Configure SSL for java.net.URL HTTPS protocol

The java.net.URL class provides a direct connection to the Web server to retrieve the specified URL using the HTTPS protocol.

Configuring SSL for the Web server depends on the type of Web server; consult your Web server documentation for instructions.

Configure the client Java keystore

If you already have a client Java keystore file that is populated with the required personal and signer certificates, you can omit this step.

To configure the client Java keystore, use Digital Certificate Manager (DCM) to extract the Local Certificate Authority (CA) certificate that is used by the Web server. You can then import the certificate into the client Java keystore file.

Perform these steps:

  1. Start the Digital Certificate Manager (DCM).
  2. Create a Local Certificate Authority (CA). If you already have a certificate authority created on your iSeries system, skip this step.
  3. On the left pane, click Select a Certificate Store.
  4. Select *SYSTEM and click Continue.
  5. On the Certificate Store and Password page, enter the password, then click Continue.
  6. In the left pane, click Install CA certificate on your PC.
  7. In the right pane, click Copy and paste certificate.
  8. Create the text file USER_INSTALL_ROOT/etc/myLocalCA.txt on your PC, then paste the CA certificate into myLocalCA.txt and save the file. Ensure that the copy of the CA certificate ends with a newline character.
  9. Click the Done button.

Next, create a new key database file for the client HTTPS application:

  1. Start iKeyman on your workstation. For more information, see IBM Key Management Tool (iKeyman).

  2. Create a new key database file:
    1. Click Key Database File and select New.
    2. Specify settings:

      • Key database type: JKS
      • File Name: httpsClientKeys.jks
      • Location: your etc directory, such as
        USER_INSTALL_ROOT/etc/myKeys

    3. Click OK.
    4. Enter a password (twice for confirmation) and click OK.

  3. Delete all of the signer certificates.

  4. Click Signer Certificates and select Personal Certificates.

  5. Add a new self-signed certificate:
    1. Click New Self-Signed to add a self-signed certificate.
    2. Specify settings:

      • Key Label: httpsClientTest
      • Common Name: use the DNS name for your iSeries server
      • Organization: IBM

    3. Click OK.

  6. Extract the certificate from this self-signed certificate so that it can be imported into the Web server's SSL key file:
    1. Click Extract Certificate.
    2. Specify settings:

      • Data Type: Base64-encoded ASCII data
      • Certificate file name: httpsClient.arm
      • Location: the path to your etc directory

    3. Click OK.

  7. Import the Web server's certificate:
    1. Click Personal Certificates and select Signer Certificates.
    2. Click Add.
    3. Specify settings:

      • Data Type: Base64-encoded ASCII data
      • Certificate file name: myLocalCA.txt
      • Location: the path to your etc directory

    4. Click OK.

  8. Enter web-server for the label and click OK.

  9. Click Key Database File.

  10. Select Exit.
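The signer import in step 7 can also be done with the standard Java KeyStore API, which is useful when the key database must be populated by a script rather than through iKeyman. This is an added example, not code from the original page or from IBM; the file paths, the default password and the program name are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Adds the Local CA certificate exported from DCM (myLocalCA.txt, Base64-encoded ASCII)
// to the client JKS key database as a trusted signer, the same result as iKeyman steps 7 and 8.
public class AddSignerCert {
    public static void main(String[] args) throws Exception {
        // Paths and password are assumptions for this example; point them at your etc directory.
        String keystorePath = args.length > 0 ? args[0] : "httpsClientKeys.jks";
        String caPemPath    = args.length > 1 ? args[1] : "myLocalCA.txt";
        char[] password     = (args.length > 2 ? args[2] : "changeit").toCharArray();
        String label        = "web-server";   // the label entered in step 8

        // Load the existing key database created in step 2 (wrong password -> IOException).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }

        // Parse the pasted CA certificate; the file must end with a newline, as noted above.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPemPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        ca.checkValidity();                   // refuse an expired or not-yet-valid CA
        if (ca.getBasicConstraints() < 0) {   // -1 means no CA basic constraint
            throw new IllegalArgumentException("Not a CA certificate: " + ca.getSubjectX500Principal());
        }

        // Store it as a trusted certificate entry (a signer, not a personal certificate).
        ks.setCertificateEntry(label, ca);
        try (OutputStream out = new FileOutputStream(keystorePath)) {
            ks.store(out, password);
        }
        System.out.println("Added signer '" + label + "': " + ca.getSubjectX500Principal());
    }
}
```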

Configure the Web server's certificate store

Add the signer certificate of the client HTTPS application to the Web server's SSL key file and to the list of trusted CA certificates for the Web server's secure application. This step is needed if the Web server configuration requires client authentication:

  1. Start the Digital Certificate Manager (DCM).
  2. On the left pane, click Select a Certificate Store.
  3. Select *SYSTEM and click Continue.
  4. On the Certificate Store and Password page, enter the password, then click Continue.
  5. On the left pane, click Fast Path.
  6. Select Work with CA certificates.
  7. Click the Import button.
  8. Specify USER_INSTALL_ROOT/etc/httpsClient.arm for the Import file: field value and click Continue.
  9. Specify httpsClient for the CA certificate label field value and click Continue.
  10. On the left pane, select Work with server applications. On this page, select the application used by the Web server's configuration, and click Work with Application.
  11. Click Define CA Trust List.
  12. Click the check box for the httpsClient CA, then click OK.

Configure WebSphere Application Server

You must specify some Java virtual machine properties for the application server. Use the WebSphere administrative console to perform these steps:

  1. In the navigation menu, expand Servers, and click Application Servers.
  2. In the Application Servers page, click the name of your server.
  3. Under Additional Properties, click Process Definition.
  4. Under Additional Properties, click Java Virtual Machine.
  5. Under Additional Properties, click Custom Properties.
  6. Click New to add a new property. Add these properties:

    Name                              Value
    java.protocol.handler.pkgs        com.ibm.net.ssl.internal.www.protocol
    javax.net.ssl.trustStore          USER_INSTALL_ROOT/etc/httpsClientKeys.jks, where USER_INSTALL_ROOT is the root directory of your instance
    javax.net.ssl.trustStorePassword  (Enter your password.)

    If the Web server requires client authentication, you need to additionally specify these properties:

    Name                              Value
    javax.net.ssl.keyStore            USER_INSTALL_ROOT/etc/httpsClientKeys.jks, where USER_INSTALL_ROOT is the root directory of your instance
    javax.net.ssl.keyStorePassword    (Enter your password.)

    Normally, javax.net.ssl.keyStore would point to a different keystore file from the trust store; this procedure uses the single httpsClientKeys.jks file for both.

    Click OK.

For a code example of a servlet that uses HTTPS, see Example: HTTPS servlet. The servlet retrieves the URL to display entered as a query string or as a servlet initialization parameter.
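The JVM custom properties above apply to every HTTPS connection the application server makes. As an added example (not the servlet the page refers to, and not IBM code), the following client loads the same httpsClientKeys.jks file into an SSLContext and applies it to one java.net.URL connection only, with the client-authentication key pair from step 5 presented on request; it assumes standard JSSE rather than the com.ibm.net.ssl handler, and the argument layout and class name are assumptions.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class HttpsUrlClient {
    /** Builds an SSLContext that trusts only the signers in httpsClientKeys.jks and, when
     *  clientAuth is true, presents the httpsClientTest key pair from the same file. */
    static SSLContext buildContext(String storePath, char[] password, boolean clientAuth) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) { ks.load(in, password); }

        // Trust store role: the "web-server" signer entry (javax.net.ssl.trustStore equivalent).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        // Key store role: the client's personal certificate (javax.net.ssl.keyStore equivalent).
        KeyManagerFactory kmf = null;
        if (clientAuth) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <https URL> <keystore path> <keystore password> [clientauth]
        URL url = new URL(args[0]);
        SSLContext ctx = buildContext(args[1], args[2].toCharArray(), args.length > 3);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());  // scoped to this connection, not the whole JVM
        // The default hostname verifier stays in place: the server certificate's name must
        // match url.getHost(), which is why step 5 uses the iSeries DNS name as Common Name.
        try (BufferedReader r = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
            for (String line; (line = r.readLine()) != null; ) System.out.println(line);
        }
    }
}
```

A handshake failure here usually means the Web server's CA is missing from the signer list or the URL host does not match the server certificate; check those before loosening trust.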