Configuring Oracle Java CAPS for SSL Support
Configuring Enterprise Manager to Use SSL
To enable Enterprise Manager to use SSL, perform the tasks in the following sections:
Note - The instructions in this topic use port number 8443 as the SSL port. The instructions in Configuring the Repository to Use SSL also use port number 8443 as the SSL port. If you are configuring the Repository and Enterprise Manager on the same computer, then ensure that the port numbers are different.
Creating the Keystore and Trust Store

The first task involves creating a keystore and a trust store on the computer where the Enterprise Manager server is installed.
For basic information about keystores and trust stores, see Secure Sockets Layer (SSL) Overview.
The examples in this topic show passwords being entered on the command line. You can omit these passwords, and be prompted to enter them.
set PATH="C:\Program Files\Java\jdk1.6.0_06\jre\bin";%PATH%
C:\JavaCAPS6\keystore
keytool -genkey -alias mykey -keyalg RSA -keypass changeit -keystore keystore.jks -storepass changeit
When you are prompted to enter your first and last name, do not enter your first and last name. Instead, enter the fully qualified computer name. For example:
What is your first and last name?
  [Unknown]:  example.company.com
What is the name of your organizational unit?
  [Unknown]:  Development
What is the name of your organization?
  [Unknown]:  Oracle Corporation
What is the name of your City or Locality?
  [Unknown]:  Monrovia
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=example.company.com, OU=Development, O=Oracle Corporation, L=Monrovia, ST=California, C=US correct?
  [no]:  yes
keytool -export -alias mykey -file mykey.cer -keystore keystore.jks -storepass changeit
The certificate is stored in the file that you specified.
keytool -import -v -trustcacerts -alias mykey -keypass changeit -file mykey.cer -keystore cacerts.jks -storepass changeit
The trust store is created. The trust store includes the imported certificate.
Importing the Domain Certificate

After you perform the steps in Creating the Keystore and Trust Store, you must import the certificate of the application server domain into the trust store.
In addition, you must perform the following edits to files on the Enterprise Manager server:
Enable the SSL connector in the server.xml configuration file. A connector represents an endpoint by which requests are received and responses are returned.
The examples in this topic show passwords being entered on the command line. You can omit these passwords, and be prompted to enter them.
keytool -export -alias s1as -file ascert.cer -keystore keystore.jks -storepass changeit
The certificate is stored in the file that you specified.
keytool -import -v -trustcacerts -alias s1as -keypass changeit -file ascert.cer -keystore cacerts.jks -storepass changeit
The certificate is added to the trust store.
Set the value of the keystoreFile attribute to the fully qualified name of the keystore that you created in Creating the Keystore and Trust Store. Set the value of the keystorePass attribute to the corresponding password.
<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           keystoreFile="C:\JavaCAPS6\keystore\keystore.jks" keystorePass="changeit"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
set JAVA_OPTS=-Xmx512m -Djavax.net.ssl.trustStore=C:\JavaCAPS6\keystore\cacerts.jks
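The following script is an added example (not part of the Java CAPS documentation) that audits the SSL Connector settings described above in a server.xml file: it checks the scheme, secure and sslProtocol attributes, confirms that keystoreFile is set, and flags a keystorePass that is still the placeholder value used in this procedure. The sample server.xml is constructed inline so the script runs offline.

```python
"""Audit the SSL <Connector> element in an Enterprise Manager server.xml.

Added example, not from the Java CAPS documentation. It verifies the
attributes the procedure sets (scheme, secure, sslProtocol, keystoreFile,
keystorePass) and reports settings a reviewer would flag, such as the
placeholder password "changeit" left in place after configuration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from the procedure, embedded so the
# script runs offline. "changeit" is the documentation's placeholder.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" maxThreads="150" enableLookups="false"
  keystoreFile="C:\\JavaCAPS6\\keystore\\keystore.jks" keystorePass="changeit"
  scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
<Connector port="8080" scheme="http" />
</Service></Server>"""

# Attribute values the procedure requires on the SSL connector.
REQUIRED = {"scheme": "https", "secure": "true", "sslProtocol": "TLS"}
# Passwords that indicate the placeholder was never replaced.
WEAK_PASSWORDS = {"changeit", "password", ""}


def audit_ssl_connectors(server_xml: str, expected_port: str = "8443"):
    """Return a list of findings for the SSL connectors; empty means clean."""
    root = ET.fromstring(server_xml)
    findings = []
    ssl_connectors = [c for c in root.iter("Connector")
                      if c.get("secure") == "true" or c.get("scheme") == "https"]
    if not ssl_connectors:
        return [f"no SSL connector found; expected one on port {expected_port}"]
    for c in ssl_connectors:
        port = c.get("port", "?")
        for attr, want in REQUIRED.items():
            if c.get(attr) != want:
                findings.append(f"port {port}: {attr}={c.get(attr)!r}, expected {want!r}")
        if not c.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
        if c.get("keystorePass", "") in WEAK_PASSWORDS:
            findings.append(f"port {port}: keystorePass is a default or empty password")
        if port != expected_port:
            findings.append(f"port {port}: does not match the Enterprise Manager URL port {expected_port}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_connectors(SAMPLE_SERVER_XML) or ["no findings"]:
        print(finding)
```

Run it against the real server.xml by reading the file into audit_ssl_connectors instead of the embedded sample; the trust store path passed through JAVA_OPTS is a separate setting and is not covered here.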
Enabling Security on the Application Server

In the final configuration task, you enable security for one of the default HTTP listeners on the GlassFish Application Server. The listener is called admin-listener.
When Enterprise Manager has been configured to use SSL, the URL that you use to log in has a different scheme and port number. For detailed information about Enterprise Manager user names and passwords, see Managing Java CAPS Users.
https://hostname:portnumber
The scheme must be https. The port number must be the value used in the <Connector> element in the server.xml file. For example:
https://example.company.com:8443/
The Enterprise Manager Security Gateway screen appears.
Enterprise Manager appears.