Securing U2 Soap Server Introduction To enable SSL on the Client(Consumer-to-U2SS side), we need a U2 soap server Certificate. There are three possible methods to obtain the Server Certificate: 1. Use U2 UniAdmin to generate a self signed certificate 2. Obtain one from a commercial site (CA Authority). 3. Use the Java keytool program. teklap4.usco.ibm.com U2 Soap Server EF020C9DB8.usco.ibm.com SOAP Processor UOJ Connection Pools C L I E N T UniRPC/SSL S E R V E R U2 DB SOAP Requests Jetty Http Server SERVER SOAP Responses Consumers SOAP over HTTP(s)/SSL CLIENT Consumers 1
Information and Naming Conventions For the purposes of this document, UniAdmin will be used to generate the U2 soap server root certificate request file, the U2 soap server root certificate file, and the U2 soap server Leaf CA certificate file. The Java keytool will be used to create the U2 soap server Leaf CA certificate request file. The U2 soap server root certificate file is called u2ssroot.cer The U2 soap server certificate file is called u2soapserver.cer The U2 soap server qualified domain name is teklap4.usco.ibm.com This document will demonstrate securing the components in the following drawing: 2
1. Create Self-signed Root Certificate u2ssroot.cer a. Create the certificate directory First, decide on a common place to store all your certificates (a good practice), here we assume it is C:\certs\SoapServer b. Create a Certificate Request 1) From Start->Programs->IBMU2->UniAdmin 2) Once in UniAdmin, define a U2 Server under U2 Servers (if there are none) 3) Connect to a U2 Server (here assume a UV server) 4) Click SSL Configure 5) In SSL Configuration window, Click Generate a Certificate Request 6) Follow the UniAdmin wizard, and specify a Certificate Request File path, and certificate request file name: C:\ certs\u2soapserver\u2ssroot.req Also click SHA1 digest algorithm. 7) For Request Properties, we assume the following values: C US ST Colorado L Denver O IBM Corp. OU U2 soap server self signed root certificate CN teklap4.usco.ibm.com (fully qualified domain name) Email nikk@us.ibm.com 8) For Key Pair Generation, click Generating new key pair 9) For Key Pair Info, type in two path name for key pairs: C:\ certs\u2soapserver\u2ssroot.prv C:\certs\U2SoapServer\u2ssroot.pub 10) For Password, type and confirm key password phrase my password 11) Click Create, a certificate request will be created. 12) Click Finish The following images demonstrate the UniAdmin tool: 3
Generate a Certificate Request Next 4
C:\certs\U2SoapServer\u2ssroot.req SHA1 Next> 5
C = US ST = Colorado L = Denver O = IBM Corp. OU = U2 Support Soap Server self signed root certificate CN = teklap4.usco.ibm.com Email = nikk@us.ibm.com Next > 6
Key Pair Selection Check Generating new key pair Next > 7
Key Pair Info Private Key File = C:\ certs\u2soapserver\u2ssroot.pvt Public Key File = C:\ certs\u2soapserver\u2ssdroot.pub Next > 8
Password Password for Private Key = my password Confirm Password = my password Next > OK 9
Finish 10
c. Create Certificate If all the above steps succeeded, then: 1) From SSL Configure window, click Certificate tab 2) Click Generate a Certificate button. 3) For Certificate File, type in a path and for certificate file name: c:\ certs\u2soapserver\u2ssroot.cer 4) Type c:\ certs\u2soapserver\u2ssroot.req into Certificate Request File box. 5) Select or type 1826 (5 years) as value for Validity period 6) Check Self Sign for Certificate Type. 7) Type C:\ certs\u2soapserver\u2ssroot.pvt for Private Key File 8) Type in my password for the private key (see step 10). 9) Click Create. If everything is supplied correctly, a self-signed root certificate will be created. The following images demonstrate the UniAdmin tool: Certificate Generate a Certificate 11
Next > 12
c:\ certs\u2soapserver\u2ssroot.cer Next > 13
C:\certs\U2SoapServer\u2ssroot.req Next > 14
Validity Period = 1826 Next > 15
Self Sign Next > 16
c:\ certs\u2soapserver\u2ssroot.pvt Next > 17
my password Create 18
OK Finish 19
INFO: Below is a typical Certificate Request Site (IBM's is shown below) 20
21
22
