It's all about the answers!

Ask a question

6.03 installation with mutal authentication

vowner owner (25431) | asked Feb 27 '18, 1:14 a.m.

 in our clm 6.0.3 setup plan, our applications (JTS,CCM,QM,RM,DNG,DM,DCC,LQE, JRS,RELM) need to be hosted in 9 different linux servers with bundled liberty profile.And also we have one IHS server in front of them.

So as per the installation process, we have installed these applications in 9 linux servers and installed IHS server.

In IHS Server

We created a kdb file and created a csr and raised the certificate request to CA.

Here we would need some more clarification on the below queries.

1) Once we got the Certificate from the CA, can we add the certificate to the IHS server kdb file (in personal certificate)

2) As per the installation guide, the next step will be making the ssl handshake with IHS and Liberty profiles. so we need to import the keystore of each liberty profiles (9 liberty profile here) to IHS keystore .

  ***But  Here the customer needs mutual ssl authentication between all the application servers (eg: 1 application to all other 8 applications, for all  and IHS also should be in mutual authentication.)along with IHS ( Means, IHS<->JTS<->CCM<->QM<->RM<->DNG<->DM<->DCC<->LQE<-> JRS<->RELM)

So we are planning to raise and get a Certificate from CA for each server using the liberty default key store and for IHS also by using the IHS kdb file. once we get the certificates for all 9 servers, and IHS, 

a) first we will import the IHS SSL certificate to all 9 applications default keystore using ikeyman. (But in personal or Signer?)
b) from each applications, created certificates from CA, will import to all other applications keystore file ( is it in personal certificate or signer certificate?)
c) once all the applications key store are imported with other applications certificates. we will copy the updated keystore from each applications  servers to IHS server and will Import to  IHS kdb file for ssl authentication.

is this approach is correct or guide as for any changes need to be done ?

Accepted answer

permanent link
Richard Rakich (1113) | answered Mar 16 '18, 12:23 p.m.

 IHS only needs to know about the Liberty profiles self signed certificates, as when the applications hosted in the Liberty profiles contact each other, it is through the public side of IHS, which has the validated certificate from a root CA provider. 

In this case, you do not need to cross certify all of the systems with each other as IHS is the single point of entry.  The base java keystore contains the publicly available root certificates to validate the certificate on the front side of IHS.

If this doesn't answer your question and you are still confused, you may want to reach out to the Websphere support team and they can walk you through the configuration and answer your questions a bit better than we can here.

vowner owner selected this answer as the correct answer

6 other answers

permanent link
Donald Nong (14.5k414) | answered Feb 27 '18, 1:42 a.m.

Which document are you following? I guess this one?

Since you have IHS as a reverse proxy, there should be no traffic between any two of the Liberty profiles. So you only need to care about the SSL handshake between IHS and each Liberty profile. Depending on your company's security policy, you can use self-signed SSL certificates for the Liberty profiles. In other words, you only need to request a CA-signed certificate for IHS.

permanent link
vowner owner (25431) | answered Feb 27 '18, 3:17 a.m.

  Hi, Donald,

Thanks for your quick reply.
yes, I referred the same link only.
So i could understand from your answer that there wont be any communication between the different applications liberty profiles if IHS is there.
So i can avoid those steps to configure mutual authentication in between applications.

So making IHS and Liberty profile with mutual authentication, what process we can   take here.
so for liberty profiles, we can process with self signed certificates? .
if client is okay for generating CA signed, we can use that for each liberty profile ?
for making IHS to Liberty ssl mutual handshake, is this process sounds good ?

1) will raise a csr with IHS kdb file to get a certificate.
2) once the certificate is delivered, will add that to the ihs server personel certificate.
3) how to make this IHS server certificate imported to each liberty profile ?
   a) can we extract the certificate from IHS server kdb file and copy and import this to each liberty profile default keystore
   b) for making the libert severs to IHS server ssl authentication, viceversa, can we copy and iport the keystore files to IHS server.

Donald Nong commented Feb 28 '18, 12:14 a.m.

