Steve Forrest
Adobe

Created: 23 April 2007
User Level: Intermediate
Products: LiveCycle

Configuring SSL on IBM WebSphere 6.0x – Part 2: Enabling SSL

This article is the second in a three-part series on configuring Secure Sockets Layer (SSL) for IBM WebSphere 6.0x. In Part 1, I walked you through the process of creating a key database file and certificates. This article covers the process of enabling SSL itself.

Enabling SSL is required because Adobe Acrobat and Adobe Reader do not allow an unsecured HTTP connection to LiveCycle Policy Server. The requirement exists because the encryption keys used to policy-protect (encrypt) a PDF document are sent to the client, upon successful user authentication, so that the policy-protected PDF document can be decrypted and opened in Adobe Acrobat or Adobe Reader. With SSL, the encryption key is itself encrypted while being delivered to the client machine.

Note: This document was created for WebSphere 6.0.x.x, but the steps to enable SSL on WebSphere 5.1.x are virtually identical. There are some UI changes between version 5.1.x and 6.0.x in WebSphere, but this guide should enable you to configure SSL on WebSphere version 5.1.x as well.

Requirements

In order to make the most of this article, you need the following software:

  • Microsoft Windows 2003 Enterprise Server
  • IBM WebSphere

Prerequisite knowledge

  • General understanding of digital certificate technology
  • Understanding of the purpose of SSL
  • General knowledge of the WebSphere Administration User Interface

Adding a JSSE repertoire

Now we will configure SSL itself by creating a JSSE repertoire that points to the keystore you created in Part 1, so that your WebSphere server can use the keystore's certificates:

  1. Select Security > SSL (see Figure 1).

    Figure 1. Select SSL to see its configuration repertoires

  2. Click New JSSE Repertoire. The Configuration tab is displayed (see Figure 2).
  3. Enter a value for Alias. For the purposes of this tutorial, use lcSSL.

    Figure 2. Set the properties of the new SSL repertoire

  4. Scroll to the bottom of the panel to locate the Key File section. In the Key File Name field, enter the full path and filename of the .jks file. For the purposes of this tutorial, use ${USER_INSTALL_ROOT}/etc/ServerCredentials.jks, and make sure ${USER_INSTALL_ROOT} is set equal to C:\Program Files\IBM\WebSphere\AppServer\profiles\default\.
  5. In the Key File Password field, enter the password for the .jks file.
  6. From the Key File Format pop-up menu, select JKS.
  7. Locate the Trust File section. In the Trust File Name field, enter the name of the .jks file.
  8. In the Trust File Password field, enter the password for the .jks file.
  9. From the Trust File Format pop-up menu, select JKS.
  10. Click OK, and then save your changes. You should see your new entry in the SSL repertoires list (see Figure 3).

    Figure 3. You should now see your new repertoire in the list

Configuring authentication

Now you need to configure the protocols your WebSphere server uses for authentication:

  1. Select Security > Global security. In the Authentication area, expand the Authentication Protocol list (see Figure 4).

    Figure 4. Expand the Authentication Protocol list

  2. Click CSIv2 inbound authentication.
  3. In the Basic Authentication section, select Supported.
  4. In the Client Certificate Authentication section, select Supported.
  5. Click OK and then save your changes (see Figure 5).

    Figure 5. Set the global security properties for CSIv2 inbound authentication

  6. Click CSIv2 Outbound Authentication from the Authentication Protocol list.
  7. In the Basic Authentication section, select Supported.
  8. In the Client Certificate Authentication section, select Supported.
  9. Click OK and then save your changes.
  10. Click CSIv2 Inbound Transport from the Authentication Protocol list.
  11. In the Transport section, select SSL-Supported.
  12. From the SSL Settings pop-up menu, select the SSL repertoire that you configured earlier in "Adding a JSSE repertoire." For the purposes of this tutorial, use win3ktrainingOSNode1/lcSSL. Click OK.
  13. Select CSIv2 Outbound Transport from the Authentication Protocol list.
  14. In the Transport section, select SSL-Supported.
  15. From the SSL Settings pop-up menu, select the SSL repertoire that you configured earlier in "Adding a JSSE repertoire." For the purposes of this tutorial, use win3ktrainingOSNode1/lcSSL. Click OK.

Connecting your application servers to your repertoire

Now that you've created a JSSE repertoire to access your keystore and set up your authentication protocols, the final step in enabling SSL for WebSphere is to link your application servers to the JSSE repertoire. This way they can use the repertoire and your associated settings to make SSL connections with clients:

  1. Select Servers > Application servers (see Figure 6).

    Figure 6. Open the Application servers page

  2. From the Application Servers list, select the server you are configuring. For the purposes of this tutorial, use server1.
  3. In the Container Settings section, expand the Web Container Settings list.
  4. From the Web Container Settings list, select Web Container Transport Chains (see Figure 7).

    Figure 7. Select Web Container Transport Chains from the Web Container Settings list

  5. From the Transport Chain list, select WCInboundAdminSecure. The Configuration tab appears (see Figure 8).

    Figure 8. Open the Configuration tab for WCInboundAdminSecure

  6. Click SSL Inbound Channel (SSL 1).
  7. From the SSL Repertoire pop-up menu, select the SSL repertoire that you configured earlier. For the purposes of this tutorial, use win3ktrainingOSNode1/lcSSL.
  8. Click OK and confirm that the correct SSL repertoire was set.
  9. Click OK and then save your changes.
  10. From the Transport Chain list, select WCInboundDefaultSecure.
  11. Select SSL Inbound Channel (SSL 2).
  12. From the SSL Repertoire pop-up menu, select the SSL repertoire that you configured earlier. For the purposes of this tutorial, use win3ktrainingOSNode1/lcSSL.
  13. Click OK and confirm that the correct SSL Repertoire was set.
  14. Click OK and then save your changes.
  15. Stop and restart the WebSphere application server.
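
Steps 8 and 13 ask you to confirm that the correct SSL repertoire was set on each chain. The following is an added example, not part of the original article and not Adobe or IBM code: a Python check that reads a server.xml and reports which of the two secure web container chains is not bound to the expected repertoire alias. The XML sample is constructed, and its element and attribute names (transportChannels, chains, sslConfigAlias) and the DefaultSSLSettings alias are assumptions modelled on the WebSphere 6.0 configuration layout; verify them against your own file.

```python
import xml.etree.ElementTree as ET

XMI = "{http://www.omg.org/XMI}"
SECURE_CHAINS = ("WCInboundAdminSecure", "WCInboundDefaultSecure")

# Constructed sample; element/attribute names are assumptions modelled on a
# WebSphere 6.0 server.xml, and DefaultSSLSettings stands in for an old alias.
SAMPLE_SERVER_XML = """\
<services xmlns:xmi="http://www.omg.org/XMI">
  <transportChannels xmi:type="channelservice.channels:SSLInboundChannel"
      xmi:id="SSLInboundChannel_1" name="SSL_1"
      sslConfigAlias="win3ktrainingOSNode1/lcSSL"/>
  <transportChannels xmi:type="channelservice.channels:SSLInboundChannel"
      xmi:id="SSLInboundChannel_2" name="SSL_2"
      sslConfigAlias="win3ktrainingOSNode1/DefaultSSLSettings"/>
  <transportChannels xmi:type="channelservice.channels:TCPInboundChannel"
      xmi:id="TCPInboundChannel_2" name="TCP_2"/>
  <chains xmi:id="Chain_2" name="WCInboundAdminSecure" enable="true"
      transportChannels="TCPInboundChannel_2 SSLInboundChannel_1"/>
  <chains xmi:id="Chain_4" name="WCInboundDefaultSecure" enable="true"
      transportChannels="TCPInboundChannel_4 SSLInboundChannel_2"/>
</services>
"""


def audit_secure_chains(server_xml, expected_alias, chains=SECURE_CHAINS):
    """Return {chain: alias in use} for every chain not bound to expected_alias.

    A chain that is absent, or has no SSL inbound channel, maps to None.
    """
    root = ET.fromstring(server_xml)
    # SSL inbound channel id -> repertoire alias it references
    ssl_alias = {
        ch.get(XMI + "id"): ch.get("sslConfigAlias")
        for ch in root.iter("transportChannels")
        if ch.get(XMI + "type", "").endswith("SSLInboundChannel")
    }
    in_use = {}
    for chain in root.iter("chains"):
        refs = chain.get("transportChannels", "").split()
        aliases = [ssl_alias[r] for r in refs if r in ssl_alias]
        in_use[chain.get("name")] = aliases[0] if aliases else None
    return {c: in_use.get(c) for c in chains if in_use.get(c) != expected_alias}


if __name__ == "__main__":
    # Reports WCInboundDefaultSecure, which still points at the old alias.
    print(audit_secure_chains(SAMPLE_SERVER_XML, "win3ktrainingOSNode1/lcSSL"))
```

An empty result means both chains reference the repertoire; a non-empty result names the chain to revisit in the Transport Chain list.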

Where to go from here

You're done! You've successfully enabled SSL on your WebSphere server by creating a JSSE repertoire to access your keystore, setting up authentication protocols, and connecting your application servers to your repertoire. Now your WebSphere server is ready to make secure connections to clients using SSL. In Part 3, the final article in this series, you'll enable the client to trust the server's SSL certificate.

You can also get more information about SSL in WebSphere from IBM:

About the author

Steve has been with Adobe for over 10 years. He is a member of the Technical Training and Courseware Development team based in Ottawa, Canada. He works with the majority of LiveCycle technologies, but his main focus is around the security products in the LiveCycle product line.