WebSphere Application Server - WebSphere and SSL


Author WebSphere and SSL

2006-10-19, 1:28 am

hi,

There is Java code running in WebSphere that opens a URL stream over SSL to another web server. During this process, I get an "unknown certificate" error. Thanks in advance.
Here is the stack trace....

javax.net.ssl.SSLHandshakeException: unknown certificate
at com.ibm.jsse.bg.a(Unknown Source)
at com.ibm.jsse.bg.startHandshake(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.n(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.p.connect(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.bw.getInputStream(Unknown Source)
at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(URL.java:495)




Paul Ilechko

2006-10-23, 7:22 pm

junksome@gmail.com wrote:
> hi,
>
> There is Java code running in websphere that opens a URL stream over SSL to another web server. During this process, I get unknown certificate error. Thanks in advance.
> Here is the stack trace....
>
> javax.net.ssl.SSLHandshakeException: unknown certificate
> at com.ibm.jsse.bg.a(Unknown Source)
> at com.ibm.jsse.bg.startHandshake(Unknown Source)
> at com.ibm.net.ssl.www.protocol.https.b.n(Unknown Source)
> at com.ibm.net.ssl.www.protocol.https.p.connect(Unknown Source)
> at com.ibm.net.ssl.www.protocol.http.bw.getInputStream(Unknown Source)
> at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)
> at java.net.URL.openStream(URL.java:495)
>
>
>
>


http://www-128.ibm.com/developerwor...2_benantar.html

2006-10-23, 7:22 pm

Hi,

I tried that but still I am getting this error. thanks

java.net.SocketException: Invalid keystore format
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.b(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.cb.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.cb.p(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.<init>(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.q.c(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.q.connect(Unknown Source)
at com.ibm.net.ssl.www.protocol.http.ci.getInputStream(Unknown Source)
at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(URL.java:942)

Paul Ilechko

2006-10-23, 7:22 pm

junksome@gmail.com wrote:
> Hi,
>
> I tried that but still I am getting this error. thanks
>
> java.net.SocketException: Invalid keystore format
> at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)
> at com.ibm.net.ssl.www.protocol.https.b.b(Unknown Source)
> at com.ibm.net.ssl.www.protocol.http.cb.a(Unknown Source)
> at com.ibm.net.ssl.www.protocol.http.cb.p(Unknown Source)
> at com.ibm.net.ssl.www.protocol.https.b.<init>(Unknown Source)
> at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
> at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
> at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
> at com.ibm.net.ssl.www.protocol.https.q.c(Unknown Source)
> at com.ibm.net.ssl.www.protocol.https.q.connect(Unknown Source)
> at com.ibm.net.ssl.www.protocol.http.ci.getInputStream(Unknown Source)
> at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Unknown Source)
> at java.net.URL.openStream(URL.java:942)
>


you tried what, exactly ?

2006-10-23, 7:22 pm

This is what I did.

I got a free certificate from Verisign. I placed it on one server and I am able to connect correctly through a web browser. On the WebSphere box I saved the original certificate along with the signed certificate. In WebSphere Admin I tried to set up the keystore and trusted store along with the Java protocol handler. In short I have two boxes - one server running https and WebSphere (not ssl) trying to make calls to the other server.

Thanks

Sunit Patke

2006-10-23, 7:22 pm

You are trying to call a web service (URL) on one box from another box that
is running WebSphere. i.e. WebSphere application is service consumer and the
remote box is service provider.

1. Are you able to access the service from the WebSphere box using web
browser with SSL (HTTPS)? If yes then the service is set up correctly for
SSL.

2. Install the SSL certificate used by the web service provider (you can get
it from the browser in step 1) in the $WASHOME/java/jre/security/cacerts
files. cacerts is a jks type certificate store and you should be able to
open it using ikeyman. The default password for cacerts is changeit.

Sunit

<junksome@gmail.com> wrote in message
news:371051855.1161287807225.JavaMail.wassrvr@ltsgwas010.sby.ibm.com...
> This is what I did.
>
> I got a free certificate from verisign. I placed it on one server and I
> am able to connect correctly through a web browser.On the Websphere box I
> saved the original certificate along with the signed certificate. In
> Websphere Admin I tried to set up the keystore and trustedstore along with
> the Java protocol handler.In short I have two boxes - one server running
> https and WebSphere (not ssl) trying to make calls to the other server.
>
> Thanks
>



Paul Ilechko

2006-10-23, 7:22 pm

junksome@gmail.com wrote:
> This is what I did.
>
> I got a free certificate from verisign. I placed it on one server
> and I am able to connect correctly through a web browser.On the
> Websphere box I saved the original certificate along with the signed
> certificate. In Websphere Admin I tried to set up the keystore and
> trustedstore along with the Java protocol handler.In short I have two
> boxes - one server running https and WebSphere (not ssl) trying to
> make calls to the other server.
>


I hate to disillusion you, but I am not a mind reader. Now, you can
either try being *exact* about what you did (e.g. which certificate did
you put in which keystore) or we can just forget the whole thing. You
obviously did something wrong, but as of now, I have no idea what.

Did you read the paper that I gave you the link to? That is very clear
on what needs to be done for JSSE.
Paul Ilechko

2006-10-23, 7:22 pm

Sunit Patke wrote:
> You are trying to call a web service (URL) on one box from another box that
> is running WebSphere. i.e. WebSphere application is service consumer and the
> remote box is service provider.


He never mentioned web services. As far as I know he's doing straight
HTTP(s).
>
> 1. Are you able to access the service from the WebSphere box using web
> browser with SSL (HTTPS)? If yes then the service is set up correctly for
> SSL.
>
> 2. Install the SSL certificate used by the web service provider (you can get
> it from the browser in step 1) in the $WASHOME/java/jre/security/cacerts
> files. cacerts is a jks type certificate store and you should be able to
> open it using ikeyman. The default password for cacerts is changeit.


No !!!! You do *not* touch cacerts in WAS. If you do, you may break WAS
internals.

2006-10-23, 7:22 pm

Thanks for your help....I figured out what my problem was: the trust store was not set up correctly.
Sunit Patke

2006-10-23, 7:22 pm

cacerts is a jks that contains root CA certificates and trusted certificates
as provided by Sun. Last year some of the Verisign certificates expired and
IBM refused to issue a patch for SDK to fix the issue. Instead we were
pointed to Sun advisory on how to import new certificates into cacerts.

My observation so far has been that there is nothing WAS specific in cacerts
itself. IBM does modify the security providers list for WAS but again that's
not cacerts. But this could have changed with WAS 6.x

Sunit

"Paul Ilechko" <paul.ilechko@us.ibm.com> wrote in message
news:eh8qag$13k54$2@news.boulder.ibm.com...
> Sunit Patke wrote:
>
> He never mentioned web services. As far as I know he's doing straight
> HTTP(s).
>
> No !!!! You do *not* touch cacerts in WAS. If you do, you may break WAS
> internals.



Paul Ilechko

2006-10-23, 7:22 pm

Sunit Patke wrote:
> cacerts is a jks that contains root CA certificates and trusted certificates
> as provided by Sun. Last year some of the Verisign certificates expired and
> IBM refused to issue a patch for SDK to fix the issue. Instead we were
> pointed to Sun advisory on how to import new certificates into cacerts.


Yes, but WAS has its own keystores and truststores to provide the
ability to manage multiple SSL configurations. Changing cacerts is not
the appropriate way to set up application level trust in WAS, at least
when you have global security enabled. You should read the JSSE paper on
websphere developer domain that I referenced earlier, and you should not
be telling people to blindly add certificates to cacerts, as that will
usually be the wrong approach.
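Sunit's step 2 and Paul's reply come down to the same requirement: the remote server's certificate (or the CA certificate that issued it) has to be in a trust store that the JSSE client actually consults, and Paul's point is that this should be an application-level store, not the JDK's cacerts. The block below is an added example, not code from this thread, from IBM, or from the JSSE paper referenced above. It builds a dedicated JKS trust store from a certificate file, wires it into an SSLContext, and makes the HTTPS call through it. It also illustrates the poster's second error: handing a bare .cer/.pem file to KeyStore.load is what produces "Invalid keystore format", because a certificate is not a keystore. The file paths, the alias remote-server, the password and the URL are placeholders; the code assumes the standard javax.net.ssl API and that openConnection() returns a javax.net.ssl.HttpsURLConnection (an assumption for the IBM provider in the stack trace; adjust the cast if your provider differs).

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Application-level trust for an outbound HTTPS call, kept separate from
 * the JDK's cacerts. All paths, the alias and the password are placeholders.
 */
public class AppTrustStore {

    /** Step 1: build a JKS trust store holding only the remote server's
     *  certificate (or the CA certificate that issued it), read from a
     *  PEM or DER encoded file. */
    public static void buildTrustStore(String certFile, String trustStoreFile, char[] password)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = new FileInputStream(certFile)) {
            serverCert = cf.generateCertificate(in); // fails clearly if the file is not a certificate
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        // Start from an empty store. Passing the raw certificate file to
        // KeyStore.load instead is what yields "Invalid keystore format".
        ts.load(null, null);
        ts.setCertificateEntry("remote-server", serverCert); // placeholder alias
        try (OutputStream out = new FileOutputStream(trustStoreFile)) {
            ts.store(out, password);
        }
    }

    /** Step 2: an SSLContext whose TrustManager consults that store and nothing else. */
    public static SSLContext contextFrom(String trustStoreFile, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStoreFile)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material: server auth only
        return ctx;
    }

    /** Step 3: open the URL through that context. A certificate that does not
     *  chain to the store still fails the handshake with SSLHandshakeException,
     *  which is exactly the check we want to keep. */
    public static String fetch(String httpsUrl, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(httpsUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is left at its default; do not install an accept-all verifier.
        StringBuilder body = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), "UTF-8"))) {
            String line;
            while ((line = r.readLine()) != null) {
                body.append(line).append('\n');
            }
        }
        return body.toString();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "placeholder-password".toCharArray(); // placeholder, not a real secret
        buildTrustStore("/path/to/remote-server.cer", "/path/to/app-trust.jks", pw);
        SSLContext ctx = contextFrom("/path/to/app-trust.jks", pw);
        System.out.println(fetch("https://remote.example.invalid/resource", ctx));
    }
}
```

In a WAS server with global security enabled, the thread's advice is to register the trust store through the WAS SSL configuration rather than in application code; the example performs the same trust decision at the JSSE level, which is a quick way to confirm that the store file itself is well-formed and contains the right certificate before touching the server configuration.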


Copyright 2003 - 2008 webservertalk.com