This section describes the steps to configure SSL for your IBM WebSphere Application Server.
To enable SSL, WebSphere needs a user account in the local OS user registry that has permission to administer the system. Create it as follows:
Log in as the root user.
Create a user by entering the following command in a command prompt: useradd <username> (Linux and Solaris) or mkuser <username> (AIX).
Set the password of the new user by entering passwd <username> in the command prompt.
(Linux and Solaris) Create a shadow password file by entering pwconv (with no parameters) in the command prompt.
(Linux and Solaris) For the WebSphere Application Server Local OS security registry to work, a shadow password file must exist. The shadow password file is usually named /etc/shadow and is derived from the /etc/passwd file. If the shadow password file does not exist, an error occurs after you enable global security and configure the user registry as Local OS.
Open the /etc/group file in a text editor.
Add the user you created above to the root group.
Save and close the file.
(UNIX with SSL enabled) Start and stop WebSphere as the root user.
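Before moving on to the console steps, it is worth confirming that the account really is in the state the Local OS registry expects, since the shadow-file problem described above only surfaces after global security is enabled. The following preflight check is an added example written for this page, not part of the original procedure or of WebSphere; it parses the Linux and Solaris /etc/passwd, /etc/shadow and /etc/group formats (AIX stores passwords differently and is not covered) and reports an unshadowed password, a missing or locked shadow entry, or a user that is not in the root group. The user name wasadmin and the file contents below are constructed for the example.

```python
"""Preflight check for the local OS account that WebSphere's Local OS registry
will use (added example, not from the original page). It parses the
/etc/passwd, /etc/shadow and /etc/group formats and reports anything that
would make the Local OS registry fail: an unshadowed password, a missing or
locked shadow entry, or the user not being in the root group.
The sample file contents below are constructed for the example."""

import os

def parse_colon_file(text):
    """Map the first field (name) to the remaining fields, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields[1:]
    return entries

def check_registry_user(user, passwd_text, shadow_text, group_text):
    """Return a list of problems; an empty list means the account is ready."""
    problems = []
    passwd = parse_colon_file(passwd_text)
    groups = parse_colon_file(group_text)

    if user not in passwd:
        return ["user %s does not exist (run useradd/mkuser)" % user]
    pw_field, gid = passwd[user][0], passwd[user][2]

    # The Local OS registry needs shadow passwords: /etc/passwd must carry the
    # 'x' placeholder and /etc/shadow must hold the real hash (pwconv does this).
    if shadow_text is None:
        problems.append("no shadow password file; run pwconv")
    else:
        shadow = parse_colon_file(shadow_text)
        if pw_field != "x":
            problems.append("password for %s is not shadowed; run pwconv" % user)
        if user not in shadow:
            problems.append("no /etc/shadow entry for %s; run pwconv" % user)
        else:
            hash_field = shadow[user][0]
            if hash_field == "" or hash_field[0] in "!*":
                problems.append("account %s has no usable password; run passwd" % user)

    # Administrative permission on UNIX comes from the root group: either the
    # primary gid is 0 or the user is listed in the members field of the root line.
    root = groups.get("root")
    members = root[2].split(",") if root and len(root) > 2 and root[2] else []
    if not (gid == "0" or user in members):
        problems.append("%s is not in the root group; add it to the root line of /etc/group" % user)
    return problems

def check_live_system(user):
    """Run the same checks against the real files (needs read access to /etc/shadow)."""
    def read(path):
        with open(path) as f:
            return f.read()
    shadow = read("/etc/shadow") if os.path.exists("/etc/shadow") else None
    return check_registry_user(user, read("/etc/passwd"), shadow, read("/etc/group"))

# Constructed sample data standing in for the real files.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
wasadmin:x:1001:1001::/home/wasadmin:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$rootsalt$hashvalue:19000:0:99999:7:::
wasadmin:$6$salt$hashvalue:19000:0:99999:7:::
"""
SAMPLE_GROUP = """root:x:0:wasadmin
wasadmin:x:1001:
"""

if __name__ == "__main__":
    for problem in check_registry_user("wasadmin", SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP):
        print(problem)
```

Run check_live_system("<username>") as root after completing the steps above; an empty result means pwconv ran, the password is set, and the group membership is in place.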
(Windows) When adding the user to the Administrators group, click Check Names to ensure that the group name is correct.
Ensure that WebSphere is running.
In WebSphere Administrative Console, select Security > Global Security.
Under Administrative security, select Administrative user roles.
Click Add, search for the user you created, select it, and assign it the Administrator role.
Click OK and save your changes.
Restart the WebSphere profile.
In WebSphere Administrative Console, select Security > Global Security.
Click Security Configuration Wizard.
Ensure that the Enable application security checkbox is selected, and click Next.
Select Federated Repositories and click Next.
Specify the credentials you want to set and click Next.
Click Finish.
Restart the WebSphere profile.
WebSphere starts using the default keystore and truststore.
Truststores and keystores can be created using the ikeyman utility or the Administrative Console. For ikeyman to work properly, ensure that the WebSphere installation path does not contain parentheses.
In WebSphere Administrative Console, select Security > SSL certificate and key management.
Click Keystores and certificates under Related items.
In the Keystore usages drop-down list, ensure that SSL keystores is selected, and click New.
Type a logical name and description.
Specify the path where you want your keystore to be created. If you have already created a keystore through ikeyman, specify the path to the keystore file.
Specify and confirm the password.
Choose the keystore type and click Apply.
Save the master configuration.
Click Personal Certificate.
If you already created a keystore using ikeyman, your certificate appears. Otherwise, add a new self-signed certificate by performing the following steps:
Repeat the preceding keystore steps to create a truststore.
In WebSphere Administrative Console, select Security > SSL certificate and key management.
Click Manage endpoint security configuration. The local topology map opens.
Under Inbound, select the direct child of Nodes.
Under Related items, select SSL configurations.
Select NodeDefaultSSLSettings.
From the truststore name and keystore name drop-down lists, select the custom truststore and keystore that you created.
Click Apply.
Save the master configuration.
Restart the WebSphere profile.
Your profile now runs on custom SSL settings and your certificate.
To convert a URL that begins with https, add a signer certificate for that site to the WebSphere server.
Add a signer certificate for an HTTPS-enabled site
Ensure that WebSphere is running.
In WebSphere Administrative Console, click Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
Click Retrieve from port and perform these tasks:
In the Host field, type the host name of the site, for example www.paypal.com.
In the Port field, type 443. This port is the default SSL port.
Click Retrieve signer information and verify that the certificate information is retrieved.
Click Apply and then click Save.
HTML-to-PDF conversion from the site whose certificate is added now works from the Generate PDF service.
For an application to connect to SSL sites from inside WebSphere, a signer certificate is required. It is used by the Java Secure Socket Extension (JSSE) to validate the certificates that the remote side of the connection sends during an SSL handshake.
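Retrieve from port trusts whatever the remote side presents at that moment, so before clicking Apply the retrieved certificate should be compared against a fingerprint obtained out of band from the site's operator. The following helper is an added example written for this page, not part of the original procedure or of WebSphere: retrieve_from_port fetches the PEM certificate a site presents, the way the console does, and fingerprint renders it in the colon-separated hex form the console displays, so signer_matches can confirm it before import. The sample PEM is constructed (base64 of the bytes "abc", not a real X.509 certificate) so that the parsing and hashing run offline; the host name www.paypal.com is taken from the example above.

```python
"""Fetch the certificate a TLS site presents and fingerprint it so the signer
can be verified before it is imported into the WebSphere truststore (added
example, not from the original page). The fetch mirrors the console's
Retrieve from port step; the fingerprint uses the colon-separated hex form the
console displays, for comparison with a value obtained out of band."""

import base64
import hashlib
import ssl

def pem_to_der(pem_text):
    """Strip the BEGIN/END CERTIFICATE lines and base64-decode the body."""
    body = []
    inside = False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
            continue
        if line.startswith("-----END CERTIFICATE-----"):
            break
        if inside:
            body.append(line.strip())
    if not body:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return base64.b64decode("".join(body))

def fingerprint(der_bytes, algorithm="sha256"):
    """Colon-separated uppercase hex digest of the DER certificate, e.g. AB:CD:..."""
    digest = hashlib.new(algorithm, der_bytes).digest()
    return ":".join("%02X" % b for b in digest)

def normalize(fp):
    """Accept fingerprints copied with colons, spaces or mixed case."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")

def signer_matches(pem_text, expected_fingerprint, algorithm="sha256"):
    """True only if the presented certificate has the fingerprint obtained out of band."""
    actual = fingerprint(pem_to_der(pem_text), algorithm)
    return normalize(actual) == normalize(expected_fingerprint)

def retrieve_from_port(host, port=443):
    """Like the console's Retrieve from port: return the PEM certificate the
    server presents. Nothing is validated here; that is why the fingerprint
    is checked before the certificate is trusted."""
    return ssl.get_server_certificate((host, port))

# Constructed stand-in: base64 of the bytes b"abc", so this "certificate" is
# not a real X.509 structure but exercises the PEM handling and hashing.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.paypal.com"
    pem = retrieve_from_port(host)
    der = pem_to_der(pem)
    print("SHA-256:", fingerprint(der))
    print("SHA-1:  ", fingerprint(der, "sha1"))
```

The certificate returned is the one the server presents for the connection, which is what the console shows you too; compare its SHA-256 fingerprint with the value published or confirmed by the site's operator, and only then import it as a signer.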
IBM WebSphere does not allow multiple calls to ORB.init() when Global Security is enabled. You can read about the permanent restriction at https://www-01.ibm.com/support/docview.wss?uid=swg1PK58704.
Perform the following steps to make the ports dynamic and resolve the issue:
In WebSphere Administrative Console, select Servers > Server Types > WebSphere application servers.
In the list of servers, select your server.
On the Configuration tab, under Communications, expand Ports and click Details.
Click each of the following port names, change the port number to 0, and click OK:
ORB_LISTENER_ADDRESS
SAS_SSL_SERVERAUTH_LISTENER_ADDRESS
CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS
CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS
Open the [aem-forms_root]\crx-repository\launchpad\sling.properties file for editing.
Locate the sling.bootdelegation.ibm property and add com.ibm.websphere.ssl.* to its value. The updated property looks like the following:
sling.bootdelegation.ibm=com.ibm.xml.*, com.ibm.websphere.ssl.*
Sling merges every sling.bootdelegation.* property into the OSGi boot delegation list, which is what makes the WebSphere SSL classes visible to the bundles running in the CRX repository.
Save the file and restart the server.
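Editing the file by hand is enough once, but on a server that is rebuilt or patched the edit tends to be repeated, and a second copy of the package or a missing property are easy to miss. The following script is an added example written for this page, not part of the original procedure or of AEM Forms or Sling: it adds com.ibm.websphere.ssl.* to sling.bootdelegation.ibm only if it is not already present, creates the property if the file lacks it, and leaves every other line untouched. It handles the simple key=value form shown above, not the colon separator or line continuations that the Java properties format also permits. The file excerpt below is constructed.

```python
"""Idempotently add com.ibm.websphere.ssl.* to sling.bootdelegation.ibm in a
sling.properties file (added example, not from the original page or the
product). Repeated runs do not duplicate the entry, and a missing property is
created rather than silently left out. Handles plain key=value lines only.
The sample file content below is constructed."""

def add_boot_delegation(properties_text, key="sling.bootdelegation.ibm",
                        package="com.ibm.websphere.ssl.*"):
    """Return the properties text with `package` present in `key`'s comma-separated list."""
    out = []
    found = False
    for line in properties_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            out.append(line)           # comments, blanks and non-property lines pass through
            continue
        name, _, value = stripped.partition("=")
        if name.strip() != key:
            out.append(line)           # other properties are left exactly as they were
            continue
        found = True
        packages = [p.strip() for p in value.split(",") if p.strip()]
        if package not in packages:    # only append when the package is not already listed
            packages.append(package)
        out.append("%s=%s" % (key, ", ".join(packages)))
    if not found:
        out.append("%s=%s" % (key, package))
    return "\n".join(out) + "\n"

def boot_delegation_packages(properties_text, key="sling.bootdelegation.ibm"):
    """Parse the current comma-separated value of `key`; empty list if the key is absent."""
    for line in properties_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        name, _, value = stripped.partition("=")
        if name.strip() == key:
            return [p.strip() for p in value.split(",") if p.strip()]
    return []

def update_file(path):
    """Rewrite the real file in place, e.g. <aem-forms_root>/crx-repository/launchpad/sling.properties."""
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(add_boot_delegation(text))

# Constructed excerpt standing in for the real sling.properties.
SAMPLE_BEFORE = """# constructed excerpt of crx-repository/launchpad/sling.properties
sling.home=crx-quickstart
sling.bootdelegation.ibm=com.ibm.xml.*
"""

if __name__ == "__main__":
    print(add_boot_delegation(SAMPLE_BEFORE))
```

Run update_file on the real path, then restart the server as the step above says; boot delegation is read only at framework start.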