6.0.3 installation with mutual authentication
In our CLM 6.0.3 setup plan, our applications (JTS, CCM, QM, RM, DNG, DM, DCC, LQE, JRS, RELM) need to be hosted on 9 different Linux servers with the bundled Liberty profile. We also have one IHS server in front of them.
So, as per the installation process, we have installed these applications on the 9 Linux servers and installed the IHS server.
In the IHS server:
We created a kdb file, created a CSR and raised the certificate request to the CA.
Here we need some more clarification on the queries below.
1) Once we get the certificate from the CA, can we add the certificate to the IHS server kdb file (under personal certificates)?
2) As per the installation guide, the next step is making the SSL handshake work between IHS and the Liberty profiles, so we need to import the keystore of each Liberty profile (9 Liberty profiles here) into the IHS keystore.
***But here the customer needs mutual SSL authentication between all the application servers (e.g. one application to all other 8 applications, for all of them), and IHS should also be in mutual authentication along with them (meaning IHS<->JTS<->CCM<->QM<->RM<->DNG<->DM<->DCC<->LQE<->JRS<->RELM).
So we are planning to raise and get a certificate from the CA for each server using the Liberty default keystore, and for IHS as well using the IHS kdb file. Once we get the certificates for all 9 servers and IHS:
a) First we will import the IHS SSL certificate into the default keystore of all 9 applications using ikeyman. (But as personal or signer?)
b) From each application, the certificates obtained from the CA will be imported into all other applications' keystore files (as a personal certificate or a signer certificate?)
c) Once all the applications' keystores have been imported with the other applications' certificates, we will copy the updated keystore from each application server to the IHS server and import it into the IHS kdb file for SSL authentication.
Is this approach correct, or can you guide us on any changes that need to be done?
Accepted answer
IHS only needs to know about the Liberty profiles' self-signed certificates, as when the applications hosted in the Liberty profiles contact each other, it is through the public side of IHS, which has the validated certificate from a root CA provider.
In this case, you do not need to cross-certify all of the systems with each other, as IHS is the single point of entry. The base Java keystore contains the publicly available root certificates to validate the certificate on the front side of IHS.
If this doesn't answer your question and you are still confused, you may want to reach out to the WebSphere support team; they can walk you through the configuration and answer your questions a bit better than we can here.
vowner owner selected this answer as the correct answer
6 other answers
Which document are you following? I guess this one?
Hi Donald,
Thanks for your quick reply.
Yes, I referred to the same link.
So I understand from your answer that there won't be any communication between the different applications' Liberty profiles if IHS is there.
So I can avoid those steps to configure mutual authentication between the applications.
So for making IHS and the Liberty profiles use mutual authentication, what process can we take here?
So for the Liberty profiles, can we proceed with self-signed certificates?
If the client is okay with generating CA-signed certificates, can we use those for each Liberty profile?
For making the IHS-to-Liberty SSL mutual handshake, does this process sound good?
1) We will raise a CSR with the IHS kdb file to get a certificate.
2) Once the certificate is delivered, we will add it to the IHS server's personal certificates.
3) How do we get this IHS server certificate imported into each Liberty profile?
a) Can we extract the certificate from the IHS server kdb file, copy it and import it into each Liberty profile's default keystore?
b) For making the Liberty servers to IHS server SSL authentication work, and vice versa, can we copy and import the keystore files to the IHS server?
Comments
Donald Nong
commented Feb 28 '18, 12:14 a.m.
Exporting/importing an SSL certificate should be the same regardless of which truststore you are dealing with. What you need to care about is which certificate you import. The end result should be like this: a client (say, IHS) sends a request to the server (say, Liberty) to establish an SSL connection, the server returns a certificate, the client checks the certificate and verifies it's in its truststore (i.e. the certificate is trusted), and the client proceeds with the connection. It is also true if you make Liberty the client and IHS the server.
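The accepted answer and Donald's comment above both come down to one rule: a peer is trusted only after its public certificate has been exported from its own keystore and imported as a signer into the other side's truststore, and mutual authentication is that same step done in both directions. The script below is an added example, not from the thread or from IBM documentation; it models the rule with plain OpenSSL files instead of ikeyman/kdb or Liberty JKS keystores. The host aliases (ihs, jts), the CNs and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread or IBM documentation).
# Each side keeps its own self-signed certificate and private key; a peer is
# trusted only once its public certificate has been exported and imported
# into the other side's truststore. Aliases and CNs are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a self-signed certificate plus private key for one host.
# $1 = alias used for file names, $2 = CN placed in the subject.
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# Export only the public certificate (the ikeyman "Extract Certificate" move).
# The private key never leaves its keystore ("Export Keys" is not what you want).
export_cert() {
  cp "$WORKDIR/$1.pem" "$WORKDIR/$1.exported.crt"
}

# Import a peer's exported certificate as a trusted signer into $1's truststore.
# $1 = owner of the truststore, $2 = peer whose certificate is being trusted.
import_signer() {
  cat "$WORKDIR/$2.exported.crt" >> "$WORKDIR/$1.truststore.pem"
}

# What the client side of the handshake does: validate the certificate the
# peer presented against the client's own truststore. Prints trusted/untrusted.
# $1 = side doing the check, $2 = peer presenting its certificate.
verify_peer() {
  if [ -f "$WORKDIR/$1.truststore.pem" ] &&
     openssl verify -CAfile "$WORKDIR/$1.truststore.pem" "$WORKDIR/$2.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Mutual authentication: each side must trust the other. Prints four results:
# ihs checks jts, jts checks ihs, before the import and then after it.
demo_mutual_trust() {
  rm -f "$WORKDIR/ihs.truststore.pem" "$WORKDIR/jts.truststore.pem"
  gen_selfsigned ihs ihs.example.test
  gen_selfsigned jts jts.example.test
  before_ihs=$(verify_peer ihs jts)
  before_jts=$(verify_peer jts ihs)
  export_cert ihs
  export_cert jts
  import_signer ihs jts   # IHS truststore now holds the JTS signer certificate
  import_signer jts ihs   # JTS truststore now holds the IHS signer certificate
  after_ihs=$(verify_peer ihs jts)
  after_jts=$(verify_peer jts ihs)
  echo "$before_ihs $before_jts $after_ihs $after_jts"
}

demo_mutual_trust
```

Running it prints `untrusted untrusted trusted trusted`: before the exchange neither side accepts the other's certificate, afterwards both do. Note that only the `.exported.crt` file (public certificate) crosses between hosts; copying a whole keystore, as the question proposes, would also move the private key to a server that has no business holding it. The script checks the trust step only; requiring the client certificate during the handshake is a setting in each server's SSL configuration, which this thread does not cover.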
Ralph Schoon
answered Feb 27 '18, 9:47 a.m.
If this is a duplicate of https://jazz.net/forum/questions/250037/clm-603-installation-with-ssl-mutual-authentication-between-applications-as-well-as-dbs let me know which one you want to keep so I can close the other one.
Hi Ralph,
Sure, you can close the other one.
But in both requests I am stuck on how to implement the SSL mutual authentication between the IHS server and each server's Liberty profile.
I had given one scenario which we planned to implement, but I need some more clarification on the activity...
Hi Donald,
Comments
Donald Nong
commented Mar 01 '18, 11:54 p.m.
The operation you need is export/import, not copy. You export the SSL certificate from the server's keystore, then import it into the client's truststore (can be the same as the keystore). As long as you identify the client and server, it does not matter whether it is IHS or Liberty.
vowner owner
commented Mar 02 '18, 6:35 a.m.
Hi Donald,
We are using ikeyman for certificate activities.
There we have two options with the opened kdb files: one is "Export Keys" and the other is "Extract Certificate".
Which option can we take here to get the application's certificate and import it into the IHS kdb file?
Here we selected the "Extract Certificate from keystore" option to get the certificate from each CLM Liberty profile. Are we correct here?
Donald Nong
commented Mar 04 '18, 7:42 p.m.
If you follow the document that I posted earlier, there is no "export" or "extract" involved. It says "Copy the certificate keystore from each liberty profile to Server1 hosting IHS", which means to take the keystore file as is.
vowner owner
commented Mar 04 '18, 11:15 p.m.
Hi Donald,
Sorry to ask you again, but the given information is not clear to me.
So you mean that the copied Liberty keystore file in IHS does not need to be imported into the IHS kdb file? Just copy it as is? Is there any location or specific configuration we need to do?
Also, how do we make IHS mutually authenticated with these Liberty servers? We have a kdb file in IHS. So what process can we do for this?
vowner owner
commented Mar 04 '18, 11:18 p.m.
Also, I couldn't find any document posted by you as you mentioned in your previous comment.
vowner owner
commented Mar 05 '18, 10:54 p.m.
Any advice please?
Donald Nong
commented Mar 06 '18, 1:25 a.m.
I was referring to this document:
vowner owner
commented Mar 06 '18, 11:25 a.m.
Any suggestion here?
vowner owner
commented Mar 16 '18, 8:37 a.m.
Hi Donald,