Configuring Oracle Java CAPS for SSL Support (Java CAPS Documentation)
Configuring the Repository to Use SSL
The HTTPS service of the Repository will not run unless a server certificate has been installed. Use the following procedure to set up a server certificate that can be used by the Repository to enable SSL.
Note - If you configure the Repository to use SSL, then NetBeans IDE users cannot connect to the Repository.
To enable the Repository to use SSL, perform the tasks in the following sections:
Note - The instructions in this topic use port number 8443 as the SSL port. The instructions in Configuring Enterprise Manager to Use SSL also use port number 8443 as the SSL port. If you are configuring the Repository and Enterprise Manager on the same computer, then ensure that the port numbers are different.
The -genkey command of the keytool program enables you to generate a key pair.
keytool -genkey -keyalg RSA -alias CAPS -keystore keystore_filename
Caution - When prompted for your first and last name, make sure you enter the machine hostname.
You must obtain either a digitally signed certificate from a certificate authority or a self-signed certificate from a local keystore.
keytool -certreq -alias CAPS -keyalg RSA -file csr_filename -keystore keystore_filename
Note - If you want to use a keystore, it is recommended to use the sbyn.keystore file in the JavaCAPS-install-dir/repository/repository/server directory.
keytool -export -alias CAPS -keystore keystore_filename -rfc -file self_signed_cert_filename
If you are using a self-signed certificate or a certificate signed by a CA that your browser does not recognize, a dialog box will appear the first time you try to access the server. You can then choose to trust the certificate for this session only or permanently.
keytool -import -trustcacerts -alias CAPS -file ca-certificate-filename -keystore keystore_filename
Note - You must have the required permissions to modify the JAVA_HOME/jre/lib/security/cacerts file. You must import your certificate into the cacerts file also.
If you want to use a keystore, it is recommended to use the sbyn.keystore file in the JavaCAPS-install-dir/repository/repository/server directory.
You now edit the server.xml file in the Repository to enable SSL support.
<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="100" debug="0"
           scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="sbyn.keystore" keystorePass="changeit" />
</Connector>
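As an added example (not part of the Oracle documentation), the following Python check parses a server.xml and reports SSL Connector settings worth reviewing before the Repository is restarted: a keystore password left at the value shown above, a missing keystore, or an SSL port that collides with another service such as Enterprise Manager. The function name, the Server/Service wrapper around the sample Connector and the other_ssl_ports parameter are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from this page inside a minimal wrapper.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Repository">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" scheme="https" secure="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile="sbyn.keystore" keystorePass="changeit" />
    </Connector>
  </Service>
</Server>
"""

def audit_ssl_connectors(xml_text, other_ssl_ports=()):
    """Return (port, finding) pairs for every https Connector in server.xml.

    other_ssl_ports (assumption): SSL ports already in use on this host,
    for example the port chosen for Enterprise Manager.
    """
    findings = []
    taken = {str(p) for p in other_ssl_ports}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("scheme") != "https":
            continue  # plain HTTP connector, outside the SSL setup
        port = conn.get("port", "?")
        if conn.get("secure") != "true":
            findings.append((port, 'scheme is https but secure is not "true"'))
        if port in taken:
            findings.append((port, "port already used by another SSL service"))
        factory = conn.find("Factory")
        if factory is None:
            findings.append((port, "no Factory element, so no keystore is configured"))
            continue
        if factory.get("protocol") != "TLS":
            findings.append((port, 'Factory protocol is not "TLS"'))
        if not factory.get("keystoreFile"):
            findings.append((port, "keystoreFile is not set"))
        # "changeit" is the widely known default keystore password.
        if factory.get("keystorePass") in (None, "", "changeit"):
            findings.append((port, "keystorePass is unset or the default 'changeit'"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_ssl_connectors(SAMPLE_SERVER_XML, other_ssl_ports=[8443]):
        print(f"port {port}: {finding}")
```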
This procedure verifies that SSL support has been correctly installed.
https://localhost:8443/
The https portion indicates that the browser should use the SSL protocol.
The port 8443 is where the SSL Connector was created in Configuring the server.xml File.
Note - You should still have the option to use HTTP to connect to the NetBeans IDE. System administrators should not block the HTTP port.