
For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.


Configure SSL between MobileFirst adapters and back-end servers by using self-signed certificates

You can configure SSL between MobileFirst adapters and back-end servers by importing the back-end server's self-signed SSL certificate into the MobileFirst keystore.


Procedure

  1. Export the server public certificate from the back-end server keystore.

    Note: Export back-end public certificates from the back-end keystore by using keytool or openssl lib. Do not use the export feature in a web browser.

  2. Import the back-end server certificate into the MobileFirst keystore.
  3. Deploy the new MobileFirst keystore. For more information, see Configure the MobileFirst Server keystore.


Example

The CN (common name) of the back-end certificate must match the domain that is configured in the adapter descriptor file, adapter.xml. For example, consider an adapter.xml file that is configured as follows:

The back-end certificate must be generated with CN=mybackend.com.

As another example, consider the following adapter configuration:

The back-end certificate must be generated with CN=123.124.125.126.

The following example demonstrates how you complete the configuration by using the Keytool program.

  1. Create a back-end server keystore with a private certificate that is valid for 365 days.

      keytool -genkey -alias backend -keyalg RSA -validity 365 -keystore backend.keystore -storetype JKS

    Note: The First and Last Name field contains your server URL, which we use in the adapter.xml configuration file, for example mydomain.com or localhost.

  2. Configure your back-end server to work with the keystore. For example, in Apache Tomcat, you change the server.xml file:

      <Connector port="443" SSLEnabled="true" maxHttpHeaderSize="8192" 
        maxThreads="150" minSpareThreads="25" maxSpareThreads="200"
        enableLookups="false" disableUploadTimeout="true"         
        acceptCount="100" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="backend.keystore" keystorePass="password" keystoreType="JKS"
        keyAlias="backend"/>

  3. Check the connectivity configuration in the adapter.xml file:

      <connectivity>
        <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
          <protocol>https</protocol>
          <domain>mydomain.com</domain>
          <port>443</port>
          <!-- The following properties are used by adapter's key manager for choosing a specific certificate from the key store
          <sslCertificateAlias></sslCertificateAlias> 
          <sslCertificatePassword></sslCertificatePassword>
          -->		
        </connectionPolicy>
        <loadConstraints maxConcurrentConnectionsPerNode="2"/>
      </connectivity>

  4. Export the public certificate from the created back-end server keystore:

      keytool -export -alias backend -keystore backend.keystore -rfc -file backend.crt

  5. Import the exported certificate into the MobileFirst Server keystore:

      keytool -import -alias backend -file backend.crt -storetype JKS -keystore mfp.keystore

  6. Check that the certificate is correctly imported in the keystore:

      keytool -list -keystore mfp.keystore

  7. Deploy the new MobileFirst Server keystore.
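
The CN requirement stated at the start of this example can be checked before the keystore is deployed. The following Python sketch is an added example, not IBM or MobileFirst code: it compares the <domain> value in adapter.xml with the CN on the Owner line printed by keytool -printcert -file backend.crt, and reports whether Owner and Issuer are the same DN. The function names, the wrapping <adapter> root element, and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_ADAPTER_XML = """<adapter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <connectivity>
    <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
      <protocol>https</protocol>
      <domain>mydomain.com</domain>
      <port>443</port>
    </connectionPolicy>
  </connectivity>
</adapter>"""
SAMPLE_PRINTCERT = """Owner: CN=mydomain.com, OU=Dev, O=Example, L=City, ST=State, C=US
Issuer: CN=mydomain.com, OU=Dev, O=Example, L=City, ST=State, C=US
"""

def adapter_domain(adapter_xml):
    """Return the <domain> text from adapter.xml, ignoring XML namespaces."""
    for el in ET.fromstring(adapter_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "domain":
            return (el.text or "").strip()
    raise ValueError("adapter.xml has no <domain> element")

def dn_line(printcert_output, label):
    """Return the DN on the 'Owner:' or 'Issuer:' line of keytool -printcert output."""
    m = re.search(rf"^{label}:\s*(.+)$", printcert_output, re.MULTILINE)
    if not m:
        raise ValueError(f"no {label} line in keytool output")
    return m.group(1).strip()

def common_name(dn):
    """Extract the CN value from a DN, honouring backslash-escaped commas."""
    m = re.search(r"(?:^|,\s*)CN=((?:\\.|[^,])+)", dn, re.IGNORECASE)
    if not m:
        raise ValueError("DN has no CN attribute")
    return m.group(1).strip()

def check_backend_cert(adapter_xml, printcert_output):
    """Compare the certificate CN with <domain>; self_signed is a DN comparison only."""
    owner = dn_line(printcert_output, "Owner")
    cn, domain = common_name(owner), adapter_domain(adapter_xml)
    return {
        "cn": cn,
        "domain": domain,
        "cn_matches": cn.lower() == domain.lower(),
        "self_signed": owner == dn_line(printcert_output, "Issuer"),
    }
```

A result with cn_matches set to False means the certificate was generated with a First and Last Name value that differs from the adapter's <domain>, so the certificate should be regenerated before it is imported into mfp.keystore.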
