Configure one-way SSL authentication between WebSphere Commerce and Sterling Order Management agent server
Use the following information to configure one-way SSL authentication between WebSphere Commerce and Sterling Order Management by adding the WebSphere Commerce client certificate to the Sterling Order Management agent server.
Procedure
- Create and extract the WebSphere Commerce client certificate.
For your development environment using the Integrated Solutions console:
- Log on to the Integrated Solutions console, and go to Security > SSL certificate and key management > key stores and certificates.
- Click NodeDefaultKeyStore.
- Under Personal certificates, select Default.
- Create a self-signed certificate with the following details:
Set the alias as wcclient, and set the common name as WCIntegrationUser.
- Click Extract. Fill in the certificate file name (for example, c:/temp/wcclient.cer) and click OK.
- Go to SSL certificate and key management > Dynamic outbound endpoint SSL configurations.
- Add the following connection information: *,$sterling.hostname,*, where you replace the value with your own Sterling server host name. For example, samplesterling.cn.ibm.com.
- Set the alias as wcclient, which was created in the preceding sub steps.
For your production environment by using Run Engine commands:
- Use OpenSSL to generate a private key and certificate.
For example:
openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out wcclient.cer
Ensure that the Common Name (CN) value is set to WCIntegrationUser.
The resulting certificate might represent the following file: onewaycert.zip
- Run the command to import the self-signed certificate to the keystore.
- Create a sample JSON to save the private key and certificate. Note the following:
- Copy the private_key and certificate values from the rsa_private.key and cert.crt values generated in the previous step.
- For the issuing_ca value, the certificate must be imported to the trust store. In this case, in a one-way SSL authentication, the value can be null. (Conversely, in a two-way SSL authentication, the certificate from Sterling must be imported to the trust store in WebSphere Commerce. The value of issuing_ca must be copied from the certificate of Sterling. For example: scserver.cer).
- For destination_host, use your Sterling host name value, for example, in this task, samplesterling.cn.ibm.com is used.
- Put the JSON file in the following directory: SETUP/certs/custom.
- Run the following script: updateLocalCerts.sh.
- Copy the certificate file to the Sterling Order Management runtime directory, where the agent server runs. For example, /tmp/wcclient.cer.
- Import the wcclient.cer file into the local trust store by executing the following keytool -import command:
keytool -import -alias wcclientcert -file /path to file/wcclient.cer -keystore /<INSTALL_DIR>/jdk/jre/lib/security/cacerts
Where <INSTALL_DIR> is the location where Sterling Order Management is installed.
Note: The default password is changeit.
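For the OpenSSL step in the production procedure, the following added example (not part of the product documentation) generates the key and certificate non-interactively and checks the certificate before it is copied to the agent server. File names follow the procedure; the function names are hypothetical, and -subj is used here to set the CN without prompts.

```shell
#!/bin/sh
# Added example (not from the product documentation). File names follow the
# page; the function names are hypothetical.
EXPECTED_CN="WCIntegrationUser"

# Generate key and self-signed certificate; -subj sets the CN without prompts.
make_client_cert() {   # $1 = output directory
    ( umask 077        # -nodes writes the key unencrypted: keep it owner-only
      openssl req -newkey rsa:2048 -nodes -keyout "$1/rsa_private.key" \
          -x509 -days 365 -subj "/CN=$EXPECTED_CN" \
          -out "$1/wcclient.cer" 2>/dev/null )
}

# Print the subject CN of a certificate.
cert_cn() {            # $1 = certificate file
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the private key and the certificate share one public key.
key_matches_cert() {   # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Print the SHA-256 fingerprint (colon-separated hex).
cert_fingerprint() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Run every check; print the fingerprint only when all of them pass.
check_client_cert() {  # $1 = key file, $2 = certificate file
    [ "$(cert_cn "$2")" = "$EXPECTED_CN" ] ||
        { echo "unexpected CN" >&2; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired" >&2; return 1; }
    key_matches_cert "$1" "$2" ||
        { echo "key does not match certificate" >&2; return 1; }
    cert_fingerprint "$2"
}

# Usage:
#   d=$(mktemp -d) && make_client_cert "$d" &&
#   check_client_cert "$d/rsa_private.key" "$d/wcclient.cer"
```

Compare the printed fingerprint with the one keytool displays on the agent server before you confirm the import.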