Configuring SSL for Sterling Order Management

After configuring two-way SSL for HCL Commerce, configure two-way SSL authentication for Sterling Order Management.

Before you begin

Ensure that you have configured the AuthorizationOnlyApiServlet for direct integration. For information, see Configuring the authorizationOnlyApiServlet for direct integration.

About this task

The AuthorizationOnlyApiServlet and SCWCSoapServlet provide two-way SSL authentication for direct API calls. Configuration includes:
  • Enabling access to the servlets
  • Restricting access to an authorized username

Procedure

  1. Open the <INSTALL_DIR>/repository/eardata/smcfs/extn/ directory.
  2. Optional: If the web.xml.sample file does not already exist, build the smcfs.ear file to generate it, and then rename web.xml.sample to web.xml.
Next, for each servlet, restrict access to an authorized username:
  3. Edit <INSTALL_DIR>/repository/eardata/smcfs/extn/web.xml by adding security constraints for AuthorizationOnlyApiServlet and SCWCSoapServlet.

    For AuthorizationOnlyApiServlet, add the following code:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AuthorizationOnlyApiServlet</web-resource-name>
        <url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>WCIntegrationUser</role-name>
      </auth-constraint>
    </security-constraint>

    For SCWCSoapServlet, add the following code:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SCWCSoapServlet</web-resource-name>
        <url-pattern>/servlets/scwcsoapservlet</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>WCIntegrationUser</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>defaultWIMFileBasedRealm</realm-name>
    </login-config>
    <security-role>
      <role-name>WCIntegrationUser</role-name>
    </security-role>

    Note: To determine the value to enter for <realm-name> in web.xml, refer to the WebSphere Application Server configuration. The sample code uses defaultWIMFileBasedRealm for <realm-name>.
  4. Build the EAR, which now contains the modified web.xml file.
  5. Redeploy the EAR:
    1. Open the WebSphere Application Server Administrative Console and click Applications > WebSphere enterprise applications.
    2. Select Sterling Order Management and click Update.
    3. Select Replace the entire application and Remote file system. Browse to the smcfs.ear file.
    4. Click Next and accept all defaults.
    The application is updated.
Next, enable administrative and application security:
  6. In the WebSphere Application Server Administrative Console, click Security > Global Security. The Global Security settings are displayed.
  7. Click Security Configuration Wizard and click Enable administrative security if it is not enabled by default. Click Next.
  8. For Step 2: Select user repository, click Federated repositories.
  9. For Step 3: Configure federated repository, enter a Primary administrative user name and password. User name example: configadmin
  10. For Step 4: Summary, verify that the following values are shown:

    Table 1. Summary of options set in the global security wizard for administrative security

    Option                                                                 Value
    Enable administrative security                                         true
    Enable application security                                            true
    Use Java 2 security to restrict application access to local resources  false
    User repository                                                        Federated repositories
    Primary administrative user name                                       Varies.

  11. Restart the WebSphere Application Server for Sterling Order Management.
  12. Set the value of the certificateMapMode property to notSupported. For more information, see Enabling client certificate login support for a file-based repository in federated repositories.
    1. Go to <Sterling_profiledir>/bin/.
    2. Run ./wsadmin.sh -conntype none.
    3. In the wsadmin tool, run $AdminTask setIdMgrCustomProperty {-id InternalFileRepository -name certificateMapMode -value notSupported}
    4. To save the configuration, run $AdminConfig save.
  13. Go to Users and Groups > Manage Users > Create Users and create WCIntegrationUser.
  14. Go to Users and Groups > Manage Groups > Create Groups and create WCIntegrationGroup.
  15. Add the newly created WCIntegrationUser user as a member of WCIntegrationGroup: go to Users and Groups > Manage Groups, search for and choose the WCIntegrationGroup group, click Members, and add WCIntegrationUser.
  16. Go to Applications > WebSphere Enterprise Applications > Application_Name > Security role to user/group mapping, and map the following:
    1. WCIntegrationUser user role to the WCIntegrationUser user created in Step 13.
    2. WCIntegrationGroup group role to the WCIntegrationGroup group created in Step 14.
  17. Click Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings.
    1. Click Quality of protection (QoP) settings.
    2. Set Client Authentication to Supported.
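The following Python check is an added example, not part of this procedure or of the product: before the EAR is rebuilt, it parses the edited extn web.xml and confirms that both servlet URL patterns from the web.xml edit above sit under a security-constraint whose only role is WCIntegrationUser, and that login-config uses CLIENT-CERT. The sample web.xml is constructed inline from the fragments above; the web-app root element and its namespace are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints from the procedure, wrapped in a minimal <web-app> root.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
 <security-constraint><web-resource-collection>
  <web-resource-name>AuthorizationOnlyApiServlet</web-resource-name>
  <url-pattern>/interop/AuthorizationOnlyApiServlet</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint><role-name>WCIntegrationUser</role-name></auth-constraint>
 </security-constraint>
 <security-constraint><web-resource-collection>
  <web-resource-name>SCWCSoapServlet</web-resource-name>
  <url-pattern>/servlets/scwcsoapservlet</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint><role-name>WCIntegrationUser</role-name></auth-constraint>
 </security-constraint>
 <login-config><auth-method>CLIENT-CERT</auth-method>
  <realm-name>defaultWIMFileBasedRealm</realm-name></login-config>
 <security-role><role-name>WCIntegrationUser</role-name></security-role>
</web-app>"""

REQUIRED = ("/interop/AuthorizationOnlyApiServlet", "/servlets/scwcsoapservlet")
ROLE = "WCIntegrationUser"

def _name(tag):
    """Drop the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]

def check_web_xml(xml_text):
    """Return a list of findings; an empty list means both servlets are locked down."""
    root = ET.fromstring(xml_text)
    findings, protected = [], {}  # protected: url-pattern -> allowed roles (None = open)
    for sc in (e for e in root.iter() if _name(e.tag) == "security-constraint"):
        auth = next((e for e in sc.iter() if _name(e.tag) == "auth-constraint"), None)
        # A constraint without <auth-constraint> grants access to everyone.
        roles = None if auth is None else {r.text.strip() for r in auth if _name(r.tag) == "role-name"}
        for up in (e for e in sc.iter() if _name(e.tag) == "url-pattern"):
            protected[up.text.strip()] = roles
    for pattern in REQUIRED:
        if protected.get(pattern) is None:
            findings.append(f"{pattern}: not protected by an auth-constraint")
        elif protected[pattern] != {ROLE}:
            findings.append(f"{pattern}: allowed roles {sorted(protected[pattern])}")
    methods = [e.text.strip() for e in root.iter() if _name(e.tag) == "auth-method"]
    if methods != ["CLIENT-CERT"]:
        findings.append(f"login-config auth-method {methods}, expected ['CLIENT-CERT']")
    return findings
```

Run it against the real file with check_web_xml(open(path).read()) after the web.xml edit and before building the EAR; any non-empty result means the constraint was not applied as the procedure intends.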