Setting Up SSL For WebSphere

This section discusses how you can configure WebSphere to support SSL.

WebSphere manages keys in key store files. There are two types of files:

key stores
trust stores

These store types are very similar, however the trust store contains only trusted signers. The Certificate Authority (CA) certificates and other signing certificates are kept in a trust store. Personal certificates with private keys are stored in a key store.

The pskeymanager utility is a PeopleTools wrapper to Java's keytool, used to manage the predefined WebSphere keystore located in the following directory:

PIA_HOME\webserv\profilename\piabin\pskeymanager

Use the following steps to generate a self-signed certificate for the web container.

To generate a certificate using pskeymanager:

At a command prompt, change to the WebSphere domain directory, for example:
PIA_HOME \webserv\profilename\piabin
Create a new private key and certificate request for your server.
1. Run the following command:
```
pskeymanager.cmd -create
```
2. Follow the prompts and specify the required information for creating a certificate, such as alias, common name, organizational unit, location, and so on.
3. Make sure a Certificate Signing Request (CSR) file named alias_certreq.txt was created.
  You submit this data to a CA for obtaining a public key that you can load into your key store.
Decide which CA you wish to use.
You may use an CA that is compatible with Sun's Java JKS standard.

As an example, the following steps indicate how to submit the CSR that you generated to Verisign to obtain a trial certificate.
Submit your CSR to a CA.

For example, access Symantec’s site at:

https://www.verisign.com/products-services/index.html

When prompted, copy and paste the contents of your CSR, provide all necessary contact information, and submit the request.

Check your email for the certificate sent from the CA.

The certificate from the CA should look similar to the following:

Copy the entire certificate, including --BEGIN CERTIFICATE-- and --END CERTIFICATE--, and save it as a file named webservername-cert.pem.

Note: To save the file, don't use a word processor that inserts formatting or control characters.

Note: If you need to FTP your certificate to UNIX, you must FTP it in ASCII mode.
Download the CA root certificate:

For example, if downloading the Verisign\Symantec trial root CA certificate.
1. Download the Trial Root CA certificate from:
  https://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
2. From the specified link, click Select All, and copy the contents of the certificate into the verisignRootCA.cer file and save it to your WebSphere domain directory.
3. Download VeriSign's Trial Intermediate CA certificate from:
  https://www.verisign.com/support/verisign-intermediate-ca/trial-secure-server-intermediate/index.html
4. Click Select All and copy the contents of the certificate into the verisignInterCA.cer file, and save it into your WebSphere domain directory. You can also append the contents of this Trail Intermediate CA certificate to the Root CA certificate file verisignRootCA.cer.
  
  Note: If you need to FTP your certificate to UNIX, you must FTP it in ASCII mode to your WebSphere domain directory.
Import the CA's certificates into your key store.
To import the CA's public certificate into your key store, run:
```
pskeymanager.cmd -import -trustcacerts
```
For example, when prompted for an alias, specify the appropriate name to store the CA as, for example VerisignTrialCA. This name is only an alias for this certificate.

When prompted for the certificate file to import, specify the root certificate, such as verisignRootCA.cer file.

If any other certificates (such as the Verisign Intermediate certificate) are saved into a different file, run the command to import that certificate also.
Import your certificate into your keystore.
To import your public certificate into your keystore, run the following command from the command prompt

pskeymanager.cmd −import

When prompted for an alias, specify the same alias you did when you created your private key and certificate request.

When prompted for the certificate file to import, specify your certificate file, webservername-cert.pem.

To complete the SSL configuration, the web container must be modified to use the self-signed certificates you created.

To set up WebSphere Container SSL:

Start ISC, and select Security, SSL certificate and key management, Manage endpoint security configurations.
On the Local Topology tab, expand the Inbound tree, and click on the appropriate node, as in peoplesoftNode.
In the Related Items list on the right, click Key stores and certificates.
In the resource table, click NodeDefaultKeyStore in the Name column.
In the Additional Properties list on the right, click Personal certificates.
Click Import.
On the General Properties page, select the Key store file radio button, and complete the following:
1. In the Key file name field, enter the fully qualified path to the keystore file containing the certificate to import.
  For example,
  
  C:\PSHCM\webserv\peoplesoft\piabin\\pskeymanager
2. From the Type dropdown list, selectJKS.
3. In the Key file password, enter the password you specified when creating pskey.
4. Click Get Key File Aliases.
  The system searches the key store and should populate the Certificate alias to import list.
5. If you want to use a new alias, enter a new value in the Imported certificate alias field, otherwise leave it empty.
Click Apply and OK.
Save the configuration in the Administrative Console.

Note: To configure Outbound SSL, repeat the same steps within the Outbound tree.

Setting Up SSL For WebSphere

Understanding WebSphere Key Stores

Generating a Certificate Using pskeymanager

Configuring the WebSphere Container to Support SSL