Sunday, March 22, 2009

IBM WebSphere interserver authentication: LTPA and SSL

On some applications, if you have a two layer deployment, one server for the web layer and another server for the business logic layer, you may need to enable global security and then to allow the communication between servers you need to setup LTPA between servers. On version 5.x and 6.0 just by moving the LTPA key from the business server to the application server and setting up the authentication method does the deal, and it has no need of intermediate steps to allow communication between servers.

On 6.1 version is not quite that simple, because RMI between servers runs now over SSL, and guess what if an SSL session can’t be established, the comunication is not possible.

The error message might be something like: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: javax.net.ssl.SSLHandshakeException - The client and server could not negotiate the desired level of security. Reason: com.ibm.jsse2.util.h: No trusted certificate found vmcid: IBM minor code: E07 completed: No]

The key lead here is the “No trusted certificate found”, which means that an SSL session could not be established do too the missing of a server certificate.

The solution: On the IBM Websphere server that needs to comunicate (in this case the server running the the web layer), execute the following steps:

1) Logon into the WAS console.

2) Goto Security -> SSL and Key Management

3) Select the NodeDefaultTrustStore and then Signer Certificates

4) Define your parameters, where the main issue is that the host must be the server you which to connect and the port is 9043.

5) Just give an alias name and press the button “Retrieve Signer Certificate”

6) Press apply and OK, and you’re done.

Try connecting again. It should work now.