
Configure SSL between MobileFirst adapters and back-end servers using self-signed certificates

We can configure SSL between MobileFirst adapters and back-end servers by importing the server self-signed SSL certificate to the MobileFirst keystore.

  1. Check the configuration in worklight.properties. The configuration might look like this example:
    #######################################################################################################################
    #    Worklight SSL keystore 
    #######################################################################################################################
    #SSL certificate keystore location.
    ssl.keystore.path=conf/default.keystore
    #SSL certificate keystore type (jks or PKCS12)
    ssl.keystore.type=jks
    #SSL certificate keystore password.
    ssl.keystore.password=worklight

  2. Make sure that the keystore file exists in the server/conf folder of the project.

  3. Export the server public certificate from the back-end server keystore.

    Export the back-end public certificate from the back-end keystore using keytool or the openssl command-line tool. Do not use the certificate export feature of a web browser.

  4. Import the back-end server certificate into the MobileFirst keystore.

  5. Restart the MobileFirst Server.


Example

The CN name of the back-end certificate must match what is configured in the adapter.xml file. For example, consider an adapter.xml file that is configured as follows:

<protocol>https</protocol>
<domain>mybackend.com</domain>
The back-end certificate must be generated with CN=mybackend.com.

As another example, consider the following adapter configuration:

<protocol>https</protocol>
<domain>123.124.125.126</domain>
The back-end certificate must be generated with CN=123.124.125.126.

The following example demonstrates how you complete the configuration using the Keytool program.

  1. Create a back-end server keystore containing a private key and a self-signed certificate that is valid for 365 days.

      keytool -genkey -alias backend -keyalg RSA -validity 365 -keystore backend.keystore -storetype JKS

    The First and Last Name prompt becomes the certificate CN, so enter the server host name that we use in the adapter.xml configuration file, for example mydomain.com or localhost.

  2. Configure the back-end server to work with the keystore. For example, in Apache Tomcat, you change the server.xml file:
    <Connector port="443" SSLEnabled="true" maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="200"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreFile="backend.keystore" keystorePass="password" keystoreType="JKS"
      keyAlias="backend"/>

  3. Check the connectivity configuration in the adapter.xml file:
    <connectivity>
      <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
        <protocol>https</protocol>
        <domain>mydomain.com</domain>
        <port>443</port>
        <!-- The following properties are used by the adapter's key manager for choosing a specific certificate from the key store
        <sslCertificateAlias></sslCertificateAlias>
        <sslCertificatePassword></sslCertificatePassword>
        -->
      </connectionPolicy>
      <loadConstraints maxConcurrentConnectionsPerNode="2"/>
    </connectivity>

  4. Export the public certificate from the created back-end server keystore:

      keytool -export -alias backend -keystore backend.keystore -rfc -file backend.crt

  5. Import the exported certificate into the MobileFirst Server default.keystore file in the server/conf directory of the project.

      keytool -import -alias backend -file backend.crt -storetype JKS -keystore default.keystore

  6. Check that the certificate is correctly imported into the MobileFirst keystore (default.keystore, the keystore that step 5 imported into, not backend.keystore):

      keytool -list -alias backend -keystore default.keystore
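The following script is an added example, not part of the IBM documentation: it automates steps 1, 4, 5 and 6 above non-interactively and, before importing, checks that the certificate CN equals the `<domain>` configured in adapter.xml, which is the mismatch this page warns about. File names follow the page (backend.keystore, backend.crt, default.keystore with the default password worklight); the adapter.xml path, the back-end keystore password and the OU/O/C values are assumed placeholders.

```shell
#!/bin/sh
# Added example (not IBM's code): provision a self-signed back-end certificate
# whose CN matches the adapter <domain>, then import it into the MobileFirst keystore.
set -eu

# Extract the first <domain> value from an adapter.xml file.
adapter_domain() {
    sed -n 's/.*<domain>\([^<]*\)<\/domain>.*/\1/p' "$1" | head -n 1
}

# Extract the CN from "keytool -printcert" output read on stdin
# (its first line looks like "Owner: CN=mydomain.com, OU=..., O=..., C=...").
cert_cn_from_printcert() {
    sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1
}

# Succeed only when the certificate CN ($1) equals the adapter domain ($2).
cn_matches() {
    [ "$1" = "$2" ]
}

# $1 = path to adapter.xml, $2 = back-end keystore password (placeholder).
# Requires keytool from a JDK on PATH; run in the directory holding default.keystore.
provision_backend_cert() {
    domain=$(adapter_domain "$1")
    # Step 1: key pair + self-signed certificate, CN taken from adapter.xml.
    keytool -genkey -alias backend -keyalg RSA -validity 365 \
        -keystore backend.keystore -storetype JKS -storepass "$2" -keypass "$2" \
        -dname "CN=$domain, OU=backend, O=example, C=US"
    # Step 4: export the public certificate in PEM form.
    keytool -export -alias backend -keystore backend.keystore -storepass "$2" \
        -rfc -file backend.crt
    # Guard: refuse to import a certificate whose CN does not match the adapter domain.
    cn=$(keytool -printcert -file backend.crt | cert_cn_from_printcert)
    cn_matches "$cn" "$domain" || {
        echo "certificate CN '$cn' does not match adapter domain '$domain'" >&2
        return 1
    }
    # Step 5: import into the MobileFirst keystore (password from worklight.properties).
    keytool -import -noprompt -alias backend -file backend.crt -storetype JKS \
        -keystore default.keystore -storepass worklight
    # Step 6: verify the entry is present.
    keytool -list -alias backend -keystore default.keystore -storepass worklight
}
```

Invoke it as `provision_backend_cert server/adapters/myadapter/adapter.xml <password>`; the `adapter_domain`, `cert_cn_from_printcert` and `cn_matches` helpers need no JDK and can be reused to audit an existing keystore against adapter.xml.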


Parent topic: Configure MobileFirst Server