IBM Worklight Server and self-signed certificates

IBM Worklight Server does not recognize self-signed certificates unless you import them to a JRE keystore.

IBM Worklight Server uses a JRE keystore. By default, a JRE keystore only contains certificates issued by a known Certificate Authority (CA). When IBM Worklight Server tries to establish a communication with a backend that is protected by a self-signed certificate, it does not recognize the certificate and the connection fails. The solution to this problem is to import your self-signed certificates to a JRE keystore.

To create a self-signed certificate, perform the following steps. If you already have your self-signed certificate as a file, skip to step 8.

  1. Install OpenSSL. Linux and Mac operating systems should already have it; a Windows version can be downloaded at: OpenSSL Binary Distributions.

  2. Run the following OpenSSL command (at the `OpenSSL>` prompt of an interactive session, omit the leading `openssl`):

      openssl s_client -connect your-server-url:your-server-port

    This causes OpenSSL to connect to a remote server protected by a self-signed SSL certificate to retrieve the certificate data. A substantial amount of output is visible. The important part of the output is shown in the following figure:

    Certificate data output for creating a self-signed certificate

  3. Create a text file and copy this part into it, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  4. Save this text file as your-certificate-name.cer, for example my-self-signed-cert.cer.

  5. Navigate to the JRE folder that your IBM Worklight Server is using:

    1. If IBM Worklight Server is running on Jetty, it's the JRE used by Eclipse.

    2. If IBM Worklight Server is running on Tomcat, it's the JRE used by Tomcat.

    3. If IBM Worklight Server is running on WebSphere, it's the JRE that came with WebSphere. Keep in mind that your JRE might be inside a JDK. The jre\lib\security\cacerts file is a keystore of JRE certificates.

  6. Using the keytool found in the JRE bin\ folder, import the certificate created previously to the cacerts file, by using the following syntax:

    keytool -import  \
            -trustcacerts  \
            -alias "your-certificate-alias"  \
            -keystore path-to-cacerts-file  \
            -file path-to-your-cer-file
    

    For example:

    cd c:\Java\jre6\bin
    keytool.exe -import -trustcacerts -alias "my-cert" -keystore lib\security\cacerts -file c:\my-self-signed-certificate.cer

  7. Enter your keystore password. The default password is changeit.

  8. When your self-signed certificate is imported to the JRE keystore, restart your Jetty/Tomcat/WebSphere for the change to take effect. This solution has been verified with Jetty, Tomcat, and WebSphere.
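The whole procedure, steps 2 through 7, as one POSIX shell script. This is an added example and not an IBM script; it assumes `openssl` and `keytool` are on the PATH, that you know the cacerts path of the JRE your server uses, and that you have obtained the certificate's SHA-256 fingerprint out of band from the backend's owner (the `EXPECTED_FINGERPRINT` placeholder). The fingerprint check is the one addition a practitioner would want: it makes sure the certificate you are about to trust is the backend's own and not one substituted on the network path. The script also backs up cacerts before touching it and confirms the alias is present afterwards.

```shell
#!/bin/sh
# Added example (not IBM's own code). Fetches a backend's self-signed
# certificate, verifies its fingerprint, and imports it into a JRE cacerts.
# Placeholders you must replace: BACKEND_HOST, BACKEND_PORT, CACERTS,
# EXPECTED_FINGERPRINT. The keystore password defaults to changeit.

# Print only the first PEM certificate block from s_client output on stdin
# (with -showcerts the output may contain several; the first is the leaf).
extract_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print }
       /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Step 2-4: connect, capture the certificate, save it as a .cer file.
fetch_cert() {
  host=$1; port=$2; outfile=$3
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | extract_pem > "$outfile"
  [ -s "$outfile" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
}

# Print the SHA-256 fingerprint of a PEM certificate, upper-case, colon-separated.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//' | tr 'a-z' 'A-Z'
}

# Refuse to import unless the fingerprint matches the one obtained out of band.
check_fingerprint() {
  actual=$(cert_fingerprint "$1")
  expected=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
  [ "$actual" = "$expected" ] || {
    echo "fingerprint mismatch: got $actual, expected $expected" >&2; return 1; }
}

# Step 6-7: back up cacerts, import under the alias, and verify the alias exists.
import_cert() {
  cacerts=$1; alias=$2; cerfile=$3; storepass=${4:-changeit}
  cp "$cacerts" "$cacerts.bak"
  keytool -import -trustcacerts -noprompt -alias "$alias" \
          -keystore "$cacerts" -file "$cerfile" -storepass "$storepass"
  keytool -list -keystore "$cacerts" -alias "$alias" -storepass "$storepass" >/dev/null
}

main() {
  BACKEND_HOST=backend.example.test          # placeholder
  BACKEND_PORT=443                            # placeholder
  CACERTS=/path/to/jre/lib/security/cacerts   # placeholder
  EXPECTED_FINGERPRINT=AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99  # placeholder
  CERFILE=my-self-signed-cert.cer

  fetch_cert "$BACKEND_HOST" "$BACKEND_PORT" "$CERFILE"
  check_fingerprint "$CERFILE" "$EXPECTED_FINGERPRINT"
  import_cert "$CACERTS" my-cert "$CERFILE"
  echo "imported $CERFILE into $CACERTS as alias my-cert; restart the server"
}

# Run the whole procedure only when invoked as: sh import-cert.sh --run
if [ "${1-}" = "--run" ]; then
  shift
  main "$@"
fi
```

Run it once against a copy of cacerts first; if `check_fingerprint` fails, stop and confirm the fingerprint with the backend's owner rather than importing, since a certificate that does not match is exactly what this check exists to catch.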
