Showing posts with label ssl. Show all posts

Sunday, March 22, 2009

IBM WebSphere interserver authentication: LTPA and SSL

On some applications with a two-layer deployment, one server for the web layer and another for the business logic layer, you may need to enable global security, and to allow the servers to communicate you then need to set up LTPA between them. On versions 5.x and 6.0, moving the LTPA key from the business server to the application server and setting the authentication method does the trick; no intermediate steps are needed to allow communication between the servers.

On version 6.1 it is not quite that simple, because RMI between servers now runs over SSL, and if an SSL session cannot be established, communication is not possible.

The error message might be something like: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: javax.net.ssl.SSLHandshakeException - The client and server could not negotiate the desired level of security. Reason: com.ibm.jsse2.util.h: No trusted certificate found vmcid: IBM minor code: E07 completed: No]

The key lead here is "No trusted certificate found", which means that an SSL session could not be established because the remote server's certificate is missing from the client's trust store.

The solution: on the IBM WebSphere server that needs to communicate (in this case the server running the web layer), execute the following steps:

1) Logon into the WAS console.

2) Go to Security -> SSL and Key Management

3) Select the NodeDefaultTrustStore and then Signer Certificates

4) Fill in the parameters; the important ones are the host, which must be the server you wish to connect to, and the port, which is 9043.

5) Just give an alias name and press the button “Retrieve Signer Certificate”

6) Press apply and OK, and you’re done.

Try connecting again. It should work now.

Sunday, March 15, 2009

Replace a SSL Certificate

After I explained how to disable the automatic generation of certificates in this post, I now want to explain how to replace a certificate manually.
1. In the administrative console go to Security > SSL certificates and key management > Manage endpoint security configurations
2. Select the node where you want to replace the SSL certificate (under Inbound)
3. Click "Manage certificates"
4. Select the default certificate and click "Create a self-signed certificate"
5. Fill out the General properties values (compare with the expired certificate)
6. Click "OK" and save the changes
7. Go to Security > SSL certificates and key management > Manage endpoint security configurations > select the node where you want to replace the SSL certificate (under Inbound) > Manage certificates
8. Select default and click "Replace"
9. You can now choose which certificate will replace the old certificate, normally the newly created one. Do not select "Delete old certificate after replacement" or "Delete old signers".
10. Click "OK"
11. Select the old certificate and delete it (click "Delete")
12. Click "OK" and save the changes

Enable SSL (HTTPs) for IBM HTTP Server

To enable SSL on an IBM HTTP Server (Client -> IHS), you need to generate a proper certificate first.

Steps to generate self-signed-certificate for https traffic:

1. Open //bin/ikeyman

2. Select CMS as type and specify a file name and a location for the certificate file

3. When prompted for a password type in your desired password.

4. Click Create > New Self-Signed Certificate in iKeyman. Type in your desired values.

5. Exit iKeyman.

6. Verify that all needed files (3-4 files) are generated in your certificate location.

After generating a self-signed-certificate the IHS needs to be configured to use SSL.

1. Open //conf/httpd.conf

2. Add the following line to load the SSL module. Put it at the end of the Load Modules section.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

3. Add a virtual host to enable SSL.

Link to example file

4. Save and restart the HTTPs Server (//bin/apachectl)
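An example of the SSL virtual host referred to in step 3, added here as an illustration rather than the original post's example file. The key database path, stash file path, certificate label and host name are placeholders and must match what iKeyman wrote in steps 2 to 4:

```apache
# Listen for HTTPS in addition to the existing "Listen 80"
Listen 443

# SSL is enabled only inside this virtual host; plain HTTP stays on port 80
<VirtualHost *:443>
    # Placeholder: must match the common name in the self-signed certificate
    ServerName www.example.com
    # Placeholder document root
    DocumentRoot "/opt/IBM/HTTPServer/htdocs"

    SSLEnable

    # CMS key database created with iKeyman in step 2 (placeholder paths)
    Keyfile "/opt/IBM/HTTPServer/ssl/ihskey.kdb"
    # Stash file written by iKeyman when "Stash the password to a file" is
    # checked; it lets IHS open the key database without prompting
    SSLStashfile "/opt/IBM/HTTPServer/ssl/ihskey.sth"

    # Label given to the self-signed certificate in step 4 (placeholder);
    # required when the key database holds more than one certificate
    SSLServerCert ihs_selfsigned

    # Refuse the legacy protocol versions so clients must negotiate TLS
    SSLProtocolDisable SSLv2 SSLv3

    # Ordinary browser traffic: do not request client certificates
    SSLClientAuth none
</VirtualHost>

# Everything outside the virtual host remains plain HTTP
SSLDisable
```

Comments must sit on their own lines: httpd.conf does not allow a trailing comment after a directive.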

Troubleshooting 1:

If SSL isn't working, check the virtual host defined in your WebSphere server.

1. In the Administrative Console go to Virtual Hosts > default_host > Host Aliases and check whether port 433 is defined.

To setup SSL between IHS and a WebSphere-Server see:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_httpserv.html

Troubleshooting 2:

You may need to update the default plug-in key files.

1. In the Administrative Console go to WebServer > > Plugin properties

2. Click "Copy to Web server key store directory" to overwrite the old default certificates.

3. Restart the IHS and try again.