Exporting/importing an SSL certificate should be the same regardless which truststore you are dealing with. What you need to care about is which certificate you import. The end result should be like this - a client (say, IHS) sends a request to the server (say, Liberty) to establish an SSL connection, the server returns a certificate, the client checks the certificate and verifies it's in its truststore (i.e. the certificate is trusted), and the client proceeds with the connection. It is also true if you make Liberty as the client and IHS as the server.

permanent link
vowner owner (25431) | answered Feb 27 '18, 5:16 a.m.

permanent link
Ralph Schoon (62.7k33643) | answered Feb 27 '18, 9:47 a.m.

If this is a duplicate of  let me know which one you want to keep so  can close the other one.

permanent link
vowner owner (25431) | answered Feb 27 '18, 11:10 p.m.

Hi Ralph,

Sure, You can close the other one.

But in both the requests am stuck there with how to implement the SSL mutual authentication with IHS server and each servers liberty profile.

I had given one scenario which we planned to implement, but need some more clarification on the activity...

permanent link
vowner owner (25431) | answered Mar 01 '18, 4:33 a.m.

Hi Donald,
The example was well clear .Thanks!

But again have one query that, by considering the scenario as follow.

1st communication):-Considering IHS as client and liberty profile as server.

       When establish an SSL connection, the server returns a certificate, the client (IHS)    checks the certificate and verifies it's in its truststore (i.e. the certificate is trusted) . How to make this trusting by details. which approach i can take care . I am using IKEYMAN.

 a) Liberty profiles already have default key sore file. can we directly copy this and import to IHS kdb file  ? will it make it trusted here ?

  b)  or do we need  extract the certificates from Liberty profiles default keystore and copy and import the certificate to ihskdb file ?
  Both are same?..
and one more clarification needed as, We dont have a trust file in IHS, So same .kdb file will act as the trust store here?

2) Considering Liberty to IHS communication.

For making IHS certificates trusted in Liberty profile trust store. What approach we can take here ?

can we follow the same way as extracting the certificate frrom IHS servers kdb file and import in liberty server keystore.


Donald Nong commented Mar 01 '18, 11:54 p.m.

The operation you need is export/import, not copy. You export the SSL certificate from the server's keystore, then import it into the client's truststore (can be the same as the keystore). As long as you identify the client and server, it does not matter whether it is IHS or Liberty.

vowner owner commented Mar 02 '18, 6:35 a.m.

Hi Donald,

We are using ikeyman for certificate activities. 
There we have two options with the opened kdb files. one is "export keys" and other is "extract Certificate".

which option we can take here to get the applications certificate and to import this into IHS kdb file.

Here we selected "extract certificate from keystore" option to get the certificate from each clm liberty profiles. Are we correct here ? 

Donald Nong commented Mar 04 '18, 7:42 p.m.

If you follow the document that I posted earlier, there is no "export" or "extract" involved. It says "Copy the certificate keystore from each liberty profile to Server1 hosting IHS", which means to take the keystore file as is.

vowner owner commented Mar 04 '18, 11:15 p.m.

Hi Donald,

Sorry to ask you again that the given information is not clear for me.

So you meant to say that copied keystore file of libery in IHs, no need to import the IHS kdb  file ? Just copy as its ? Any location or specific configuration we need to do ?

Also how to make the IHS mutualy authenticated with this libert servers . We have kdb file in IHS. So what process can do for this. 

vowner owner commented Mar 04 '18, 11:18 p.m.

Also I couldn't find any document which is posted by you as you mentioned in previous comment,

vowner owner commented Mar 05 '18, 10:54 p.m.

Any advise please 

Donald Nong commented Mar 06 '18, 1:25 a.m.

vowner owner commented Mar 06 '18, 11:25 a.m.

any suggestion here 

vowner owner commented Mar 16 '18, 8:37 a.m.

Hi Donald,

But here its not describing anything about how to make the mutual ssl authentication with the IHS,

I meant in liberty server what need to do make mutual authentication with IHS, in the given link its describing only about IHS side and no configuration steps from liberty side..

showing 5 of 9 show 4 more comments

Your answer

Register or to post your answer.