Agenda
SSL between Plug-in and WebSphere Application Server (WSAS)
(Plugin --- SSL --- WSAS)
SSL between WebSphere Application Server and LDAP
(WSAS --- SSL --- LDAP)
SSL between Deployment Manager (Dmgr) and Nodes profile (Node)
(Dmgr --- SSL --- Node)
SSL between WebSphere Application Server and Remote Server
(WSAS --- SSL --- MQ or backend DB, third-party server, web server, etc.)
SSL between WebSphere Application Server client (stopServer, stopManager, wsadmin, etc.) and Remote process (dmgr, nodeagent, appserver)
(WSAS client --- SSL --- Remote process)
Topology Overview
Diagram: topology overview (labels: Java, JMX).
2. Authenticate identity
Authenticating the server allows the client to be sure that the server represents the entity that the client believes the server represents.
SSL configuration selection:
2. Programmatic selection
3. Dynamic selection
4. Direct selection
SSL Topology
Diagram: inbound and outbound SSL use the same keyStore/trustStore (key.p12, trust.p12).
SSL configuration is held at node level. QoP settings: important to keep at node level. A custom SSL config or certificate alias is changed there.
SSL between Plug-in --- SSL --- WebSphere Application Server
Diagram: Browser --- SSL --- Plug-in (plugin-key.kdb) --- SSL --- Application Server (NodeDefaultKeyStore, NodeDefaultTrustStore). The handshake shown is one-way SSL only.
Note: Mutual authentication requires two-way SSL.
Extract the certificate from the AppServer keyStore and import it into the plug-in kdb in the signer section.
WebSphere® Support Technical Exchange, IBM Software Group
Plug-in error message and related technote:
Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)
http://www.ibm.com/support/docview.wss?uid=swg21433593
Note: If you open the plugin-cfg.xml file you can find which .kdb file is being used and configured.
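The note above points at plugin-cfg.xml as the place that records which .kdb the plug-in uses. The following added example (not from this deck or from IBM) parses a constructed plugin-cfg.xml fragment and lists, per server, the keyring and stash file behind each HTTPS transport, so an administrator knows which kdb the AppServer signer must be imported into and which servers have no keyring configured at all. The element and attribute names (Server, Transport, Property Name="keyring"/"stashfile") follow the plug-in's configuration format; the hostnames and paths are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed plugin-cfg.xml fragment (added example, not from the deck); hostnames
# and paths are placeholders. Only node1's https Transport names a keyring.
SAMPLE_PLUGIN_CFG = """
<Config>
  <ServerCluster Name="cluster1">
    <Server Name="node1_server1">
      <Transport Hostname="node1.example.internal" Port="9080" Protocol="http"/>
      <Transport Hostname="node1.example.internal" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/opt/IBM/Plugins/config/webserver1/plugin-key.kdb"/>
        <Property Name="stashfile" Value="/opt/IBM/Plugins/config/webserver1/plugin-key.sth"/>
      </Transport>
    </Server>
    <Server Name="node2_server1">
      <Transport Hostname="node2.example.internal" Port="9443" Protocol="https"/>
    </Server>
  </ServerCluster>
</Config>
"""

def https_transports(xml_text):
    """One dict per https Transport: server, host, port, keyring, stashfile."""
    found = []
    for server in ET.fromstring(xml_text).iter("Server"):
        for transport in server.findall("Transport"):
            if (transport.get("Protocol") or "").lower() != "https":
                continue
            props = {p.get("Name"): p.get("Value") for p in transport.findall("Property")}
            found.append({"server": server.get("Name"),
                          "host": transport.get("Hostname"),
                          "port": transport.get("Port"),
                          "keyring": props.get("keyring"),
                          "stashfile": props.get("stashfile")})
    return found

def keyrings_to_check(transports):
    """Distinct .kdb files the plug-in opens: the AppServer signer goes into each."""
    return sorted({t["keyring"] for t in transports if t["keyring"]})

def servers_without_keyring(transports):
    """https Transports naming no keyring: the plug-in has no signer to validate with."""
    return [t["server"] for t in transports if not t["keyring"]]

if __name__ == "__main__":
    ts = https_transports(SAMPLE_PLUGIN_CFG)
    print("keyrings to check:", keyrings_to_check(ts))
    print("servers without keyring:", servers_without_keyring(ts))
```

Point the script at the real plugin-cfg.xml of the web server that logs GSK_ERROR_BAD_CERT and import the AppServer signer into every kdb it reports.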
SSL between WebSphere Application Server --- SSL --- LDAP
Diagram callout: change the settings to enable SSL.
Diagram: AppServer (NodeDefaultKeyStore = key.p12, NodeDefaultTrustStore = trust.p12) --- SSL --- LDAP Server. The LDAP client config can use the centrally managed SSL config, a specified SSL config, or a new custom SSL config.
Stand-alone profile store location: WAS_HOME/profiles/profileName/config/cells/cellName/nodes/nodeName (key.p12, trust.p12)
NOTE: You might see a message in the console or in the logs saying "Simple Bind Failed". This indicates a problem with the connection or the certificate: check the certificate content, the certificate chain order, the firewall, etc.
Diagram (ND): Dmgr (CellDefaultKeyStore, CellDefaultTrustStore) and AppServer --- SSL --- LDAP Server.
Cell level: WAS_HOME/profiles/profileName/config/cells/cellName/ (key.p12 and trust.p12)
Node level: WAS_HOME/profiles/profileName/config/cells/cellName/nodes/nodeName/ (key.p12 and trust.p12)
In a Network Deployment environment, we recommend that you place this store at the cell level.
Note: Ensure that the security config is propagated to the nodes (synchronized).
OR: the LDAP admin needs to provide the LDAP server's extracted certificate in a .arm file; once you have that, import the certificate into the trustStore signers.
SSL between Deployment Manager --- SSL --- Nodes profile
By default SOAP is the preferred connector, and SSL is used to secure communications.
Diagram: AppServer (key.p12, trust.p12) --- SSL over SOAP (also RMI, IPC) --- Dmgr (ND).
AppServer profile: keyStore (NodeDefaultKeyStore) holds a self-signed certificate; trustStore is NodeDefaultTrustStore.
Note: The self-signed certificate in the AppServer keyStore (NodeDefaultKeyStore) needs its signer exchanged with the AppServer trustStore (NodeDefaultTrustStore) and with the dmgr trustStore (CellDefaultTrustStore).
Diagram panels A and B: AppServer --- SSL --- Dmgr (ND).
In v6.1 the self-signed certificate life span was only 1 year; a certificate that did not renew correctly and was missing from the Deployment Manager caused a synchronization break.
By following this technote the self-signed certificate is set up for a longer period and synchronization will not break.
• http://www.ibm.com/support/docview.wss?uid=swg21305596
SSL between WebSphere Application Server --- SSL --- Remote Server
Diagram: within the cell/domain, AppServer and Dmgr (ND) make an outbound SSL call to a Remote Server (WSAS is the client, the remote server is the server).
3. Best practice: Dynamic Outbound SSL configuration in WSAS
SSL between WSAS client --- SSL --- Remote process
Diagram: WAS_HOME/profiles/profileName/bin/stopManager.sh (or .bat) --- SSL --- Dmgr (ND) or AppServer.
The signer exchange prompt for these clients is controlled by the com.ibm.ssl.enableSignerExchangePrompt property in the profile's properties/ssl.client.props file.
Summary
http://www.ibm.com/support/docview.wss?uid=swg27046078
Recent dwAnswers
What is the procedure to replace the IBM default certificate with an external/internal CA certificate in WebSphere Application Server Network Deployment via the admin console?
https://developer.ibm.com/answers/questions/206942/what-is-the-procedure-to-replace-the-ibm-default-c.html
View a webcast replay with step-by-step instructions for using the Service Request (SR)
tool for submitting problems electronically:
http://www.ibm.com/software/websphere/support/d2w.html
Sign up to receive weekly technical My Notifications emails:
http://www.ibm.com/software/support/einfo.html