Configuring Oracle Java CAPS for SSL Support     Java CAPS Documentation

Configuring the Repository to Use SSL

The HTTPS service of the Repository will not run unless a server certificate has been installed. Use the following procedure to set up a server certificate that can be used by the Repository to enable SSL.


Note - If you configure the Repository to use SSL, then NetBeans IDE users cannot connect to the Repository.


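To enable the Repository to use SSL, perform the tasks in the following sections:

  1. Generating a Key Pair and a Self-Signed Certificate
  2. Obtaining a Signed Certificate
  3. Importing the Certificate
  4. Configuring the server.xml File
  5. Testing the New SSL Connection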


Note - The instructions in this topic use port number 8443 as the SSL port. The instructions in Configuring Enterprise Manager to Use SSL also use port number 8443 as the SSL port. If you are configuring the Repository and Enterprise Manager on the same computer, then ensure that the port numbers are different.


Generating a Key Pair and a Self-Signed Certificate

The -genkey command of the keytool program generates a key pair and wraps the public key in a self-signed certificate.

To Generate a Key Pair and a Self-Signed Certificate

  1. Navigate to the JAVA_HOME/bin directory, where JAVA_HOME is the installation directory of the Java SDK.
  2. Enter the following command:
    keytool -genkey -keyalg RSA -alias CAPS -keystore keystore_filename
  3. When prompted, enter your keystore password.
  4. When prompted, enter the Distinguished Name information.
    1. What is your first and last name?

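      Caution - When prompted for your first and last name, make sure you enter the machine hostname. keytool stores this value as the CN of the certificate, which clients compare with the host name in the URL they connect to.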


    2. What is the name of your organizational unit?
    3. What is the name of your organization?
    4. What is the name of your City or Locality?
    5. What is the name of your State or Province?
    6. What is the two-letter country code for this unit?
    7. Is CN=first_and_last_name, OU=organizational_unit, O=organization_name, L=city_or_locality, ST=state_or_province, C=two_letter_country_code correct?
  5. When prompted, enter a password for the keystore entry. If the password is the same as the keystore password, press Return.

    Note - If you want to use a keystore, it is recommended to use the sbyn.keystore file in the JavaCAPS-install-dir/repository/repository/server directory.


Obtaining a Signed Certificate

You must obtain either a digitally signed certificate from a certificate authority or a self-signed certificate from a local keystore.

To Obtain a Digitally Signed Certificate from a Certificate Authority

  1. Enter the following command to generate a Certificate Signing Request (CSR):

    keytool -certreq -alias CAPS -keyalg RSA -file csr_filename -keystore keystore_filename

  2. Send the CSR for signing.
  3. Store the signed certificate in a file.

    Note - If you want to use a keystore, it is recommended to use the sbyn.keystore file in the JavaCAPS-install-dir/repository/repository/server directory.


To Obtain a Self-Signed Certificate from a Local Keystore

Importing the Certificate

If you are using a self-signed certificate or a certificate signed by a CA that your browser does not recognize, a dialog box will appear the first time you try to access the server. You can then choose to trust the certificate for this session only or permanently.

To Import the Certificate

Configuring the server.xml File

You now edit the server.xml file in the Repository to enable SSL support.

To Configure the server.xml File

  1. If the Repository is running, then shut down the Repository.
  2. Using a text editor, open the server.xml file in the JavaCAPS-install-dir/repository/repository/server/conf directory.
  3. Within the <Service> element, comment out the first <Connector> element, which uses the non-SSL port (12000 by default).
  4. Uncomment the second <Connector> element, which defines an SSL connector.
    <!--  Define an SSL Coyote HTTP/1.1 Connector on port 8443  -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
        port="8443" minProcessors="5" maxProcessors="75"
        enableLookups="true"
        acceptCount="100" debug="0" scheme="https" secure="true"
        useURIValidationHack="false" disableUploadTimeout="true">
    <Factory
        className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
        clientAuth="false" protocol="TLS"
        keystoreFile="sbyn.keystore" keystorePass="changeit" />
    </Connector>
  5. Save the server.xml file.
  6. Start the Repository.
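
A check for the result of steps 3 and 4, added here as an example and not part of the Java CAPS documentation: it parses server.xml and reports connectors that are still plain HTTP, an SSL connector with no keystore, and a keystorePass left at the value shown in the sample connector. The embedded XML is constructed and trimmed to the relevant elements, and the function name audit_connectors is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: server.xml after steps 3 and 4, trimmed to the relevant elements.
EDITED_SERVER_XML = """<Server><Service>
  <!-- <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="12000" /> -->
  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
      port="8443" scheme="https" secure="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
        clientAuth="false" protocol="TLS"
        keystoreFile="sbyn.keystore" keystorePass="changeit" />
  </Connector>
</Service></Server>"""


def audit_connectors(xml_text, sample_pass="changeit"):
    """Return findings for the <Connector> elements that are actually active."""
    # ElementTree discards XML comments, so a commented-out connector is not seen here.
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    ssl_connectors = [c for c in connectors if c.get("scheme") == "https"]
    findings = []
    for c in connectors:
        if c.get("scheme") != "https":
            findings.append(f"port {c.get('port')}: non-SSL connector is still active")
    if not ssl_connectors:
        findings.append("no active SSL connector: step 4 has not been applied")
    for c in ssl_connectors:
        port = c.get("port")
        if c.get("secure") != "true":
            findings.append(f"port {port}: scheme is https but secure is not 'true'")
        factory = c.find("Factory")
        if factory is None or not factory.get("keystoreFile"):
            findings.append(f"port {port}: no keystoreFile, so no server certificate")
            continue
        if factory.get("protocol") != "TLS":
            findings.append(f"port {port}: protocol is {factory.get('protocol')!r}, not 'TLS'")
        if factory.get("keystorePass") == sample_pass:
            findings.append(f"port {port}: keystorePass is still the sample value")
    return findings


if __name__ == "__main__":
    # Assumption: run against the real file by passing its contents instead of the sample.
    for finding in audit_connectors(EDITED_SERVER_XML):
        print(finding)
```

An empty result means the non-SSL connector is disabled and the SSL connector names a keystore with a password other than the sample one.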

Testing the New SSL Connection

This procedure verifies that SSL support has been correctly installed.

To Test the New SSL Connection

  1. Load the default Repository server introduction page with the following URL:
    https://localhost:8443/

    The https portion indicates that the browser should use the SSL protocol.

    The port 8443 is where the SSL Connector was created in Configuring the server.xml File.

  2. The first time that you load this application, the New Site Certificate dialog box appears. Select Next to move through the series of New Site Certificate dialog boxes. Select Finish when you reach the last dialog box.

    Note - You should still have the option to use HTTP to connect to the NetBeans IDE. System administrators should not block the HTTP port.