IBM Worklight Server and self-signed certificates
IBM Worklight Server does not recognize self-signed certificates unless you import them to a JRE keystore.
IBM Worklight Server uses a JRE keystore. By default, a JRE keystore contains only certificates issued by a known Certificate Authority (CA). When IBM Worklight Server tries to establish a connection to a backend that is protected by a self-signed certificate, it does not recognize the certificate and the connection fails. The solution to this problem is to import your self-signed certificates into the JRE keystore.
To obtain the self-signed certificate as a file, perform the following steps. If you already have your self-signed certificate as a file, skip to step 8.
- Install OpenSSL. Linux and Mac operating systems should already have it; a Windows version can be downloaded at: OpenSSL Binary Distributions.
- Run OpenSSL and enter the following command at the OpenSSL prompt:
    s_client -connect your-server-url:your-server-port
  This causes OpenSSL to connect to the remote server protected by the self-signed SSL certificate and retrieve the certificate data. The command produces a large amount of output. The important part of the output is shown in the following figure:
Certificate data output for creating a self-signed certificate
- Create a text file and copy this part into it, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Save this text file as your-certificate-name.cer, for example my-self-signed-cert.cer.
- Navigate to the JRE folder that your IBM Worklight Server is using:
  - If IBM Worklight Server is running on Jetty, it is the JRE used by Eclipse.
  - If IBM Worklight Server is running on Tomcat, it is the JRE used by Tomcat.
  - If IBM Worklight Server is running on WebSphere, it is the JRE that came with WebSphere. Keep in mind that your JRE might be inside a JDK. The jre\lib\security\cacerts file is the keystore of certificates trusted by that JRE.
- Using the keytool found in the JRE bin\ folder, import the certificate saved previously into the cacerts file, by using the following syntax:
    keytool -import \
      -trustcacerts \
      -alias "your-certificate-alias" \
      -keystore path-to-cacerts-file \
      -file path-to-your-cer-file
  For example (the keystore path is given relative to the bin\ folder, hence the leading ..\):
    cd c:\Java\jre6\bin
    keytool.exe -import -trustcacerts -alias "my-cert" -keystore ..\lib\security\cacerts -file c:\my-self-signed-certificate.cer
- Enter your keystore password when prompted. The default password is changeit. keytool then shows the certificate details and asks whether to trust it; confirm only after checking that the details match the certificate you expected to retrieve.
- When your self-signed certificate is imported into the JRE keystore, restart Jetty, Tomcat, or WebSphere for the change to take effect. This procedure has been verified with Jetty, Tomcat, and WebSphere.
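The procedure above as an added shell script (not part of the IBM documentation): it fetches the certificate the way the s_client step does, refuses it unless its SHA-256 fingerprint matches one obtained from the backend owner out of band, and then imports it with keytool. The host, port, alias, JRE path and expected fingerprint are caller-supplied assumptions, and the embedded s_client output is a constructed sample.

```shell
# Added example (not from the IBM documentation): fetch the backend's
# certificate as the page's s_client step does, refuse it unless its SHA-256
# fingerprint matches one obtained out of band, then import it with keytool.

# Constructed sample of `openssl s_client` output (not a real certificate),
# used to exercise extract_first_cert offline.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
verify error:num=18:self signed certificate
-----BEGIN CERTIFICATE-----
MIIBsampleNOTAREALCERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SECONDBLOCKMUSTBEDROPPED
-----END CERTIFICATE-----'

# Keep only the first PEM block (the server certificate), BEGIN and END
# lines included: the part the page says to copy into a .cer file.
extract_first_cert() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
    awk '{ print } /-----END CERTIFICATE-----/ { exit }'
}

# SHA-256 fingerprint (AB:CD:...) of the PEM certificate read from stdin.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Case-insensitive comparison. On mismatch nothing is imported: a certificate
# placed in cacerts is trusted by every Java process that uses that JRE.
fingerprint_matches() {
  [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# keytool is in $JRE/bin and the keystore in $JRE/lib/security/cacerts, so
# both paths hang off the JRE root. keytool prompts for the store password.
import_into_cacerts() {  # $1 = .cer file, $2 = alias, $3 = JRE home
  "$3/bin/keytool" -import -trustcacerts -noprompt -alias "$2" \
    -keystore "$3/lib/security/cacerts" -file "$1"
}

# Usage: sh import-self-signed.sh HOST PORT ALIAS JRE_HOME EXPECTED_SHA256
if [ $# -eq 5 ]; then
  cer="$3.cer"
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | extract_first_cert >"$cer"
  observed=$(cert_fingerprint <"$cer")
  fingerprint_matches "$observed" "$5" ||
    { echo "fingerprint mismatch: got $observed, expected $5" >&2; exit 1; }
  import_into_cacerts "$cer" "$3" "$4"
fi
```

Run it once per backend and restart the server afterwards, as the last step describes; the script exits non-zero without touching cacerts when the fingerprint does not match.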