Siperian Tech Note. Case Reference # 4022

Technical Note - Securing Siperian Hub Console Communication for Siperian Hub Server Running on WebSphere 6.0.2

This technical note describes how to configure WebSphere Application Server (WAS) and Siperian Hub to use IIOP over SSL for the Siperian Hub Console connection, so that console logins and data no longer cross the network as cleartext IIOP. The document describes:

  • The changes required in the WAS configuration for enabling SSL
  • The process for creating test certificates
  • The process for importing production certificates into the server keystore files used by the WebSphere Application Server, and into the client keystore files that ship inside the Siperian server and are used by the Siperian Console
  • The additional steps required for test certificates to be recognized
  • The tasks for enabling IIOP over SSL in the Siperian server

Before You Start

Before you start, ensure that you are running Siperian Hub XT SP2 GA or higher for Oracle, or Siperian Hub XT SP1 for DB2.

WebSphere Security Environment Configuration

For test environments, you can use the default SSL configuration that WAS provides. Note that this configuration relies on the dummy keystore and truststore files shipped with every WAS installation, whose contents and password are public knowledge; it encrypts the wire but does not give your server an identity of its own, so production systems must replace the certificate as described under Configuring Certificates.

To enable SSL using the default WAS SSL configuration with the factory-set server keystore and truststore names and locations:

  1. Open the WAS administrative console and log in.
  2. Click the “Security” node in the left pane to open the security configuration.
  3. Set up WAS SSL:
     a. Click the “SSL” node under “Security”.
     b. Click the link on the right side of the console to open the “SSL configuration repertoires”.
     c. Choose “DefaultSSLSettings” in the “Configuration” pane.
     d. Set Security Level to HIGH.
     e. Set Predefined JSSE provider to IBMJSSE.
     f. Set Protocol to SSLv3. (SSLv3 is the protocol this WAS 6.0.2 configuration offers; it has known weaknesses and is refused by current clients, so on any later release that offers TLS, select TLS instead.)
     g. Apply and save the change.
  4. Set up User Registries:
     a. Go back to the “Global Security” configuration page.
     b. Click the “Local OS” link under “User Registries”.
     c. On the “Local OS user registry” pane, provide the “Server User ID” and “Server User Password” that match your local OS username and password.
     d. Apply and save the change.
  5. Set up Global Security:
     a. Click the “Global Security” item under the “Security” node in the left panel.
     b. Check the “Enabled” box and uncheck “Enforce Java 2 Security”.
     c. Set “Active Protocol” to CSI.
     d. Set “Active Authentication Mechanism” to LTPA.
     e. Set “Active User Registry” to Local OS.
     f. Apply and save the change.
  6. Set up Authentication Mechanisms:
     a. Open the “Authentication Mechanisms” node under the “Configuration” pane on the right side.
     b. Click the “LTPA” link to open the LTPA configuration page.
     c. Enter “WebAS” in both the “Password” and “Confirm Password” fields. (This is the conventional WebSphere dummy password; it protects the LTPA keys, so use a unique value in production.)
     d. Apply and save the change.
  7. Set up Authentication Protocol:
     a. Open the “Authentication Protocol” node in the “Global security” configuration pane.
     b. Click the “CSIv2 Inbound Authentication” link under “Authentication Protocol”.
     c. Set “Basic Authentication” to “Supported”.
     d. Set “Certificate Authentication” to “Supported”.
     e. Check the “Stateful” box.
     f. Open the “CSIv2 Inbound Transport” node under “Authentication Protocol”.
     g. Set “Transport” to “SSL_Required”. (“Required” makes the server reject plaintext IIOP connections; a “Supported” setting would still accept them.)
     h. Set “SSL Setting” to “DefaultSSLSettings”.
     i. Apply and save the changes.
  8. Restart the WAS.

Configuring Certificates

Your production environments should use certificates issued by a recognized certificate authority (CA). For test environments you can create your own test certificate using the ikeyman GUI utility provided with WebSphere. This process describes the minimal configuration required for establishing SSL communication between Siperian Hub Server and Siperian Hub Console. This configuration uses a server-side certificate only and does not rely on certificate-based client authentication, so the protection rests on the Hub Console trusting the server certificate: the client trust store must contain either the CA that issued it or, for a test certificate, the certificate itself.

Creating a Test Certificate

To create a self-signed test certificate:

  1. Start the ikeyman console: <WAS_HOME>/AppServer/bin/ikeyman.sh.
  2. Click the “New” entry under the “Key Database File” menu.
  3. Click Browse to specify the location and file name, then click OK.
  4. Provide a password and click OK. This password protects the private key created in the following steps, so guard it as you would the key.
  5. Select “Personal Certificates” from the pull-down list.
  6. Select the “New Self-Signed Certificate” item under the “Create” menu.
  7. In the prompt window, enter the Hub Server’s fully qualified host name as the Common Name and keep the default settings for the “Version” and “Key Size” fields.
  8. Fill the other fields with information about your company. Click OK, and the new self-signed certificate is listed under “Personal Certificates”.
  9. Click the Extract Certificate button.
  10. Provide a location and file name for the extracted certificate file. This file carries only the certificate (public key and signature), not the private key, so it can be copied to client machines.

Importing the Certificate into the Server Keystore

This section describes how to import the certificate into the server keystore file used by the WebSphere Application Server.

  1. Start the ikeyman console if it is not already running.
  2. Open DummyServerKeyFile.jks, located in <WAS_HOME>/AppServer/profiles/default/etc.
  3. Provide the password and click OK. The default password used by WebSphere for this keystore file is WebAS. It is the same on every WebSphere installation, so give a production keystore its own password and update the key file password recorded in the SSL configuration repertoire to match.
  4. Select “Personal Certificates” from the pull-down list.
  5. Click the Import button on the right pane.
  6. Click Browse to locate the Java keystore file containing the certificate that you intend to use (for a test certificate, the key database created in the previous section).
  7. Provide the password for that keystore.
  8. Select the keys to import from the key list.
  9. The imported certificate appears in the key database content pane.

Importing Certificate’s Public Key into the Client Trust Store

This step is only required for self-signed test certificates. A CA-issued production certificate is vouched for by its issuer, whereas nothing vouches for a self-signed certificate, so the Siperian Console will only accept it once the certificate itself has been added to the client trust store as a signer.

To import a certificate into the client trust store:

  1. Start the ikeyman console if it is not already running.
  2. Open SiperianClientTrustFile.jks in <SIP_HOME>/server/resources/filesx/security/websphere.
  3. Provide the password and click OK. The default password used by Siperian for this keystore file is WebAS.
  4. Select “Signer Certificates” from the pull-down list.
  5. Click the Add button on the right pane.
  6. Click Browse to locate the certificate file that you extracted as part of the test certificate creation process.
  7. Type a label and click OK.
  8. The new certificate appears in the key database content pane.

This file is what the console consults to decide which server to trust, so only signers you intend to trust belong in it, and it must never contain a private key.
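The three ikeyman procedures above (create the test certificate, import it with its private key into the WAS server keystore, add the extracted certificate to the Siperian client truststore) can be scripted with the JDK’s keytool, which is useful on headless servers. The following script is an added example written for this note; it is not a Siperian or IBM tool. It assumes a Java 6 or later keytool on the PATH, placeholder file paths, a placeholder host name hub.example.com and placeholder passwords (set STORE_PW=WebAS to operate on the shipped files, whose documented default password that is; keytool refuses passwords shorter than six characters only when it creates a new keystore). The last function is the check to run before handing the truststore to clients: the test certificate is present as a trusted entry and no private key has found its way into the truststore.

```shell
#!/bin/sh
# Added example, not Siperian's or IBM's tooling: keytool equivalent of the ikeyman steps.
# Every path, host name and password below is a placeholder; override via the environment.
set -eu

CN=${CN:-hub.example.com}                              # assumed Hub Server host name
TEST_KS=${TEST_KS:-./test-server.jks}                  # key database from "Creating a Test Certificate"
TEST_PW=${TEST_PW:-changeit}
CERT_FILE=${CERT_FILE:-./hub-server.crt}               # the extracted certificate (no private key)
SERVER_KS=${SERVER_KS:-./DummyServerKeyFile.jks}       # WAS server keystore
CLIENT_TS=${CLIENT_TS:-./SiperianClientTrustFile.jks}  # Siperian client truststore
STORE_PW=${STORE_PW:-Siperian-change-me}               # WebAS on the shipped files; change in production
ALIAS=${ALIAS:-siperian-hub-test}

# Step 1: self-signed test certificate in its own key database, then extract the certificate.
create_test_certificate() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$CN, OU=Test, O=Example" \
    -keystore "$TEST_KS" -storetype JKS -storepass "$TEST_PW" -keypass "$TEST_PW"
  keytool -exportcert -alias "$ALIAS" -keystore "$TEST_KS" -storetype JKS \
    -storepass "$TEST_PW" -file "$CERT_FILE"
}

# Step 2: move certificate AND private key into the WAS server keystore (ikeyman "Import").
import_into_server_keystore() {
  keytool -importkeystore -noprompt \
    -srckeystore "$TEST_KS" -srcstoretype JKS -srcstorepass "$TEST_PW" \
    -srcalias "$ALIAS" -srckeypass "$TEST_PW" \
    -destkeystore "$SERVER_KS" -deststoretype JKS -deststorepass "$STORE_PW" \
    -destalias "$ALIAS" -destkeypass "$STORE_PW"
}

# Step 3: add the certificate only (no key) as a trusted signer in the client truststore (ikeyman "Add").
import_into_client_truststore() {
  keytool -importcert -noprompt -alias "$ALIAS" -file "$CERT_FILE" \
    -keystore "$CLIENT_TS" -storetype JKS -storepass "$STORE_PW"
}

# Check before distributing the truststore: the alias is a trustedCertEntry and
# the file holds no PrivateKeyEntry at all (a private key in a client truststore is a leak).
# Returns 0 when both hold, 1 otherwise.
verify_truststore() {
  ts=$1; pw=$2; alias=$3
  listing=$(keytool -list -keystore "$ts" -storetype JKS -storepass "$pw" 2>/dev/null) || return 1
  printf '%s\n' "$listing" | grep -qi "^$alias,.*trustedCertEntry" || return 1
  ! printf '%s\n' "$listing" | grep -qi "PrivateKeyEntry"
}

# Stand-alone use: ./hub-certs.sh run
if [ "${1:-}" = "run" ]; then
  create_test_certificate
  import_into_server_keystore
  import_into_client_truststore
  verify_truststore "$CLIENT_TS" "$STORE_PW" "$ALIAS" && echo "client truststore OK: $CLIENT_TS"
fi
```

Run the functions in order on a workstation, then copy only SiperianClientTrustFile.jks to the client side; the server keystore and the original key database carry the private key and stay on the server.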

Enable Security in the Siperian Hub Server

Required Configuration Steps

You must configure Siperian Hub Server to use SSL over IIOP (the “iiops” protocol) to secure the communication between Hub Server and Hub Console. These steps are required.

To configure security in Hub Server:

  1. In the <SIP_HOME>/server/resources/cmxserver.properties file, set cmx.appserver.naming.protocolsetting to “iiops”.
  2. Verify that the sas.client.props, SiperianClientKeyFile.jks, and SiperianClientTrustFile.jks files are present in the <SIP_HOME>/server/resources/filesx/security/websphere directory.
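The two required steps above are easy to get half right (the property edited in the wrong file, a truststore missing after a redeploy), so the following pre-flight check is worth running before starting the Hub Server. It is an added example written for this note, not Siperian tooling. It assumes the file layout named above under a SIP_HOME directory, POSIX file modes, and that sas.client.props records keystore passwords in Password= properties (the WebAS default it looks for is the one documented on this page); the optional live probe assumes an openssl binary.

```shell
#!/bin/sh
# Added example, not part of Siperian's tooling: pre-flight check of the Hub Server
# IIOP/SSL configuration. Usage: SIP_HOME=/opt/siperian sh hub-check.sh

# Returns 0 when both required settings are in place, 1 otherwise; prints one line per finding.
check_hub_security_config() {
  sip_home=$1
  props=$sip_home/server/resources/cmxserver.properties
  secdir=$sip_home/server/resources/filesx/security/websphere
  rc=0

  # 1. The naming protocol must be iiops; plain iiop carries console logins in cleartext.
  if grep -Eq '^[[:space:]]*cmx\.appserver\.naming\.protocolsetting[[:space:]]*=[[:space:]]*iiops[[:space:]]*$' "$props" 2>/dev/null; then
    echo "OK   $props: cmx.appserver.naming.protocolsetting is iiops"
  else
    echo "FAIL $props: cmx.appserver.naming.protocolsetting is not iiops"
    rc=1
  fi

  # 2. The three client security files must be present.
  for f in sas.client.props SiperianClientKeyFile.jks SiperianClientTrustFile.jks; do
    if [ -f "$secdir/$f" ]; then
      echo "OK   $secdir/$f present"
    else
      echo "FAIL $secdir/$f missing"
      rc=1
    fi
  done

  # 3. Hygiene warnings (assumes POSIX modes as shown by ls -l). A world-readable key file
  #    exposes the client key; a world-writable truststore lets any local user add a signer.
  kf=$secdir/SiperianClientKeyFile.jks
  ts=$secdir/SiperianClientTrustFile.jks
  if [ -f "$kf" ]; then
    case "$(ls -ld "$kf")" in ???????r*) echo "WARN $kf is world-readable" ;; esac
  fi
  if [ -f "$ts" ]; then
    case "$(ls -ld "$ts")" in ????????w*) echo "WARN $ts is world-writable" ;; esac
  fi

  # 4. Heuristic: the documented default keystore password is WebAS; flag it if still configured.
  if grep -q 'Password=WebAS' "$secdir/sas.client.props" 2>/dev/null; then
    echo "WARN $secdir/sas.client.props still uses the default keystore password WebAS"
  fi

  return $rc
}

# Optional live check (needs openssl): does the IIOP/SSL port complete a handshake, and with
# which protocol and cipher? A failure against a WAS 6.0.2 server usually means it offers only
# SSLv3, which current OpenSSL builds no longer negotiate.
probe_iiops() {
  host=$1; port=$2
  openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
    | grep -E '^ *(Protocol|Cipher) *:' || echo "handshake with $host:$port failed"
}

if [ -n "${SIP_HOME:-}" ]; then
  check_hub_security_config "$SIP_HOME"
fi
```

Any FAIL line means the console will either fall back to plaintext IIOP or fail to connect; the WARN lines do not stop the console from working but are the items to fix before the server leaves the test environment.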

Setting up Client Machine to use IBM JRE

The Siperian Console requires the IBM 1.4.2 JRE to be installed on all machines that will use the Siperian Hub Console when security is enabled on the Siperian Hub Server. To configure the client machines:

  1. Install the IBM Application Client for WebSphere Application Server 6.0.

  2. If a client machine has multiple JREs installed, configure Web Start to use the IBM JRE for running Hub Console, using one of the following alternatives:

     a. Change the JNLP file’s Windows file association to use the WebSphere AppClient’s JRE explicitly. The AppClient JRE path is <IBM_JRE_HOME>\bin\javaw.exe.

     b. If the JRE associated with your web browser is Sun’s JRE, start the Sun JRE’s “Java Web Start Application Manager”, choose “File -> Preferences -> Java”, then register and enable the IBM JRE and disable all other JREs to prevent conflicts.

  3. If you still have issues running Hub Console on clients that have multiple JVMs, start the Hub Console directly by running
     <IBM_JRE_HOME>\javaws\javaws.exe <host>:<port>/cmx/siperian-console.jnlp
     replacing host and port with the WAS host and port for your environment.

Troubleshooting Tips

Deployment is slow when deploying to WebSphere with Global Security and SSL enabled

Description:

Global Security and SSL settings affect the deployment process for Siperian Hub Server and Siperian Hub Cleanse/Match Server and make it take considerably longer than usual. The script may appear hung for 30 minutes or more while deploying the Siperian Server and Siperian Cleanse/Match Server application archives.

Resolution:

Alternative 1: Disable Global Security before deploying the Siperian application archives, deploy the applications by running the postInstallSetup.sh (postInstallSetup.bat) script, and then re-enable Global Security. While Global Security is disabled the WAS administrative interfaces accept unauthenticated access, so do this in a maintenance window and re-enable it before the server is reachable by users.

Alternative 2: Deploy the application manually through the WebSphere Administrative Console.

Confidential. 11/18/2019

Information in this document is subject to change without notice