
Configure Websphere Application Server for SSL on Windows

Test SSL in WASCE by self signed certificate using Java keytool

Configure WASCE for Secure Socket Layer: generation and installation of a self signed certificate using Java keytool.

J. M. V. Swamy Naidu, MCA


7/30/2009

Secure Socket Layer [SSL] provides a secure connection to the server in a client – server environment and encrypts the data exchanged between the two parties. Various algorithms are available to encrypt the data before it is transmitted from either the client or the server; at the receiver's side the encrypted data is decrypted. Example algorithms are RSA, DES, 3DES, etc.

In order to use SSL in WASCE we must provide a certificate that was signed by a CA [Certificate Authority, e.g. VeriSign]. For testing purposes there is a tool in Java that generates a self signed certificate for us, named keytool. Here I am going to explain how to create a self signed certificate using the Java keytool and how to install that certificate in WebSphere Application Server Community Edition. The following are the steps involved in this process.

• Create a self signed certificate in Java using keytool.
• Make it available for WASCE.
• Configure WASCE's config.xml for the self signed certificate.

Here I am assuming that the installation directories for Java and WASCE are the default ones,
C:/Program Files/Java/
C:/Program Files/IBM/
The platform for this article is Windows; however, similar configuration and installation steps are required on the Linux platform.
Caution:

You must stop the server before making changes to the file config.xml. Otherwise the server may crash or function in an undesired way.

• Using Java keytool to create a self signed certificate:

• Open the Command Prompt and then go to the Java installation directory,
C:/Program Files/Java/jdk1.6.0_10/bin>
• Then type the following command, which uses keytool to create a self signed certificate,
Prompt> keytool -genkey -alias WASCE -keyalg RSA
• The above command creates a .keystore file in the user's home directory. If you don't find it there, use the Java property user.home to locate it:
class FindUserHome {
    public static void main(String[] args) {
        // Prints the directory in which keytool stored the .keystore file
        System.out.println(System.getProperty("user.home"));
    }
}
• If you want to change the location of the keystore file, issue the keytool command with the -keystore option followed by the path where you want to save the keystore file.
• In the same way you can export and import an already existing keystore file by using the appropriate keytool commands.

• Make the certificate available for WASCE:

• Place the certificate you just created with keytool in the WASCE folder, for convenience and for security purposes.
• Where to place the certificate is the next question; just follow the path shown below –
C:\Program Files\IBM\WebSphere\AppServerCommunityEdition\var\security\keystores
By placing certificates here you can easily manage them whenever they need changes. Here you will also find the default certificate already generated for your server –
geronimo-default
• Now it's time to configure config.xml so that the server uses the generated certificate. The next step explains this in detail.

• Configure WASCE's config.xml for the self signed certificate:

• Open the file
C:\Program Files\IBM\WebSphere\AppServerCommunityEdition\var\config\config.xml
in your favorite editor.
• Now find the following tag in that file,
<gbean name="TomcatWebSSLConnector">
It is a container tag, so it also has a closing tag, which you will find further down.
• You will find the attribute list for the above tag as given below,

<gbean name="TomcatWebSSLConnector">
    <attribute name="host">${ServerHostname}</attribute>
    <attribute name="port">${HTTPSPort + PortOffset}</attribute>
    <attribute name="maxHttpHeaderSize">8192</attribute>
    <attribute name="maxThreads">150</attribute>
    <attribute name="minSpareThreads">25</attribute>
    <attribute name="maxSpareThreads">75</attribute>
    <attribute name="enableLookups">false</attribute>
    <attribute name="acceptCount">100</attribute>
    <attribute name="disableUploadTimeout">false</attribute>
    <attribute name="clientAuth">false</attribute>
    <attribute name="algorithm">Default</attribute>
    <attribute name="sslProtocol">TLS</attribute>
    <attribute name="keystoreFile">var/security/keystores/geronimo-default</attribute>
    <attribute name="keystorePass">secret</attribute>
    <attribute name="keystoreType">JKS</attribute>
</gbean>

The above attribute values are all the defaults. For our task the last three attributes are enough:

• keystoreFile
• keystorePass
• keystoreType

The first one is already done, meaning you have already placed the generated certificate exactly there. Haven't you?
For the second attribute it is up to you; the default value is secret. If you chose a different password for your keystore, then you must change this value to the new password.

For the third and last attribute, keystoreType, the default value JKS [Java KeyStore] is the correct one when the keystore was created using the Java keytool.
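As an added example (my own code, not part of the article or of WASCE), the following Python script edits the three attributes discussed above in config.xml and runs the pre-start checks a defender would want before restarting the server: the keystore file really exists under the WASCE home, the type is JKS, and the default password secret has been changed. The sample config.xml is constructed from the snippet above; the minimal <attributes> wrapper and all function names are my assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample config.xml: the connector gbean as the article lists it,
# inside a minimal <attributes> wrapper (the real file holds many more gbeans).
SAMPLE_CONFIG = """<attributes>
 <gbean name="TomcatWebSSLConnector">
  <attribute name="sslProtocol">TLS</attribute>
  <attribute name="keystoreFile">var/security/keystores/geronimo-default</attribute>
  <attribute name="keystorePass">secret</attribute>
  <attribute name="keystoreType">JKS</attribute>
 </gbean>
</attributes>"""
KEYSTORE_ATTRS = ("keystoreFile", "keystorePass", "keystoreType")

def _local(tag):  # '{ns}gbean' -> 'gbean', so lookups also work on a namespaced config.xml
    return tag.rsplit("}", 1)[-1]

def find_ssl_gbean(root):
    """Locate <gbean name="TomcatWebSSLConnector"> anywhere in the document."""
    for el in root.iter():
        if _local(el.tag) == "gbean" and el.get("name") == "TomcatWebSSLConnector":
            return el
    raise ValueError("TomcatWebSSLConnector gbean not found in config.xml")

def keystore_settings(root):
    """Return the three keystore attributes the article edits, as a dict."""
    return {a.get("name"): (a.text or "").strip() for a in find_ssl_gbean(root)
            if _local(a.tag) == "attribute" and a.get("name") in KEYSTORE_ATTRS}

def set_keystore(root, keystore_file, keystore_pass, keystore_type="JKS"):
    """Point the connector at your own keystore; the path is relative to the WASCE home."""
    wanted = {"keystoreFile": keystore_file, "keystorePass": keystore_pass,
              "keystoreType": keystore_type}
    for a in find_ssl_gbean(root):
        if _local(a.tag) == "attribute" and a.get("name") in wanted:
            a.text = wanted[a.get("name")]
    return keystore_settings(root)

def check_keystore_settings(root, wasce_home):
    """Pre-start checks (server stopped): problems that keep the connector down or weak."""
    s, problems = keystore_settings(root), []
    if not (Path(wasce_home) / s.get("keystoreFile", "")).is_file():
        problems.append("keystoreFile does not exist under the WASCE home")
    if s.get("keystoreType") != "JKS":
        problems.append("keystoreType should be JKS for a keytool-generated keystore")
    if s.get("keystorePass") == "secret":
        problems.append("keystorePass is still the default 'secret'")
    return problems
```

Run check_keystore_settings against the parsed real config.xml and your WASCE installation directory; an empty list means the three attributes are consistent with the keystore you placed under var/security/keystores.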

• Test the installation of the certificate on the server:

• After making all the above configuration changes, it is time to start/restart the server.
• Open the browser and then type the following URL,
https://localhost:8443
• Your browser [Firefox] will display some warnings for localhost about the self signed certificate. Don't worry about them; simply add an exception for localhost and inspect the information provided by the certificate. It is all what you provided yourself.
• From now on all the data transmitted between the server and the browser is encrypted.

Regards
Naidu, MCA
NaiduMCA1@gmail.com
http://www.NaiduMCA.co.cc

Email me for any queries or corrections/suggestions on this article.
