1
Securing U2 Soap Server
Introduction To enable SSL on the Client(Consumer-to-U2SS side), we need a U2 soap server Certificate. There are three possible methods to obtain the Server Certificate:
1. Use U2 UniAdmin to generate a self –signed certificate 2. Obtain one from a commercial site (CA Authority). 3. Use the Java keytool program.
U2 DB
teklap4.usco.ibm.com
SOAP
Processor
UOJ Connection
Pools
Jetty Http Server
SOAP Responses
SOAP Requests
SOAP over HTTP(s)/SSL
UniRPC/SSL
U2 Soap Server
Consumers
CLIENT
SERVER
SERVER
CLIENT Consumers
EF020C9DB8.usco.ibm.com
2
Information and Naming Conventions
For the purposes of this document, UniAdmin will be used to generate the U2 soap server root certificate request file, the U2 soap server root certificate file, and the U2 soap server Leaf CA certificate file. The Java keytool will be used to create the U2 soap server Leaf CA certificate request file. The U2 soap server root certificate file is called u2ssroot.cer The U2 soap server certificate file is called u2SoapServer.cer The U2 soap server qualified domain name is teklap4.usco.ibm.com This document will demonstrate securing the components in the following drawing:
3
1. Create Self-signed Root Certificate – u2ssroot.cer
a. Create the certificate directory
First, decide on a common place to store all your certificates (a good practice), here we assume it is C:\certs\SoapServer
b. Create a Certificate Request
1) From Start->Programs->IBMU2->UniAdmin 2) Once in UniAdmin, define a U2 Server under U2 Servers (if there are none) 3) Connect to a U2 Server (here assume a UV server) 4) Click “SSL Configure” 5) In “SSL Configuration” window, Click “Generate a Certificate Request…” 6) Follow the UniAdmin wizard, and specify a “Certificate Request File” path, and certificate request file name:
“C:\ certs\U2SoapServer\u2ssroot.req” Also click SHA1 digest algorithm.
7) For “Request Properties”, we assume the following values: C US ST Colorado L Denver
O IBM Corp. OU U2 soap server self signed root certificate CN teklap4.usco.ibm.com (fully qualified domain name) Email [email protected] 8) For ‘Key Pair Generation”, click “Generating new key pair” 9) For “Key Pair Info”, type in two path name for key pairs: C:\ certs\U2SoapServer\u2ssroot.prv C:\certs\U2SoapServer\u2ssroot.pub 10) For “Password”, type and confirm key password phrase “my password” 11) Click “Create”, a certificate request will be created. 12) Click “Finish” The following images demonstrate the UniAdmin tool:
4
Generate a Certificate Request
Next
5
C:\certs\U2SoapServer\u2ssroot.req SHA1 Next>
6
C = US ST = Colorado L = Denver O = IBM Corp. OU = U2 Support Soap Server self signed root certificate CN = teklap4.usco.ibm.com Email = [email protected] Next >
7
Key Pair Selection Check Generating new key pair Next >
8
Key Pair Info Private Key File = C:\ certs\U2SoapServer\u2ssroot.pvt Public Key File = C:\ certs\U2SoapServer\u2ssdroot.pub Next >
9
Password Password for Private Key = “my password” Confirm Password = “my password” Next >
OK
10
Finish
11
c. Create Certificate
If all the above steps succeeded, then: 1) From “SSL Configure” window, click “Certificate” tab 2) Click “Generate a Certificate” button. 3) For “Certificate File”, type in a path and for certificate file name: “c:\ certs\u2SoapServer\u2ssroot.cer” 4) Type “c:\ certs\U2SoapServer\u2ssroot.req” into “Certificate Request File” box. 5) Select or type 1826 (5 years) as value for “Validity period” 6) Check “Self Sign” for “Certificate Type”. 7) Type “C:\ certs\U2SoapServer\u2ssroot.pvt” for “Private Key File” 8) Type in “my password” for the private key (see step 10). 9) Click “Create”. If everything is supplied correctly, a self-signed root certificate will be created. The following images demonstrate the UniAdmin tool:
Certificate Generate a Certificate
12
Next >
13
c:\ certs\U2SoapServer\u2ssroot.cer Next >
14
C:\certs\U2SoapServer\u2ssroot.req Next >
15
Validity Period = 1826 Next >
16
Self Sign Next >
17
c:\ certs\U2SoapServer\u2ssroot.pvt Next >
18
my password Create
19
OK
Finish
20
INFO: Below is a typical Certificate Request Site (IBM's is shown below)
21
22
23
2. Create a U2 soap server Keystore “u2sskeystore”
