If you have client applications that are deployed in the WebSphere® Application Server Liberty profile, then you can
configure the Liberty profile for HTTPS, which automatically uses
SSL and data encryption for secured web servers.
Procedure
- Change to the lib_dir\bin directory and run the following command to create the SSL certificate and enable HTTPS:
securityUtility createSSLCertificate --server=server_name --password=xc10test
- Set the following JAVA_HOME property from a command line. Be sure to issue the command from the directory where the Liberty profile is installed; for example:
JAVA_HOME=/opt/liberty/java
- Add the following JVM argument to the etc/jvm.options file:
-Dobjectgrid.client.props=/opt/liberty/objectGridClient.properties
- Set the following properties in the objectGridClient.properties file:
For client machines with multiple IP addresses:
- listenerHost=10.1.1.13
Specifies the host name to which the Object Request Broker (ORB) transport protocol binds for communication. The value must be a fully qualified domain name or IP address. If your configuration involves multiple network cards, set the listener host and port to tell the transport mechanism in the JVM which IP address to bind to. If you do not specify which IP address to use, symptoms such as connection timeouts, unusual API failures, and clients that seem to hang can occur. In this topic, 10.1.1.13 is used as the IP address for example purposes only.
- securityEnabled=true
Enables WebSphere eXtreme Scale client security.
Default: false
- credentialAuthentication=Never
Specifies the client credential authentication support. Use one of the following valid values:
- Never: The client does not support credential authentication.
- Supported: The client supports credential authentication if the server also supports credential authentication. (Default)
- Required: The client requires credential authentication.
For secure transport:
- keyStoreType=JKS
Indicates the type of keystore. If you indicate a value that is not valid, a runtime security exception occurs.
Valid values: JKS, JCEKS, PKCS12, and so on.
- trustStoreType=JKS
Indicates the type of truststore. If you indicate a value that is not valid, a runtime security exception results.
Valid values: JKS, JCEKS, PKCS12, and so on.
- keyStore=/opt/liberty/xsakeystore.jks
Specifies a fully qualified path to the keystore file.
Example: etc/test/security/client.private
- trustStore=/opt/liberty/xsatruststore.jks
Specifies a fully qualified path to the truststore file.
Example: etc/test/security/server.public
- keyStorePassword
Specifies the string password to the keystore. You can encode this value or use the actual value.
- trustStorePassword
Specifies the string password to the truststore. You can encode this value or use the actual value.
- contextProvider=IBMJSSE2
Specifies the name of the context provider for the trust service. If you indicate a value that is not valid, a security exception results that indicates that the context provider type is incorrect.
Valid values: IBMJSSE2, IBMJSSE, IBMJSSEFIPS, and so on.
- alias=ibm websphere datapower xc10
Specifies the alias name in the keystore. This property is used if the keystore has multiple key pair certificates and you want to select one of the certificates.
Default: No value
FIPS requires TLS:
- transportType=SSL-Required
Specifies the client transport type. The possible values are:
- TCP/IP: Indicates that the client only supports TCP/IP connections.
- SSL-Supported: Indicates that the client supports both TCP/IP and Secure Sockets Layer (SSL) connections. (Default)
- SSL-Required: Indicates that the client requires SSL connections.
- protocol=SSL
Indicates the type of security protocol to use for the client. Set this protocol value based on which security provider you use. If you indicate a value that is not valid, a security exception results that indicates that the protocol value is incorrect.
Valid values: SSL, SSLv2, SSLv3, TLS, TLSv1, and so on.
- Configure the Liberty profile to use the appliance by setting the Liberty profile webapp feature, which supports replication of HTTP session data for fault tolerance, in the server.xml file:
<server description="new server">
    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
        <feature>eXtremeScale.webapp-1.1</feature>
        <feature>servlet-3.0</feature>
    </featureManager>
In the previous example, the servlet 3.0 and jsp 2.2 features are enabled for a secure data grid that uses SSL. The jsp 2.2 feature provides support for JavaServer Pages (JSP) files that are written to the JSP 2.2 specification. JavaServer Pages separate the Hypertext Markup Language (HTML) code from the business logic in web pages so that HTML programmers and Java™ programmers can more easily collaborate in creating and maintaining pages. Including the jsp 2.2 feature also includes the servlet-3.0 feature. To deploy web applications and to enable web security, you must specify the servlet 3.0 feature in the server.xml file.
- Add the following SSL feature to the server.xml file to configure the Liberty profile to run SSL data encryption:
    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}MjowbTI+Kyw=" />
- Configure the server.xml file to make a secure connection to the data grid. Specify the keystore and truststore information to establish trusted communication between the data grid and the Liberty profile.
The WebApp feature contains properties that create a secure connection between the appliance and the Liberty profile. For example, catalogHostPort specifies the data grid host and port number that the Liberty profile connects to.
    <keyStore id="defaultKeyStore" location="/opt/liberty/xsakeystore.jks" password="xc10pass" type="jks"/>
    <keyStore id="defaultTrustStore" location="/opt/liberty/xsatruststore.jks" password="xc10pass" type="jks"/>
    <xsWebApp
        credentialGeneratorClass="com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator"
        useURLEncoding="false"
        applianceIdentifier="10.1.1.135"
        useCookies="true"
        objectGridType="REMOTE"
        securityEnabled="true"
        credentialGeneratorProps="xcadmin xcadmin"
        reuseSessionId="false"
        catalogHostPort="10.1.1.135:2809"
        objectGridName="Session"
        replicationInterval="10"
        sessionTableSize="1000"
        fragmentedSession="true"
        sessionManagementType="XC10SessionManagement"
        enableSessionStats="true"
        sessionStatsSpec="session.all=enabled" />
</server>
- Start the Liberty profile using the following command:
./server start server_name
A PID is displayed.
- Open the session application using the following URL:
http://server:securedport/A/
- Perform session testing to verify that the data is written to the session grid in the appliance.
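As an added example (not part of the original topic), the following Python script reads an objectGridClient.properties file in the format described in the procedure above and flags values that leave the client side of the transport weaker than the secure-transport settings require: security disabled, a transport type that still permits plain TCP/IP, credential authentication switched off, a deprecated SSL protocol version, or a clear-text keystore or truststore password. The sample file content and its placeholder passwords are constructed.

```python
import re

# Constructed sample objectGridClient.properties (not from a real deployment).
SAMPLE_PROPS = """\
# WebSphere eXtreme Scale client properties
listenerHost=10.1.1.13
securityEnabled=true
credentialAuthentication=Never
transportType=SSL-Supported
protocol=SSLv3
keyStoreType=JKS
keyStore=/opt/liberty/xsakeystore.jks
keyStorePassword=xc10pass
trustStore=/opt/liberty/xsatruststore.jks
trustStorePassword={xor}ENCODED_VALUE_PLACEHOLDER
"""

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # logical line continues on the next physical line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_client_props(props):
    """Return findings for values that weaken the client side of the secure transport."""
    findings = []
    if props.get("securityEnabled", "false").lower() != "true":
        findings.append("securityEnabled is not true: client security is disabled (default is false)")
    if props.get("transportType", "SSL-Supported") != "SSL-Required":
        findings.append("transportType is not SSL-Required: a plain TCP/IP connection can still be negotiated")
    if props.get("credentialAuthentication", "Supported") == "Never":
        findings.append("credentialAuthentication=Never: the client never presents credentials to the grid")
    if props.get("protocol") in ("SSLv2", "SSLv3"):
        findings.append(f"protocol={props['protocol']}: deprecated protocol version; use a TLS value")
    for key in ("keyStorePassword", "trustStorePassword"):
        if not props.get(key, "").startswith("{"):   # encoded values carry a {...} prefix
            findings.append(f"{key} is missing or stored in clear text; encode it with securityUtility encode")
    return findings
```

Run it against a real file with audit_client_props(parse_properties(open(path).read())); an empty list means none of the checks above fired.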
SSL-enabled server definition file example
The following example shows an advanced server.xml file configuration that uses the SSL feature. Some lines of code are displayed on multiple lines for publication purposes.
<server description="new server">
    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
        <feature>eXtremeScale.server-1.1</feature>
        <feature>eXtremeScale.webApp-1.1</feature>
        <feature>ssl-1.1</feature>
    </featureManager>
    <httpEndpoint id="defaultHttpEndpoint"
        host="*"
        httpPort="9080"
        httpsPort="9443">
        <!--tcpOptions soReuseAddr="true" / -->
    </httpEndpoint>
    <keyStore id="defaultKeyStore" password="{xor}MjowbTI+Kyw=" />
    <xsWebApp objectGridName="session" catalogHostPort="remoteHost:2809" securityEnabled="true"
        credentialGeneratorClass="com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator"
        credentialGeneratorProps="xcadmin xcadmin"/>
    <applicationMonitor updateTrigger="mbean"/>
    <application id="A" location="A.ear" name="A" type="ear"/>
    <httpSession cloneId="A_test"/>
</server>
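As an added example, not part of the original topic, the following Python script checks a server.xml of the shape shown above for the settings this topic depends on: an ssl-* feature in featureManager, an httpsPort on the HTTP endpoint, an encoded keyStore password, securityEnabled on xsWebApp, and no clear-text grid password in credentialGeneratorProps. The sample XML and its values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml in the shape of the example above (placeholder values, not a real deployment).
SAMPLE_SERVER_XML = """<server description="new server">
  <featureManager>
    <feature>jsp-2.2</feature>
    <feature>eXtremeScale.webApp-1.1</feature>
    <feature>ssl-1.1</feature>
  </featureManager>
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>
  <keyStore id="defaultKeyStore" location="/opt/liberty/xsakeystore.jks" password="xc10pass" type="jks"/>
  <xsWebApp objectGridName="session" catalogHostPort="remoteHost:2809" securityEnabled="true"
    credentialGeneratorClass="com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator"
    credentialGeneratorProps="xcadmin xcadmin"/>
</server>"""

def audit_server_xml(xml_text):
    """Return findings for server.xml settings that weaken the HTTPS endpoint or the grid connection."""
    root = ET.fromstring(xml_text)
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if not any(f.startswith("ssl-") for f in features):
        findings.append("featureManager: no ssl-* feature, so SSL data encryption is not enabled")
    for ep in root.iter("httpEndpoint"):
        if not ep.get("httpsPort"):
            findings.append(f"httpEndpoint {ep.get('id')}: no httpsPort defined")
    for ks in root.iter("keyStore"):
        pw = ks.get("password", "")
        if not pw:
            findings.append(f"keyStore {ks.get('id')}: no password")
        elif not pw.startswith("{"):                 # encoded values carry a {...} prefix
            findings.append(f"keyStore {ks.get('id')}: password is in clear text")
        elif pw.startswith("{xor}"):
            findings.append(f"keyStore {ks.get('id')}: {{xor}} is reversible obfuscation, not encryption")
    for app in root.iter("xsWebApp"):
        if app.get("securityEnabled", "false").lower() != "true":
            findings.append("xsWebApp: securityEnabled is not true")
        if app.get("credentialGeneratorClass", "").endswith("UserPasswordCredentialGenerator"):
            user, _, pw = app.get("credentialGeneratorProps", "").partition(" ")  # "user password"
            if pw and not pw.startswith("{"):
                findings.append(f"xsWebApp: clear-text grid password for user {user!r} in credentialGeneratorProps")
    return findings

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print("WARN:", finding)
```

Liberty's securityUtility encode --encoding=aes produces an {aes} value for the keyStore password, which the script accepts without the {xor} warning.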