber

    The scheme must be https. The port number must be the value used in the <Connector> element in the server.xml file. For example:

    https://example.company.com:8443/

    The Enterprise Manager Security Gateway screen appears.

  3. In the User ID field, enter an Enterprise Manager user name.
  4. In the Password field, enter the corresponding password.
  5. Click Login.

    Enterprise Manager appears.