Configuring the Liberty profile for data grids that are accessed with SSL enabled

If you have client applications that are deployed in the WebSphere® Application Server Liberty profile, then you can configure the Liberty profile for HTTPS, which automatically uses SSL and data encryption for secured web servers.

Procedure

  1. Run the following command to create the SSL certificate and enable HTTPS:
    cd to lib_dir\bin
    securityUtility createSSLCertificate --server=server_name --password=xc10test
  2. Set the following JAVA_HOME property from a command line. Be sure to issue the command from the directory where the Liberty profile is installed; for example:
    JAVA_HOME=/opt/liberty/java
  3. Add the following JVM argument to the etc/jvm.options file:
    -Dobjectgrid.client.props=/opt/liberty/objectGridClient.properties
  4. Set the following properties in the objectGridClient.properties file:
    For client machines with multiple IP addresses:
    listenerHost=10.1.1.13
    Specifies the host name to which the Object Request Broker (ORB) transport protocol binds for communication. The value must be a fully qualified domain name or IP address. If your configuration involves multiple network cards, set the listener host and port to let the transport mechanism in the JVM know the IP address for which to bind. If you do not specify which IP address to use, symptoms such as connection timeouts, unusual API failures, and clients that seem to hang can occur. In this topic, 10.1.1.13 is used as the IP address for example purposes only.
    securityEnabled=true
    Enables WebSphere eXtreme Scale client security.

    Default: false

    credentialAuthentication=Never
    Specifies the client credential authentication support. Use one of the following valid values:
    • Never: The client does not support credential authentication.
    • Supported: The client supports credential authentication if the server also supports credential authentication. (Default)
    • Required: The client requires credential authentication.
    For secure transport:
    keyStoreType=JKS
    Indicates the type of keystore. If you indicate a value that is not valid, a runtime security exception occurs.

    Valid values: JKS, JCEKS, PKCS12, and so on.

    trustStoreType=JKS
    Indicates the type of truststore. If you indicate a value that is not valid, a runtime security exception results.

    Valid values: JKS, JCEKS, PKCS12, and so on.

    keyStore=/opt/liberty/xsakeystore.jks
    Specifies a fully qualified path to the keystore file.

    Example:

    etc/test/security/client.private

    trustStore=/opt/liberty/xsatruststore.jks
    Specifies a fully qualified path to the truststore file.

    Example:

    etc/test/security/server.public

    keyStorePassword
    Specifies the string password to the keystore. You can encode this value or use the actual value.
    trustStorePassword
    Specifies a string password to the truststore. You can encode this value or use the actual value.
    contextProvider=IBMJSSE2
    Specifies the name of the context provider for the trust service. If you indicate a value that is not valid, a security exception results that indicates that the context provider type is incorrect.

    Valid values: IBMJSSE2, IBMJSSE, IBMJSSEFIPS, and so on.

    alias=ibm websphere datapower xc10
    Specifies the alias name in the keystore. This property is used if the keystore has multiple key pair certificates and you want to select one of the certificates.

    Default: No value

    FIPS requires TLS:
    transportType=SSL-Required
    Specifies the client transport type. The possible values are:
    • TCP/IP: Indicates that the client only supports TCP/IP connections.
    • SSL-Supported: Indicates that the client supports both TCP/IP and Secure Sockets Layer (SSL) connections. (Default)
    • SSL-Required: Indicates that the client requires SSL connections.
    protocol=SSL
    Indicates the type of security protocol to use for the client. Set this protocol value based on which security provider you use. If you indicate a value that is not valid, a security exception results that indicates that the protocol value is incorrect.

    Valid values: SSL, SSLv2, SSLv3, TLS, TLSv1, and so on.

  5. Configure the Liberty profile to use the appliance by setting the Liberty profile webapp feature, which supports replication of HTTP session data for fault tolerance, in the server.xml file:
    <server description="new server">
    
        <!-- Enable features -->
        <featureManager>
            <feature>jsp-2.2</feature>
            <feature>eXtremeScale.webapp-1.1</feature>
            <feature>servlet-3.0</feature>
        </featureManager>

    In the previous example, the servlet-3.0 and jsp-2.2 features are enabled in a secure data grid with SSL. The jsp-2.2 feature provides support for JavaServer Pages (JSP) files that are written to the JSP 2.2 specification. JavaServer Pages enable the separation of the Hypertext Markup Language (HTML) code from the business logic in web pages so that HTML programmers and Java™ programmers can more easily collaborate in creating and maintaining pages. If you include the jsp-2.2 feature, you also include the servlet-3.0 feature. To deploy web applications and to enable web security, you must specify the servlet-3.0 feature in the server.xml file.

  6. Add the following SSL feature to the server.xml file to configure the Liberty profile to run SSL data encryption: [Version 2.1 only]
    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}MjowbTI+Kyw=" />
  7. Configure the server.xml file to make a secure connection to the data grid. Specify the keystore and truststore information to establish trusted communication between the data grid and the Liberty profile. The WebApp feature contains properties that create a secure connection between the appliance and the Liberty profile. For example, catalogHostPort specifies the data grid host and port that the Liberty profile connects to.
    <keyStore id="defaultKeyStore" location="/opt/liberty/xsakeystore.jks" password="xc10pass" type="jks"/>
    <keyStore id="defaultTrustStore" location="/opt/liberty/xsatruststore.jks" password="xc10pass" type="jks"/>

    <xsWebApp
        credentialGeneratorClass="com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator"
        useURLEncoding="false"
        applianceIdentifier="10.1.1.135"
        useCookies="true"
        objectGridType="REMOTE"
        securityEnabled="true"
        credentialGeneratorProps="xcadmin xcadmin"
        reuseSessionId="false"
        catalogHostPort="10.1.1.135:2809"
        objectGridName="Session"
        replicationInterval="10"
        sessionTableSize="1000"
        fragmentedSession="true"
        sessionManagementType="XC10SessionManagement"
        enableSessionStats="true"
        sessionStatsSpec="session.all=enabled" />

    </server>
  8. Start the Liberty profile using the following command:
    ./server start server_name
    A PID is displayed.
  9. Open the session application using the following URL:
    http://server:securedport/A/
  10. Perform session testing to verify that the data is written to the session grid in the appliance.
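The following script is an added illustration, not part of the product documentation or the product itself. It reads an objectGridClient.properties file shaped like the one in step 4 and reports settings that weaken the secured connection this procedure sets up (plaintext fallback, obsolete SSL protocol values, clear-text keystore passwords, relative keystore paths); the sample file content and the finding messages are constructed for the example.

```python
"""Audit the security-relevant keys in an objectGridClient.properties file."""
import os
from typing import Dict, List

# Constructed sample built from the values shown in step 4; transportType and
# protocol are deliberately left at weaker settings so the checks have work to do.
SAMPLE_PROPERTIES = """\
# objectGridClient.properties (constructed sample)
securityEnabled=true
transportType=SSL-Supported
protocol=SSLv3
keyStore=/opt/liberty/xsakeystore.jks
trustStore=/opt/liberty/xsatruststore.jks
keyStorePassword=xc10pass
trustStorePassword={xor}Lz4sLCgwLTs=
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#' or '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_client_properties(props: Dict[str, str]) -> List[str]:
    """Return one finding per weak or missing setting; an empty list means the file passes."""
    findings: List[str] = []
    if props.get("securityEnabled", "false").lower() != "true":
        findings.append("securityEnabled: client security is disabled (the default is false)")
    # SSL-Supported (the default) still allows a plain TCP/IP connection to the grid.
    if props.get("transportType", "SSL-Supported") != "SSL-Required":
        findings.append("transportType: not SSL-Required, so a plaintext TCP/IP connection is possible")
    if props.get("protocol", "").upper() in ("SSLV2", "SSLV3"):
        findings.append("protocol: SSLv2/SSLv3 are obsolete; use a TLS protocol value")
    for key in ("keyStorePassword", "trustStorePassword"):
        # {xor} is reversible obfuscation, not encryption; it keeps the password out of
        # casual view, but file permissions on the properties file still matter.
        if not props.get(key, "").startswith("{xor}"):
            findings.append(f"{key}: missing or clear text; encode it with securityUtility encode")
    for key in ("keyStore", "trustStore"):
        if not os.path.isabs(props.get(key, "")):
            findings.append(f"{key}: must be a fully qualified path")
    return findings
```

Run it over the real file with audit_client_properties(parse_properties(open(path).read())) and fix every finding before the Liberty profile is started.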

SSL-enabled server definition file example

See the following example of an advanced server.xml file configuration that uses the SSL feature. Some lines of code are displayed on multiple lines for publication purposes.
[Version 2.1 only]
<server description="new server">

    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
        <feature>eXtremeScale.server-1.1</feature>
        <feature>eXtremeScale.webApp-1.1</feature>
        <feature>ssl-1.1</feature>
    </featureManager>

    <httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="9080"
                  httpsPort="9443">
        <!--tcpOptions soReuseAddr="true" / -->
    </httpEndpoint>

    <keyStore id="defaultKeyStore" password="{xor}MjowbTI+Kyw=" />

    <xsWebApp objectGridName="session"
              catalogHostPort="remoteHost:2809"
              securityEnabled="true"
              credentialGeneratorClass="com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator"
              credentialGeneratorProps="xcadmin xcadmin"/>
    <applicationMonitor updateTrigger="mbean"/>
    <application id="A" location="A.ear" name="A" type="ear"/>
    <httpSession cloneId="A_test"/>

</server>