2. Create a U2 soap server Keystore u2sskeystore The U2 soap server needs a keystore to store the soap servers root and leaf CA Certificate. We will be using our own Java Key Store called u2sskeystore (c:\certs\u2soapserver\u2sskeystore), and the U2 soap server Java Runtime keystore called cacerts located in your U2 IBM install path (normally c:\ibm\unidk\jre\lib\security\cacerts). The Java keytool program is a very powerful utility. Documentation/examples on how to use this tool is available off the internet: KeyTool User Guide-142.html http://www.ibm.com/developerworks/java/jdk/security/142/secguides/keytooldocs/keytooluserguide-142.html Assumptions: U2 soap server certificate and key store repository is c:\certs\u2soapserver Key Store Alias is u2sskey Key password is my password Key Store password is changeit U2 soap server domain name is teklap4.usco.ibm.com a. Creating u2sskeystore: keytool -genkey -keyalg RSA -keysize 1024 -dname "CN=teklap4.usco.ibm.com, OU=IBM Corp., O=U2 Support soap server certificate keystore, L=Denver, S=Colorado, C=US" -alias u2sskey -keypass "my password" -keystore u2sskeystore -storepass "changeit" 23
b. Create a U2 soap server Keystore Certificate Request Assumptions: Key Store is u2sskeystore Certificate request is from alias u2sskey Key password is my password Key Store password is changeit keytool -certreq -file u2soapserver.req -alias "u2sskey" -keypass "my password" -keystore u2sskeystore -storepass "changeit" 24
c. Create a U2 soap server Keystore Certificate 1) Go back to UniAdmin->SSL Configure->Certificate->Generate a Certificate 2) For Certificate File, type a path name for certificate file C:\certs\U2SoapServer\u2SoapServer.cer 3) Type C:\certs\U2SoapServer\u2SoapServer.req into Certificate Request File box. 4) Highlight the default value 365 and type 1826 (5 years) as value for Validity period 5) Check Leaf CA Sign for Certificate Type. 6) In X.509 v3 Certificate Extensions screen, check SubjectAltName and click the edit icon on the right. In the bottom the screen, choose DNS for Type, and type teklap4.usco.ibm.com. 7) In Signing Certificate and Private Key File screen, type C:\certs\U2SoapServer\u2ssroot.cer for CA Certificate File and C:\certs\SoapServer\u2ssroot.pvt for Private Key 8) Type in my password for the private key. 9) Click Create. The following images demonstrate the UniAdmin tool: Certificate File C:\certs\U2SoapServer\u2SoapServer.cer Next > 25
Certificate Request File C:\certs\U2SoapServer\u2SoapServer.req Next > 26
Validity Period 1826 Next > 27
Certificate Type Leaf CA Sign Next > 28
SubjectAltName DNS:teklap4.usco.ibm.com Next > 29
Signing Certificate and Private Key File CA Certificate File = C:\certs\U2SoapServer\u2ssroot.cer Private Key File = C:\certs\U2SoapServer\u2ssroot.pvt Next > 30
Password for Private Key = my password Create 31
OK Finish 32
3. Import Certificates into Key Store a. Import Root Certificate into Java Keystore Assumptions: Key Store is u2sskeystore U2 soap server Root Certificate tied to alias U2ssrootkey Key password is my password Key Store password is changeit keytool -import -file u2ssroot.cer -alias "U2ssrootkey" -keypass "my password" - keystore u2sskeystore -storepass "changeit" C:\certs\U2SoapServer> 33
b. Import the soap server Certificate into Java Keystore Assumptions: Key Store is u2sskeystore U2 soap server Certificate tied to alias u2sskey Key password is my password Key Store password is changeit keytool -import -file u2soapserver.cer -alias "u2sskey" -keypass "my password" - keystore u2sskeystore -storepass "changeit" c. Import Root Certificate into Default JRE s CA keystore cd \IBM\UniDK\JRE2\jre\lib\security Assumptions: Key Store is cacerts U2 soap server Certificate tied to alias U2ssrootkey Key password is my password Key Store password is changeit 34
C:\IBM\UniDK\JRE2\jre\lib\security> keytool -import -file c:\certs\u2soapserver\u2ssroot.cer -alias U2ssrootkey - keypass "my password" -keystore cacerts -storepass "changeit" 35
d. Import Root Certificate into Windows Certificate Store Open an IE window From Tool Bar->Tools->Internet Options->Content 36
Certificates 37
Import 38
Next 39
For File name, specify the path for your soap server Root Certificate, e.g., C:\certs\U2SoapServer\u2ssroot.cer Next> 40
Browse 41
Select Trusted Root Certification Authorities OK Next 42
The Wizard will ask you to confirm the content of the certificate Click Finish 43
The Wizard should display Do you want to install this certificate, Click Yes 44
The Wizard should display a success message. Find Trusted Root Certificate Authorities tab, click and verify that the Root Certificate is indeed installed. OK and close the IE windows. Proceed to the secure u2 soap server-v4 u2ss-u2db - document 2 45