WebSphere

 

Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

 

Securing WSRP by SSL for a Consumer portal

If the Producer from which you consume WSRP services in your Consumer portal has enabled security by Secure Socket Layer (SSL), you need to configure your Consumer portal for SSL with Client Certificate Authentication.

Security notice: Do not use portlets that utilize the Credential Vault over WSRP in conjunction with SSL client certificate authentication. If you configure SSL client certificate authentication for WSRP services, the Consumer portal uses a proxy user ID to authenticate on behalf of its individual users. You configure the proxy user ID by means of the Consumer-side SSL client certificate. This means that the WSRP Consumer provides the individual personalization information to the WSRP Producer, but authenticates for all users by using the same identity information. Consequently, if a portlet on the Producer portal utilizes the Credential Vault, all users from one Consumer portal access the same credential slot and can read and override individual settings in the credential slot. Therefore, do not use portlets that utilize the Credential Vault over WSRP in conjunction with SSL client certificate authentication.
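The following added example is a simplified model of the identity collapse described in the security notice. It is not WebSphere Portal code. All class, function, user and slot names are hypothetical, and the contrast case in which the Producer authenticates each user individually is an assumption made only for comparison.

```python
# Simplified model (not WebSphere code): the Producer keys Credential Vault
# slots by the identity it authenticated. Under SSL client certificate
# authentication that identity is the Consumer's proxy user ID, not the end user.
from dataclasses import dataclass, field

PROXY_ID = "cn=consumer-proxy"  # constructed subject of the Consumer's client certificate


@dataclass
class Producer:
    vault: dict = field(default_factory=dict)  # (authenticated id, slot) -> secret

    def set_secret(self, authenticated_id, user_context, slot, secret):
        # user_context carries personalization data only; it is not authenticated.
        self.vault[(authenticated_id, slot)] = secret

    def get_secret(self, authenticated_id, user_context, slot):
        return self.vault.get((authenticated_id, slot))


@dataclass
class Consumer:
    producer: Producer
    client_cert_auth: bool

    def _identity(self, user):
        # With client certificate authentication every user shares the proxy ID.
        return PROXY_ID if self.client_cert_auth else user

    def store(self, user, slot, secret):
        self.producer.set_secret(self._identity(user), user, slot, secret)

    def read(self, user, slot):
        return self.producer.get_secret(self._identity(user), user, slot)


def offering_violations(portlets, client_cert_auth):
    """Return the portlets that break the rule in the security notice."""
    if not client_cert_auth:
        return []
    return sorted(name for name, uses_vault in portlets.items() if uses_vault)


def demo(client_cert_auth):
    consumer = Consumer(Producer(), client_cert_auth)
    consumer.store("alice", "mail-password", "alice-secret")
    seen_by_bob = consumer.read("bob", "mail-password")  # bob reads the same slot
    consumer.store("bob", "mail-password", "bob-secret")
    return seen_by_bob, consumer.read("alice", "mail-password")
```

With client certificate authentication, demo(True) shows the second user reading and then replacing the first user's secret. The offering_violations function expresses the notice as a pre-deployment check over an inventory of portlets.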

 


Configuring the WSRP Consumer portal for SSL

You secure the WSRP Consumer portal with SSL by using HTTP over SSL (HTTPS) for the communication.

Performing this task is mandatory. To do this, enable transport layer security in the administrative console for each of the four WSRP ports. Proceed as follows:

  1. Click Applications > Enterprise Applications > wps.

  2. Under Related Items, click Web Module > wps.war > Web Services: Client Security Bindings.

  3. Under HTTP SSL Configuration, click Edit... and activate HTTP SSL enabled.

  4. Select the appropriate HTTP SSL configuration. Perform this step for each of the four WSRP ports.

  5. Obtain the required information about the public client certificates of the HTTP servers from the Producer.

  6. Import the client certificates from the Producer into the corresponding truststores in your Consumer portal.

If the communication with the Producer is set up to use Secure Socket Layer, use https in the Producer URL:

 https://producer_portal_host:producer_port/wp_contextRoot/wsdl/wsrp_service.wsdl

For more information about securing Web services, refer to the WebSphere Application Server information center.

 

Configuring the WSRP Consumer to use client certificate authentication

If the portal acts as a WSRP Consumer and uses client certificate authentication to integrate other Producers, you can configure the portal as described below.

This task is optional. To configure your Consumer portal to use client certificate authentication, proceed as follows:

  1. Create the client certificate for the proxy user ID.

  2. Provide the client certificate to the Producer so that the Producer can add it to the keystore on the Producer side.

  3. Add the required client certificate to the keystore that is defined for the SSL configuration of the Web service ports on the Consumer side.

  4. Add the required client certificate to the default truststore or keystore as configured for JSSE on the Consumer side. This is usually CACERTS. To determine this, look for it in app_server_root/java/jre/lib/security.

  5. If you have configured the ContentAccessService for a different SSL truststore or keystore, you also need to add the required client certificates to the truststore or keystore that you have configured for the ContentAccessService. For details about the ContentAccessService, refer to Content Access Service.