The U2 soap server needs a keystore to store the soap servers root and leaf CA Certificate. We will be using our own Java Key Store called u2sskeystore (c:\certs\U2SoapServer\u2sskeystore), and the U2 soap server Java Runtime keystore called cacerts located in your U2 IBM install path (normally c:\ibm\unidk\jre\lib\security\cacerts). The Java keytool program is a very powerful utility. Documentation/examples on how to use this tool is available off the internet: “KeyTool User Guide-142.html” http://www.ibm.com/developerworks/java/jdk/security/142/secguides/keytoolDocs/KeyToolUserGuide-142.html
Assumptions: U2 soap server certificate and key store repository is c:\certs\U2SoapServer Key Store Alias is u2sskey Key password is “my password” Key Store password is “changeit” U2 soap server domain name is teklap4.usco.ibm.com
a. Creating u2sskeystore:
keytool -genkey -keyalg RSA -keysize 1024 -dname "CN=teklap4.usco.ibm.com, OU=IBM Corp., O=U2 Support soap server certificate keystore, L=Denver, S=Colorado, C=US" -alias u2sskey -keypass "my password" -keystore u2sskeystore -storepass "changeit"
24
b. Create a U2 soap server Keystore Certificate Request
Assumptions: Key Store is u2sskeystore Certificate request is from alias u2sskey Key password is “my password” Key Store password is “changeit”
keytool -certreq -file u2soapserver.req -alias "u2sskey" -keypass "my password" -keystore u2sskeystore -storepass "changeit"
25
c. Create a U2 soap server Keystore Certificate
1) Go back to UniAdmin->SSL Configure->Certificate->Generate a Certificate 2) For “Certificate File”, type a path name for certificate file “C:\certs\U2SoapServer\u2SoapServer.cer” 3) Type “C:\certs\U2SoapServer\u2SoapServer.req” into “Certificate Request File” box. 4) Highlight the default value 365 and type 1826 (5 years) as value for “Validity period” 5) Check “Leaf CA Sign” for “Certificate Type”. 6) In “X.509 v3 Certificate Extensions” screen, check “SubjectAltName” and click the edit icon on the right. In the bottom the screen, choose “DNS” for Type, and type “teklap4.usco.ibm.com”. 7) In “Signing Certificate and Private Key File” screen, type C:\certs\U2SoapServer\u2ssroot.cer for “CA Certificate File” and C:\certs\SoapServer\u2ssroot.pvt for “Private Key” 8) Type in “my password” for the private key. 9) Click “Create”. The following images demonstrate the UniAdmin tool: Certificate File C:\certs\U2SoapServer\u2SoapServer.cer Next >
26
Certificate Request File C:\certs\U2SoapServer\u2SoapServer.req Next >
27
Validity Period 1826 Next >
28
Certificate Type Leaf CA Sign Next >
29
SubjectAltName DNS:teklap4.usco.ibm.com Next >
30
Signing Certificate and Private Key File CA Certificate File = C:\certs\U2SoapServer\u2ssroot.cer Private Key File = C:\certs\U2SoapServer\u2ssroot.pvt Next >
31
Password for Private Key = my password Create
32
OK
Finish
33
3. Import Certificates into Key Store
a. Import Root Certificate into Java Keystore
Assumptions: Key Store is u2sskeystore U2 soap server Root Certificate tied to alias U2ssrootkey Key password is “my password” Key Store password is “changeit” keytool -import -file u2ssroot.cer -alias "U2ssrootkey" -keypass "my password" -keystore u2sskeystore -storepass "changeit" C:\certs\U2SoapServer>
34
b. Import the soap server Certificate into Java Keystore
Assumptions: Key Store is u2sskeystore U2 soap server Certificate tied to alias u2sskey Key password is “my password” Key Store password is “changeit” keytool -import -file u2soapserver.cer -alias "u2sskey" -keypass "my password" -keystore u2sskeystore -storepass "changeit"
c. Import Root Certificate into Default JRE’s CA keystore
cd \IBM\UniDK\JRE2\jre\lib\security
Assumptions: Key Store is cacerts U2 soap server Certificate tied to alias U2ssrootkey Key password is “my password” Key Store password is “changeit”
35
C:\IBM\UniDK\JRE2\jre\lib\security>
keytool -import -file c:\certs\U2SoapServer\u2ssroot.cer -alias U2ssrootkey -keypass "my password" -keystore cacerts -storepass "changeit"
36
d. Import Root Certificate into Windows Certificate Store
Open an IE window From Tool Bar->Tools->Internet Options->Content
37
Certificates
38
Import
39
Next
40
For File name, specify the path for your soap server Root Certificate, e.g.,“C:\certs\U2SoapServer\u2ssroot.cer Next>
41
Browse
42
Select “Trusted Root Certification Authorities” OK Next
43
The Wizard will ask you to confirm the content of the certificate Click Finish
44
The Wizard should display “Do you want to install this certificate”, Click Yes
45
The Wizard should display a “success” message.
Find “Trusted Root Certificate Authorities” tab, click and verify that the Root Certificate is indeed installed. OK and close the IE windows.
Proceed to the “secure u2 soap server-v4 u2ss-u2db - document 2”