Secure WSRP by SSL for a Consumer portal

If the Producer from whom you consume WSRP services in your Consumer portal has enabled security by Secure Socket Layer (SSL), configure your Consumer portal for SSL with Client Certificate Authentication.

Security notice: Do not use portlets that utilize the Credential Vault over WSRP in conjunction with SSL client certificate authentication.

If you configure SSL client certificate authentication for WSRP services, the Consumer portal uses a proxy user ID to authenticate on behalf of its individual users. You configure the proxy user ID by means of a consumer-side SSL client certificate. This means that the WSRP Consumer provides the individual personalization information to the WSRP Producer, but authenticates for all users by using the same identity information. Consequently, if a portlet on the Producer portal utilizes the Credential Vault, all users from one Consumer portal access the same credential slot and can read and override individual settings in the credential slot. Therefore, do not use portlets that utilize the Credential Vault over WSRP in conjunction with SSL client certificate authentication.




Configure the WSRP Consumer portal for SSL

To secure the WSRP Consumer portal with SSL, use HTTP over SSL (HTTPS) for the communication. This task is mandatory. Enable transport layer security in the administrative console for each of the four WSRP ports by performing the following steps:

  1. Make the appropriate selection, depending on your version of WAS:

    • For WAS v6.1:

      Click Applications > Enterprise Applications > wps.

    • For WAS v7:

      Click Applications > Application Types > WebSphere enterprise applications > wps.

  2. Under Modules, click Manage Modules > wps.war > Web Services: Client Security Bindings.

  3. Select the appropriate HTTP SSL configuration. Perform this step for each of the four WSRP ports.

  4. Obtain the required information about the public client certificates of the HTTP servers from the Producer.

  5. Import the client certificates from the Producer into the corresponding truststores in your Consumer portal.

If the communication with the Producer is set up to use SSL, use https to address the Producer URL:

https://producer_portal_host:producer_port/wp_contextRoot/wsdl/wsrp_service.wsdl

For more information about securing Web services, refer to the WAS information center.

Configure the WSRP Consumer to use client certificate authentication

If the portal acts as a WSRP Consumer and uses client certificate authentication to integrate other Producers, you can configure the portal as described below.

This task is optional. To configure your Consumer portal to use client certificate authentication:

  1. Create the client certificate for the proxy user ID.

  2. Give the client certificate to the Producer so that the Producer can add it to the keystore on the Producer side.

  3. Add the required client certificate to the keystore that is defined for the SSL configuration of the Web service ports on the Consumer side.

  4. Add the required client certificate to the default truststore or keystore as configured for JSSE on the Consumer side. This is usually CACERTS. To confirm this, locate the file in AppServer_root/java/jre/lib/security.
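
Added example, not part of the original documentation or of the product: a stand-alone JSSE check that the truststore from the SSL procedure and the keystore from the client certificate procedure work against the Producer WSDL URL before you rely on them in the portal. The class name WsrpTlsCheck, the argument order, the file-type rule and the environment variable names WSRP_TRUST_PASS and WSRP_KEY_PASS are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example; class name, argument order and env var names are assumptions.
// Usage: java WsrpTlsCheck <Producer WSDL https URL> <truststore> <keystore>
public class WsrpTlsCheck {
    static KeyStore load(String path, char[] pass) throws Exception {
        // Assumption: .p12 files are PKCS12, anything else (such as cacerts) is JKS.
        KeyStore ks = KeyStore.getInstance(path.endsWith(".p12") ? "PKCS12" : "JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pass); } finally { in.close(); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Passwords come from the environment so they stay out of the process list.
        char[] trustPass = System.getenv("WSRP_TRUST_PASS").toCharArray();
        char[] keyPass = System.getenv("WSRP_KEY_PASS").toCharArray();
        KeyStore trust = load(args[1], trustPass);
        KeyStore keys = load(args[2], keyPass);
        // Client authentication needs a private-key entry, not only a certificate.
        boolean hasKey = false;
        for (String alias : Collections.list(keys.aliases())) hasKey |= keys.isKeyEntry(alias);
        if (!hasKey) throw new IllegalStateException("keystore has no private-key entry");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPass); // assumes the key password equals the keystore password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        HttpsURLConnection con = (HttpsURLConnection) new URL(args[0]).openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory());
        con.connect(); // a handshake failure (untrusted Producer, rejected client cert) surfaces here
        X509Certificate server = (X509Certificate) con.getServerCertificates()[0];
        Certificate[] sent = con.getLocalCertificates(); // null if no client certificate was sent
        System.out.println("Producer certificate: " + server.getSubjectX500Principal());
        System.out.println("Client certificate sent: "
                + (sent == null ? "none" : ((X509Certificate) sent[0]).getSubjectX500Principal().getName()));
        System.out.println("HTTP status for WSDL: " + con.getResponseCode());
        con.disconnect();
    }
}
```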