0
votes

We are using the IBM CLM application (6.0.5) with the bundled Liberty profile. For each of the 7 applications there is a separate Liberty profile on a different server, and all these applications are running behind an IHS server where we already have the ihs.kdb file and a self-signed certificate.

In each Liberty profile we already have the default keystore, and server.xml & server.startup with default settings.

Now our requirement is to enable mutual SSL authentication between the Liberty profiles (since IHS is in front of these applications, we are thinking of making the mutual SSL authentication between IHS and each Liberty profile).

So how can we achieve this?

What configuration do we have to do on the Liberty server side and on the IHS server?

Do we need to specify the IHS server's keystore file and location in each server.xml file? Could somebody guide us here, as we are very new to this?

1
Is your goal to authenticate the web server to Liberty, or to authenticate your end users as they come through IHS, or both? - covener
Here the requirement is to make mutual authentication between all applications, which are hosted on separate Liberty profiles on different servers. But since IHS is the front-end server for all communication with all the Liberty servers, we thought of making the mutual SSL authentication between IHS and the Liberty servers. - saran
In the Liberty profile, how can we remove the default keystore and add a new keystore file? In the server.xml file we have only the default configuration, and we have the requirement below. - saran
1) We created a new keystore file using ikeyman, named ccm.jks. 2) We opened the ccm.jks keystore file using ikeyman and, under the "Personal Certificates" content, created a new self-signed certificate with the common name set to the server's FQDN and the key alias name "ccm". Now the personal certificates list shows the "ccm" certificate. (Refer to Screenshot1.) 3) We created a new truststore file using ikeyman, named ccmtrust.jks. 4) Then we edited the server.xml values with the new parameters as below. - saran
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"
         sslProtocol="SSL"
         enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256"/>
    <keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/CCM.jks" type="JKS" password="changeme"/>
    <keyStore id="defaultTrustStore" location="${server.config.dir}/resources/security/ccmtrust.jks" type="JKS" password="changeme"/>
    <httpEndpoint id="defaultHttpEndpoint
- saran

1 Answer

0
votes

Here's the general process for setting up HTTPS. You'll need this in your server.xml:

    <featureManager>
        <feature>ssl-1.0</feature>
        <!-- ..... more features here.... -->
    </featureManager>
    <!-- no location given: Liberty uses ${server.config.dir}/resources/security/key.jks -->
    <keyStore id="defaultKeyStore" password="keyspass" />
    <httpEndpoint host="*" httpPort="19080" httpsPort="19045"
                  id="defaultHttpEndpoint"/>

Then you add the public keys of the servers you want to communicate with (IHS) to Liberty's truststore file, as explained here:

https://github.com/brutif/miscdocs/blob/master/Adding_trusted_certificates.txt

Restart Liberty after updating the truststore.

Then configure IHS, as explained here:

https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_9.0.0/com.ibm.websphere.ihs.doc/ihs/tihs_install_config_liberty.html
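As an added example, not part of the answer above: the snippet in the answer sets up server-side TLS only. For the mutual authentication the question asks about, the Liberty side must additionally require a client certificate on the endpoint the IHS plug-in connects to, and trust the signer of the certificate the plug-in presents. The fragment below does that using the ccm.jks keystore, the ccmtrust.jks truststore and the "ccm" alias named in the question; the plug-in keyring path, stash file path and the certificate label "ihsplugin" are assumed values and must match a personal certificate that really exists in the plug-in's CMS keyring.

```xml
<server description="Liberty profile behind IHS, requiring a client certificate from the plug-in (added example)">
    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- Server identity: the self-signed "ccm" certificate created with ikeyman (file name from the question). -->
    <keyStore id="defaultKeyStore"
              location="${server.config.dir}/resources/security/ccm.jks"
              type="JKS" password="changeme"/>

    <!-- Trust store: holds the plug-in's certificate (or its signer), imported with
         keytool -importcert. Keeping it separate from the keystore means only the
         signers you explicitly imported are accepted for client authentication. -->
    <keyStore id="defaultTrustStore"
              location="${server.config.dir}/resources/security/ccmtrust.jks"
              type="JKS" password="changeme"/>

    <!-- clientAuthentication="true" makes the handshake fail unless the peer presents a
         certificate that chains to defaultTrustStore. While rolling out, use
         clientAuthenticationSupported="true" instead: clients without a certificate still
         connect, so you can confirm the plug-in is actually sending one before enforcing it. -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="defaultTrustStore"
         serverKeyAlias="ccm"
         clientAuthentication="true"
         sslProtocol="TLSv1.2"/>

    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>

    <!-- Generates plugin-cfg.xml for IHS. Keyring, stash file and label are assumed names:
         the label must be a personal certificate in that CMS keyring, because that is the
         certificate the plug-in sends to Liberty when Liberty asks for one. -->
    <pluginConfiguration webserverPort="80" webserverSecurePort="443"
                         sslKeyringLocation="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"
                         sslStashfileLocation="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"
                         sslCertlabel="ihsplugin"/>
</server>
```

Two points to keep in mind when applying this. First, the IHS-to-Liberty connection is made by the WebSphere plug-in, so the certificates that matter are the ones in the plug-in's keyring (plugin-key.kdb), not in ihs.kdb: the plug-in's personal certificate goes into ccmtrust.jks on every Liberty server (exported from the kdb with ikeyman and imported with `keytool -importcert -alias ihsplugin -file plugin.arm -keystore ccmtrust.jks`), and each Liberty server's "ccm" certificate (exported with `keytool -exportcert -alias ccm -keystore ccm.jks -file ccm.arm`) goes into the plug-in keyring as a signer. Restart Liberty after changing the truststore. Second, verify the enforcement rather than assuming it: `openssl s_client -connect <liberty-host>:9443` without a client certificate must now fail the handshake, and the same command with `-cert`/`-key` pointing at a certificate that is trusted in ccmtrust.jks must succeed. Note that this authenticates the plug-in to each Liberty server; any traffic that goes directly between Liberty servers without passing through IHS is not covered by it.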