
We are using the IBM CLM application (6.0.5) with the bundled Liberty profile. For each of the 7 applications there is a separate Liberty profile on a different server, and all these applications run behind an IHS server where we already have an ihs.kdb file and a self-signed certificate.

In each Liberty profile we already have the default keystore, and server.xml and server.startup with default settings.

Now our requirement is to enable mutual SSL authentication between the Liberty profiles (since IHS is in front of these applications, we are thinking of setting up mutual SSL authentication between IHS and each Liberty profile).

So how can we achieve this?

What configuration do we have to do on the Liberty server side and on the IHS server?

Do we need to specify the IHS server's keystore file and location in each server.xml file? Could somebody guide us here, as we are very new to this.

saran
  • Is your goal to authenticate the webserver to Liberty, or to authenticate your end-users as they come through IHS, or both? – covener Mar 20 '18 at 14:04
  • Here the requirement is to set up mutual authentication between all applications, which are hosted on separate Liberty profiles on different servers. But since IHS is the frontend server for all communication with all the Liberty servers, we thought to set up mutual SSL authentication between IHS and the Liberty servers. – saran Mar 21 '18 at 06:12
  • In the Liberty profile, how can we remove the default keystore and add a new keystore file? In the server.xml file we have only the default configuration, and we have the requirement below. – saran Mar 22 '18 at 15:30
  • 1) We created a new keystore file using ikeyman named ccm.jks. 2) We opened the ccm.jks keystore file using ikeyman and, under the "Personal Certificates" section, created a new self-signed certificate with the common name set to the server's FQDN and the key alias "ccm". Now the personal certificates list shows the "ccm" certificate (refer to Screenshot1). 3) We created a new truststore file using ikeyman named ccmtrust.jks. 4) Then we edited the server.xml values with the new parameters as below. – saran Mar 22 '18 at 15:30
  • 5) Since we have to enable SSL trust with our client DB server, we imported the DB server's self-signed certificate into the created truststore.jks file using ikeyman, in the "Signer Certificates" section (Screenshot2). 6) After all this setup we restarted the service, and when we tried to connect to the DB we got the error below. – saran Mar 22 '18 at 15:32
  • Caused by: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:654) at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) at com.ibm.jsse2.util.f.a(f.java:61) – saran Mar 22 '18 at 15:32
  • Please let us know if we missed something in the configuration. Also, we could not identify whether the server.xml configuration changes we made are being reflected. – saran Mar 22 '18 at 15:33

1 Answer


Here's the general process for setting up HTTPS. You'll need this in your server.xml:

<featureManager>
    <feature>ssl-1.0</feature>
    <!-- ..... more features here .... -->
</featureManager>
<keyStore id="defaultKeyStore" password="keyspass" />
<httpEndpoint host="*" httpPort="19080" httpsPort="19045"
              id="defaultHttpEndpoint" />

Then you add the public keys of the servers you want to communicate with (IHS) to Liberty's truststore file, as explained here:

https://github.com/brutif/miscdocs/blob/master/Adding_trusted_certificates.txt

Restart Liberty after updating the truststore.

Then configure IHS as explained here:

https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_9.0.0/com.ibm.websphere.ihs.doc/ihs/tihs_install_config_liberty.html

Bruce T.
  • Hi Bruce, thanks a lot. The first section is very clear, but the IHS part is still confusing us. I think there is no link between the two shared docs. – saran Mar 19 '18 at 08:57
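The answer shows only the minimal HTTPS elements; it does not show the `<ssl>` element that actually binds a keystore and a separate truststore together and turns on client-certificate checking, which is what "mutual SSL" between IHS and a Liberty profile needs. The following server.xml is an added example written for this page, not code from the answer, from IBM, or from the CLM product. It uses the ccm.jks / ccmtrust.jks store names and the "ccm" alias from the question's comments; the file locations, passwords, ports and the id values are assumptions. Note also that without an `<ssl>` element Liberty uses defaultKeyStore as both keystore and truststore, so a truststore file that is created but never referenced has no effect on either inbound or outbound connections.

```xml
<!-- Added example (not from the answer above): server.xml for one Liberty
     profile (the "ccm" one from the question) that requires a client
     certificate on its HTTPS endpoint. Locations, passwords and ids are
     assumptions. -->
<server description="ccm">

    <featureManager>
        <feature>ssl-1.0</feature>
        <!-- ... the application's other features ... -->
    </featureManager>

    <!-- Server identity: the ccm.jks keystore from the question, holding the
         self-signed certificate under alias "ccm". In a real deployment run
         "securityUtility encode" and store the encoded value rather than a
         clear-text password ("changeit" is an assumed placeholder). -->
    <keyStore id="ccmKeyStore"
              location="${server.config.dir}/resources/security/ccm.jks"
              type="JKS"
              password="changeit" />

    <!-- Trust: ccmtrust.jks holds the signer certificates of every peer this
         server must trust: the IHS plug-in keyring's personal certificate,
         the other Liberty profiles' certificates, and the DB server's
         self-signed certificate. -->
    <keyStore id="ccmTrustStore"
              location="${server.config.dir}/resources/security/ccmtrust.jks"
              type="JKS"
              password="changeit" />

    <!-- Weak/default form, shown commented out for contrast: with only this
         element and no <ssl>, Liberty uses defaultKeyStore as both keystore
         and truststore, and never asks the client for a certificate.
    <keyStore id="defaultKeyStore" password="keyspass" />
    -->

    <!-- Hardened form: an explicit SSL configuration that names both stores
         and demands a client certificate. clientAuthentication="true" fails
         the handshake when the client presents no certificate;
         clientAuthenticationSupported="true" would only request one. -->
    <ssl id="ccmSSLConfig"
         keyStoreRef="ccmKeyStore"
         trustStoreRef="ccmTrustStore"
         serverKeyAlias="ccm"
         clientAuthentication="true"
         sslProtocol="TLSv1.2" />

    <!-- Make it the server-wide default so that the inbound HTTPS endpoint
         and outbound JSSE connections (for example to the DB) both use these
         stores. -->
    <sslDefault sslRef="ccmSSLConfig" />

    <httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="9080"
                  httpsPort="9443" />
</server>
```

On the IHS side the mutual-TLS peer is the WebSphere plug-in, not httpd.conf itself: the `https` Transport entry for this server in plugin-cfg.xml carries `keyring` and `stashfile` properties naming the plug-in's key database (plugin-key.kdb), and that kdb needs a personal certificate of its own plus the Liberty server's "ccm" certificate as a signer, while the kdb's personal certificate goes into ccmtrust.jks. Since each profile has its own stores, the same pairing has to be repeated for every Liberty profile behind IHS. A quick check from the IHS host is `openssl s_client -connect <liberty-host>:9443` once without a client certificate (the handshake should be rejected) and once with `-cert`/`-key` pointing at the plug-in certificate exported to PEM (the handshake should complete). The "unable to find valid certification path to requested target" exception in the comments is raised by the JSSE client when no certificate in the truststore in effect matches the remote server's chain, so the first thing to confirm in that situation is that the `<ssl>` element's trustStoreRef points at the truststore the signer was imported into.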