Enable SSL for outbound Web services
You can enable SSL for Web services created with WebSphere Commerce Web services or with Rational Application Developer. If you require additional security measures, consider alternatives such as creating JAX-WS or JAX-RPC Web service clients with the Rational Application Developer wizard.
If you use the Rational Application Developer wizard, create the client in an EJB project and access the service through a stateless session bean facade, not in the Stores.war project. A Web service client defined in the Stores Web module is only visible inside the Stores context: if you call it from outside that context, for example from a scheduler job, the service reference cannot be resolved and the call fails.
For further reference, see the following IBM Redbooks:
- IBM WebSphere Application Server V7.0 Web Services Guide
- Rational Application Developer V7.5 Programming Guide
Before you begin
Ensure that you have completed the following task:
- Installed WebSphere Commerce v7
Procedure
- When client authentication is not required.
If the server does not require client authentication, that is, it never asks for or validates a client certificate, the configuration is simple: only the server's certificate (or the certificate of the CA that signed it) has to be added to the default trust store so that WebSphere Commerce trusts the server:
- Open the WAS Administrative Console.
- Under Security, navigate to SSL certificate and key management > Key stores and certificates.
- Select NodeDefaultTrustStore.
- Under Additional Properties, click Signer Certificates.
- You can either:
- Click Retrieve from port and enter the HTTPS host name and port. The console connects to the endpoint and retrieves the certificate it presents. Because this trusts whatever certificate the endpoint happened to present at that moment, compare the fingerprint the console shows with one obtained from the service provider out of band before you accept it.
- Click Add to import the Base64-encoded certificate file.
The server is now trusted.
- When client authentication is required.
If client authentication is required, the remote server validates the certificate that WebSphere Commerce presents and refuses the connection if it is not trusted. Two things are therefore needed: WebSphere Commerce needs a key store holding the client certificate and its private key, and the remote server's administrator must add that client certificate (or its signer) to the remote server's own trust store.
- Create the key and trust stores.
For testing purposes, you can create a new key and trust store and use a self-signed certificate. However, in production, use a certificate from a trusted certificate authority.
- Open ikeyman to create the certificate stores. ikeyman is located in the AppServer/bin directory.
- In the Key Database File menu, select New....
- For the key database type, select JKS. Other formats such as PKCS12 can also be selected.
- Select a name and path for the key store, for example CommerceKeyStore.jks.
- Enter a password. Record this password securely, as you would any credential; it is needed again in later steps.
- With Personal Certificates selected, click New Self-Signed....
- Complete the form and click Accept.
You have now created a new key store that contains the self-signed certificate and its private key. The following steps create the trust store.
- In the Key Database File menu, select New....
- Create a new file to be used as the trust store, for example CommerceTrustStore.jks. The trust store contains the certificates this server trusts, so the certificate of the remote Web service server (or of its CA) must be added to it.
- The server certificate can be added later using the WAS Administrative Console, but you can also add it now with ikeyman. It is typically supplied as a .arm (Base64-encoded) certificate file or inside a key database such as a JKS or P12 file.
- To import the server certificate from a .arm file, ensure that Signer Certificates is selected in the drop-down and click Add.... If the certificate is held in a JKS or P12 file, extract it to a .arm file first and then import that file.
- Define the new Trust and Key stores in WebSphere Commerce.
- Open the WAS Administrative Console.
- Under Security, navigate to SSL certificate and key management > Key stores and certificates.
- Click New. Enter CommerceKeyStore as the name, the path and type (JKS) of the CommerceKeyStore.jks file, and the password you chose when creating it, and complete the remaining options.
- After creation, click Personal certificates to see the details of the self signed certificate. This test ensures the key store is correctly defined.
- Repeat these steps and define CommerceTrustStore from CommerceTrustStore.jks. Click Signer certificates for the trust store to see the server certificate.
- Create a new SSL configuration.
- Under Security, navigate to SSL certificate and key management > SSL configurations and click New.
- Enter CommerceSSLConfig as the name.
- For the Trust store name, select CommerceTrustStore.
- For the Key store name, select CommerceKeyStore.
- Click Get certificate aliases.
- For the Default server certificate alias and Default client certificate alias, select the alias of the self-signed certificate (or, in production, of the CA-issued client certificate).
- Under Additional properties, click Quality of protection (QoP) settings.
- Set Client Authentication to Required.
- Associate the SSL Configuration to the Web Service.
- Under SSL certificate and key management, click Dynamic outbound endpoint SSL configurations and click New. On this page you configure outbound requests for a particular protocol, host name and port to use a non-default SSL configuration instead of the node default.
- Enter the combination of protocol, host and port that matches the endpoint of the outbound Web service. Only requests to that endpoint will present the client certificate; all other outbound connections keep the default SSL configuration.
- Under SSL Configuration, select CommerceSSLConfig and click Get certificate aliases.
- Select the client certificate alias, click OK, and save your changes to the master configuration.
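The two cases above (server trusted without client authentication; server requiring a client certificate) are illustrated below by running both handshakes locally. This is an added example written for this page in Go's standard library, not IBM code and not a WebSphere configuration: the self-signed certificates, the host names ws.example.test and commerce-client, the loopback server and the one-line "ok" reply are all constructed for the demonstration. A key store corresponds to a tls.Certificate (certificate plus private key); a trust store corresponds to an x509.CertPool holding only signer certificates.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned stands in for ikeyman's "New Self-Signed" entry: a certificate with its
// private key, i.e. the content of a key store. Test-only; production uses CA-issued
// certificates. The host name goes in a SAN because Go's verifier ignores the Common Name.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// trustStore is the equivalent of a trust store: signer certificates only, no private keys.
func trustStore(signers ...tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, s := range signers {
		pool.AddCert(s.Leaf)
	}
	return pool
}

// call makes one outbound call over loopback TCP: handshake, then read the server's reply.
// The read matters: under TLS 1.3 a server that rejects the client certificate does so after
// the client's own handshake has returned, so the failure surfaces on the first read, not in Dial.
func call(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(raw, serverCfg)
		if srv.Handshake() == nil {
			srv.Write([]byte("ok\n")) // constructed reply standing in for the Web service response
		}
		srv.Close()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	defer cli.Close()
	_, err = bufio.NewReader(cli).ReadString('\n')
	return err
}

// runScenarios reports, per case, whether the outbound call succeeded.
func runScenarios() map[string]bool {
	server := selfSigned("ws.example.test") // the remote Web service's certificate (assumed name)
	client := selfSigned("commerce-client") // the self-signed certificate in CommerceKeyStore
	noClientAuth := &tls.Config{Certificates: []tls.Certificate{server}}
	clientAuthRequired := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trustStore(client), // the remote server's trust store holds the client signer
	}
	untrusting := &tls.Config{ServerName: "localhost", RootCAs: x509.NewCertPool()}
	trusting := &tls.Config{ServerName: "localhost", RootCAs: trustStore(server)}
	withKeyStore := &tls.Config{ServerName: "localhost", RootCAs: trustStore(server),
		Certificates: []tls.Certificate{client}}
	return map[string]bool{
		"noauth-untrusted": call(noClientAuth, untrusting) == nil,   // signer missing: fails
		"noauth-trusted":   call(noClientAuth, trusting) == nil,     // signer in trust store: succeeds
		"auth-nocert":      call(clientAuthRequired, trusting) == nil, // no key store: rejected
		"auth-cert":        call(clientAuthRequired, withKeyStore) == nil,
	}
}

func main() {
	r := runScenarios()
	for _, k := range []string{"noauth-untrusted", "noauth-trusted", "auth-nocert", "auth-cert"} {
		fmt.Printf("%-17s ok=%v\n", k, r[k])
	}
}
```

The first two cases are the "client authentication not required" branch: the call fails until the server's signer is in the trust store, and nothing needs to be in a key store. The last two are the "client authentication required" branch: the trust store alone is not enough, the client must also present a certificate from its key store that the server's trust store recognises. The same split applies to WebSphere: CommerceTrustStore answers "whom do I trust", CommerceKeyStore answers "who am I", and the dynamic outbound endpoint configuration decides for which endpoint the key store is used.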