SSL example

The following example illustrates how to use WebSphere® V7.0 to create and use your own SSL-enabled port. Before WebSphere® Application Server V7.0 was released, certificates were managed through the use of an external tool called iKeyman. As of WebSphere® Application Server V7.0, you can use the Administrative Console to manage both certificates and keys.

For instructions on how to install and configure SSL for Tomcat, see Apache Tomcat documentation.

Create an SSL-enabled port

To create a sample SSL-enabled port, take the following steps. For more details, see your WebSphere® Application Server documentation.

Changing your keystore and truststore passwords

In the following procedure, you create a new self-signed certificate in your WebSphere® Application Server default keystore and import the certificate into your default truststore. Before you use the default key and truststores, change their passwords from the defaults to another value to create a more secure environment. To change your keystore and truststore passwords:
  1. Start your WebSphere® V7.0 server.
  2. Right click on the server and click Administration.
  3. Click Run administrative console.
  4. Log in to the Administrative Console.
  5. Expand Security and click SSL certificate and key management.
  6. Under Related Items, click Key stores and certificates.
  7. For WebSphere® V7.0, click NodeDefaultKeyStore. Click Change password.
  8. Type your new password into the Change password and Confirm password fields.
  9. Click OK.
  10. Repeat this process for NodeDefaultTrustStore.

Creating a personal certificate

A self-signed certificate is useful when you are testing or when your website is behind a firewall. Otherwise, obtain a certificate from a Certificate Authority. To create a personal certificate:
  1. From your list of keystores and truststores, click NodeDefaultKeyStore.
  2. Under Additional Properties, click Personal certificates.
  3. For WebSphere® V7.0, click Create > Self-signed certificate.
  4. Type the following values for the certificate:
    Alias
    SampleCert
    Common name
    Sample Server
    Organization
    IBM®
  5. Click OK.
In the list of certificates, you should now see samplecert.

Creating an SSL configuration

WebSphere® Application Server uses SSL configurations for SSL-based transports. To create an SSL configuration:
  1. From the left-hand pane, expand Security and click SSL certificates and key management.
  2. Under Related Items, click SSL configurations.
  3. Click New.
  4. Type the following values:
    Name
    SampleConfig
    truststore name
    NodeDefaultTrustStore
    Keystore name
    NodeDefaultKeyStore
  5. Click Get certificate aliases.
  6. Ensure that samplecert is selected as the Default server certificate alias and the Default client certificate alias.

Click OK, and click Save. In the list of SSL configurations, you should see SampleConfig.

Creating a web container transport chain

Create a web container transport chain to use the SSL configuration that you created:
  1. From the left-hand pane, expand Servers and Server Types. Click WebSphere application servers.
  2. Click server1 or your server name.
  3. Under Container Settings, expand Web Container Settings and click Web container transport chains.
  4. Click New.
  5. In the Transport chain name field, type SampleInboundSecure.
  6. To select the Transport chain template, from the drop-down list, click WebContainer-Secure(templates/chains | webcontainer-chains.xml#Chain_2).
  7. Click Next.
  8. In the Select a port page, type the following values:
    Port
    SamplePort
    Host
    *
    Port number
    9444

    If port 9444 is already in use, pick another port number and use that number for the rest of the exercise.

  9. Click Next.
  10. Click Finish > Save.
SampleInboundSecure is now listed as a web container transport chain. Associate the sample SSL configuration with this transport chain:
  1. Click SampleInboundSecure.
  2. Click SSL inbound channel.
  3. Under SSL Configuration, from the Select SSL Configuration drop-down list, select SampleConfig .
  4. Click OK > Save.

Adding the SSL-enabled port to the virtual host

Add port 9444 to the virtual host:
  1. In the left-hand pane, expand Environment and click Virtual Hosts .
  2. Click default_host.
  3. Under Additional Properties, click Host Aliases.
  4. On the Host Aliases page, click New.
  5. Keep * as the host name. Change the port to 9444.
  6. OK > Save. In the list of ports, you should see 9444.

Stop and restart the server. Port 9444 is now an SSL-enabled port.

Using the new SSL-enabled port to run a sample

To use your port, start a WebSphere® V7.0 server. On your WebSphere® server, install the EAR that contains your deployed Rich UI application. To request an HTML file such as RSSReader.html in the RSSReaderSample context, take one of the following steps:
  • Open a browser such as Internet Explorer, Safari, or Mozilla Firefox. Enter a URL in your browser using the newly-enabled SSL port: https://localhost:9444/RSSReaderSample/RSSReader.html
  • In your Project Explorer, right-click on an HTML file of an application that has been published to WebSphere®. Click Run As, then click Run on Server.

If you are using a self-signed certificate, you might see a "Security Alert", "Website Certified by an Unknown Authority", or another warning, depending upon the browser. This warning indicates that the certificate was signed by an unknown certifying authority. Click the "View Certificate" or "Examine Certificate" button to verify if the certificate is correct. If so, continue.

If the Common Name on the certificate does not match the domain name in the requested URL (localhost, in this case), you might also see a "Security Error: Domain Name Mismatch" error. To verify the certificate, click the View Certificate button, and continue as appropriate. To prevent "man-in-the-middle" attacks, where a rogue program intercepts all communication between a client and server, the client must verify the server domain name that is specified in the certificate.