You can configure Transport Layer Security (TLS) by adding
a keystore, truststore, and choosing the certificate alias for your
configuration.
Before you begin
You can configure TLS with Version 1.0.0.4 or later.
- You must be using WebSphere® eXtreme Scale Client Version 7.1 Fix 1 or later.
- You must be assigned the Appliance administration permission to
perform these steps.
- You must have a keystore, truststore, and associated passwords
that you want to add to the appliance configuration.
- To avoid browser warnings when you access the user interface from
different appliances, consider including a wildcard in the Common
Name (CN) of the certificate in the keystore. Each appliance uses
the same certificate for TLS configuration, as specified by the certificate
alias. For example, you might use *.mycompany.com instead
of myhost.mycompany.com to make the certificate
valid for all hosts in the mycompany domain.
- If you have global security enabled in WebSphere Application Server, this setting determines how that server attempts connections to the WebSphere DataPower® XC10 Appliance. You must add the public certificate of the appliance to the WebSphere Application Server truststores. If your WebSphere DataPower XC10 Appliance has TLS required configured, or you want WebSphere Application Server to use TLS when TLS supported is configured, you must enable global security. For more information about configuring global security, see Global security settings.
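The wildcard Common Name note above has a limit worth checking before you generate the shared certificate: a wildcard covers exactly one label, so *.mycompany.com matches myhost.mycompany.com but not a.b.mycompany.com. The following added example (not part of the original documentation or the appliance software) implements the usual browser matching rules and reports which hosts in a collective a given CN would fail to cover; the host names are constructed.

```python
import re

# Constructed example: the appliance hosts that share one certificate.
APPLIANCE_HOSTS = ["xc10-a.mycompany.com", "xc10-b.mycompany.com"]

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def cn_matches(cn: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname.

    Rules follow common browser behaviour (RFC 6125 style): the wildcard must be
    the entire leftmost label, it matches exactly one label, and the comparison
    is case-insensitive.
    """
    cn, hostname = cn.lower().rstrip("."), hostname.lower().rstrip(".")
    cn_labels, host_labels = cn.split("."), hostname.split(".")
    if not all(_LABEL.match(label) for label in host_labels):
        return False  # hostname is not a valid DNS name
    if "*" not in cn:
        return cn == hostname  # plain name: exact match only
    if cn_labels[0] != "*" or "*" in cn[2:]:
        return False  # reject partial ("xc*.example.com") or non-leftmost wildcards
    if len(cn_labels) < 3:
        return False  # "*.com" would cover an entire TLD; reject
    # Wildcard consumes exactly one label; the remaining labels must match.
    return len(cn_labels) == len(host_labels) and cn_labels[1:] == host_labels[1:]


def uncovered_hosts(cn: str, hosts) -> list:
    """Hosts in the collective that the shared certificate would NOT match."""
    return [h for h in hosts if not cn_matches(cn, h)]
```

Current browsers validate the host name against the Subject Alternative Name extension rather than the CN, so put the same wildcard name in the SAN as well when you create the keystore entry.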
About this task
The TLS settings apply to the user interface and data grids.
The settings are applied to all of the appliances in the collective.
Procedure
- Go to the Settings panel. To manage your security options, go to the Settings panel with one of the following paths:
  - From the menu bar in the WebSphere DataPower XC10 Appliance user interface, click .
  - From the Welcome page, click the Customize settings link in the Step 1: Set up the appliance section.
- Expand Transport Layer Security (TLS).
- Upload new keystore and truststore information. After
you upload a keystore or truststore, you must update the associated
password. If you are using the default truststore, the password is xc10pass.
- If you uploaded a keystore, select the certificate alias
for the collective to use.
- Specify the transport type. If you want to support both
TCP/IP and TLS protocols, select TLS supported.
If you want to require connections through the TLS protocol, select TLS
required.
- To require the client to send a trusted certificate to enable
communication, select Enable client certificate authentication.
- Click Submit TLS settings to save
the changes to your configuration.
Results
The configured truststore is active. The collective must restart to complete the TLS configuration changes.
Limited portions of the user interface are accessible when the collective is restarting. If you cannot access portions of the user interface, wait for an appropriate time and submit the request again. The Tasks panel shows completion for some TLS changes automatically by displaying a success status.
You might need to restart the browser, log out and log back in to the user interface, or trust new certificates from a browser prompt.
If the user interface seems to be unavailable when client authentication is enabled, verify that you have a trusted client certificate imported into the browser. If a trusted client certificate is not imported into the browser, you cannot access the user interface. After you successfully log on to the user interface, the task indicates the success of the TLS configuration.
To download the active truststore
at any time, click Download active truststore.
Downloading the active truststore is useful if you are adding trusted
entries for client authentication. After the download, you can verify
that you are changing the latest truststore. If you are uploading
a new truststore, the truststore becomes available for download after
you submit the new settings. The file name of the downloaded truststore
is not the same as the original file name that was used when the truststore
was uploaded.
What to do next
- If you are configuring a data grid with WebSphere Application Server and you have TLS required, or you want WebSphere Application Server to use TLS, you must also enable global security. For more information about configuring global security, see Global security settings. If you have global security enabled, you also must add the public certificate of the appliance to the WebSphere Application Server truststores.
Use one of the following options:
  - If you are using the default appliance truststore: Run the addXC10PublicCert.py script from the WAS_HOME/bin directory on the deployment manager to add the appliance public certificate to the WebSphere Application Server default truststores.
  - If you are using custom keys for the appliance: Run the addXC10PublicCert.py script from the WAS_HOME/bin directory on the deployment manager with the -certPath command line option to insert the appliance public certificate into the WebSphere Application Server default truststores. The value of the -certPath command line option is the disk location of the public certificate that corresponds to the alias that is configured for the keystore on the appliance.
If you generate new key pairs for the appliance and are using HTTP session management, regardless of the TLS settings, you must move the new appliance public certificate into the WebSphere Application Server truststores for the WebSphere DataPower XC10 Appliance HTTP session management administration to work.
- You might want to use a private certificate authority (CA) to
sign the certificate that is associated with the certificate alias
that you chose for your TLS configuration. You can then import the
CA certificate into the browser and trust any collective with a certificate
signed by the private CA without being prompted. Using a private CA
is generally only appropriate for access on a private intranet.