Configuring two-way SSL authentication for inbound traffic

You can configure two-way SSL authentication for inbound traffic to the WebSphere Application Server (WAS).

When two-way SSL authentication is configured, external systems can initiate calls to WAS. Then, WAS completes the SSL handshake and authentication. If a web server is deployed, traffic passes anonymously to the WAS server, which then completes the SSL handshake and authentication.

To enable two-way SSL authentication, you must:

  • Import the public certificate of the external system to the WAS trust store.
  • Import the client certificate for WAS into the WAS keystore. This client certificate may already exist or it must be provisioned by a Certificate Authority.
  • Generate and add a Base-64 encoded copy of the public certificate to the HTTPConnection parameter in the environment file.
  • Create a new user in the WebSphere user account repository (in Active Directory (AD), Lightweight Directory Access Protocol (LDAP), or the internal file repository) using the user name from the public certificate for the external system.
Before configuring two-way SSL for the application server, ensure that you have the following certificates.
Certificate Description
client.cer The public certificate for the external system.
client.pfx The PKCS#12 keystore for the external system.
server.cer The public certificate for the WAS.
server.pfx The PKCS#12 keystore for the WAS.

You must also generate a Base-64 encoded copy of the client.cer certificate.

To configure two-way SSL for WAS:
  1. On the WebSphere Application Server host machine, back up all WebSphere profiles.
  2. Restart all WebSphere processes.
  3. In WebSphere, import the following certificates:
    1. Import the client.cer certificate into the CellDefaultTrustStore.
    1. Import the server.pfx certificate into the CellDefaultKeyStore.
  4. In NexJ Studio, in the environment file, copy the Base-64 encoded client.cer certificate into the Trust field for the inbound HTTPConnection channel. When you copy the certificate, ensure that you preserve newline characters for the certificate, as shown in the following example: 
    -----BEGIN CERTIFICATE-----
MIIFGTCCBAGgAwIBAgIQDglpv5N//FO17+tKwyGMtDANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTQwODA2MDAwMDAwWhcN
MTYwOTA3MTIwMDAwWjBvMQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQ
MA4GA1UEBxMHVG9yb250bzEaMBgGA1UEChMRTmV4SiBTeXN0ZW1zIEluYy4xCzAJ
BgNVBAsTAklUMRMwEQYDVQQDDAoqLm5leGouY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAt2hNQUcIuZLCAbnNCnHE6NWkzo4+Jr+fswvoaCY8lQvu
eA9jKdcLQxLRtfK6q4i/pmSEFiYnxODsrxf7ACiqia8s/itBlDa0xwWOrGPzygFa
odSSVXgS8rGo2VjKWhjSXQYC8EkVUs1mLsKAcG8n3K3Fp0xAf7YOF5BPJQUq9XSG
tGySchZDlTPPYbhWtRj3lDpDMOAoS7S9qB55RxjOL1GSsLiGKP+YUG6wjWB4CQwl
8ZSoqFsq0NKG0HPMFtoe6N4G4myFtX8MoKDYLKxGtr7eFeurv0S1UlyBm5gMPbS4
bCSXRl8K2X6ntwaBRaQl1wt34VKtoRoXiO+EmXtJMQIDAQABo4IB0TCCAc0wHwYD
VR0jBBgwFoAUD4BhHIIxYdUvKOeNRji0LOHG2eIwHQYDVR0OBBYEFCeln20KJoCz
psdW0UcEzp4X9LyOMB8GA1UdEQQYMBaCCioubmV4ai5jb22CCG5leGouY29tMA4G
A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYD
VR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hh
Mi1nMy5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNo
YTItZzMuY3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEW
HGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwfAYIKwYBBQUHAQEEcDBuMCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKG
Omh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVT
ZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAG395
LDTPwvm88mTy+QfO1AEMChO9cj82rsBmsBldblPnSY1PGsmwml29DFYrz1BISufp
kqx3zLdcfBsp78B5pmfyDbjZtHiUbDuNZfMGK0MoOiqt4chBwbo3sf9SerbKfYig
FfGr2dtlddm2i9RU98G0NDNwthofDB3hWn23A5ENfXRj/CJj0cJTxzrTVxboVAOa
dCUs8D/o0Xsl8vovQtSunVF00P3QFiondp50ICiKFUMgsEYyJwLnHO9wLmN+B29o
kxlTKdBvobvCJz5Q5AMsh9ohqw/X3wTHd9o9ozCeMTyVVwrsv2XkVcsIKSkOmLq1
cNoZIv6P+fLm0RWBvA==
-----END CERTIFICATE-----
    Note: The first line of the certificate must contain only -----BEGIN CERTIFICATE-----, and the last line must contain only -----END CERTIFICATE-----.
  5. In the WebSphere user account repository, create a new user whose user name matches the first CN value of the subject field in client.cer certificate.
    For example, to configure the user name for the following certificate, use production.company.com as the user name.
    CN = production.company.com
CN = Services Department
O = Company Inc.
L = Toronto
S = Ontario
C = CA
  6. If the WebSphere user account repository is configured for Active Directory or LDAP, create the user in Active Directory or LDAP. If the user account repository is configured for an internal file repository, create the user using the Integrated Solutions Console.
    Important: If you create the new user in LDAP, you must enter the user name that you used for the WebSphere user account repository in the Full Name attribute. Do not enter values for the First Name and Last Name attributes.
  7. If your WebSphere configuration uses a LDAP user account repository, you must update the certificate mapping for repository:
    1. Launch the Integrated Solutions Console.
    2. Click the Security field, then click Global security.
    3. In User account repository, click Configure.
    4. In Related Items, click Manage repositories.
    5. Select the repository that represents the LDAP user account repository.
    6. In the Certificate mapping field, select CERTIFICATE_FILTER.
    7. Set the Certificate filter to cn=${SubjectCN}.
  8. Restart all WebSphere processes.
  9. Reconfigure and redeploy the application.
  10. Verify the changes.
Two-way SSL authentication is configured for inbound traffic to the WAS.