Enabling SSL for outbound web services

You can enable SSL for web services that are created by using the WebSphere Commerce web services or Rational Application Developer.

If you require more security measures, consider alternatives such as creating JAX-WS/JAX-RPC web service clients by using the Rational Application Developer wizard.
Note: If you are using the Rational Application Developer wizard, the client can be created under an EJB project by using a stateless session bean facade to access the service, not in the Stores.war project. That is, if you define the web service client in the stores web module, the service reference is not visible if you are running outside the Stores context. For example, if you attempt to use the web Service Client from a scheduler job, the call fails.

Before you begin

Ensure that you completed the following task:
  • Installed WebSphere Commerce Version 7

Procedure

  1. When client authentication is not needed.

    If the server does not require client authentication, that is, it does not validate the client certificate, the configuration is not complex. The server certificate is added to the default truststore:

    1. Open the WebSphere Application Server administrative console.
    2. Expand Security. Click SSL certificate and key management.
    3. In the Related Items section, click Key stores and certificates.
    4. Select NodeDefaultTrustStore.
    5. In the Additional Properties section, click Signer Certificates.
    6. You can either:
      • Click Retrieve from port and enter the HTTPS host name and port. This setting automatically retrieves the certificate for you.
      • Click Add to import the Base64-encoded certificate file.

      The server is now trusted.

  2. When client authentication is needed.

    If client authentication is needed, the server verifies the client certificate and refuses the connection if the client is untrusted. The server must add the client certificate to its own truststore.

    1. Create the keystore and truststore.
      For testing purposes, you can create a new keystore and truststore and use a self-signed certificate. However, in production, you must use a certificate from a trusted certificate authority.
      1. Open ikeyman to create the certificate stores. ikeyman is in the AppServer/bin directory.
      2. In the Key Database File menu, select New....
        1. For the key database type, select JKS. Other formats such as PKCS12 can also be selected.
        2. Select a name and path for the keystore. For example, CommerceKeyStore.jks
        3. Enter a password. Remember this password as it is needed in later steps.
      3. When Personal Certificates is selected, click New Self-Signed...
      4. Complete the form and click Accept.
      Your new keystore is created and contains the self-signed certificate. The following steps create the truststore.
      1. In the Key Database File menu, select New....
        1. Create a file to use for the truststore, for example, CommerceTrustStore.jks. The truststore contains the certificates this server trusts. The server certificate needs to be added to this truststore.
        2. You can add the server certificate later by using the user interface or iKeyman. The server certificate is typically a .arm (Base64-encoded) certificate file or is included in a key database such as JKS or p12.
        3. To import the server certificate from an arm file, ensure that the Signer Certificates drop-down menu is selected and click Add.... If the certificate is a JKS or p12 file, you can extract it as an asm file.
    2. Define the new truststore and keystore in WebSphere Commerce.
      1. Open the WebSphere Application Server administrative console.
      2. Expand Security. Click SSL certificate and key management.
      3. In the Related Items section, click Key stores and certificates.
      4. Click New. Use CommerceKeyStore for the name and populate the path and password for the CommerceKeyStore.jks file and remaining options.
      5. After creation, click Personal certificates to see the details of the self-signed certificate. This test ensures that the keystore is correctly defined.
      6. Repeat these steps and define CommerceTrustStore from CommerceTrustStore.jks. Click Signer certificates for the truststore to see the server certificate.
    3. Create an SSL configuration.
      1. Expand Security. Click SSL certificate and key management
      2. In the Related Items section, click SSL configurations.
      3. Click New.
      4. Enter CommerceSSLConfig as the name.
      5. For the truststore name, select CommerceTrustStore.
      6. For the keystore name, select CommerceKeyStore.
      7. Click Get certificate aliases.
      8. For the Default server certificate alias and Default client certificate alias, select the alias for the self-signed certificate or your client certificate.
      9. In the Additional properties section, click Quality of protection (QoP) settings.
      10. Set Client Authentication to Required.
    4. Associate the SSL Configuration to the web Service.
      1. In the Related Items section of the SSL certificate and key management pane, click Dynamic outbound endpoint SSL configurations.
      2. Click New. You can configure outbound requests that are made in a particular protocol to a particular host name and port to use a non-default SSL configuration.
      3. Select the combination of protocol, host, and port that matches the one used by the outbound web service.
      4. In the Related Items section of the SSL certificate and key management pane, click SSL Configuration.
      5. Select CommerceSSLConfig. Then, click Get certificate aliases.
      6. Select the client certificate.